Identity and Access Management Reference Architecture for Cloud Computing John F. Bauer III [email protected]

Post on 12-May-2015


DESCRIPTION

This presentation will outline a comprehensive reference architecture for meeting the secure access and provisioning demands of outsourcing business and technology processes to “the cloud”. The attendee will walk away with a more solid understanding of the identity and access management challenges that face organizations looking to move application and business process support to cloud computing providers, along with a reference architecture that outlines how to build standards-based solutions for each challenge. John F. Bauer III has over 20 years of Information Technology and Security delivery experience. John is currently the Enterprise Security Architect for Key Bank and has previously held leadership positions at British Petroleum, Cliffs Natural Resources, MTD Products, and National City/PNC Bank. John has spoken previously on the topic of Information Security at CA World, Oracle Open World, Digital ID World and NACHA conferences. John has both a Computer Science degree and MBA from Case Western Reserve University’s Weatherhead School of Management and is a frequent Adjunct Professor on Network Security at Cuyahoga Community College. John also maintains an active blog: MidwestITSurvival.com.

TRANSCRIPT

Page 1: Identity and Access Management Reference Architecture for Cloud Computing

Identity and Access Management Reference Architecture for Cloud Computing

John F. Bauer [email protected]

Page 2

BIO

John F. Bauer III

– Over 20 years of Information Technology and Security delivery experience.

– Currently the Enterprise Security Architect for Key Bank

Previous leadership positions at:

– British Petroleum

– Cliffs Natural Resources

– MTD Products

– National City/PNC Bank

Spoken previously on the topic of Information Security at:

– CA World

– Oracle Open World

– Digital ID World

– NACHA Security conferences.

– Computer Science degree and MBA from Case Western Reserve University’s Weatherhead School of Management

– Adjunct Professor on Network Security at Cuyahoga Community College

– Author: Blog – http://MidwestITSurvival.com

Page 3

Quote

"Computing may someday be organized as a public utility just as the telephone system is a public utility," Professor John McCarthy said at MIT's centennial celebration in 1961. "Each subscriber needs to pay only for the capacity he actually uses, but he has access to all programming languages characteristic of a very large system ... Certain subscribers might offer service to other subscribers ... The computer utility could become the basis of a new and important industry."

[Image caption] Carl B. Stokes Public Utilities Building, Cleveland, Ohio, USA. Completed: 1971.

Page 4

Agenda

– The Hype has Legs, Real Usage of “the Cloud” Growing (SaaS)

– Need for a Comprehensive IAM Architecture as Part of Secure SaaS Success

– Business and Technology Architecture: User Access and Directories, Provisioning, Procurement, HR and Legal, SSO and Federation, Authorization

– IAM Reference Architecture: Architecture Framework, Investment Roadmap

NOTE: All the content of this presentation is the opinion of the author and not the author's past or current employers.

Page 5

Moving to the Cloud

Page 6

Moving to the Cloud

Forrester, The Software Market in … 2011

http://www.gartner.com/it/page.jsp?id=1438813

Source: Ismael Chang Ghalimi, http://itredux.com/2009/10/11/defining-cloud-computing-for-business-users/

Page 7

Cloud Econ 101

The lower total operating costs afforded by cloud SaaS offerings resonate with IT and business leaders.

Booz Allen Senior Associate Gwen Morton and Associate Ted Alford compared the life cycle cost to run 1,000 servers in a managed environment in-house, through a cloud offering from a commercial provider, from a centralized in-house cloud, and a hybrid of a public and private cloud.

Source: Booz Allen, http://www.boozallen.com/insights/insight-detail/42656904

Page 8

Cloud IAM – There still is Time

Page 9

IAM Cloud Strategy Needed

Business Architecture

– Procurement

– Legal

– Human Resources

Technology Architecture

– Access

– Directory

– Provisioning

– Federation

– Authorization

Page 10

Business Architecture - Procurement

With just a credit card, any business user can start using SalesForce.com for $15 a month per user without IT involvement.

Source: http://www.salesforce.com/crm/editions-pricing.jsp

“What?!?! The sales department signed up for a SaaS CRM service last month?”

Page 11

Business Architecture - Procurement

Get plugged into your procurement life-cycle (Source: http://indirectpurchasing.com/lifecycle.html)

Get buy-in to participate in the SaaS selection process

Provide RFI/RFP questions around IAM for SaaS

Page 12

Business Architecture - Legal

Educate legal on the need for IAM language in SaaS contracts

Get buy-in that IAM language reduces risk and drives down costs

Assist with default MSA and other template language

Page 13

Business Architecture - HR

Educate HR on how employees using SaaS affects them

Get HR buy-in that SaaS provisioning needs IT participation

Do SaaS roles match HR job codes?

Do employees get de-provisioned in SaaS when terminated in the HR platform?
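As an added illustration that is not part of the presentation, both HR questions on this slide can be answered by periodically reconciling the HR feed against the SaaS user export: accounts with no HR record, accounts still active after an HR termination, and SaaS roles that do not match the role the HR job code entitles. The two feeds, the job-code-to-role mapping and the use of email as the join key are constructed assumptions.

```python
# Constructed sample feeds (not from the presentation). In practice the HR
# extract comes from the HR platform and the user list from the SaaS API.
HR_FEED = [
    {"emp_id": "1001", "email": "jbauer@example.com", "job_code": "MGR2", "status": "active"},
    {"emp_id": "1002", "email": "asmith@example.com", "job_code": "ANL1", "status": "terminated"},
    {"emp_id": "1003", "email": "kjones@example.com", "job_code": "ANL1", "status": "active"},
]
SAAS_USERS = [
    {"email": "jbauer@example.com", "role": "Manager2", "active": True},
    {"email": "asmith@example.com", "role": "Analyst", "active": True},     # terminated in HR
    {"email": "contractor@example.com", "role": "Analyst", "active": True}, # no HR record
    {"email": "kjones@example.com", "role": "Manager2", "active": True},    # job code says Analyst
]

# Hypothetical mapping from HR job code to the single SaaS role it entitles.
JOB_CODE_TO_ROLE = {"MGR2": "Manager2", "ANL1": "Analyst"}


def reconcile(hr_feed, saas_users):
    """Compare active SaaS accounts with HR and return the three finding lists.

    orphan:            SaaS account with no HR record at all
    terminated_active: HR says terminated, SaaS account still active
    role_mismatch:     (email, saas role, role the job code entitles)
    """
    hr_by_email = {h["email"].lower(): h for h in hr_feed}   # email is the join key
    findings = {"orphan": [], "terminated_active": [], "role_mismatch": []}
    for user in saas_users:
        if not user["active"]:
            continue                    # already disabled; nothing to flag
        hr = hr_by_email.get(user["email"].lower())
        if hr is None:
            findings["orphan"].append(user["email"])
        elif hr["status"] != "active":
            findings["terminated_active"].append(user["email"])
        else:
            expected = JOB_CODE_TO_ROLE.get(hr["job_code"])
            if expected != user["role"]:
                findings["role_mismatch"].append((user["email"], user["role"], expected))
    return findings
```

Each finding list feeds a de-provisioning or access-review ticket; an unmapped job code surfaces as a mismatch with `None` as the expected role, so it is reviewed rather than ignored.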

Page 14

IAM Cloud Strategy Needed

Business Architecture

– Procurement

– Legal

– Human Resources

Technology Architecture

– Access

– Directory

– Provisioning

– Federation

– Authorization

Page 15

Technology Architecture - Directory

Identify a “central” directory for linking user groups to SaaS

LDAP capable technology will integrate most easily with access platforms

Page 16

Technology Architecture - Access

Shift to “externalized access thinking”

Invest in access control products

Consider vendor products that offer both web access management and federation capabilities

Integrate externalized access technology with your “centralized” directory

Page 17

Technology Architecture - Provisioning

Shift to centralized provisioning thinking

Identify systems of record by user relationship

Invest in enterprise provisioning products

Page 18

Technology Architecture - Federation

Invest in a Federation solution:

“Federated Identity Management amounts to having a common set of policies, practices and protocols in place to manage the identity and trust into IT users and devices across organizations”

Source: Wikipedia, http://en.wikipedia.org/wiki/Federated_Identity_Management

Page 19

Technology Architecture - Federation

Federation approach is driven by your partner relationships

Page 20

Technology Architecture - Federation

Page 21

Technology Architecture - Provisioning

Federation needs users provisioned in SaaS platforms:

… but consider extending your identity federation exchange

Established Standard {heavy weight, complex}

Emerging Standard {light weight, unproven}

Page 22

Technology Architecture - Provisioning

… with “Just in Time” provisioning

    <saml:Attribute Name="Fullname" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:AttributeValue>John F. Bauer III</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="AppRole" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:AttributeValue>Manager2</saml:AttributeValue>
    </saml:Attribute>

During the federation exchange, populate attributes with provisioning details
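An added example, not part of the presentation, of what the SaaS side does with those attributes at login: it reads Fullname and AppRole out of the assertion's AttributeStatement, maps the asserted role to local entitlements, and creates or updates the account in one step. The sample assertion, the use of NameID as the account key and the role map are constructed assumptions; signature validation of the assertion is assumed to have succeeded before this code runs.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from the presentation). A real service
# provider verifies the assertion signature before trusting any attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jbauer@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Fullname">
      <saml:AttributeValue>John F. Bauer III</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="AppRole">
      <saml:AttributeValue>Manager2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical SaaS-side map from the IdP-asserted AppRole to local entitlements.
ROLE_MAP = {"Manager2": {"read", "approve"}, "Analyst": {"read"}}


def parse_attributes(xml_text):
    """Return (NameID, {attribute name: [values]}) from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def jit_provision(xml_text, directory):
    """Create or update directory[NameID] from the asserted attributes."""
    name_id, attrs = parse_attributes(xml_text)
    if not name_id:
        raise ValueError("assertion carries no NameID")
    roles = attrs.get("AppRole", [])
    unknown = [r for r in roles if r not in ROLE_MAP]
    if unknown:                      # reject, never silently drop, unmapped roles
        raise ValueError(f"unmapped AppRole value(s): {unknown}")
    record = directory.setdefault(name_id, {"fullname": None, "entitlements": set()})
    fullname = attrs.get("Fullname") or []
    if fullname:
        record["fullname"] = fullname[0]
    # Replace, not accumulate: a role removed at the IdP disappears here on next login.
    record["entitlements"] = set().union(*(ROLE_MAP[r] for r in roles))
    return record
```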

Page 23

Technology Architecture - Authorization

Shift to “externalized authorization thinking”

Vendors

Established Standard

Page 24

Reference Architecture

Page 25

Roadmap

Page 26

Questions?

John F. Bauer III

[email protected]

http://midwestitsurvival.com

http://twitter.com/jfbauer