Identity and Access Management Reference Architecture for Cloud Computing

jfbauer 12,485 views 26 slides Oct 31, 2011

About This Presentation

This presentation will outline a comprehensive reference architecture for meeting the secure access and provisioning demands of outsourcing business and technology processes to “the cloud”. The attendee will walk away with a more solid understanding of what identity and access management challe...


Slide Content

Identity and Access Management
Reference Architecture
for Cloud Computing
John F. Bauer III
[email protected]

BIO
Page 2
John F. Bauer III
– Over 20 years of Information Technology and Security delivery experience.
– Currently the Enterprise Security Architect for Key Bank. Previous leadership positions at: British Petroleum, Cliffs Natural Resources, MTD Products, National City/PNC Bank.
– Spoken previously on the topic of Information Security at: CA World, Oracle Open World, Digital ID World, NACHA Security conferences.
– Computer Science degree and MBA from Case Western Reserve University’s Weatherhead School of Management
– Adjunct Professor on Network Security at Cuyahoga Community College
– Author: Blog – http://MidwestITSurvival.com

Quote
"Computing may someday be organized as a public utility just as the telephone system is a public utility," Professor John McCarthy said at MIT's centennial celebration in 1961. "Each subscriber needs to pay only for the capacity he actually uses, but he has access to all programming languages characteristic of a very large system ... Certain subscribers might offer service to other subscribers ... The computer utility could become the basis of a new and important industry."
Page 3
[Photo: Carl B. Stokes Public Utilities Building, Cleveland, Ohio, USA. Completed: 1971]

Agenda
 The Hype has Legs, Real Usage of “the Cloud” Growing (SaaS)
 Need for a Comprehensive IAM Architecture as Part of Secure SaaS Success
 Business and Technology Architecture
   User Access and Directories
   Provisioning
   Procurement, HR and Legal
   SSO and Federation
   Authorization
 IAM Reference Architecture
 Architecture Framework Investment Roadmap
NOTE: All the content of this presentation is the opinion of the author and not the author's past or current employers.
Page 4

Moving to the Cloud
Page 5

Moving to the Cloud
Forrester, The Software Market in … 2011
http://www.gartner.com/it/page.jsp?id=1438813
Source: Ismael Chang Ghalimi, http://itredux.com/2009/10/11/defining-cloud-computing-for-business-users/
Page 6

Cloud Econ 101
The lower total operating costs afforded by cloud SaaS offerings resonate with IT and business leaders.
Booz Allen Senior Associate Gwen Morton and Associate Ted Alford compared the life cycle cost to run 1,000 servers in a managed environment in-house, through a cloud offering from a commercial provider, from a centralized in-house cloud, and in a hybrid of a public and private cloud.
Source: Booz Allen, http://www.boozallen.com/insights/insight-detail/42656904
Page 7

Cloud IAM – There still is Time
Page 8

IAM Cloud Strategy Needed
Business Architecture
 Procurement
 Legal
 Human Resources
Technology Architecture
 Access
 Directory
 Provisioning
 Federation
 Authorization
Page 9

Business Architecture - Procurement
With just a credit card, any business user can start using SalesForce.com for $15 a month per user without IT involvement.
Source: http://www.salesforce.com/crm/editions-pricing.jsp
“What?!?! The sales department signed up for a SaaS CRM service last month?”
Page 10

Business Architecture - Procurement
 Get plugged into your procurement life-cycle
 Get buy-in to participate in the SaaS selection process
 Provide RFI/RFP questions around IAM for SaaS
Source: http://indirectpurchasing.com/lifecycle.html
Page 11

Business Architecture - Legal
 Educate legal on the need for IAM language in SaaS contracts
 Get buy-in that IAM language reduces risk and drives down costs
 Assist with default MSA and other template language
Page 12

Business Architecture - HR
 Educate HR on how employees using SaaS affects them
 Get HR buy-in that SaaS provisioning needs IT participation
Do SaaS roles match HR job codes?
Do employees get de-provisioned in SaaS when terminated in the HR platform?
Page 13

IAM Cloud Strategy Needed
Business Architecture
 Procurement
 Legal
 Human Resources
Technology Architecture
 Access
 Directory
 Provisioning
 Federation
 Authorization
Page 14

Technology Architecture - Directory
 Identify a “central” directory for linking user groups to SaaS
 LDAP-capable technology will integrate most easily with access platforms
Page 15

Technology Architecture - Access
 Shift to “externalized access thinking”
 Invest in access control products
 Consider vendor products that offer both web access management as well as federation capabilities
 Integrate externalized access technology with your “centralized” directory
Page 16

Technology Architecture - Provisioning
 Shift to centralized provisioning thinking
 Identify systems of record by user relationship
 Invest in enterprise provisioning products
Page 17

Technology Architecture - Federation
Invest in a Federation solution:
“Federated Identity Management amounts to having a common set of policies, practices and protocols in place to manage the identity and trust into IT users and devices across organizations”
Source: Wikipedia, http://en.wikipedia.org/wiki/Federated_Identity_Management
Page 18

Technology Architecture - Federation
Federation approach is driven by your partner relationships
Page 19

Technology Architecture - Federation
Page 20

Technology Architecture - Provisioning
Federation needs users provisioned in SaaS platforms:
… but consider extending your identity federation exchange
Established Standard {heavy weight, complex}
Emerging Standard {light weight, unproven}
Page 21

Technology Architecture - Provisioning
… with “Just in Time” provisioning
During the federation exchange, populate attributes with provisioning details.

    <!-- SAML 2.0 AttributeStatement carrying the provisioning details.
         The saml namespace is declared once on the enclosing element
         so that every child element is well-formed. -->
    <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <!-- display name for the account to be created in the SaaS platform -->
      <saml:Attribute Name="Fullname">
        <saml:AttributeValue>John F. Bauer III</saml:AttributeValue>
      </saml:Attribute>
      <!-- application role the SaaS platform should assign on first login -->
      <saml:Attribute Name="AppRole">
        <saml:AttributeValue>Manager2</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>

Page 22
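The service-provider side of the exchange above, as an added example that is not from the presentation: it reads the Fullname and AppRole attributes from a constructed AttributeStatement and builds the just-in-time account request, refusing to provision when the name is missing or the role is not on an allow-list. The ROLE_MAP values are hypothetical, and the statement is assumed to come from an assertion whose signature the federation layer has already validated.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical mapping from the SaaS "AppRole" attribute value to an internal
# entitlement. Only listed roles may be provisioned; anything else is rejected.
ROLE_MAP = {"Manager2": "crm.manager", "Rep1": "crm.sales-rep"}

# Constructed sample AttributeStatement, modelled on the slide's fragment.
# It is assumed to come from an assertion whose signature has ALREADY been
# validated by the federation layer; this code does not verify signatures.
SAMPLE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="Fullname">
    <saml:AttributeValue>John F. Bauer III</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="AppRole">
    <saml:AttributeValue>Manager2</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def extract_attributes(xml_text):
    """Return {Name: [values...]} for every saml:Attribute in the statement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def jit_provisioning_request(xml_text):
    """Build the account-creation request, or raise if the assertion is unusable."""
    attrs = extract_attributes(xml_text)
    fullname = attrs.get("Fullname", [])
    roles = attrs.get("AppRole", [])
    if len(fullname) != 1 or not fullname[0]:
        raise ValueError("exactly one non-empty Fullname attribute required")
    if not roles:
        raise ValueError("AppRole attribute missing; refusing to provision")
    unknown = [r for r in roles if r not in ROLE_MAP]
    if unknown:
        raise ValueError(f"unknown AppRole value(s): {unknown}")
    return {"display_name": fullname[0],
            "entitlements": sorted(ROLE_MAP[r] for r in roles)}
```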

Technology Architecture - Authorization
Shift to “externalized authorization thinking”
[Figure: Vendors; Established Standard]
Page 23

Reference Architecture
Page 24

Roadmap
Page 25

Questions?
John F. Bauer III
[email protected]
http://midwestitsurvival.com
http://twitter.com/jfbauer
Page 26