Managing Security in the Cloud
A Virtualized Identity and Context Service
Case Studies
• Internal Constituents
  • Employees
  • Contractors
  • Partners
• External Constituents
  • Customers
  • Vendors
  • Partners
  • Employees
  • Contractors
Internal Case Study
• Fortune 5000 Enterprise
  • SaaS when possible
    • Replaced Peoplesoft with Workday
    • Replace Remedy with ServiceNow
    • Replace Siebel with Salesforce
    • Replace ____ with _______...
• Opportunity/Challenge
  • Business
    • Leverage SaaS/Cloud applications to provide key business functions at a lower cost
    • Provide SSO and profile management across disparate SaaS/Cloud applications
  • Technical
    • Reduce multiple passwords
    • Reduced support cost for User Management
    • Single place to enforce Security Policies
    • Single source of Identity Analytics & Identity Governance
    • Single Multi-Factor Authentication Support
    • Leverage investment in existing enterprise identity infrastructure

What the marketing brochures told them…
• SaaS Vendor says –
  • Integration is easy; we support industry standards such as SAML
  • Or, we have Web Services you can call
  • Or, expose your Corporate AD on the internet
• Every Access Management product has multiple technology options for SaaS SSO Integration including “SAML” support
  • Oh! Buy this add-on to our product…

First SaaS SSO Project
• Business and IT VP:
  • We bought a SaaS product and we are going live in 30 days.
  • Vendors say that they support all the standards for SSO; piece of cake
• The IDM Guy:
  • Does my Access Management product meet this requirement?
  • Oh, but I have only a week to do this
  • No time to discuss with vendors
  • No time to go through procurement
  • Let’s build something for now…
  • Vendor – can we have a “Design Pattern chat…”
• Agreement Reached
• Result:
  • Solution implemented; everyone is happy
  • But…
    • TCO has gone up
    • Many more SaaS deployments – each one is different
What Was Needed
• Expose internal directories to cloud/SaaS apps
• Create, Update, Delete accounts in Cloud/SaaS apps based on events inside the enterprise
• Support federated authentication and authorization
• Build unified identity profile across enterprise and Cloud/SaaS apps
• Key Technology Enablers
  • SiteMinder
  • Radiant Logic
    • Virtual Directory
    • Synchronization
• User Management / Provisioning
  • The Radiant Logic technology
  • Web Services based provisioning (SPML)
• Single Sign On
  • Leverage the SiteMinder technology as the policy enforcement & decision point
  • Communicate with the SaaS provider using multiple methods…
Built Architecture to Enable Multiple Initiatives
Architecture diagram: a SiteMinder R12 Cluster and a Virtual Directory (VDS) Cluster, each behind a Load Balancer; identity sources Sun LDAP and Active Directory (with AD Replication); a SAAS Gateway (JBoss) in front of the Chandler SAAS Apps, SaaS App 1 (Web Server) and SaaS App 2 (Web Server).
Lessons Learned
• SaaS vendors support SSO, but not all support SAML consistently
• Plan early; coordinate the technical design approach as early as practical in the procurement cycle
• Don’t build for the first SaaS integration; plan ahead – you know more are coming!
• Refactor and reevaluate as SaaS vendors and COTS products evolve their offerings
External Case Study
• Fortune 5000 Enterprise
  • Customers are large enterprises
  • Enterprise owns many products
  • Many people within enterprise work with each product
  • M&A a significant part of the strategy
  • Partners are important and influential
• Opportunity/Challenge
  • Business
    • Leverage SaaS/Cloud applications to build a web based platform for constituents to interact with company
    • Create a cohesive experience for all constituents across disparate SaaS/Cloud applications
  • Technical
    • Leverage SaaS/Cloud
    • Leverage standards based Federation
    • Leverage investment in existing enterprise identity infrastructure
The Experience

Challenges
Integrating & managing disparate populations and their profiles/entitlements across data silos.
Diagram: a WAM / Portal / Federation / Cloud layer serving Partners, Customers, Vendors and Employees, whose identities are spread across Security Domain A, Security Domain B and Security Domain C.

The Challenge of Multiple Identity & Security Silos
Services are not flexible and are tightly coupled with the underlying data silos.
Diagram: Security Domains A, B and C, each holding its own Population (A, B, C) with its own Groups, Roles and Context, and each feeding its own set of Applications.
Identity as a Service through Virtualization: The Key to Solving the Identity Integration Challenge
Acting as an abstraction layer between applications and the underlying identity silos, virtualization isolates applications from the complexity of back-ends.
Diagram: a Virtualization layer (Aggregation, Correlation, Integration) sits over Populations A, B and C with their Groups, Roles and Contexts, and exposes them as Services over LDAP, SQL and Web Services/SOA to App A through App F.
Deployment diagram: external-facing applications are Customer Surveys (Customers and Partners), Communities Portal (Customers, Partners and Employees), Education Portal (Customers, Partners and Employees), Partner Portal (Partners), Internal Salesforce CRM / Ideation / PRM (Customers, Partners and Employees), and www.ca.com with SiteMinder Web Agent (Common Login and Registration). In the DMZ, a SiteMinder Web Agent with Federation Security Services (SAML Gateway) federates with these applications over SAML 1 and SAML 2. Behind it sit the SiteMinder Policy Server and Radiant Logic VDS, which reads over LDAP from Active Directory (Employees), CA Directory (Customers, Partners and Employees) and the Acquisition Identity Sources.
Virtualize Your Identity for a New World of Opportunity

Manage Globally, Act Locally
• Building a Global Identifier
• Building a Global Profile
• Deployment and Protocol Support: LDAP but also SQL, Web Services, REST
Diagram: Identity Correlation at the core, exposed through a Common Access Protocol (LDAP, SQL & Web Services) to Role Management / Delegated Administration, Services Provisioning, Web Access Management and Portal.

A World of Services and Opportunity
Opening the whole world
Cloud and Federation Service
Together with VDS, RadiantOne CFS builds robust tokens, delivering attributes from across your identity infrastructure to claims-aware applications, and enabling SSO and fine-grained authorization in the cloud.

Identity and Context Service as Authentication and Attribute Server
VDS can act as the authentication provider supporting an IdP, as a complete IdP, or as an attribute server for the Relying Party.
Identity and Context Virtualization Process
• Identity Correlation: link identity to context
• Regroup Objects into Sentences, and Sentences into Contexts
• The global data model and identity linking
• Contextual views based on existing relationships
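To make the aggregation, correlation, global identifier and token-attribute ideas above concrete, here is an added toy virtual-directory layer in Python; it is not code from the deck or from Radiant Logic's products, and every record, name and function in it is a constructed assumption. It correlates an AD-style silo and a CRM-style silo on e-mail, mints one global identifier per person, builds a merged profile, derives the attribute set a token service could hand to a relying party, and regroups the linked objects into context sentences of the "SalesRep X has account Y" form.

```python
# Constructed sample data for two silos, an AD (LDAP attributes) and a CRM table (SQL columns); all values invented.
AD_EMPLOYEES = [
    {"sAMAccountName": "ndavolio", "mail": "Nancy.Davolio@EXAMPLE.COM",
     "memberOf": ["CN=SalesReps,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "afuller", "mail": "andrew.fuller@example.com",
     "memberOf": ["CN=Managers,OU=Groups,DC=example,DC=com"]},
]
CRM_CONTACTS = [
    {"contact_id": 101, "email": "nancy.davolio@example.com",
     "account": "The Great Outdoors", "role": "SalesRep"},
    {"contact_id": 202, "email": "buyer@greatoutdoors.example",
     "account": "The Great Outdoors", "role": "Customer"},
]

def norm_email(addr):
    """Correlation key: case-insensitive, whitespace-stripped e-mail address."""
    return addr.strip().lower()

def virtualize(ad_entries, crm_rows):
    """Aggregate both silos and return {global_id: profile}, one entry per person."""
    profiles, by_email = {}, {}
    def profile_for(email):
        key = norm_email(email)
        if key not in by_email:  # first sighting of this person: mint a global identifier
            gid = "gid-%04d" % (len(profiles) + 1)
            by_email[key] = gid
            profiles[gid] = {"globalId": gid, "mail": key, "sources": [],
                             "groups": set(), "roles": set(), "accounts": set()}
        return profiles[by_email[key]]
    for e in ad_entries:  # silo 1: keep the AD login and the CN of each group DN
        p = profile_for(e["mail"])
        p["sources"].append("AD")
        p["uid"] = e["sAMAccountName"]
        p["groups"].update(dn.split(",")[0][len("CN="):] for dn in e["memberOf"])
    for r in crm_rows:  # silo 2: correlate on e-mail, then add CRM role/account context
        p = profile_for(r["email"])
        p["sources"].append("CRM")
        p["roles"].add(r["role"])
        p["accounts"].add(r["account"])
    return profiles

def claims_for(profile, attrs=("globalId", "mail", "groups", "roles")):
    """Attribute set a token service would hand to a claims-aware relying party."""
    return {a: sorted(v) if isinstance(v, set) else v for a, v in profile.items() if a in attrs}

def context_sentences(profile):
    """Regroup linked objects into sentences such as 'SalesRep X has account Y'."""
    who = profile.get("uid", profile["mail"])
    return sorted("%s %s has account %s" % (role, who, acct) for role in profile["roles"] for acct in profile["accounts"])
```

Because the AD silo is read first, the employee's global identifier is minted from the AD entry and the CRM row is merged into it rather than creating a second identity; a CRM-only contact still gets its own identifier with no AD login attached.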
Identity and Context Virtualization Service Example
Diving into one sentence from the contextual search result
Navigating the different sentences returned in the context search:
• Account the Great Outdoors purchased Order 21
• SalesRep Nancy Davolio has account The Great Outdoors