
Identity and Access Management

Reference Architecture
for Cloud Computing
John F. Bauer III
jfbauer@jfbauer.com

BIO
John F. Bauer III

Over 20 years of Information Technology and Security delivery experience.

Currently the Enterprise Security Architect for Key Bank

Previous leadership positions at:

British Petroleum

Cliffs Natural Resources

MTD Products

National City/PNC Bank

Spoken previously on the topic of Information Security at:

CA World

Oracle Open World

Digital ID World

NACHA Security conferences

Computer Science degree and MBA from Case Western Reserve University's Weatherhead School of Management

Adjunct Professor on Network Security at Cuyahoga Community College

Author: Blog http://MidwestITSurvival.com

Page 2

Quote
"Computing may someday be organized as a public utility just as
the telephone system is a public utility," Professor John
McCarthy said at MIT's centennial celebration in 1961. "Each
subscriber needs to pay only for the capacity he actually uses,
but he has access to all programming languages
characteristic of a very large system ... Certain subscribers
might offer service to other subscribers ... The computer utility
could become the basis of a new and important industry."
Photo: Carl B. Stokes Public Utilities Building, Cleveland, Ohio, USA (completed 1971)
Page 3

Agenda

The Hype has Legs, Real Usage of the Cloud Growing (SaaS)
Need for a Comprehensive IAM Architecture as Part of Secure
SaaS Success
Business and Technology Architecture

User Access and Directories

Provisioning

Procurement, HR and Legal

SSO and Federation

Authorization

IAM Reference Architecture

Architecture Framework Investment Roadmap


NOTE: All the content of this presentation is the opinion of the author
and not the author's past or current employers.
Page 4

Moving to the Cloud

Page 5

Moving to the Cloud

Source: Ismael Chang Ghalimi http://itredux.com/2009/10/11/defining-cloud-computing-for-business-users/

Page 6

Cloud Econ 101


The lower total operating costs afforded by cloud SaaS offerings resonate with IT and business leaders.

Booz Allen Senior Associate Gwen Morton and Associate Ted Alford compared the life cycle cost to run 1,000 servers in a managed environment in-house, through a cloud offering from a commercial provider, from a centralized in-house cloud, and through a hybrid of a public and private cloud.

Source: Booz Allen, http://www.boozallen.com/insights/insight-detail/42656904

Page 7

Cloud IAM: There Still Is Time

Page 8

IAM Cloud Strategy Needed


Business Architecture

Procurement

Legal

Human Resources

Technology Architecture

Access

Directory

Provisioning

Federation

Authorization

Page 9

Business Architecture - Procurement


With just a credit card, any business user can start using SalesForce.com for $15 a month per user without IT involvement.

Source: http://www.salesforce.com/crm/editions-pricing.jsp

What?!?! The sales department signed up for a SaaS CRM service last month?

Page 10

Business Architecture - Procurement

Get plugged into your procurement lifecycle

Get buy-in to participate in the SaaS selection process

Provide RFI/RFP questions around IAM for SaaS

Source: http://indirectpurchasing.com/lifecycle.html

Page 11

Business Architecture - Legal

Educate legal on the need for IAM language in SaaS contracts

Get buy-in that IAM language reduces risk and drives down costs

Assist with default MSA and other template language
Page 12

Business Architecture - HR
Educate HR on how employees using SaaS affects them

Get HR buy-in that SaaS provisioning needs IT participation

Do employees get deprovisioned in SaaS when terminated in the HR platform?

Do SaaS roles match HR job codes?

Page 13

IAM Cloud Strategy Needed


Business Architecture

Procurement

Legal

Human Resources

Technology Architecture

Access

Directory

Provisioning

Federation

Authorization

Page 14

Technology Architecture - Directory

Identify a central directory for linking user groups to SaaS

LDAP-capable technology will integrate most easily with access platforms

Page 15

Technology Architecture - Access

Shift to externalized access thinking

Invest in access control products

Consider vendor products that offer both web access management as well as federation capabilities

Integrate externalized access technology with your centralized directory

Page 16

Technology Architecture - Provisioning

Shift to centralized provisioning thinking

Identify systems of record by user relationship

Invest in enterprise provisioning products

Page 17

Technology Architecture - Federation


Invest in a Federation solution:

"Federated Identity Management amounts to having a common set of policies, practices and protocols in place to manage the identity and trust into IT users and devices across organizations."

Source = Wikipedia, http://en.wikipedia.org/wiki/Federated_Identity_Management

Page 18

Technology Architecture - Federation


Federation approach is driven by your partner relationships

Page 19

Technology Architecture - Federation

Page 20

Technology Architecture - Provisioning


Federation needs users provisioned in SaaS platforms:

Established Standard {heavy weight, complex}

Emerging Standard {light weight, unproven}

but consider extending your identity federation exchange
Page 21

Technology Architecture - Provisioning


with Just in Time provisioning

<!-- Attribute fragment of a SAML 2.0 assertion carrying provisioning data;
     the saml prefix is declared on each Attribute so it is in scope where used -->
<saml:Attribute Name="Fullname" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeValue>John F. Bauer III</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="AppRole" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeValue>Manager2</saml:AttributeValue>
</saml:Attribute>

During the federation exchange, populate attributes with provisioning details
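As an added example (not from the slides), the service-provider side of the Just in Time step above: parse the SAML AttributeStatement, then create or update the SaaS account only when the AppRole value is one the application already knows. The sample assertion fragment, the subject name and the role mapping are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample: the AttributeStatement a SaaS provider receives from
# the enterprise identity provider during the federation exchange.
SAMPLE_ATTRIBUTE_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="Fullname">
    <saml:AttributeValue>John F. Bauer III</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="AppRole">
    <saml:AttributeValue>Manager2</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
""".strip()

# Hypothetical mapping from IdP role names to SaaS-side roles. An AppRole
# outside this table is refused instead of being created on the fly, so the
# IdP cannot mint privileges the application never defined.
KNOWN_ROLES = {"Manager2": "manager", "Analyst1": "analyst"}


def parse_attributes(xml_text):
    """Return {Name: [values...]} for every saml:Attribute in the statement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def jit_provision(user_store, subject, attrs):
    """Create or update the SaaS account for `subject` from assertion attributes.

    Returns "created" or "updated"; raises ValueError when the attributes
    do not describe a role the application knows.
    """
    roles = attrs.get("AppRole", [])
    if len(roles) != 1 or roles[0] not in KNOWN_ROLES:
        raise ValueError("AppRole missing, multivalued or unknown: %r" % roles)
    fullname = (attrs.get("Fullname") or [""])[0]
    if not fullname:
        raise ValueError("Fullname attribute missing")
    action = "updated" if subject in user_store else "created"
    # Overwrite on every login so a role change at the IdP is reflected here.
    user_store[subject] = {"fullname": fullname, "role": KNOWN_ROLES[roles[0]]}
    return action
```

Deprovisioning is not covered by this flow: a user removed at the identity provider simply stops receiving assertions, so the SaaS record stays until a separate provisioning process removes it, which is the gap the HR slide earlier in the deck asks about.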
Page 22

Technology Architecture - Authorization


Shift to externalized authorization thinking
Established Standard

Vendors

Page 23

Reference Architecture

Page 24

Roadmap

Page 25

Questions?
John F. Bauer III
jfbauer@jfbauer.com
http://midwestitsurvival.com
http://twitter.com/jfbauer

Page 26
