Identity and Access Management

Transcription

1 Identity and Access Management Prospettiva di un Software vendor Marco Venuti Compliance Sales Lead - Novell EMEA marco.venuti@novell.com

2 Identity and Access Management Agenda Il Mercato della Sicurezza Logica Produttori - Chi fa cosa Consumatori Chi compra cosa e perche Soluzioni di Sicurezza Logica Identity Management Access Management Event Management Implicazioni del trend verso il Cloud Conclusioni 2 Novell Inc. All rights reserved

3 Making the Connection Il Perchè dell'identity Management IDENTIFY MANAGE MANAGE SECURE

4 Novell at a Glance Countries Years of Experience Partners Million in Revenue Employees Inventions Billion in Cash Customers 4

5 IT Landscape Mixed IT Environments Consulting, Systems Integration Vendors Application Vendors Systems Software Vendors Novell Hardware Vendors 5

6 IT Landscape Mixed IT Environments Consulting, Systems Integration Vendors ACN CAP Atos Solution Providers Application Vendors Systems Software Vendors Hardware Vendors EMC Sun HP SAP Novell Dell Lenovo MS Oracle Hitachi Fujitsu NEC IBM 6

7 IT Landscape Mixed IT Environments Infrastructure Software Stack Consulting, Systems Integration Vendors Application Server Middleware Application Vendors Security Systems Software Vendors Hardware Vendors Novell Systems Management Database Operating Systems 7

8 Novell - Your Needs, Our Capabilities Data Center End-User Computing Identity and Security 8

9 Sicurezza Di cosa ci occupiamo oggi? GESTISCI CHI CONOSCI DIFENDITI DA CHI NON CONOSCI 9

10 Security & Identity Italia Finance & Telco Large Enterprise Public Sector Medium Enterprise Camera dei Deputati 10 Agosto 2008

11 Shrinking Budgets, Growing Concerns Governance Privacy Security Transparency Risks Compliance 11 Novell Inc. All rights reserved

12 Risk Management The set of policies, procedures, practices and organizational structures to proactively manage the risks that the organization is exposed to Kuppinger Cole - A GRC Reference Architecture

13 Compliance The set of policies, procedures, practices and organizational structures to assure the organization behaves according to the laws and regulations it is exposed to Kuppinger Cole - A GRC Reference Architecture

14 Compliance and Risk Management In-success case Vodafone Turkey Sept

15 Greek Watergate Vodafone.gr 2005: - wiretapping of more then 100 Vodafone mobile phone belonging to government members - Identity of the perpetrator never discovered for various reason: - Uncertain identity of admin users on production systems - Lack of details on the activities performed - Too many candidates (employees, IBM, Ericcson) 15

16 Growing Risk, Growing Regulations PCI-DSS Gramm-Leach-Bliley Basel II Sarbanes-Oxley FISMA Privacy Act Solvency II HIPAA 16

17 Market Conditions Compliance Costs are Rising GRC Spending Breakdown $12,640 $12,549 $13,126 Head Count $7,336 $8,945 $9,357 Services Technology $9,881 $10,568 $11, Source: The Governance, Risk Management, and Compliance Spending Report, : Inside the $32B GRC Market AMR Research

18 Normative e requisiti IT Cosa bisogna fare o verificare Regulation Mandating Organization IT Control Requirements (Security) Affected Companies Sarbanes-Oxley US Securities and Exchange Commission (SEC) CobiT framework--authentication, access controls, user account management, credential lifecycle management, nonrepudiation and audit controls Companies publicly traded on US exchanges 21 CFR Part 11 US Food and Drug Administration (FDA) Authentication, access controls, data integrity controls, audit controls, encryption and digital signatures Companies regulated by FDA (i.e. pharmaceuticals) Basel II Basel Committee on Banking Supervision FFIEC framework--access rights administration, authentication, network access, operating system access, application access, remote access, logging and data collection Global financial service organizations 95/46/EC Data Protection Directive European Union (EU) Measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access Companies conducting business in EU member nations 18

