Identity and Securing Continuous Services in Discontinuous Infrastructure
Steve Coplan, Analyst
CLIENT EVENT: BOSTON, DECEMBER 1, 2010

451 Research Client Event Nov 10



Analyzing the business of Enterprise IT Innovation

Unique Analysis of the Hosting, Managed Service, Third-Party Datacenter and Internet Infrastructure sectors

The 451 Group

The Uptime Institute is the leading independent think tank and research body serving the global datacenter industry.

About

§ Longstanding member of the 451 analyst team

§ Startup experience at acquired security vendor

§ Expertise in M&A, networks

§ Only security analyst with a degree in Zulu

3 Client Event: Security | Boston 2010

Agenda

§ What do we mean by identity in the cloud?

§ Cloud security models from an IAM perspective

§ Security models and compliance

§ Cloud, security and identity in the cloud

§ The transition from identity in the cloud to cloud identity

§ What's the identity in the cloud opportunity?


The Intersection of Cloud and Identity

Cloud can be a:

● Shared resource (customer, partner, employee)

● Private cloud

● Off-premise servers, storage, applications

● Hybrid

Cloud users can be:

● IT administrators buying cloud resources

● Enterprise users consuming SaaS applications

● Developers running applications/QA on PaaS

● Cloud service providers running a set of services for enterprises

§ Identity management vendors still dealing with technical challenges of portable identity

§ Cloud service providers see need for portable identity associated with portable image

Enterprise identity

§ Authenticated employee

§ Group member

§ Provisioning target

§ Role-defined

§ Authorization set

Cloud service providers

§ Customer

§ Service provisioning construct (revenue event)

§ Customer profile

§ Service contention priority

§ SLA input

Objective and Outcome-Oriented Security

Outcome:

§ Ensure everyone does what they are supposed to

§ Establish a normative set of behaviors around the transfer and consumption of information

• How to translate this outcome to a set of continuous services?

Objective:

§ Secure the infrastructure and IT operations

§ Keep out the bad guys

• How to translate this objective to a discontinuous infrastructure?


Defining Outcome-Oriented Security

§ Outcome-oriented security is contingent on a set of policy statements

§ Policy - A principle or rule to guide decisions and achieve rational outcome(s)

Central policy definition is great, but what about exceptions?

Policy is king, but a king in a constitutional monarchy

§ Business owners, application owners need delegation capabilities


Outcome-Oriented Security and Compliance

Growing overlap in spending, definitions and operations between compliance and policy

§ The need to drive automation of compliance processes leads to governance, e.g. access certification

§ Visibility is compliance’s greatest gift


Defining Outcome-Oriented Security

Questions remain:

§ How can we enforce stated policy?

A stated policy does not an enforced policy make

How do we define current state against stated outcome?

Visibility is only a precursor to enforcement

§ Where do trust, privacy and liability fit in?

What does this have to do with identity and the cloud?

Identity is important because:

§ Compliance requirements invoke identity attributes or definitions, access controls and authentication

§ Identity is the pivot construct in defining access controls for the cloud

• Need to know who you are to describe what you can/can’t do

§ Identity is a single control construct for multiple resources

• SSO functions as a normalized event stream for a user

• Cloud Hybridization, Desktop Virtualization, Device Proliferation escalate need for a consolidated identity and abstracted attributes


What does this have to do with identity and the cloud?

Identity in the cloud is important because:

§ Identity is the common point of reference for discontinuous infrastructure

§ Identity is a key parameter for making sense of visibility

§ Who is the first question from a business context and by extension policy
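As an added illustration (not part of the deck) of the two points above, identity as the common point of reference across discontinuous infrastructure and identity as the parameter that makes visibility usable, the following Python normalizes constructed events from three hypothetical cloud services onto a single identity key and lists what the stated policy does not cover. All provider names, field names, users and the policy are constructed for the example.

```python
"""Identity as the pivot for visibility across discontinuous infrastructure.

Added example, not from the deck: events from three hypothetical cloud
services, each with its own log shape, are normalized onto one identity key
and compared with a stated policy. All names and values are constructed."""
from collections import defaultdict

# Constructed sample events; field names differ per provider.
SAAS_CRM = [{"user": "alice@example.com", "app": "crm", "action": "login"},
            {"user": "bob@example.com", "app": "crm", "action": "export_records"}]
PAAS_LOGS = [{"principal": "ALICE@EXAMPLE.COM", "service": "paas", "op": "deploy"}]
IAAS_AUDIT = [{"identity": "bob@example.com", "resource": "iaas", "event": "create_vm"}]

# Stated policy (constructed): which identity may perform which (resource, action).
POLICY = {
    "alice@example.com": {("crm", "login"), ("paas", "deploy")},
    "bob@example.com": {("crm", "login")},
}

def normalize_events(crm, paas, iaas):
    """Map each provider's fields onto one (identity, resource, action) shape.
    Identities are lower-cased so one person is one key across providers."""
    stream = [(e["user"].lower(), e["app"], e["action"]) for e in crm]
    stream += [(e["principal"].lower(), e["service"], e["op"]) for e in paas]
    stream += [(e["identity"].lower(), e["resource"], e["event"]) for e in iaas]
    return stream

def per_identity_stream(events):
    """Pivot the normalized events on identity: the per-user event stream."""
    by_identity = defaultdict(list)
    for identity, resource, action in events:
        by_identity[identity].append((resource, action))
    return dict(by_identity)

def policy_exceptions(events, policy):
    """Current state vs stated outcome: actions the policy does not allow."""
    return sorted((i, r, a) for i, r, a in events
                  if (r, a) not in policy.get(i, set()))

if __name__ == "__main__":
    events = normalize_events(SAAS_CRM, PAAS_LOGS, IAAS_AUDIT)
    for identity, actions in per_identity_stream(events).items():
        print(identity, actions)
    print("policy exceptions:", policy_exceptions(events, POLICY))
```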


The new frontier

The Intersection of Cloud and Identity

Different understanding of the function of identity

§ Identity management vendors still dealing with technical challenges of portable identity

§ Cloud service providers see need for portable identity associated with portable image

Identity management vendors are from Mars

§ View identity as a middleware layer or service

§ View cloud, virtualization and mobile

Cloud service providers are from Venus

§ View identity as a platform component

§ View identity as a service enablement construct

Need for a match.com broker?

Identity in the cloud: A maturity model

§ Operational Portability

§ Managed Portability (Infrastructure)

§ Native Portability (Architecture)

From Identity In the Cloud to Cloud Identity: Maturity Model

Operational Portability

§ Customers: Enterprise (identity providers); service providers (relying parties); SaaS providers; PaaS providers

§ Technology elements: SSO; authentication; federation (SAML, OpenID, OAuth, WS-Fed); application access control

§ Providers: Identity management vendors (incumbents, venture-funded partners); platform vendors

§ Delivery model: Hybrid: on-premise gateways; federation gateways; federation hubs

Infrastructure (Managed Portability)

§ Customers: Identity providers; cloud service providers; Identity as a Service providers

§ Technology elements: Authorization (XACML); provisioning/governance; cloud access gateways; trust brokers; user privacy stores

§ Providers: PaaS/SaaS providers; identity management vendors; cloud service providers

§ Delivery model: From the cloud: authentication, SSO, trust services; To the cloud: provisioning; In the cloud: directory in the cloud

Architecture (Native Portability)

§ Customers: Enterprise; cloud service providers

§ Technology elements: Embedded middleware; attribute sources; attribute assurance; trust brokers; cloud federation

§ Providers: Cloud service providers; PaaS providers; identity providers; Identity as a Service vendors; incumbents

§ Delivery model: In the cloud: service federation, image federation; run-time authentication, authorization and provisioning

Cloud Identity: Characteristics

§ Security

§ Granularity

§ Automation

Identity in the cloud: A tale of many markets

§ Enterprise ID extension

§ Services (to, from, in the cloud)

§ Transactional (identity providers)

Identity in the cloud: Meta-issues

§ Liability

§ Trust/Assurance

§ Value

From Identity In The Cloud to Cloud Identity: Requirements

Portability

§ Characteristics: Automation (+++); Security (+); Granularity (+/-)

§ Affinities: Compliance automation; governance

§ Meta-issues: Liability (++); Trust/Assurance (++); Value (+)

Infrastructure

§ Characteristics: Automation (+++); Security (++); Granularity (+)

§ Affinities: Policy management; information management; software infrastructure as a service

§ Meta-issues: Liability (++); Trust/Assurance (++); Value (++)

Architecture

§ Characteristics: Automation (++++); Security (++); Granularity (+++)

§ Affinities: Service enablement; big data

§ Meta-issues: Liability (+++); Trust/Assurance (+++); Value (+++)

Identity In the Cloud: Strategic But Also Lucrative?

Arms dealer

§ Incumbents transitioning from enterprise sales model

§ Architecture question still unresolved

§ Build or embed?

Services: to, from and for the cloud

§ Diversity of new players

§ New market segments open

Transactional model

§ Consumerization of enterprise identity

§ Trust substrate

§ Tollgate model

Identity In the Cloud: Winners and Losers?

It’s how you play the game

End users

§ Getting automation, granularity right yields security

§ Sets the stage to answer the question “what could you do in the cloud”

Identity management vendors § Architectural issues, sales model major challenges

§ Their game to lose

Independent identity as a service/federation/authorization vendors

§ New markets, technology categories opening up


Identity In the Cloud: Winners and Losers?

It’s how you play the game

Platform vendors forge into the new frontier

§ VMware, Microsoft duke it out for the end-user tier

§ PaaS players make a development, embedded run-time play

Identity providers

§ If you build it, they come

§ Value contingent on required trust, attribute assurance for transaction

Cloud service providers § Associating a portable image with a portable identity

§ Unified cloud environment/integration provider


Identity In The Cloud

• Q&A


Thank You. Questions? [email protected]