• Why SSO?
• A Challenge for the Enterprise
• Deployment models
• Hybrid IAM
• Q & A
Optimizing IAM with Single Sign-On from the Cloud to On-Premise
Copyright ©2013 Mycroft Inc. All rights reserved
Moderator: Shanley Stern, Sr. Director Marketing, Mycroft Inc.
Presenter: Lester Rivera, Sr. Business Solutions Architect, Mycroft Inc.
Presenter: Herb Mehlhorn, Product Manager, CA Technologies
INTRODUCTIONS
Why Single Sign-On?
SSO – SIMPLY STATED
Copyright ©2013 CA. All rights reserved
Mobile employee or Customer
Partner User
Internal Employee
Enterprise or Partner Apps
Cloud Apps/Platforms & Web Services
SaaS
Data
Identities
App/Resource
App/Resource
Client Side
A Challenge for the Enterprise
WHAT TO LOOK FOR IN SSO PRODUCTS – CLIENT SIDE
User, Administrator, Resources
Supported Devices
• Desktop/Laptop
• Tablet
• Smart Phone
Supported User Interfaces
• Browser
• Mobile Application
• Terminal Emulator
WHAT TO LOOK FOR IN SSO PRODUCTS – RESOURCE SIDE
User, Administrator, Resources
Apps/Resources
Location of App
• On Premise
• Partner Site
• Partner App
• PaaS Site
• SaaS App
Access Path
• REST API via Gateway
• HTTP over corp. network
• HTTP over Internet
• Web Services
WHAT TO LOOK FOR IN SSO PRODUCTS – FROM CLIENT TO RESOURCE
User, Administrator, Resources
Authentication
• Password
• SmartCard + X.509
• ArcotID®
• OpenID
• OAuth
User Experience
• Single Sign-On
• Personalized Experience
• Single Logoff
Enforcement
• Web Agent
• Proxy
• Gateway
• Native to the App
Context of the authentication
WHAT TO LOOK FOR IN SSO PRODUCTS – ADMINISTRATION
User, Administrator, Resources
• Managing SSO
- Ability to manage the authentication and access via a UI or programmatic interface
• …with efficiency
- for all resource types via a single UI
- for all access paths via a single UI
- for all authentication policies via a single UI
• …with confidence
- provide ability to flexibly segregate and delegate administration
- generating necessary log and audit data for governance and compliance purposes
SSO also requires:
DON’T FORGET THESE OTHER KEY REQUIREMENTS
User, Administrator, Resources
• Identity life cycle management
• Effective monitoring
• Efficient delivery if using physical authentication methods
WHAT’S AVAILABLE IN THE MARKET
TIME:
• Thick Client SSO
• Web/HTML Client SSO
• Web/HTML Client SSO via Federation
• Web/SOAP Client SSO via WS-*
• Web & Mobile native SSO via REST & API
• Similarities across each of these developments:
- SSO experience for the end user
- Needed security characteristics of the solution
• Differences
- Location of the resource
- Access path to the resource
Deployment Models
CHOOSE YOUR DEPLOYMENT MODEL
On-Demand
• Deployed in third-party datacenter
• Subscription pricing model, no hardware required
• Federated SSO everywhere
• No VPN, no Firewall changes
• Fully managed
On-Premise
• Deployed at enterprise datacenter
• Allows for customization
• Requires professional services, longer deployment times
Hosted
• Deployed in third-party datacenter (private cloud)
• Connected to enterprise through VPN
• Available as Managed Service
CHOOSE YOUR DEPLOYMENT MODEL
On-Demand
Important to me:
• Tactical solution
• Very quick to market
• OpEX rather than CapEX
• Standardized & out-of-the-box (OOB)
• Local market
• No hardware hassle
• Very small TCO
On-Premise
Important to me:
• Strategic solution
• Innovation
• Individuality
• Differentiate also by services
• Tend to prefer CapEx
• International market
• Ownership
Hosted
Important to me:
• Quick time to market
• Some individuality
• Some innovation
• Tend to prefer OpEx
• Sense of ownership
• TCO
• Differentiate from competition by assortment & price
HOW DO THEY COMPARE?
Not only about CAPEX vs. OPEX
• About optimizing 3 Es
- Effectiveness
- Economy
- Efficiency
Models compared: On-Premise, Hosted, On-Demand
Benefits of Hosted
• Infrastructure: Hardware acquisition not required
• Implementation: SMEs readily available
• Operation: 24x7 SOC, no internal management needed
• Security: Top tier
Most effective, economical & efficient
More effective, economical & efficient
Effective, economical & efficient
THINGS TO CONSIDER
SSO…is even MORE important
• Federate, Federate, Federate, Federate, Federate, Federate, Federate, F.E.D.E.R.A.T.E.
• Request for access needs to be simple, powerful, pervasive…not just about user accounts!
• SAML, OAuth, OpenID, WS-FED (Office365)
Provisioning goes Just-In-Time
• More SaaS applications support it
• BUT, no real automated de-provisioning
Identity Governance continues to be important
• Governance, risk, & compliance (GRC)
• Ignores the enterprise “fence”; data and users are mobile
Think APIs…Everything is an API
• Keep simple & authorize well
• BUT not every API requires user accounts; sometimes you authorize device, source, etc.
• AND sometimes the point is really to identify the source
Security is Policy-based
• Security takes place outside of the app
• Programmatic vs. declarative
Hybrid IAM
HYBRID IAM
On-Premise Enterprise Apps
Customers
Partners
Federated SSO
Advanced Authentication
Employees
Privileged Identity Mgt
Identity Governance
Identity Management
Identity Management
Identity Governance
Advanced Authentication
Access Management
Privileged Identity Mgt
On-Premise Connector
Cloud Platforms
SaaS
Enterprise Datacenter
MYCROFT XSPECTRA ON-DEMAND SERVICE ARCHITECTURE
A single log-on, launch any SaaS application available to you
MYCROFT XSPECTRA ON-DEMAND SERVICE
IN A NUTSHELL
SSO…is critical
• Simple, powerful access to applications with a single log-on - whether on-premise, in the cloud or hosted
• Increased user productivity & overall company efficiency
• Essential for security
Deployment Models
• Your organization has options
• Cloud vs on-premise vs on-demand. Examine the pros and cons as they relate to your environment, as well as the overall efficiency, effectiveness & economy of each option
Hybrid IAM
• It doesn’t matter where your application is – behind the firewall or in the cloud
• Scalable – seamless end-user experience between on-premise & cloud-based applications
Security is Policy-based
• Security takes place outside of the app
• Programmatic vs. declarative