19 Problemi Tipici 1.Unidentified or unresolved segregation of duties issues 2.Insecure access controls in O/S supporting applications or portal 3.Insecure access controls in database supporting applications 4.Development staff can run business transactions in production 5.Large number of users with access to super user" status 6.Former employees or consultants still have access 7.Posting periods not restricted within GL application 8.Custom programs, tables & interfaces are not secured 9.Procedures for manual processes non-existent or not followed 10.System documentation does not match actual proces Source: Ken Vander Wal, Partner, National Quality Leader, E&YISACA Sarbanes Conference, 4/6/04 19

20 Problemi Tipici Top Three secondo Deloitte Inability to certify that the right people have the right access to sensitive information Inability to track who is logged into sensitive accounts Inability to track the activities of people who do have access to sensitive information or accounts 20

21 Identity & Access Management In Sintesi: Collegare Persone a Risorse Per ciascuna Persona: Una sola identità Per ciascuna Risorsa: Chi può fare cosa? Come può accedere? Quando/cosa ha acceduto? 21

22 DoITT NYC.ID Executive Overview November, Prepared by Dept. of Information Technology & Telecommunication

23 The Identity Management Problem LAN ID Remote Access App A App B App C Jberry Esiegel Jrowland Mfriedel Sbenson Thanks Jwayne Tcarrol Sharris Bwhite Ddailey Eheiden Lball Hwiggins Cjohnson r_patel Mthomas Browland Mprehn Bbanks Lsulley Lbitmore Ltimble Aboyle Bcoldwel Dparis Clriot Etear Smackay Mturner Mmclain Mcpasch Jpasch rakeshp Tdean Jtorville Cdean Nreagan Rnixon A49320 A39943 A49454 A93934 A39485 A49382 A48382 A49382 A39485 A29483 A49583 A49382 A49302 A42845 A20184 A49284 A49248 A50824 A42948 A49274 Cooperl Tinleyj Harrisd patelr Rowlandr Bensons Quinleys Harminb Travolta Francek Lipperd Skatee Marinoe Flamingo Russiak Crowd Pazzaz Daoudc Louf Peizerat Frenetc Smileys Entrald Novacho Alvarag Narlersh Woodst Nicklausj Hoganb Palmera Dimarcoc Perryk Beards cw33 Fusar RP738 Margaglio Lithowan Vanagas Lightes Sequensh Welchj Pettyr Robertsj Julianr Nantpre Enaget Jhancock Clayton Johnh Woo Hanwayv Composi Initalialy rpatel Stickler Bourne Fusar Margoliao Navka Koskoma Hackinsa Rakesh Patel AD- r_patel Exchange- rakeshp Remote Access- A Application A- patelr Application B- RP738 Application C- rpatel Today Silos of identity information in multiple directories and applications Multiple user names the result? Confusing and inconsistent identity data Bottom line No way to create a single view of all an individual's access privileges 23 Prepared by Dept. of Information Technology & Telecommunication

24 The Identity Management Problem Agency 1 Agency 2 Agency 3 The problem is compounded consider number of agencies Many users have access to resources in multiple agencies The result? Further account proliferation and identity management complexity 24 Prepared by Dept. of Information Technology & Telecommunication

25 The Identity Management Solution LAN ID Remote Access App A App B App C Jberry Esiegel Jrowland Mfriedel Sbenson Thanks Jwayne Tcarrol Sharris Bwhite Ddailey Eheiden Lball Hwiggins Cjohnson r_patel Mthomas Browland Mprehn Bbanks Lsulley Lbitmore Ltimble Aboyle Bcoldwel Dparis Clriot Etear Smackay Mturner Mmclain Mcpasch Jpasch rakeshp Tdean Jtorville Cdean Nreagan Rnixon A49320 A39943 A49454 A93934 A39485 A49382 A48382 A49382 A39485 A29483 A49583 A49382 A49302 A42845 A20184 A49284 A49248 A50824 A42948 A49274 Cooperl Tinleyj Harrisd patelr Rowlandr Bensons Quinleys Harminb Travolta Francek Lipperd Skatee Marinoe Flamingo Russiak Crowd Pazzaz Daoudc Louf Peizerat Frenetc Smileys Entrald Novacho Alvarag Narlersh Woodst Nicklausj Hoganb Palmera Dimarcoc Perryk Beards cw33 Fusar RP738 Margaglio Lithowan Vanagas Lightes Sequensh Welchj Pettyr Robertsj Julianr Nantpre Enaget Jhancock Clayton Johnh Woo Hanwayv Composi Initalialy rpatel Stickler Bourne Fusar Margoliao Navka Koskoma Hackinsa Rakesh Patel AD- r_patel Exchange- rakeshp Remote Access- A Application A- patelr Application B- RP738 Application C- rpatel 25 Identity Management links a user in these identity silos together Identity Management creates a platform for standardizing username and synchronizing passwords Identity Management creates a way to create a single view of all an individual's access privileges Prepared by Dept. of Information Technology & Telecommunication

