Managing Security in the Cloud

A Virtualized Identity and Context Service

Case Studies

• Internal Constituents

• Employees

• Contractors

• Partners

• External Constituents

• Customers

• Vendors

• Partners

• Employees

• Contractors

Internal Case Study

• Fortune 5000 Enterprise

• SaaS when possible • Replaced Peoplesoft with Workday

• Replace Remedy with ServiceNow

• Replace Siebel with Salesforce

• Repalce ____ with _______...

• Opportunity/Challenge

• Business

• Leverage Saas/Cloud applications to provide key business functions at a

lower cost

• Provide SSO and profile management across disparate SaaS/Cloud

applications

• Technical

• Reduce multiple passwords

• Reduced support cost for User Management

• Single place to enforce Security Policies

• Single source of Identity Analytics & Identity Governance

• Single Multi-Factor Authentication Support

• Leverage investment in existing enterprise identity infrastructure

• SaaS Vendor says – • Integration is easy; we support industry standards such as SAML

• Or, we have Web Services you can call

• Or, expose your Corporate AD on the internet

• Every Access Management product has multiple technology options for SaaS SSO Integration including “SAML” support

• Oh! Buy this add-on to our product…

What the marketing brochures told them…

• Business and IT VP:

• We bought a SaaS product and we are going live in 30 days.

• Vendors say that they support all the standards for SSO; piece of cake

• The IDM Guy:

• Does my Access Management product meet this requirement?

• Oh but I have only a week to do this

• No time to discuss with vendors

• No time to go through procurement

• Let’s build something for now…

• Vendor – can we have a“Design Pattern chat…….”

• Agreement Reached

• Result:

• Solution Implemented; Everyone is happy

• But…

• TCO has gone up

• Many more SaaS deployments – each one is different

First SaaS SSO Project

What Was Needed

• Expose internal directories to cloud/SaaS apps

• Create, Update, Delete accounts in Cloud/SaaS apps based on

events inside the enterprise

• Support federated authentication and authorization

• Build unified identity profile across enterprise and Cloud/SaaS

apps

• Key Technology Enablers • SiteMinder

• Radiant Logic • Virtual Directory

• Synchronization

• User Management / Provisioning • The Radiant Logic technology

• Web Services based provisioning (SPML)

• Single Sign On • Leverage the SiteMinder technology as the policy enforcement & decision point

• Communicate with the SaaS provider using multiple methods…

Built Architecture to Enable Multiple

Initiatives

SiteMinder R12 Cluster

Virtual Directory (VDS) Cluster

Sun LDAP Active Directory

Load Balancer

Load Balancer

AD Replication

SAAS Gateway (JBoss) ChandlerSA

AS

Ap

ps

SaaS App 1 (Web Server)

SaaS App 2 (Web Server)

• SaaS vendors support SSO, but not all support SAML consistently

• Plan early, coordinate technical design approach as early as practical in the procurement cycle

• Don’t build for the first SaaS integration; plan ahead – you know more

are coming!

• Refactor, reevualte as SaaS vendors and COTS products evolve their offerings

Lessons Learned

External Case Study

• Fortune 5000 Enterprise

• Customers are large enterprises

• Enterprise owns many products

• Many people within enterprise work with each product

• M&A a significant part of the strategy

• Partners are important and influential

• Opportunity/Challenge

• Business

• Leverage Saas/Cloud applications to build a web based platform for

constituents to interact with company

• Create a cohesive experience for all constituents across disparate

SaaS/Cloud applications

• Technical

• Leverage SaaS/Cloud

• Leverage standards based Federation

• Leverage investment in existing enterprise identity infrastructure

The Experience

Challenges

Integrating & managing disparate populations and their

profiles/entitlements across data silos.

WAM/ Portal / Federation/Cloud

Partners Customers Vendors Employees

Security Domain A Security Domain B

Security Domain C

The Challenge of Multiple Identity

& Security Silos

Services are not flexible and are tightly coupled with the underlying data silos

Security

Domain A

Security

Domain B

Security

Domain C Groups Roles Context

Population

C

Groups Roles Context

Groups Roles Context

Population

B

Population

A

Applications

Applications

Applications

Identity as a service through Virtualization The Key to Solving the Identity Integration Challenge

Acting as an abstraction layer between applications and the underlying identity

silos, virtualization isolates applications from the complexity of back-ends

Aggre

gation

Co

rre

latio

n

Inte

gra

tion

Virtualization

Population

C

Population

B

Population

A

Groups Roles

LDAP

SQL

Web

Services

/SOA

App A

App B

App C

App D

App E

App F

Contexts

Se

rvic

es

Customer Surveys(Customers and Partners)

Communities Portal(Customers, Partners and Employees)

Education Portal(Customers, Partners and Employees)

Partner Portal(Partners)

DMZ

SiteMinderPolicy Server

Radiant LogicVDS

Active Directory(Employees)

CA Directory(Customers, Partners and Employees)

SiteMinderWeb Agent w/

Federation SecurityServices

(SAML Gateway)

InternalSalesforce

CRMIdeation

PRM(Customers, Partners and Employees)

www.ca.comw/SiteMinderWeb Agent

(Common Login and

Registration)

SAML 2

SAML 2

SAML 1

SAML 1

SAML 2

LDAP

LDAP

LDAP

SiteMinder

SiteMinder

Acquisition Identity Sources

Virtualize Your Identity for a New World of Opportunity

Manage Globally, Act Locally

Building a Global Identifier

Building a Global Profile

Deployment and Protocol Support

LDAP but also SQL, Web Services, REST

Role Management/

Delegated Administration

Services Provisioning

Web Access Management

Portal

Identity

Correlation

Common Access Protocol

(LDAP, SQL & Web Services)

A World of Services and Opportunity

Opening the whole world

Cloud and Federation Service

Together with VDS, RadiantOne CFS builds robust tokens, delivering attributes

from across your identity infrastructure to claims-aware applications, and enabling

SSO and fine-grained authorization in the cloud.

Identity and context service as

Authentication and Attribute Server

VDS can act as the authentication provider supporting an IdP, as a complete

IdP, or as an attribute server for the Relying Party.

Identity and Context Virtualization Process

Identity Correlation

Link identity to context

Regroup Objects into Sentences, and sentences into Contexts

The global data

model and identity

linking.

Contextual views based

on existing relationships

Identity and Context Virtualization Service

Example

2

4

Diving into one sentence from the contextual

search result

Navigating the different sentences returned in the

context search:

Account the Great Outdoors purchased Order 21

Navigating the different sentences returned in the

context search:

SalesRep Nancy Davolio has account The Great

Outdoors