This session will help you understand what cloud security is and how to implement it in your enterprise. It will discuss the technical aspects of cloud security and how we can help you secure the cloud while ensuring sensitive information always remains behind the firewall.
How to Implement Novell® Cloud Security Services: Nuts and Bolts

Dale Olds, Distinguished Engineer
Ben Fjeldstet, Sr. Engineer
Tom Cecere, Product Strategy
Novell Cloud Security Service
March 24, 2010
© Novell, Inc. All rights reserved.

Key Takeaways
• SaaS adoption is projected to increase three-fold to US$14 billion by 2012, according to Gartner.
• “SaaS sprawl” is causing an IT administration and security nightmare for enterprises.
• Enforcing consistent policies for internal and cloud applications is key to effective governance.
• Novell® Cloud Security Service allows organizations to extend their internal policies, roles and workflow and to manage a multi-SaaS environment consistently.
• Novell has been a leading provider of identity and security solutions for over 20 years.
Agenda
• Why Novell® Cloud Security Service (NCSS)?
• What Is NCSS and How Does It Work?
• Architecture
• Deployment Options
Enterprise Challenge: Creating an IT Administration Nightmare
[Diagram: users, with separate copies of user data/permissions held in each of the IT department's systems/tools, directory and apps]
• Multiple usernames/passwords
• Multiple identity silos
• Disparate administration tools
• Challenge in timely deprovisioning accounts of ex-employees
And Concerns Over Security
• DuPont: “When a sales person leaves the company, it takes 10 days to de-provision their account in SalesForce.com. Until then, the sales person has access to his account. This is a real problem.”
• International Fragrances & Flavors, at an executive briefing, told us: “We cannot use SaaS until it uses our identity management systems.”
• “What’s keeping us from getting more large enterprise customers? Trust.” – David Carroll, Salesforce.com evangelist
What Is NCSS and How Does It Work?
How Does NCSS Work?
NCSS handles both use cases: a user logging directly into a cloud service, or a user logging into their enterprise system first.
[Diagram: Novell Cloud Security Services acts as the IdP (AuthN Service, User Store) between the Enterprise User Store, reached through the NCS Secure Bridge, and the SaaS Application (Relying Party / Participant). Steps: 1 User Authentication; 2 federation to the SaaS application over SAML 1, SAML 2 or WS-Fed; 3 User Access to SaaS Resources.]
NCSS Enterprise Connections with LDAP Identity Stores
• Secure Bridge Service
  – SSH Tunneling Services for Identity Verification for NCSS
  – Audit Reporting
• Secure Bridge Appliance (Post 1.0)
  – Identity Federation to NCSS
  – SSH Tunneling Services for Audit Reporting
[Diagram: Secure Bridge inside the Enterprise Firewall, connected to the Identity Store(s) and Audit Server(s)]
NCSS Enterprise Connections with Existing AM Solutions
• Secure Bridge Service
  – SSH Tunneling Services for Audit Reporting
• Access Management Solution Integration
  – Quick Start Integration for Common Identity Providers
  – SAML 2.0, POST capabilities required
[Diagram: Secure Bridge inside the Enterprise Firewall, connected to the Identity Store(s) and Audit Server(s)]
NCSS Provider Components
• Multi-tenant Director
  – Console hosting (Provider Console, Customer Console)
  – Audit Collection/Reporting
  – Cost Accounting Collection/Reporting
  – Multi-tenant Operations Management
• Per-tenant Security Brokers (one set per tenant: Tenant A, Tenant B, Tenant C)
  – Identity Federation
  – Event Routing for Audit/Billing/Operations
NCSS SaaS Connections
• Quick Customer On-boarding
• Per-Customer Services
  – Identity Federation (SAML 2.0)
  – Audit Reporting
• Large Supported Platform Base
  – Java Spring
  – Apache
  – ...
[Diagram: SaaS Connections behind the Hoster/MSP Firewall, carrying Identity and Events]
Architecture
CSS: Identity and Compliance Services System Architecture
[Diagram: the CSS Director (Administration, Operations Mgmt) and the Cloud Security Broker (Authentication, Federation, Event Distribution, High Availability, Limited Workflow, Attribute Aggregation) connect over an SSH Protocol Tunnel to the Secure Bridge Services (Protocol Mapping, Event Distribution, Workflow Initiation), and via Identity Federation and RESTful APIs to SaaS/PaaS Connections such as PivotLink, SharePoint and Google App Engine]
Secure Bridge Services Stack
• SSH Tunnel
• CSB Connection Manager
• LDAP Server Mapping
• HTTP Svcs Mapping
• Event Receptor
• Limited Workflow API
• Event Distribution
(Secure Bridge Services functions: Protocol Mapping, Event Distribution, Workflow Initiation)
CSS – Director Stack
• CSS Director
  – Administration
    > Provider Consoles: Customer Admin, Identity Services, CABE Services, Operations Management, Security Auditor, Billing Auditor, Help Desk
    > Customer Consoles: Identity Services, CABE Services, Security Auditor, Reports (billing, etc.)
