IBM Software Solution Brief

Tivoli

IBM Tivoli Access Management for cloud and SOA environments
Enabling secure access to new service delivery platforms

Highlights

● Improve security by knowing who is connecting to on- and off-premise services
● Increase business flexibility by reducing the complexity of adding new services
● Facilitate compliance by enabling end-to-end auditing of user access

Organizations today are continually seeking new ways to deliver applications and services efficiently and cost effectively. Many are already using Web services or service-oriented architecture (SOA) implementations to provide access to on-premise and off-premise applications, while increasing numbers are exploring cloud computing as a delivery platform. These alternatives to traditional IT infrastructures can help reduce IT and application development costs, increase opportunities for collaboration, and drive business growth. At the same time, however, they can create new vulnerabilities, exposing access to applications and services beyond traditional organizational boundaries. Organizations therefore require more than traditional IT security to manage and protect access to these applications and services.

IBM Tivoli® Access Management solutions are designed to enable secure access to applications and services in nontraditional delivery platforms such as cloud and SOA deployments. They specifically provide capabilities that are essential to:

● Secure access to on- and off-premise deployments of applications and services by reducing the risk of inconsistent security policies.
● Manage user access in SOA deployments where the introduction of Web services is transforming the IT environment.
● Secure access to hybrid cloud deployments, in which organizations leverage the benefits of the cloud while still protecting sensitive information that may be at risk.
Secure access to on- and off-premise deployments

Many public sector organizations—particularly those engaged heavily in customer services—increasingly interact, collaborate and exchange data with other organizations in order to deliver services efficiently and cost effectively. For example, in the scenario illustrated below, a government revenue agency needs to be able to engage and exchange information with trusted partners such as providers of tax preparation services, as well as with entities such as credit score service companies. In this scenario, numerous internal and external users will require access to both on-premise and off-premise applications, in environments including Software as a Service deployments and cloud computing.

Figure: Securing access to on- and off-premise applications and services. Elements shown: Government Revenue Agency (On-premise / Private Cloud, running a Tax Form Application on a Dynamic Infrastructure); Trusted Partner / Hybrid Cloud (Tax Preparation Service); Public Cloud (Credit Score Service). The connections between them are labelled Federated Identity, Security Events and Data Entitlements. Caption: Collaboration requires secure user access to on-premise and off-premise applications by internal and external users.

The key to securing access to both on- and off-premise applications and services in this scenario is to build on the existing identity and access management infrastructure and use it to support a scalable and highly available solution for secure access to transformed resources. Additional requirements for the existing infrastructure include federated access control and data entitlement management. These enable organizations to establish the user’s identity and the organizational trust necessary to achieve secure collaboration. For example, in the diagram above, the credit score service provider operating in the public cloud has to be certain that the party requesting information really is the government revenue agency or tax preparer they claim to be, as opposed to a hacker seeking unauthorized access to the information in an individual’s credit history.

Federated access control and data entitlement management also reduce the risk of inconsistent access to on- and off-premise applications and services. In particular, federated access control simplifies the process of integrating ever-increasing amounts of information contained in different security domains and facilitates secure access to applications in on- and off-premise deployments. Data entitlement management provides a centralized approach to managing and enforcing security policies to control access to data and applications. When multiple applications and services are being deployed, this alternative provides significant benefits over implementing distinct security policies to control access to each one separately.
Secure access in SOA and Web services deployments

Many organizations are implementing SOA to transform their IT and application environments and deploy large numbers of Web services to support business needs. For example, utility companies that install smart meters on customers’ premises are introducing more Web services into their technology environments. One of the advantages of installing smart meters is more efficient, lower-cost operations, because the smart meters can send customer usage data directly to the utility company’s SOA-based IT environment—rather than requiring their employees to physically go out and read the meters. Because the meters use Web service interfaces to transmit this data, those Web services must be secured within the SOA environment.

Web services can be secured by offering security as an operational service that can be consumed directly by the applications and services within the architecture. The key is to take a policy-based approach that incorporates security management capabilities and runtime security services that can be integrated easily within existing SOA components such as the XML firewall, enterprise service bus (ESB), and service registries and repositories. Effective security policy management must include message protection and fine-grained entitlement management capabilities for strengthening data security by centrally administering and enforcing permissions and data-level controls within applications and services.

Enabling security as a service for SOA environments can help utility companies and other organizations that provide services to reduce deployment costs as they roll out new services, by reducing the complexity of securely bringing new services online.

Secure hybrid cloud and SaaS deployments

Throughout the consumer and public sectors, cloud computing is proving a flexible and cost-effective means of delivering IT services over the Internet. Cloud resources can be rapidly deployed and easily scaled, with applications and services provisioned on demand, regardless of user location. This brings benefits such as the ability to increase service delivery efficiencies, streamline IT management, and align IT services with business requirements. But for many organizations, these benefits are perceived to have an associated cost and risk: the challenge of security. In addition to the usual challenges of developing secure IT systems, cloud computing can add risk because essential services are often externalized in the cloud model. In a hybrid cloud model, an organization could engage a cloud provider to host their services while maintaining ownership of the data. This requires a high level of trust in the providers and how they bring security to the organization’s critical data.

