Building a Strong Foundation for Your Cloud with Identity Management



  1. Building a Strong Foundation for Your Cloud with Identity Management. Nishant Kaushik, Lead Strategist, Oracle Identity & Access Management
  2. Before We Start. Join the conversation on Twitter: #OOW10 #IDM @NishantK @OracleIDM
     - Oracle OpenWorld Latin America 2010, December 7–9, 2010
     - Oracle OpenWorld Beijing 2010, December 13–16, 2010
  3. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
  4. Enterprises are Moving Towards the Cloud. "The future is looking very cloudy. Yes, very cloud indeed!"
  5. But there are Concerns: 74% rate cloud security issues as "very significant" (Source: IDC). Security, Compliance, Control.
  6. Cloud and the Loss of Control. Three delivery models: Infrastructure (IaaS), e.g. Amazon EC2; Platform (PaaS), e.g. Google App Engine; Application (SaaS), e.g. Oracle On Demand. With IaaS and PaaS the application is built by the customer and provided by the cloud; with SaaS it is built and provided by the cloud. Moving from IaaS to SaaS, control by the customer decreases.
  7. But that's Predicated on Classic Security Approach
  8. An Approach that has become Outdated
     - Convention: Closed Perimeter with Controlled Entry; Restricted User Base; Low Frequency of Change; Stable Business Processes
     - Disruption: Borderless networks subject to user mobility and asset distribution; Business processes are fluid
     - Vision: Adoption of cloud computing changes the equation for the business
  9. A New Approach to Security: Secured by Policy, not Topology; Loosely coupled, services-based; Standards-based; Rationalized, Integrated
  10. Cloud Risk Assessment for an SME using a Cloud Service. Risk scale: 0-2 Low Risk, 3-5 Medium Risk, 6-9 High Risk. Source: ENISA report on Cloud Computing – Benefits, risks and recommendations for information security
  11. Cloud Risk Assessment for an SME using a Cloud Service: Medium Impact – High Probability
     - Vendor/Service Lock-In
     - Isolation Failure
     - Cloud Provider Malicious Insider (Abuse of High Privilege Roles)
     - Management Interface Compromise (Manipulation, Availability of Infrastructure)
     - Legal Risks
  12. Cloud Risk Assessment for an SME using a Cloud Service: High Impact – High Probability
     - Loss of Governance
     - Compliance Challenges
     - Changes of Jurisdiction
     - Data Protection Risks
  13. How do we Tame the Monster? "You won't like me when I'm angry!" (Image: Incredible Hulk, TM and Copyright 2010 Marvel Comics)
  14. Cloud Security Starts with Identity. "The basis of security in a borderless environment, only something that can transcend domain boundaries, like identity, can be!" (Image: Yoda, TM and Copyright 2010 Lucasfilm)
  15. IdM For The Cloud: Foundational Elements
  16. Extend Enterprise IAM to the Cloud: Enterprise IAM covers both Enterprise Apps and Cloud Apps
     - Core: Authentication; Account Lifecycle Management
     - Extended: Claims-based Identity; Authorization Policy Rationalization
  17. Managing Authentication for the Cloud (Cloud AuthN)
     - Federation: For business critical applications, extend in-house SSO to cloud apps through SAML-based federation
     - User-Centric Identity: Provide internet identity (e.g. OpenID, OAuth) AuthN schemes for corporate users to use at non-critical cloud services (like open-source projects, community forums)
     - Privileged Account Management: Don't give users direct access to the privileged account for a contracted cloud service; Use PAM to track, monitor and control access
  18. Account Lifecycle Management
     - Implement Provisioning processes: Develop automated provisioning & de-provisioning for cloud services. Leverage SPML when available; native APIs if forced to
     - Implement Self-Registration & Role-based Provisioning: Roll out self-registration for users to request access through corporate portal. Support role-based provisioning when possible
     - Integrate Access Certification: Attestation processes should identify high-risk cloud services based on management capabilities (No federation = high risk)
     - Automate Provisioning with PAM: Build assignment of PAM privileges into provisioning processes
  19. Claims-based Identity: Enterprise IAM issues an AuthN token with claims to Cloud Apps
     - Claims-based Provisioning: Federation (SAML) token contains added identity data used by service to create an account (on first use)
     - Claims-based Authorization: Federation (SAML) token contains added identity assertions (attributes, roles) used by service to make AuthZ decisions
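As an added illustration, not code from the deck or from any Oracle product, the following Python sketch shows the service-provider side of the claims-based provisioning and authorization the slide describes: it checks the assertion's validity window and audience, creates the account on first use from the identity claims, and answers AuthZ questions from the role claims. The assertion is a constructed sample, the entity ID `https://cloudapp.example/sp` is assumed, and signature verification of the assertion is assumed to have already happened upstream.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
OUR_ENTITY_ID = "https://cloudapp.example/sp"   # assumed SP entity ID
# Constructed sample assertion; by assumption its signature was verified upstream.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@corp.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-12-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://cloudapp.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@corp.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>viewer</saml:AttributeValue><saml:AttributeValue>approver</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

ACCOUNTS = {}   # in-memory stand-in for the SaaS application's user table
PERMISSIONS = {"viewer": {"read"}, "approver": {"read", "approve"}}

def parse_claims(xml_text, now=None):
    """Return (subject, {attribute: [values]}) after enforcing the assertion's Conditions."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    nb = datetime.fromisoformat(cond.get("NotBefore").replace("Z", "+00:00"))
    noa = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if not (nb <= now < noa):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if OUR_ENTITY_ID not in audiences:   # a token minted for another SP must not log anyone in here
        raise ValueError("assertion not addressed to this service provider")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return subject, claims

def login(xml_text, now=None):
    """Claims-based provisioning: create the account on first use from the token's identity data."""
    subject, claims = parse_claims(xml_text, now)
    if subject not in ACCOUNTS:
        ACCOUNTS[subject] = {"email": claims["email"][0], "name": claims["displayName"][0]}
    return subject, set(claims.get("role", []))

def is_authorized(roles, action):
    """Claims-based authorization: decide from roles asserted in the token, not from a local role table."""
    return any(action in PERMISSIONS.get(r, set()) for r in roles)
```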
  20. Authorization Policy Rationalization: Export AuthZ policies defined in Enterprise Entitlement Management system as an XACML document, to import into Cloud service AuthZ engine
     - Based on XACML standard
     - Must be part of overall entitlement policy rationalization effort (one policy honored by multiple systems)
  21. IdM For The Cloud: Platform for the Future
  22. Become an Identity Services Provider: a standards-based Identity Services Platform with simple APIs
     - In-house IdM Service Provider: Allows Partner SaaS Apps and Cloud Apps to plug into and leverage IAM services exposed by the enterprise customer
     - Cloud IdM Service Provider: Allows enterprise to leverage 3rd Party and Cloud-based Providers of Identity Services in addition to rolling out their own
     - Secure "IAM Cloud" Services SDK via RESTful Interfaces; Identity & Context Propagation, Claims-based access control
  23. Built on Vision of Service-Oriented Security: Applications and Cloud Service Providers consume Declarative Security Services (Authorization, Federation, Authentication, Audit, Provisioning, Role Mgmt) through an Identity Hub
     - A new architectural approach to building security into applications that leverages two key trends – SOA and Application Frameworks
     - The goal: To provide security functionality in a consistent, reusable service-oriented model to all applications/services
     - Promotes loose coupling to ensure long term viability and heterogeneity of business solutions
  24. Security Glue For The Cloud: every participant runs an Identity Services Platform
     - IAM Service Provider: Identity Hub Service; Identity Administration Service; Identity Assurance Service; Identity Audit Service
     - Business Service Provider / Service Consumer: Identity Authorization Service; Identity Assurance Service
     - All participants have interoperable identity services
     - Every participant can be both the service provider and service consumer
  25. Why Oracle?
  26. @sheeri: "Oracle is not a database company... Oracle is now an adjective, not a noun, as in 'Oracle apps' or 'Oracle middleware'"
  27. Oracle Fusion Middleware
  28. Oracle Identity Management: Oracle + Sun Combination
     - Provisioning & Identity Administration: Roles-based User Provisioning; Password Management & Self Service; Request & Approval
     - Access Management: Authentication, SSO & Fraud Prevention; Authorization & Entitlements; Web Services Security; Information Rights Management
     - Directory Services: LDAP Storage; Virtualized Identity Access
     - Identity Governance: Analytics; Fraud Prevention; Privacy Controls
     - Platform Security Services: Identity Services for Developers
  29. Oracle Identity Management: Comprehensive and Best-of-Breed
     - Identity Administration: Identity Manager
     - Access Management*: Access Manager; Adaptive Access Manager; Enterprise Single Sign-On; Entitlements Server; Identity Federation; Information Rights Management; Web Services Manager
     - Directory Services: Directory Server EE; Internet Directory; Virtual Directory
     - Identity & Access Governance: Identity Analytics; Security Governor
     - Oracle Platform Security Services
     - Operational Manageability: Management Pack For Identity Management
     - *Access Management includes Oracle OpenSSO STS and Oracle OpenSSO Fedlet
  30. Oracle OpenSSO Fedlet: SAML Enablement of SaaS Applications. Diagram: Identity Providers (OIF, OpenSSO, 3rd Party) federate with SaaS Apps running the .NET Fedlet or the Java Fedlet
     - Oracle OpenSSO Fedlet is a lightweight SP-only implementation of SAML 2.0 SSO protocols
     - Flexible integration framework
     - Can be used by a SaaS App Provider to Federation-enable their application
     - Standards-based cross-domain authentication and SSO
     - Standards-based attribute exchange with advanced identity attribute mapping and filtering
     - Multi-Tenant
  31. Oracle Enterprise Single Sign-On Suite Plus: ESSO Anywhere, on-the-go install of Enterprise Single Sign-On, anytime, anywhere. Flow: remote client download; authenticate; validate against the Enterprise Credential Store; access Enterprise Applications
     - Access Applications from Anywhere
     - Faster Deployment and Version Control on the Deployment Packages
     - Automate Updates and Rollbacks
     - Reduce Overall Deployment Costs
  32. Security with Oracle Cloud Platform
     - Applications: Third Party Applications; ISV Applications; Oracle Applications
     - Platform as a Service, Shared Services: Integration (SOA Suite); Process Mgmt (BPM Suite); Security (Identity Mgmt); User Interaction (WebCenter)
     - Platform as a Service, Application Grid: WebLogic Server, Coherence, Tuxedo, JRockit
     - Platform as a Service, Database Grid: Oracle Database, RAC, ASM, Partitioning, IMDB Cache, Active Data Guard, Database Security
     - Infrastructure as a Service: Operating Systems (Oracle Solaris, Oracle Enterprise Linux); Oracle VM for SPARC (LDom), Solaris Containers, Oracle VM for x86; Servers; Storage
     - Cloud Management (Oracle Enterprise Manager): Configuration Mgmt; Lifecycle Management; Application Performance Management; Application Quality Management; Ops Center (Physical and Virtual Systems Management)
  33. Oracle Platform Security Services (OPSS)
     - Services: Authentication; Authorization; Roles & Entitlements; Auditing; Directory Services; User Provisioning; Policy Store; Session Management; Data
     - Standards-based Interfaces to Oracle Identity Management (Identity Store, Credential Store, and Policy Store Providers): Access Management; Identity Administration; Directory Services
     - Declarative Security Framework optimizes application lifecycle support
     - Standards-based and Hot-Pluggable with Identity Management Systems
     - Security Platform for Oracle Fusion Middleware and Fusion Apps
  34. Cloud IdM Success Stories
     - Identity Assurance: BT Identity Services includes Managed Fraud and URU Identity Verification Services that rely on OAAM
     - Identity Administration: NetApp is provisioning Oracle CRM OnDemand from an on-premise OIM deployment
     - Identity Administration: Embry Riddle is provisioning Microsoft Live from an on-premise OIM deployment
  35. Oracle IAM: Aiming for the Unbreakable Cloud
  36. Addressing the 3 Dimensions of Cloud Identity
     - IAM for Cloud: Are you leveraging SaaS applications and Cloud platforms?
     - IAM as SaaS: Do you need IAM, but don't want to maintain it?
     - IAM in PaaS: Are you building SaaS applications?
  37. IAM for SaaS and Cloud Platforms: Providing out-of-the-box support for common Cloud Platforms and SaaS applications
     - OIM Provisioning Connectors for Salesforce, Google Apps, Amazon AWS, Microsoft Live, Oracle OnDemand
     - OIF Federated SSO for Google Apps, Salesforce, Oracle OnDemand
     - Securing Web & Cloud Services with OWSM: Managing API Keys required for AuthN; Managing connections
     - SPML Enablement of SaaS Applications
  38. SPML Enablement of SaaS Applications. Diagram: Provisioning Systems (OIM, 3rd Party) provision SaaS Apps through an OIM Provlet
     - OIM Provlet is a lightweight SP-only implementation of SPML 2.0 provisioning protocol
     - Web Application co-located with target
     - Can be used by a SaaS App Provider to expose standards-based provisioning interfaces
     - Built on same ICF-based connectors deployed in OIM Server
     - REST or SOAP based Web Services
     - Multi-Tenant
  39. Provlet Deployment Architecture. Diagram: Oracle Identity Manager connects to a Provlet Web App exposing SPML Web Services; the Provlet holds App 1 Metadata and the App 1 Connector Bundle on top of the Connector Framework, with LDAP Connector Config and AD Connector Config
  40. IAM as SaaS: Client Enterprise 1 and Client Enterprise 2 use Cloud IAM alongside Cloud Apps
     - Customers are looking to outsource IAM: Don't want to maintain in-house IAM; IT Staff expertise is a challenge
     - MSPs looking to offer IAM as a Service: Cost benefits of shared service model over hosted instances; Maintenance simplicity
     - Requires many technical features: M/T, Federation, Metering/Billing
  41. Deploying IAM as SaaS. Diagram: Oracle Identity Manager at the service provider (with Gateway DB, Connector Framework, App Metadata and Connector Bundles) talks to an OIM Provisioning Gateway at the customer site, which holds the App Connector Bundles and Metadata for App 1 and App 2
     - Deploy provisioning gateway at a customer site with a single connection back to the IAM service at the SP
     - Limit number of firewall holes SP has to open to one per customer
     - Limit number of firewall holes customer has to open to their IAM SP
  42. IAM in PaaS: Identity Services for Cloud Apps, SaaS Apps and Partner SaaS Apps, backed by IAM Providers in a Private, Public or Hybrid Cloud
     - Customers looking to build Cloud Services: Telco Clouds and SDPs; Trust and Federation Clouds; Consumer Services
     - MSPs that need to manage customer identities across environments
     - Leverages new IAM infrastructure or existing IAM system
  43. IDaaS APIs for OPSS: Service-Oriented Security Optimized for the Cloud. Diagram: Cloud SP System Administrator, Tenant Administrator and Cloud Service Developer use the IDaaS Framework, which exposes IDaaS Interfaces (REST) and IDaaS Admin Interfaces (REST, SOAP) over Oracle Platform Security Services (Shared Services for Access, Shared Services for Identity) and Oracle Identity Management (LDAP, Tenant Config Metadata)
  44. Cloud + Identity-based Security = IT Nirvana. "Well, when we do it, cloud-based defenses can be more robust, scalable and cost-effective. And we'll throw in business differentiator to boot!" (Image: Iron Man, TM and Copyright 2010 MVLFFLLC and 2010 Marvel)
  45. Questions. Learn More; Connect, Discuss: @NishantK