How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security Service

How to Implement Novell® Cloud Security Services: Nuts and Bolts. Dale Olds, Distinguished Engineer; Ben Fjeldstet, Sr. Engineer; Tom Cecere, Product Strategy. Novell Cloud Security Service, March 24, 2010.

Upload: novell

Post on 18-Nov-2014


DESCRIPTION

This session will help you understand what cloud security is and how to implement it in your enterprise. It will discuss the technical aspects of cloud security and how we can help you secure the cloud while ensuring sensitive information always remains behind the firewall.

TRANSCRIPT

Page 1: How to Implement Novell® Cloud Security Services: Nuts and Bolts

Dale Olds, Distinguished Engineer; Ben Fjeldstet, Sr. Engineer; Tom Cecere, Product Strategy. Novell Cloud Security Service, March 24, 2010.

Page 2: Key Takeaways

© Novell, Inc. All rights reserved.

• SaaS adoption is projected to increase three-fold to US$14 billion by 2012, according to Gartner.

• “SaaS sprawl” is causing an IT administration and security nightmare for enterprises.

• Enforcing consistent policies for internal and cloud applications is key to effective governance.

• Novell® Cloud Security Service allows organizations to extend their internal policies, roles and workflow and manage a multi-SaaS environment consistently.

• Novell is a leading provider of identity and security solutions and has been for over 20 years.

Page 3: Agenda

• Why Novell® Cloud Security Service (NCSS)?

• What Is NCSS and How Does It Work?

• Architecture

• Deployment Options

Page 4: Enterprise Challenge: Creating an IT Administration Nightmare

[Diagram: the enterprise directory and the IT department's systems/tools on one side; users and multiple SaaS apps on the other, each app holding its own copy of user data/permissions.]

• Multiple usernames/passwords
• Multiple identity silos
• Disparate administration tools
• Challenge in timely deprovisioning accounts of ex-employees

Page 5: And Concerns Over Security

• DuPont: “When a sales person leaves the company, it takes 10 days to de-provision their account in SalesForce.com. Until then, the sales person has access to his account. This is a real problem.”

• International Fragrances & Flavors, at an executive briefing, told us: “We cannot use SaaS until it uses our identity management systems.”

• “What’s keeping us from getting more large enterprise customers? Trust.” – David Carroll, Salesforce.com evangelist

Page 6: Agenda (section divider; the same four items as on Page 3)

Page 7: How Does NCSS Work?

NCSS handles both use cases: a user logging directly into a cloud service, or a user logging into their enterprise system first.

[Diagram: Novell Cloud Security Services sits between the enterprise and the SaaS application. The IdP (AuthN Service with its User Store) reaches the Enterprise User Store through the NCS Secure Bridge; the Relying Party Participant fronts the SaaS Application and its SaaS Resources. Flow: (1) User Authentication at the IdP, (2) federation to the relying party over SAML 1, SAML 2 or WS-Fed, (3) User Access to the SaaS resources.]
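The two use cases on this slide correspond to the two standard SAML flows: a user who starts at the cloud service triggers an SP-initiated login (the relying party issues an AuthnRequest and expects an assertion that answers it), while a user who starts at the enterprise system receives an IdP-initiated assertion. The Python below is an added example, not Novell code and not a description of how NCSS itself implements the flow. It models the IdP and the relying party in one process, with a JSON assertion and an HMAC signature standing in for SAML XML and XML-DSig, and shows the checks a relying party must make before granting access at step 3: trusted issuer, valid signature, audience, validity window with clock-skew tolerance, InResponseTo matching a pending request, and one-time use of the assertion id. All entity ids, keys and user records are constructed.

```python
"""
Added example (not Novell code): a minimal model of the federation flow on
this slide. The enterprise IdP authenticates the user (step 1), hands a signed
assertion to the relying party fronting the SaaS application (step 2), and the
relying party validates it before granting access (step 3).

Assumptions of this example: the assertion is a JSON document rather than SAML
XML, and the signature is an HMAC over that JSON with a key shared between IdP
and relying party, standing in for an XML-DSig signature.
"""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

CLOCK_SKEW_SECONDS = 120  # tolerated IdP/RP clock drift (assumed value)
ASSERTION_LIFETIME = 300  # seconds an assertion stays valid (assumed value)


def _canonical(payload: dict) -> bytes:
    # Deterministic serialization so both sides sign/verify the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class IdentityProvider:
    """Enterprise IdP backed by a constructed in-memory user store."""
    entity_id: str
    signing_key: bytes
    users: dict  # username -> (password, attributes); constructed sample data

    def authenticate(self, username, password):
        # Plaintext passwords only because the store is a constructed stand-in.
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(record[0], password):
            return None
        return record[1]

    def issue_assertion(self, username, password, audience,
                        in_response_to=None, now=None):
        attrs = self.authenticate(username, password)
        if attrs is None:
            return None
        now = time.time() if now is None else now
        payload = {
            "id": secrets.token_hex(16),          # unique, used for replay detection
            "issuer": self.entity_id,
            "subject": username,
            "audience": audience,                 # the relying party this is for
            "in_response_to": in_response_to,     # None for IdP-initiated SSO
            "issue_instant": now,
            "not_on_or_after": now + ASSERTION_LIFETIME,
            "attributes": attrs,
        }
        sig = hmac.new(self.signing_key, _canonical(payload), hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}


@dataclass
class RelyingParty:
    """Relying party in front of the SaaS application."""
    entity_id: str
    trusted_idps: dict  # issuer entity_id -> shared verification key
    pending_requests: set = field(default_factory=set)
    seen_assertion_ids: set = field(default_factory=set)

    def start_sp_initiated_login(self):
        # User arrived at the cloud service first: record an AuthnRequest id
        # that the returned assertion must reference.
        request_id = secrets.token_hex(16)
        self.pending_requests.add(request_id)
        return request_id

    def validate(self, assertion, now=None):
        """Return (ok, reason); reason is 'ok' or why the assertion was refused."""
        now = time.time() if now is None else now
        payload, sig = assertion["payload"], assertion["signature"]
        key = self.trusted_idps.get(payload.get("issuer"))
        if key is None:
            return False, "untrusted issuer"
        expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        if payload.get("audience") != self.entity_id:
            return False, "audience mismatch"
        if payload["issue_instant"] > now + CLOCK_SKEW_SECONDS:
            return False, "issued in the future"
        if now > payload["not_on_or_after"] + CLOCK_SKEW_SECONDS:
            return False, "expired"
        irt = payload.get("in_response_to")
        if irt is not None:
            if irt not in self.pending_requests:
                return False, "unsolicited response to unknown request"
            self.pending_requests.discard(irt)
        if payload["id"] in self.seen_assertion_ids:
            return False, "replayed assertion"
        self.seen_assertion_ids.add(payload["id"])
        return True, "ok"


def run_demo():
    """Both use cases from the slide, plus a replay of the first assertion."""
    key = b"constructed-shared-key"
    idp = IdentityProvider("https://idp.example.test", key,
                           {"alice": ("pw", {"role": "sales"})})
    rp = RelyingParty("https://saas.example.test", {"https://idp.example.test": key})
    idp_first = idp.issue_assertion("alice", "pw", rp.entity_id)          # user at enterprise first
    req = rp.start_sp_initiated_login()                                   # user at cloud service first
    sp_first = idp.issue_assertion("alice", "pw", rp.entity_id, in_response_to=req)
    return {"idp_initiated": rp.validate(idp_first),
            "sp_initiated": rp.validate(sp_first),
            "replay": rp.validate(idp_first)}


if __name__ == "__main__":
    print(run_demo())
```

The replay cache and the pending-request set are per-process here; in a clustered relying party (several Security Brokers per tenant, as the later deployment slides describe) both would have to be shared or the checks are only per node.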

Page 8: NCSS Enterprise Connections with LDAP Identity Stores

• Secure Bridge Service
  – SSH Tunneling Services for Identity Verification for NCSS
  – Audit Reporting

• Secure Bridge Appliance (Post 1.0)
  – Identity Federation to NCSS
  – SSH Tunneling Services for Audit Reporting

[Diagram: the Secure Bridge sits behind the Enterprise Firewall, connected to the enterprise Identity Store(s) and Audit Server(s).]

Page 9: NCSS Enterprise Connections with Existing AM Solutions

• Secure Bridge Service
  – SSH Tunneling Services for Audit Reporting

• Access Management Solution Integration
  – Quick Start Integration for Common Identity Providers
  – SAML 2.0, POST capabilities required

[Diagram: the Secure Bridge sits behind the Enterprise Firewall, connected to the enterprise Identity Store(s) and Audit Server(s).]

Page 10: NCSS Provider Components

• Multi-tenant Director
  – Console hosting (Provider Console, Customer Console)
  – Audit Collection/Reporting
  – Cost Accounting Collection/Reporting
  – Multi-tenant Operations Management

• Per-tenant Security Brokers
  – Identity Federation
  – Event Routing for Audit/Billing/Operations

[Diagram: one Director serving Tenant A, Tenant B and Tenant C, each tenant with its own Security Broker providing Identity Federation and Event Routing.]

Page 11: NCSS SaaS Connections

• Quick Customer On-boarding

• Per-Customer Services
  – Identity Federation (SAML 2.0)
  – Audit Reporting

• Large Supported Platform Base
  – Java Spring
  – Apache
  – ...

[Diagram: Identity and Events flows cross the Hoster/MSP Firewall to the SaaS Connections.]

Page 12: Agenda (section divider; the same four items as on Page 3)

Page 13: CSS: Identity and Compliance Services System Architecture

[Diagram: Secure Bridge Services (Protocol Mapping, Event Distribution, Workflow Initiation) connect over an SSH Protocol Tunnel to the Cloud Security Broker (Authentication, Federation, Event Distribution, High Availability, Limited Workflow, Attribute Aggregation). The broker connects via Identity Federation and RESTful APIs to the SaaS/PaaS Connections, shown as PivotLink, SharePoint and Google App Engine. The CSS Director provides Administration and Operations Management.]

Page 14: Secure Bridge Services Stack

[Diagram: SSH Tunnel; CSB Connection Manager; LDAP Server Mapping; HTTP Services Mapping; Event Receptor; Limited Workflow API; Event Distribution. Together these provide the Secure Bridge Services functions Protocol Mapping, Event Distribution and Workflow Initiation.]

Page 15: CSS – Director Stack

[Diagram, layered top to bottom:
– Administration: Provider Consoles and Customer Consoles (HTML/JavaScript, GWT)
– Operations Management: REST APIs, Event Receptor, Configuration Distributor, CABE Processors, Operations Director, Security Manager
– CSS Core: Instance Communication, Services Manager, Event Receptor (REST), Security Manager, Session Broker (Clustering), Data Store Management (Clustering)
– CSS Service Foundation: Xerces, Xalan, XMLSec, Apache/Tomcat, JPA (Hibernate), JMS/CMS, JAX-RS, Axis, WS-*, Log4j/cxx, Cloud Service Bus
– Infrastructure Service Foundation: Messaging Stack (ActiveMQ), HTTP Stack (Apache), IaaS Management APIs (Cloud Vendor), SSH Tunnel, SQL Database (SQLite)]

Page 16: CSS – Director Stack (detail)

[Diagram, same layering as Page 15 with the Administration and Operations Management layers expanded:
– Provider Consoles: Customer Admin, Identity Services, CABE Services, Operations Management, Security Auditor, Billing Auditor, Help Desk
– Customer Consoles: Identity Services, CABE Services, Security Auditor, Reports (billing, etc.)
– Operations Management: REST APIs, Event Receptor, Configuration Distributor
– CABE Processors: Report Generation, Event Correlation/Aggregation, Event Receptor/Storage, Billing Processing
– Operations Director: CSB Registry, Config Query APIs, Configuration Distribution, SB Query APIs, Backup/Restore, System Monitoring, Service Migration/Upgrade
– Security Manager: Tenant Segregation, Cert/Key Distribution
– CSS Core, CSS Service Foundation and Infrastructure Service Foundation as on Page 15]

Page 17: CSS – Cloud Security Broker Stack

[Diagram, layered top to bottom:
– Cloud Security Broker: Authentication, Federation, Event Distribution, High Availability, Limited Workflow, Attribute Aggregation
– Broker services: Event Receptor; Identity Event Distribution; High Availability; Workflow; Federation Protocols; Authentication Methods; Session Attribute Management; Event Processors (Audit, Billing, Operations, with Customer & Provider Views); CSB & Services Monitor/Scale; Provisioning Triggers
– CSS Core: Instance Communication, Services Manager, Event Receptor (REST), Security Manager, Session Broker (Clustering), Data Store Management (Clustering)
– CSS Service Foundation: Xerces, Xalan, XMLSec, Java/Apache, JPA (Hibernate), JMS/CMS, JAX-RS, Axis, WS-*, Log4j/cxx
– Infrastructure Service Foundation: Messaging Stack (ActiveMQ), HTTP Stack (Apache), IaaS Management APIs (Cloud Vendor), SSH Tunnel, SQL Database]

Page 18: CSS – Cloud Security Broker Stack (detail)

[Diagram, same layering as Page 17 with the broker services expanded; the grouping below is inferred from the order of the slide labels:
– Federation Protocols: SAML 1.1, SAML 2, WS-*, CardSpace
– Authentication Methods: LDAP, OAuth, X.509
– Event Processors: Security, Audit, Billing, Operations
– CSB Cluster Director: Annexation, Aggregation
– CSB & Services Monitor/Scale: Customer Service Health Monitor, CSB Cluster Monitor
– Provisioning Triggers: User Provision, User De-provision
– Event Receptor, Identity Event Distribution, High Availability, Workflow and Session Attribute Management as on Page 17]

Page 19: Secure Bridge and Cloud Security Broker (identity path)

[Diagram: on the Enterprise side, the Enterprise Identity Store and the SB (Secure Bridge) Daemon with LDAP Mapping, AEB Mapping and Secure Data Marshaling; on the SaaS/PaaS side, the CSB with its Identity Connector and Event Connector, the SaaS Services, and the Identity Federation Protocol between them.]

Page 20: Secure Bridge and Cloud Security Broker (audit path)

[Diagram: the Enterprise Console and the SB Audit Store on the Enterprise side; the SB Daemon (LDAP Mapping, AEB Mapping, Secure Data Marshaling) connects to the CSB (Identity Connector, Event Connector) on the SaaS/PaaS side, which reaches the SaaS Services over a REST API with OAuth.]

Page 21: Secure Bridge and Cloud Security Broker (identity and audit paths)

[Diagram: Enterprise side with the Identity Store, Audit Store and SB Daemon (LDAP Mapping, AEB Mapping, Secure Data Marshaling); SaaS/PaaS side with the CSB (Identity Connector, Event Connector) and SaaS Services, linked by the Identity Federation Protocol and a REST API with OAuth.]

Page 22: Secure Bridge, Cloud Security Broker and Director

[Diagram: Enterprise side with the Identity Store, Audit Store and SB Daemon (LDAP Mapping, AEB Mapping, Secure Data Marshaling); SaaS/PaaS side with the CSB (Identity Connector, Event Connector), the SaaS Services, and the CSSD (CSS Director) with its Provider Data Store. Links shown: Federation, and REST APIs between the components.]

Page 23: Agenda (section divider; the same four items as on Page 3)

Page 24: NCSS Small Deployment

• 1 Multi-tenant Director
  – With configuration backup/restore services

• 1-N Customers/Tenants, each with:
  – 1 Secure Bridge and
  – 1-2 Security Brokers connecting to 1-20 SaaS applications

[Diagram: a single Director (Provider Console, Customer Console, Audit Collection/Reporting, Cost Accounting Collection/Reporting, Multi-tenant Operations) with Security Brokers for Tenant A, Tenant B and Tenant C, between the Customer Connections and the SaaS Connections.]

Page 25: NCSS Medium Deployment

• Multi-tenant Director Cluster**
  – 1-8 Directors

• 1-N Tenants, each with:
  – 1 Secure Bridge
  – 1-5 Security Brokers connecting to 1-50 SaaS applications

** Requires clustered DB server deployment

[Diagram: a Director Cluster (Provider Console, Customer Console, Audit Collection/Reporting, Cost Accounting Collection/Reporting, Multi-tenant Operations) backed by a Database Cluster, with Security Brokers for Tenant A, Tenant B and Tenant C between the Customer Connections and the SaaS Connections.]

Page 26: NCSS Large Deployment

• Multi-tenant Director Cluster**
  – 1-5 Directors
    > Console hosting
    > Multi-tenant Operations
  – 1-5 Audit Servers
  – 1-5 Billing Servers

• 50-N Tenants, each with:
  – 1 Security Broker
  – 1-5 Security Brokers connecting to 1-100 SaaS applications

** Requires clustered DB server deployment

[Diagram: a Director Cluster, Database Cluster, Cost Accounting Cluster and Audit Cluster, with Security Brokers for Tenant A, Tenant B and Tenant C between the Customer Connections and the SaaS Connections.]

Page 27: Customer Connection Scenarios

[Diagram: Novell Cloud Security Service (NCSS), with its Director Cluster (Provider Console, Customer Console, Audit Collection/Reporting, Cost Accounting Collection/Reporting, Multi-tenant Operations) and Security Brokers for Tenant A, Tenant B and Tenant C, connected to customers of the following kinds:
– Surface Connectors to External SaaS Applications, SSO Only
– Deep Connectors to Rackspace Internal and App Store Apps
– Internal LDAP Directory Only; uses the NCSS Secure Bridge
– Internal Identity Management System with Federation (Novell Identity Manager)
– No User Accounts on Customer Premises]

Page 28: Questions and Answers

Page 29: (no transcript text)

Page 30: Legal Notices

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.