There are several types of clouds, and not all of them have the same security requirements. Clouds can be private, in which the cloud is owned by a single organization, or public, in which the cloud is available to anyone with Internet access. The categories of service delivered in cloud models include Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Many organizations elect to combine the private and public models to form a hybrid cloud to meet specific business and technology requirements.
Figure: Addressing security requirements for different clouds. Layers shown, top to bottom: Software as a Service (SaaS): Collaboration (Federation), CRM/ERP/HR, Security Enabled Business Processes, Industry Applications; Platform as a Service (PaaS): Web 2.0 Application Runtime (Security), Java Runtime, Security as Runtime, Middleware, Database, Development Tooling; Infrastructure as a Service (IaaS): Servers, Data Center Fabric, Security (IAM and SIEM), Security as Service, Networking, Storage. Caption: Different types of clouds may have different security requirements.

With the SaaS deployment, most of the responsibility for security management lies with the cloud provider, who can take advantage of a number of ways to control access, including user identity management. The PaaS deployment allows the organization that is employing the cloud to assume more responsibility for managing the security of middleware, database software and application runtime environments. The IaaS deployment transfers even more control to the organization. In a hybrid environment, organizations can leverage the benefits of these models without the security risk inherent in a public deployment.

The key to securing these cloud-based services is leveraging an end-to-end security strategy that brings together the identity and access management foundation (including data entitlement management capabilities) that exists within the organization and the federated access control and runtime security services that are deployed in the cloud. To do this successfully requires having data center network and virtualization security in place so that migration of applications and services to the cloud is inherently secure.
Security plays two key roles in cloud deployments: to enable organizations to establish secure cloud-based service deployments, and to offer security as a service in the cloud to support new applications that are being built for cloud deployment. The practical security solution for hybrid cloud computing is a defense in depth approach that addresses both the ability to use powerful internal security capabilities as a basis for extending into cloud computing and the ability to use security as a service to easily run access federation, entitlements management and other security runtime enforcement capabilities directly in the cloud.

Enhance security with IBM Tivoli Access Management for cloud and SOA

IBM security solutions provide key capabilities required in the identity and access management infrastructure to secure access for cloud and SOA environments, including the following offerings.

IBM Tivoli Federated Identity Manager provides federated single sign-on (SSO) techniques to secure user access to on- and off-premise applications and services and simplify application, SaaS and cloud-based services integration using multiple forms of user credentials. It facilitates secure information sharing between trusted partners, and it incorporates an identity mediation service to manage, map and propagate user identities without having to manage them in the cloud. It supports broad consumer and user-centric federation functionality and provides identity awareness and auditable access across SOA and Web services deployments.

IBM Tivoli Security Policy Manager is a powerful data and application entitlement management solution that equips organizations with centralized security policy management and distributed policy enforcement across cloud-based services. Data entitlement management makes it possible to manage and enforce data security policies associated with different services and applications, rather than having to deal with multiple policies that all have product-specific definitions. With the rapid deployment of Web services, this capability helps reduce the time and cost to manage security policies and also reduces the risk of deploying inconsistent access control policies and providing unintended access to sensitive data.

IBM WebSphere® DataPower® SOA Appliances are connectivity and XML firewall devices that can help secure and accelerate your SOA and Web services transformation. By providing on-demand integration as part of the SOA infrastructure, WebSphere DataPower SOA Appliances represent one of the few non-disruptive technologies for application optimization and integration. Tivoli Access Management solutions for SOA environments are designed specifically to integrate out of the box with WebSphere DataPower SOA Appliances and support centralized SSO, user session management, and consistent security policy management to help demonstrate compliance.

IBM Security Virtual Server Protection for VMware is an essential component of the underlying infrastructure on which to build secure cloud deployments for services delivery. By delivering integrated and optimized security for virtualized data centers, Virtual Server Protection for VMware helps ensure that the virtualized environment itself is secure when applications and services are moved out into the cloud.
For more information

To learn more about IBM security solutions for cloud and SOA environments, please contact your IBM sales representative or IBM Business Partner, or visit ibm.com/tivoli/security

Identity and access management services

IBM Identity and Access Management Services can help you design, implement, deploy and maintain an integrated identity management system. Such a system can standardize access management across platforms for users, devices, applications and business processes, as well as physical security points such as biometric, smart-card and badge readers.

Additionally, financing solutions from IBM Global Financing can enable effective cash management, protection from technology obsolescence, improved total cost of ownership and return on investment. Also, our Global Asset Recovery Services help address environmental concerns with new, more energy-efficient solutions. For more information on IBM Global Financing, visit: ibm.com/financing

© Copyright IBM Corporation 2010

IBM Corporation Software Group
Route 100
Somers, NY 10589
U.S.A.

Produced in the United States of America
March 2010
All Rights Reserved

IBM, the IBM logo, ibm.com, and Tivoli are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Other company, product and service names may be trademarks or service marks of others.
References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates.

No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation.

Product data has been reviewed for accuracy as of the date of initial
publication. Product data is subject to change without notice. Any
statements regarding IBM’s future direction and intent are subject
to change or withdrawal without notice, and represent goals and
objectives only.

THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED “AS IS” WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.
IBM products are warranted according to the terms and conditions of
the agreements (e.g. IBM Customer Agreement, Statement of Limited
Warranty, International Program License Agreement, etc.) under which
they are provided.

The customer is responsible for ensuring compliance with legal
requirements. It is the customer’s sole responsibility to obtain advice of
competent legal counsel as to the identification and interpretation of any
relevant laws and regulatory requirements that may affect the customer’s
business and any actions the customer may need to take to comply with
such laws. IBM does not provide legal advice or represent or warrant that
its services or products will ensure that the customer is in compliance
with any law or regulation.

TIS14053-USEN-00