    > Built with HTML, JavaScript and GWT
  – Operations Management: REST APIs, Event Receptor, Configuration Distributor
  – CABE Processors: Report Generation, Event Correlation/Aggregation, Event Receptor/Storage, Billing Processing
  – Operations Director: CSB Registry, Config Query APIs, Configuration Distribution, SB Query APIs, Backup/Restore, System Monitoring, Service Migration/Upgrade
  – Security Manager: Tenant Segregation, Cert/Key Distribution
• CSS Core: Instance Communication, Services Manager, Event Receptor (REST), Security Manager, Session Broker (Clustering), Data Store Mgmt (Clustering)
• Infrastructure Service Foundation: Messaging Stack (ActiveMQ), HTTP Stack (Apache), IaaS Management APIs (Cloud Vendor), SSH Tunnel, SQL Database (SQLite)
• CSS Service Foundation: Xerces, Xalan, XMLSec; Apache / Tomcat; JPA (Hibernate), JMS/CMS, JAX-RS, Axis, WS-*, Log4j/cxx
• Cloud Service Bus
CSS – Cloud Security Broker Stack
• Cloud Security Broker: Authentication, Federation, Event Distribution, High Availability, Limited Workflow, Attribute Aggregation
  – Event Receptor
  – Identity Event Distribution
  – High Availability: CSB Cluster (Customer Service Health Monitor, CSB Cluster Monitor); Director Annexation
  – Workflow: User Provision, User De-provision (Provisioning Triggers)
  – Federation Protocols: SAML 1.1, SAML 2, WS-*, CardSpace
  – Authentication Methods: LDAP, OAuth, X.509
  – Session Attribute Management: Aggregation
  – Event Processors (Security, Audit, Billing, Operations, with Customer & Provider Views)
  – CSB & Services Monitor/Scale
• CSS Core: Instance Communication, Services Manager, Event Receptor (REST), Security Manager, Session Broker (Clustering), Data Store Mgmt (Clustering)
• Infrastructure Service Foundation: Messaging Stack (ActiveMQ), HTTP Stack (Apache), IaaS Management APIs (Cloud Vendor), SSH Tunnel, SQL Database
• CSS Service Foundation: Xerces, Xalan, XMLSec; Java / Apache; JPA (Hibernate), JMS/CMS, JAX-RS, Axis, WS-*, Log4j/cxx
[Diagram series: Enterprise to SaaS/PaaS connections. On the enterprise side, the Secure Bridge (SB) runs the SB Daemon with an Identity Connector, an Event Connector, AEB Mapping, LDAP Mapping and Secure Data Marshaling, and is attached to the Enterprise Identity Store, the Audit Store and the Enterprise Console. On the SaaS/PaaS side, the Cloud Security Broker (CSB) fronts the SaaS Services. The four variants shown are: identity only, where the SB and CSB exchange identity over the Identity Federation Protocol; audit only, where audit events flow from the Audit Store through the SB to the CSB over a REST API with OAuth; identity and audit combined; and a fourth in which the CSS Director (CSSD) and its Provider Data Store participate, using Federation and REST APIs alongside the CSB.]
Why Novell® Cloud Security Service (NCSS)?
What Is NCSS and How Does It Work?
Architecture
Deployment Options
Agenda
NCSS Small Deployment
• 1 Multi-tenant Director
  – With configuration backup/restore services
• 1-N Customers/Tenants, each with:
  – 1 Secure Bridge and
  – 1-2 Security Brokers connecting to 1-20 SaaS applications
[Diagram: a single Director (Provider Console, Customer Console, Audit Collection/Reporting, Cost Accounting Collection/Reporting, Multi-tenant Operations) with per-tenant Security Brokers (Tenant A, Tenant B, Tenant C, ...) between Customer Connections and SaaS Connections]
NCSS Medium Deployment
• Multi-tenant Director Cluster**
  – 1-8 Directors
• 1-N Tenants, each with:
  – 1 Secure Bridge
  – 1-5 Security Brokers connecting to 1-50 SaaS applications
** Requires clustered DB server deployment
[Diagram: a Director Cluster (Provider Console, Customer Console, Audit Collection/Reporting, Cost Accounting Collection/Reporting, Multi-tenant Operations) backed by a Database Cluster, with per-tenant Security Brokers (Tenant A, Tenant B, Tenant C, ...) between Customer Connections and SaaS Connections]
SaaSConnections
...
Tenant A
Security Brokers
Tenant B
Tenant C
CustomerConnections
** Requires clustered DB server deployment
DirectorCluster
Database Cluster
Cost AccountingCluster
AuditCluster
NCSS Large Deployment• Multi-tenant Director Cluster**
– 1-5 Directors> Console hosting> Multi-tenant Operations
– 1-5 Audit Servers – 1-5 Billing Servers
• 50-N Tenants, each with:– 1 Security Broker– 1-5 Security Brokers connecting
to 1-100 SaaS applications
© Novell, Inc. All rights reserved.27
[Diagram: example end-to-end NCSS deployment. Novell Cloud Security Service (NCSS) runs a Director Cluster (Provider Console, Customer Console, Audit Collection/Reporting, Cost Accounting Collection/Reporting, Multi-tenant Operations) and per-tenant Security Brokers (Tenant A, Tenant B, Tenant C, ...). On the SaaS side: Surface Connectors to External SaaS Applications, SSO Only; Deep Connectors to Rackspace Internal and App Store Apps. On the customer side, three tenant profiles: Internal LDAP Directory Only (uses NCSS Secure Bridge); Internal Identity Management System with Federation (Novell Identity Manager); No User Accounts on Customer Premises.]
Questions and Answers
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.