Web, Mobility and Cloud Security

Andy Thurai, Chief Architect and CTO, Application Security and Identity Products, Intel

Ramon Peypoch, Vice President, Global Business Development, McAfee



Page 2: Web, Mobility and Cloud Security

Building a Secure Bridge to the Cloud

Ramon Peypoch – Vice President, Network & Cloud Security

Andy Thurai – Intel® Application Security & Identity Products Group, CTO & Chief Architect

An Intel Company

Page 4: Web, Mobility and Cloud Security

1. Application complexity is increasing with the cloud ecosystem

Page 5: Web, Mobility and Cloud Security

Cloud Computing: everything and the kitchen sink (diagram: App Server, Database, Kitchen Sink, PC, Mobile, Code)

Page 6: Web, Mobility and Cloud Security

Application Complexity is Growing

Page 7: Web, Mobility and Cloud Security

2. Using context-driven security models to build trust

Page 8: Web, Mobility and Cloud Security

Diagram: verticals Financial Services, Telecom, Government, Enterprise, Social Media, Cloud Apps; trust elements Reputation, Trust Management, Attestation, Relationship Management, Context

Page 9: Web, Mobility and Cloud Security

3. Cloud transparency is a BIG challenge

Page 10: Web, Mobility and Cloud Security

Diagram: The Cloud / Your Network

Page 11: Web, Mobility and Cloud Security

• Application Complexity

• Context-Driven Security

• Cloud Transparency

Page 12: Web, Mobility and Cloud Security

Cloud Penetrates the Enterprise

84% of Enterprises Using It; Annual Spending $112B

Page 13: Web, Mobility and Cloud Security

The Power of Cloud Computing

• Business agility

• Cost efficiencies

• Enhanced innovation

• Improved IT services

However, security remains the roadblock

• Data loss

• Identity

• Information governance

• Data control

Page 14: Web, Mobility and Cloud Security
Page 15: Web, Mobility and Cloud Security
Page 16: Web, Mobility and Cloud Security

Cloud Ecosystem (diagram): Enterprise with Mobile Users, Enterprise Users and Private Cloud Applications; Partners, Cloud Vendors, Applications, Customers; traffic channels Web, Authentication and Email, with Data Loss and Intrusion marked on the channels

Page 17: Web, Mobility and Cloud Security

Diagram: App Services + Web Access Control + DLP + Email

Page 18: Web, Mobility and Cloud Security

Cloud Security Platform (diagram)

Users and traffic: Enterprise Mobile Users, Enterprise Users, Private Cloud Applications; channels Web, Authentication, Email

Global Threat Intelligence

Unified Management, Policy and Reporting, ePO Integration

Modules (SaaS or Appliance): Services Gateway, Identity Manager, Email Security, Data Loss Prevention, Web Security

Cloud Ecosystem: Partners, Cloud Vendors, Applications, Customers

Page 19: Web, Mobility and Cloud Security

Intel ASIP solution set

• MIM (McAfee Identity Manager)

• MSG (McAfee Service Gateway)

– McAfee Service Gateway

– McAfee CSB (Cloud Service Broker)

– McAfee API Gateway

• McAfee TB (Tokenization Broker)

April 11, 2023

Page 20: Web, Mobility and Cloud Security

McAfee ePO
• Integrated monitoring for Cloud apps

McAfee Web Gateway
• To the Cloud - web filtering
• From the Cloud - AV & Malware

McAfee DLP
• To/From the Cloud - Data leak protection

McAfee Global Threat Intelligence
• Provides real-time URL and connection reputation

McAfee Services Gateway
• App API & Web Service Security

McAfee Identity Manager
• Cloud SSO, Strong Auth, Provisioning

Consistent Security Across Cloud Traffic Channels (App-to-Cloud, User-to-Cloud)

Interoperable Cloud Security Modules, or Operate Stand-alone

Page 21: Web, Mobility and Cloud Security

Single Sign-on to the Cloud

McAfee Cloud Identity Manager (diagram: Enterprise)

Page 22: Web, Mobility and Cloud Security

Provision / Access / Secure SSO / Compliance

• Provision/de-provision user accounts

• AD integration

• Sync Id Profiles

• Rich audit trail of user login showing AuthN level

• De-provision & orphan account reports

• Federate Windows/AD login via SAML, OAuth

• Eliminate insecure passwords

• Cloud Ready Connectors

Adaptive Strong Auth

• 2nd factor OTP AuthN

• Variety of AuthN methods: mobile devices, SMS, email

Combining Federal Strong Auth with SSO

More Secure Cloud SSO - Federated User Access (diagram: In the Cloud, User to Cloud Access, AD, Agency)

• Federated SSO is a pillar for NSTIC, ICAM, and other federal identity initiatives

• Drives strong auth access and cross-agency collaboration

• Supports log-in using private sector identity credentials such as OpenID, PayPal, OAuth

• Supports Trust Framework LOA level of access level 3 with SAML ID support

• GSA listed

Direct from Intel or from McAfee as Cloud Identity Manager

Only 3-in-1 Product to Manage User to Cloud Access

Page 23: Web, Mobility and Cloud Security

Cloud Access Models

Page 24: Web, Mobility and Cloud Security

Secure & Simplify Consumption of Enterprise/Cloud Apps

McAfee Services Gateway (diagram: Enterprise, Services/APIs)

Page 25: Web, Mobility and Cloud Security

Rise of Cloud Service Broker - Widely Recognized as Key Capability for Cloud

NIST - USG Cloud Computing Reference Architecture (diagram)

Actors: Cloud Provider, Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit), Cloud Consumer, Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage)

Cloud Provider: Service Layer (IaaS, PaaS, SaaS), Resource Abstraction and Control Layer, Physical Resource Layer (Hardware, Facility); Cloud Service Management (Business Support, Provisioning/Configuration, Portability/Interoperability); cross-cutting Security and Privacy

“By 2015, at least 20% of all cloud services will be intermediated via CSBs” – Daryl Plummer, Managing VP, Gartner Fellow

Page 26: Web, Mobility and Cloud Security

CSB: On-Prem CSB or 3rd-party Intermediary

• Identity as a Service

• Security as a Service

• Trust as a Service

• Value added processing

• Packaged API Level Policies

• Security, Governance, Integration

• Solves Complexity, Overhead

Capabilities Available Today Using Gateway Cloud Service Broker Appliance Software; IT Departments Can Run On-prem

Page 27: Web, Mobility and Cloud Security

APIs are New Cloud Control Point – 1/3 of the enterprise traffic is now API based

Diagram: Enterprise, API, Cloud Provider. Applications move off premise; leverage third-party services; 1/3 of Enterprise Traffic is via APIs

Page 28: Web, Mobility and Cloud Security

APIs are Strategic Control Points for Cloud

API Broker (diagram)

Core Apps: CRM, Workflow, Doc Mgt, IAM, ERP/Mainframe

Apps: SaaS CRM, Partner B2B, Social Mashups

API Management Control

• Performance Management

• Integration & Service Lifecycle Management

• Enforce Access & ID Token Translation

• Threat Protect - DoS, Content Threats

• Visibility, Auditing, Usage Xxx takeaway

Page 29: Web, Mobility and Cloud Security

Service Gateway Revealed

• FIPS 140-2 Level 3 Crypto (Optional)
• Common Criteria EAL4+
• DoD STIG Ready & PKI Certified
• HSM PKI key storage (Optional)
• Cavium crypto acceleration
• Form factors: software, virtual, and tamper resistant
• GSA listed

Tech Agnostic
• REST, SOAP, JSON
• XML, Binary, ASCII
• HTTP, FTP, TCP, JMS, MQ, Custom

Performance
• Optimized for Intel chips
• Tie-in to chip roadmap
• Efficient XML parsing at chip level

No Programming / Coding
• Simple visual workflow building tool

Flexible
• Routing
• Transform
• Validation
• Service Call-outs
• Firewall rules

Page 30: Web, Mobility and Cloud Security

Federal Initiatives

Program: Identity Credential and Access Management (ICAM), BAE, HSPD-12, PIV
Intel / McAfee Solution: Enabling Federated access, Cloud SSO, Account Provisioning, Strong Auth Software One Time Passwords; Authenticating Web Services, SOAP, REST, Expose secure APIs

Program: NSTIC - Provides an “identity ecosystem” for individuals/organizations to utilize secure identity solutions to access online services.
Intel / McAfee Solution: Enabling Federated access, Cloud SSO, Account Provisioning, Strong Auth Software One Time Passwords.

Program: DoD Public Key Infrastructure - Data integrity, user identification and authentication, user non-repudiation, data confidentiality, encryption and digital signature services
Intel / McAfee Solution: Ability to authenticate and validate certificates against DoD root authority.

Program: NIEM National Information Exchange Model - NIEM will be the method by which state, local, and tribal agencies will share information with federal agencies.
Intel / McAfee Solution: Service gateways provide a fast path to handle the complex XML processing requirements for NIEM.

Program: OMB CyberScope - Provide federal agencies an automated method for submitting FISMA audit results.
Intel / McAfee Solution: McAfee Policy Auditor - SCAP validated product that works with the IPS and endpoint products to report audit information. The Vulnerability Manager / CyberScope Data Feed Generator tool helps generate a data feed report that can be submitted to the CyberScope application.


Page 32: Web, Mobility and Cloud Security

Tokenization Broker

Feature Summary
• Flexible Software Appliance Form Factor
• Secure Appliance Form Factor
• Tokenization
• Token Vault
• Authentication & Access Control
• High Performance, optimized for Intel® Multi-Core

Benefit Summary
• Reduce or remove payment applications and databases from PCI scope
• Own and manage PAN data on-premise with a secure hardware appliance
• Easily choose the tokenization scheme appropriate for your business
• Minimize change to existing applications compared to E2E Encryption
• Address more than 200 PCI compliance requirements through gateway tokenization

Page 33: Web, Mobility and Cloud Security

Internal Tokenization: Use Case (diagram)

Documents containing PAN data arrive at the point of capture application.

Intel® Expressway Tokenization Broker: TB generates tokens for PAN data, encrypts/stores PANs, and routes documents to their destination. Reverse the token from the Secure Vault.

Application forwards document to backend applications. Output documents contain tokens in place of PAN data in print-equivalent or machine-readable XML.

Downstream applications receive documents with tokens rather than PANs and benefit from reduced/eliminated PCI scope.

PCI Scope: reduced scope or out of scope

Token Exchange Benefits:

• Wide Range of Formats

• Wide Range of Protocols

• Strong Authentication

• Secure Channel

• Enterprise IDM

• Format-Preserving Surrogate Tokens

• Single-Use or Multi-Use Tokens

• Secure Vault

• Strong PAN Protection

• Multiple Token Generation Options

• Physical Security (Appliance SKU Only)
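The tokenization flow on this slide (PAN arrives, a format-preserving surrogate token replaces it, the PAN is sealed in a vault, an authorised caller can reverse the token), as an added Python example; this is not Intel's or McAfee's code. The broker class, the sample document, the single-use/multi-use switch and the HMAC keystream standing in for vault encryption are assumptions for illustration.

```python
import hashlib, hmac, secrets

SAMPLE_DOC = {"order_id": "A-1001", "pan": "4111111111111111", "amount": "42.00"}  # constructed sample


class TokenizationBroker:
    """Hypothetical broker: surrogate tokens go downstream, PANs stay in the vault."""

    def __init__(self, vault_key: bytes, multi_use: bool = True):
        self._key = vault_key        # on a real appliance this would live in an HSM
        self._multi_use = multi_use  # multi-use: the same PAN always maps to one token
        self._vault = {}             # token -> sealed PAN
        self._index = {}             # HMAC(PAN) -> token (multi-use only)

    def _seal(self, pan: str) -> bytes:
        # Stand-in for AES-GCM (stdlib has no AES): XOR with an HMAC(key, nonce) keystream.
        nonce = secrets.token_bytes(16)
        stream = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return nonce + bytes(a ^ b for a, b in zip(pan.encode(), stream))

    def _open(self, blob: bytes) -> str:
        stream = hmac.new(self._key, blob[:16], hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(blob[16:], stream)).decode()

    def _surrogate(self, pan: str) -> str:
        # Format-preserving: same length, digits only, last four kept for display.
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in pan[:-4]) + pan[-4:]
            if token != pan and token not in self._vault:
                return token

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("not a PAN")
        fp = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        if self._multi_use and fp in self._index:
            return self._index[fp]
        token = self._surrogate(pan)
        self._vault[token] = self._seal(pan)
        if self._multi_use:
            self._index[fp] = token
        return token

    def detokenize(self, token: str, caller_authorized: bool) -> str:
        # Reversal is the sensitive path: only an authenticated, authorised caller.
        if not caller_authorized:
            raise PermissionError("detokenize denied")
        return self._open(self._vault[token])


def tokenize_document(broker: TokenizationBroker, doc: dict) -> dict:
    """Point-of-capture step: swap the PAN for a token before routing downstream."""
    return {**doc, "pan": broker.tokenize(doc["pan"])}
```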

Page 34: Web, Mobility and Cloud Security

One Trusted Vendor to Address Your Critical Cloud Security Needs (diagram): XML Transformation; Monitoring & Reporting; Policy Enforcement; ID Brokering; Trust; Federal PKI/DoD Bridge; FIPS L3 Crypto; Multi-Protocol Content Inspection; Cyber Defense; Cloud API

Page 35: Web, Mobility and Cloud Security

Federal Cloud Security Paper

Test Drive

Cloud Access 360 Data Sheet

Service Gateway Data Sheet

Other Webinars in Info Library:

• NIEM enablement in 60 days

• Portable Security Architecture to Establish Cross Domain

• How to Combat Advanced Persistent Threats

www.intel.com/go/identity

email: [email protected]