1 The intersection of IAM and the cloud
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
Theory, practice, pros and cons with a focus on enterprise deployments of IAM and cloud computing.
Idan Shoham, CTO | 2011-04-19
2 Agenda
• Overview of cloud computing.
• Different types of IAM.
• Intersection of IAM and cloud computing.
• Discussion.
© 2011 Hitachi ID Systems, Inc. All rights reserved. 1
Slide Presentation
3 Hitachi ID Corporate Overview
Hitachi ID is a leading provider of identity and access management solutions.
• Founded as M-Tech in 1992, a division of Hitachi, Ltd. as of 2008.
• Hitachi, Ltd.:
– Founded in 1910.
– $105 billion revenue in FY2010.
– 360,000 employees.
• Hitachi ID has 840+ customers with a combined 10.4M+ licensed users.
• Offices in North America and partners overseas.
• Approximately 140 employees.
Award: SC Magazine Best Buy for the ID Management Suite.
4 Cloud
4.1 Cloud computing
The word cloud... Is a metaphor for the Internet, originating in old network diagrams.
The key concept... Is ambiguity – we do not specify where a service is running.
A cloud service provider... Hosts systems or applications for multiple customers:
• Must be able to ramp up and down quickly.
• OpEx replaces CapEx.
• Delivered over the Internet.
A business model... Cloud computing is not about new technology – it’s about who runs the apps and where.
4.2 Many meanings of ’cloud’
Cloud computing is a marketing buzzword. There is a whole taxonomy of what this might mean.
SaaS: Host a single application. Examples: Salesforce.com, Google Apps.
PaaS: Software development and runtime environment. Examples: Force.com, Microsoft Azure.
IaaS: On-demand virtual network landscape. Examples: Amazon EC2, Hosting.com.
Location is also a variable:
• Public.
• Private (is this still in the cloud?).
• Hybrid.
4.3 Why cloud computing?
Theory:
• SaaS: Expert at hosting the app. Zero setup time/effort. Always up-to-date.
• PaaS: Scalable.
• IaaS: Adaptive capacity.
• General: Lower cost. Pay for what you use.
Reality:
• SaaS: Frequent upgrades. Limited features.
• PaaS: Platform lock-in. Attractive for low-demand apps.
• IaaS: Always-on servers expensive. Dynamic capacity.
• General: Replace CapEx with OpEx.
4.4 Objections and FUD
Common concerns:
• Is it secure?
• High availability?
• Performance?
More serious problems:
• Does the contract support transfer of liability?
• Vendor viability?
• Integration with on-premise systems?
• Data portable to other providers?
• To what jurisdictions will data be moved?
Can you imagine a cloud provider staying in business after a security breach or if performance or availability are poor?
Cloud computing is a business model, not a technology. Real-world problems are mostly business problems.
5 IAM
5.1 Definitions
An integration layer linking user lifecycle events to changes in profiles and access rights.
Manage (account and entitlement administration):
• User profiles.
• Identity attributes.
• Login accounts.
• Authentication factors.
• Group/role memberships.
Authenticate with (authentication factor management):
• Passwords.
• Security questions.
• OTP tokens.
• Smart cards / PKI certificates.
• Biometrics.
• More (CAPTCHA, mobile phone, etc.)
Authorize (single sign-on and access control):
• Logins.
• Actions.
5.2 The User Lifecycle
At a high level, the user lifecycle is essentially the same in all organizations and across all platforms.
5.3 User Lifecycle: Business Challenges
• More IT → more users to manage.
• There are challenges throughout the user lifecycle.
• Support cost.
• User service.
• Security.
Challenges around the lifecycle diagram:
• Slow: too much paper, too many people.
• Expensive: too many administrators doing redundant work.
• Role changes: add/remove rights.
• Policies: enforced?
• Audit: are privileges appropriate?
• Org. relationships: track and maintain.
• Reliable: notification of terminations.
• Fast: response by sysadmins.
• Complete: deactivation of all IDs.
• Passwords: too many, too weak, often forgotten.
• Access: Why can’t I access that application / folder / etc.
6 Intersection
6.1 IAM in the Cloud
There is a lot of marketing buzz around "IAM in the cloud" but what does that actually mean?
• An on-premise IAM system managing user access to SaaS applications?
• A SaaS IAM system managing user access to on-premise applications?
• A SaaS IAM system managing user access to SaaS applications?
• A SaaS IAM system augmenting an on-premise system?
• Federated access management for corporate users to access SaaS?
• Access management for SaaS vendors?
6.2 Moving parts
Participants:
• The user signs into...
• an application after authenticating to...
• an authentication system which is managed by...
• an identity and access management system.
Locations:
• The corporate network.
• The Internet.
• The cloud service provider.
Each participant could be at any of the locations.
These locations are separated by routers and firewalls.
6.3 Baseline
[Diagram: user, authentication system, application and identity management system, placed across the private corporate network, the public Internet and the cloud-based software provider’s public network.]
6.4 Pros and Cons
Pros:
• Well-understood architecture.
• Direct integration (no firewalls to hop over).
Cons:
• Typical deployment only gets upgraded every 3–4 years.
• Costly physical infrastructure.
• Talent to manage this effectively is scarce.
6.5 IAM hosted in the cloud
[Diagram: user, authentication system, application and identity management system, placed across the private corporate network, the public Internet and the cloud-based software provider’s public network.]
6.6 Pros and Cons
Pros:
• No server hardware, DBMS to purchase/deploy.
• Always running current software.
• Fewer skilled workers needed in-house?
Cons:
• Integration with on-premise applications is hard.
• Where do you find a vendor that:
– Operates a reliable 24x7 NOC; and
– Has a consulting team to implement an IAM?
• Vendor lock-in?
6.7 Managing access to SaaS/cloud
[Diagram: user, authentication system, application and identity management system, placed across the private corporate network, the public Internet and the cloud-based software provider’s public network.]
6.8 Pros and Cons
If this means federated login to a SaaS app:
Pros:
• Convenient for users.
• May reduce admin burden (if no persistent IDs on the SaaS app).
Cons:
• Do mobile users have to set up a corporate VPN before they can sign into the SaaS app?
• What about non-VPN-capable devices?
If this means identity administration on a SaaS app:
Pros:
• Just another IAM integration.
• Always good to add "target systems."
Cons:
• One more connector.
6.9 Outsource the directory
[Diagram: user, authentication system, application and identity management system, placed across the private corporate network, the public Internet and the cloud-based software provider’s public network.]
6.10 Pros and Cons
Pros:
• Users might be happy to sign into corporate apps with their Facebook credentials.
• Reduce onboarding effort for new hires.
• Eliminate some costly infrastructure (e.g., AD DCs).
Cons:
• Do you trust SaaS authentication inside the corporate perimeter?
• Can legacy apps integrate with this?
• Will auditors accept this?
6.11 Remote access for mobile users
[Diagram: user, authentication system, application and identity management system, placed across the private corporate network, the public Internet and the cloud-based software provider’s public network.]
6.12 Pros and Cons
Pros:
• Mobile workforce.
• Lower facility cost.
• Staff retention.
• Productivity.
Cons:
• Need a VPN.
• Is the VPN redundant when apps move to SaaS?
6.13 There are 24 base cases
• Even with just one of each participant, there are 24 arrangements.
• Each has its own architectural pros and cons.
• These are in addition to the general pros and cons of moving any part of the infrastructure into the cloud.
6.14 Architectural considerations
Firewalls:
• Tend to be porous in one direction.
• Outbound connection easier than inbound.
• Lead to proxies.
Trust/compliance:
• Can you trust the CSP?
• To safeguard data?
• To stay in business?
Mobility:
• Users are mobile.
• Moving apps to the cloud helps.
Connectivity:
• Intense client/server traffic?
• Low bandwidth to Internet?
• High latency?
• Link reliability?
OpEx vs. CapEx:
• Budget impact?
• Tax treatment?
Dynamic capacity:
• Buying is cheaper for heavy use.
• Renting is cheaper for sporadic use.
Maturity:
• Process maturity?
• Staff skills?
Retooling:
• SaaS works best with federated access.
• Apps may not be ready.
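The "24 base cases" of 6.13 and the firewall point of 6.14 together, as an added example (written here, not code from the Hitachi ID deck): a Python enumeration of participant placements that assumes the user can be on any of the three networks while the application, authentication system and IAM system each sit either on-premise or at the cloud service provider (3 x 2 x 2 x 2 = 24), and flags, per arrangement, which links would need an inbound firewall rule, proxy or VPN into the corporate network. The IAM-to-application provisioning link is also an assumption.

```python
"""Enumerate the deployment arrangements behind the deck's "24 base cases" and
flag the links that must cross *into* the private corporate network.

Constructed model (an assumption, not stated in the deck): the user may be on
any of the three networks; the application, authentication system and IAM
system are each hosted on-premise or at the cloud service provider (3x2x2x2=24)."""
from itertools import product

CORP, INTERNET, CSP = "corporate network", "Internet", "cloud service provider"
PARTICIPANTS = ("user", "application", "authentication system", "IAM system")

# Allowed placement of each participant (assumption, see docstring).
PLACEMENTS = {
    "user": (CORP, INTERNET, CSP),
    "application": (CORP, CSP),
    "authentication system": (CORP, CSP),
    "IAM system": (CORP, CSP),
}

# Directed links as (initiator, responder). The first three follow the deck's
# chain (user -> application -> authentication system, managed by the IAM
# system); IAM -> application models provisioning and is an assumption.
LINKS = (
    ("user", "application"),
    ("application", "authentication system"),
    ("IAM system", "authentication system"),
    ("IAM system", "application"),
)


def arrangements():
    """Yield every placement of the four participants as a dict."""
    for locs in product(*(PLACEMENTS[p] for p in PARTICIPANTS)):
        yield dict(zip(PARTICIPANTS, locs))


def inbound_to_corporate(arrangement):
    """Links initiated outside the corporate network but answered inside it.
    Each needs an inbound firewall rule, a reverse proxy or a VPN: the deck's
    point that firewalls are porous outbound, not inbound."""
    return [(src, dst) for src, dst in LINKS
            if arrangement[src] != CORP and arrangement[dst] == CORP]


def summarize():
    """Pair each arrangement with its count of perimeter-crossing inbound links."""
    return [(arr, len(inbound_to_corporate(arr))) for arr in arrangements()]


if __name__ == "__main__":
    for arr, n in summarize():
        where = ", ".join(f"{p} @ {arr[p]}" for p in PARTICIPANTS)
        print(f"{where}: {n} inbound link(s) into the corporate perimeter")
```

Only 8 of the 24 arrangements need no inbound crossing: the all-on-premise baseline (with or without a cloud-hosted authentication system) and the six where every system is at the provider.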
6.15 Opinions
Baseline:
• Safe.
• Expensive.
• Slow.
• Mature?
IAM hosted in the cloud:
• Limited examples today.
• Hosting vendors not good at consulting / implementation.
• Consultants not good at hosting / operations.
Managing access to SaaS/cloud:
• No different than managing access to internal apps.
Outsource the directory:
• New, higher risk profile.
• Sign into work system with Facebook account?
Remote access for mobile users:
• Everyone already does it.
• Vendors can outsource VPN, virtual desktop.
7 Content On-Line
• Free White Paper: Intersection of identity management and cloud computing: http://tinyurl.com/4cm7baa
• This presentation: http://tinyurl.com/3rqmkfy
• QUESTIONS?
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]
File: PRCS:pres  Date: April 18, 2011