Identity and Securing Continuous Services in Discontinuous Infrastructure Steve Coplan, Analyst
CLIENT EVENT: BOSTON, DECEMBER 1, 2010
Analyzing the business of Enterprise IT Innovation
Unique Analysis of the Hosting, Managed Service, Third-Party Datacenter and Internet Infrastructure sectors
The 451 Group
About
§ Longstanding member of the 451 analyst team
§ Startup experience at acquired security vendor
§ Expertise in M&A, networks
§ Only security analyst with a degree in Zulu
3 Client Event: Security | Boston 2010
Agenda
§ What do we mean by identity in the cloud?
§ Cloud security models from an IAM perspective
§ Security models and compliance
§ Cloud, security and identity in the cloud
§ The transition from identity in the cloud to cloud identity
§ What's the identity in the cloud opportunity?
The Intersection of Cloud and Identity
Cloud can be a:
● Shared resource (customer, partner, employee)
● Private cloud
● Off-premise servers, storage, applications
● Hybrid
Cloud users can be:
● IT administrators buying cloud resources
● Enterprise users consuming SaaS applications
● Developers running applications/QA on PaaS
● Cloud service providers running a set of services for enterprises
§ Identity management vendors still dealing with technical challenges of portable identity
§ Cloud service providers see need for portable identity associated with portable image
Enterprise identity
§ Authenticated employee
§ Group member
§ Provisioning target
§ Role-defined
§ Authorization set
Cloud service providers
§ Customer
§ Service provisioning construct (revenue event)
§ Customer profile
§ Service contention priority
§ SLA input
Objective and Outcome-Oriented Security
Outcome:
§ Ensure everyone does what they are supposed to
§ Establish a normative set of behaviors around the transfer and consumption of information
• How to translate this outcome to a set of continuous services?
Objective:
§ Secure the infrastructure and IT operations
§ Keep out the bad guys
• How to translate this objective to a discontinuous infrastructure?
Defining Outcome-Oriented Security
§ Outcome-oriented security is contingent on a set of policy statements
§ Policy - A principle or rule to guide decisions and achieve rational outcome(s)
Central policy definition is great, but what about exceptions?
Policy is king, but a king in a constitutional monarchy
§ Business owners, application owners need delegation capabilities
Outcome-Oriented Security and Compliance
Growing overlap in spending, definitions and operations between compliance and policy
§ The need to automate compliance processes leads to governance, e.g. access certification
§ Visibility is compliance’s greatest gift
Defining Outcome-Oriented Security
Questions remain:
§ How can we enforce stated policy?
A stated policy does not an enforced policy make
How do we define current state against stated outcome?
Visibility is only a precursor to enforcement
§ Where does trust, privacy and liability fit in?
What does this have to do with identity and the cloud?
Identity is important because:
§ Compliance requirements invoke identity attributes or definitions, access controls and authentication
§ Identity is the pivot construct in defining access controls for the cloud
• Need to know who you are to describe what you can/can't do
§ Identity is a single control construct for multiple resources
• SSO functions as a normalized event stream for a user
• Cloud hybridization, desktop virtualization and device proliferation escalate the need for a consolidated identity and abstracted attributes
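The two points above (identity as the single control construct across resources, and SSO as a normalized per-user event stream) are easier to see in code. The following is an added example, not from the presentation: it takes a SAML assertion and an OIDC ID-token claim set for the same subject, abstracts their provider-specific attributes into one identity record, and then evaluates one policy against several cloud resources, emitting a normalized decision stream. The IdP URL, resource names, group names and the policy are hypothetical, the assertion and claims are constructed inline, and signature validation of both is assumed to have been done by the federation gateway before this code runs.

```python
"""Added example: consolidate federated identity (SAML + OIDC) into one
record and use it as the single control construct for access decisions
across several cloud resources.  All inputs are constructed; the
assertion/token signatures are assumed to be verified upstream."""
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML 2.0 assertion fragment (hypothetical IdP; no Signature element)
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>finance</saml:AttributeValue>
      <saml:AttributeValue>employees</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed OIDC ID-token claims (payload only; JWT signature assumed verified)
OIDC_CLAIMS = json.dumps({
    "iss": "https://idp.example.com", "sub": "alice@example.com",
    "groups": ["employees", "contractors"], "dept": "Finance", "amr": ["mfa"]})


@dataclass
class Identity:
    """Abstracted identity: issuer + subject are the pivot, attributes are normalized."""
    issuer: str
    subject: str
    groups: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)


def from_saml(xml_text: str) -> Identity:
    """Map a SAML assertion onto the abstracted identity record."""
    root = ET.fromstring(xml_text)
    ident = Identity(issuer=root.findtext("saml:Issuer", namespaces=SAML_NS).strip(),
                     subject=root.find("saml:Subject/saml:NameID", SAML_NS).text.strip())
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        if attr.get("Name") == "groups":
            ident.groups.update(values)
        else:
            ident.attrs[attr.get("Name").lower()] = values[0] if len(values) == 1 else values
    return ident


def from_oidc(claims_json: str) -> Identity:
    """Map OIDC claims onto the same record; claim names are provider-specific."""
    c = json.loads(claims_json)
    ident = Identity(issuer=c["iss"], subject=c["sub"], groups=set(c.get("groups", [])))
    if "dept" in c:
        ident.attrs["department"] = c["dept"]      # abstract "dept" -> "department"
    if "mfa" in c.get("amr", []):
        ident.attrs["mfa"] = True                  # authentication strength as an attribute
    return ident


def merge(a: Identity, b: Identity) -> Identity:
    """Consolidate two federated views of one subject from the same trusted issuer.
    Refuses to merge across issuers: a second IdP must not be able to add groups."""
    if (a.issuer, a.subject) != (b.issuer, b.subject):
        raise ValueError("refusing to merge different issuer/subject pairs")
    return Identity(a.issuer, a.subject, a.groups | b.groups, {**a.attrs, **b.attrs})


# Hypothetical single policy applied to resources in SaaS, PaaS and IaaS alike.
POLICY = {
    "saas:ledger": {"groups": {"finance"}, "mfa": True},
    "paas:build-env": {"groups": {"employees"}},
    "iaas:prod-vpc": {"groups": {"sre"}, "mfa": True},
}


def decide(ident: Identity, resource: str, policy=POLICY) -> bool:
    """Deny by default: unknown resource, no matching group, or missing MFA all fail."""
    rule = policy.get(resource)
    if rule is None or not (rule["groups"] & ident.groups):
        return False
    if rule.get("mfa") and not ident.attrs.get("mfa"):
        return False
    return True


def event_stream(ident: Identity, resources, policy=POLICY) -> list:
    """Normalized per-user event stream: one record per access decision."""
    return [{"subject": ident.subject, "issuer": ident.issuer, "resource": r,
             "decision": "allow" if decide(ident, r, policy) else "deny"}
            for r in resources]
```

The interesting edge is the SAML-only identity: it carries the right group for the ledger but no MFA attribute, so it is denied until the OIDC view (which records the `mfa` authentication method) is merged in. Merging is restricted to the same issuer and subject so that attribute union cannot become a privilege-escalation path across identity providers.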
What does this have to do with identity and the cloud?
Identity in the cloud is important because:
§ Identity is the common point of reference for discontinuous infrastructure
§ Identity is a key parameter for making sense of visibility
§ "Who" is the first question from a business context and, by extension, from policy
The Intersection of Cloud and Identity
Different understanding of the function of identity
§ Identity management vendors still dealing with technical challenges of portable identity
§ Cloud service providers see need for portable identity associated with portable image
Identity management vendors are from Mars
§ View identity as a middleware layer or service
§ View cloud, virtualization and mobile
Cloud service providers are from Venus
§ View identity as a platform component
§ View identity as a service enablement construct
Need for a match.com broker?
Identity in the cloud: A maturity model
§ Operational Portability
§ Managed Portability (Infrastructure)
§ Native Portability (Architecture)
From Identity In the Cloud to Cloud Identity: Maturity Model
Maturity stage 1: Operational Portability
§ Customers: Enterprise (identity providers); service providers (relying parties); SaaS providers; PaaS providers
§ Technology elements: SSO; authentication; federation (SAML, OpenID, OAuth, WS-Fed); application access control
§ Providers: Identity management vendors (incumbents, venture-funded partners); platform vendors
§ Delivery model: Hybrid, via on-premise gateways, federation gateways and federation hubs
Maturity stage 2: Infrastructure (Managed Portability)
§ Customers: Identity providers; cloud service providers; identity-as-a-service providers
§ Technology elements: Authorization (XACML); provisioning/governance; cloud access gateways; trust brokers; user privacy stores
§ Providers: PaaS/SaaS providers; identity management vendors; cloud service providers
§ Delivery model: From the cloud (authentication, SSO, trust services); to the cloud (provisioning); in the cloud (directory in the cloud)
Maturity stage 3: Architecture (Native Portability)
§ Customers: Enterprise; cloud service providers
§ Technology elements: Embedded middleware; attribute sources; attribute assurance; trust brokers; cloud federation
§ Providers: Cloud service providers; PaaS providers; identity providers; identity-as-a-service vendors; incumbents
§ Delivery model: In the cloud (service federation, image federation); run-time authentication, authorization and provisioning
Cloud Identity: Characteristics
§ Security
§ Granularity
§ Automation
Identity in the cloud: A tale of many markets
§ Enterprise ID extension
§ Services (to, from, in the cloud)
§ Transactional (identity providers)
Identity in the cloud: Meta-issues
§ Liability
§ Trust/Assurance
§ Value
From Identity In The Cloud to Cloud Identity: Requirements
Maturity stage: Portability
§ Characteristics: Automation (+++); Security (+); Granularity (+/-)
§ Affinities: Compliance automation; governance
§ Meta-issues: Liability (++); Trust/Assurance (++); Value (+)
Maturity stage: Infrastructure
§ Characteristics: Automation (+++); Security (++); Granularity (+)
§ Affinities: Policy management; information management; software infrastructure as a service
§ Meta-issues: Liability (++); Trust/Assurance (++); Value (++)
Maturity stage: Architecture
§ Characteristics: Automation (++++); Security (++); Granularity (+++)
§ Affinities: Service enablement; big data
§ Meta-issues: Liability (+++); Trust/Assurance (+++); Value (+++)
Identity In the Cloud: Strategic But Also Lucrative?
Arms dealer
§ Incumbents transitioning from enterprise sales model
§ Architecture question still unresolved
§ Build or embed?
Services to, from and for the cloud
§ Diversity of new players
§ New market segments open
Transactional model
§ Consumerization of enterprise identity
§ Trust substrate
§ Tollgate model
Identity In the Cloud: Winners and Losers?
It's how you play the game
End users
§ Getting automation and granularity right yields security
§ Sets the stage to answer the question "what could you do in the cloud?"
Identity management vendors
§ Architectural issues and sales model are major challenges
§ Their game to lose
Independent identity-as-a-service/federation/authorization vendors
§ New markets, technology categories opening up
Identity In the Cloud: Winners and Losers? (continued)
It's how you play the game
Platform vendors forge into the new frontier
§ VMware, Microsoft duke it out for end user tier
§ PaaS players make a development, embedded run-time play
Identity providers
§ If you build it, they come
§ Value contingent on required trust, attribute assurance for transaction
Cloud service providers
§ Associating a portable image with a portable identity
§ Unified cloud environment/integration provider
Identity In The Cloud
• Q&A
Thank You. Questions?