26 Identity Strategy Long-Term goals for the City Unique Identity for any individual, regardless of their relationship with city, e.g. Employee, Consultant, Vendor, Resident, Business Partner, Permit Holder, etc. Automated Provisioning and De-Provisioning Centralized Authentication Registration of Identities Provide self-registration for non-employees Reduced / Single Sign-On Policies and Standards - Enforce policy Improve Auditing and Reporting 26 Prepared by Dept. of Information Technology & Telecommunication

27 Available NYC.ID Service Offerings Password Self Service Automated De-Provisioning Application Integration Desktop Single-Sign-On 27 Prepared by Dept. of Information Technology & Telecommunication

28 Service Offering Password Self Service Provides a web-based password self-service solution for entire NYC.ID internal user population Reduce help desk calls Supplements agencybased desktop password self service features 28 Prepared by Dept. of Information Technology & Telecommunication

29 Service Offering Automated De-provisioning Automatically disable accounts in NYC.ID and agency directories upon HR employee separation Reduce administrative workload Catch employee separation events reliably Enforce agency-specific business and technical termination processes 29 Prepared by Dept. of Information Technology & Telecommunication

30 Conclusion (by Novell) Higher efficiency Improved quality of service for citizens Supporting the city marketing strategy 30 Prepared by Dept. of Information Technology & Telecommunication

31 Identity Identity Access And ans Security Security Management Management Prospettiva Architetturale Solutions 31

32 Identity and Security Framework

33 General Architecture Users JAVA > Term Servr CSO LDAP AD, edirectory, OpenLDAP, etc. ERP / DB SAP, SQLServ, Oracle, DB/2, etc. HOST RACF, ACF/2, AS400, etc. COLLAB Exchange, Notes, Groupwise, etc. I T 33

34 General Architecture Metadirectory Users JAVA > Term Servr CSO LDAP AD, edirectory, OpenLDAP, etc. ERP / DB SAP, SQLServ, Oracle, DB/2, etc. HOST RACF, ACF/2, AS400, etc. COLLAB Exchange, Notes, Groupwise, etc. Metadirectory & Password Sync I T 34

35 User Provisioning General Architecture Metadirectory + Provisioning = Identity Management Users JAVA > Term Servr CSO LDAP AD, edirectory, OpenLDAP, etc. ERP / DB SAP, SQLServ, Oracle, DB/2, etc. HOST RACF, ACF/2, AS400, etc. COLLAB Exchange, Notes, Groupwise, etc. Metadirectory & Password Sync I T 35

36 Identity Management Lifecycle 36

37 ... Identity Management features Administer my resources or workgroup PeopleSoft Notes Search / browse users or resources Identity and provisioning environment Windows Server Databases Request access to resources Approved Identity Vault Mainframes Recover forgotten password Self-administration BMC Remedy Novell Identity Manager delivers: User Provisioning and Deprovisioning Identity Integration / Password Management Delegated Administration / Self Service Automated workflows Avaya PBX LDAP Directories 37

38 Indentity Management Drivers out of the box 38 As of: Mar '09

39 Novell Identity Manager Balancing provisioning mechanism Roles Rules Approvals 39

40 Identity Manager Unified End-User Console 40

41 User Provisioning General Architecture Metadirectory + Provisioning = Identity Management Users JAVA > Term Servr CSO LDAP AD, edirectory, OpenLDAP, etc. ERP / DB SAP, SQLServ, Oracle, DB/2, etc. HOST RACF, ACF/2, AS400, etc. COLLAB Exchange, Notes, Groupwise, etc. Metadirectory & Password Sync I T 41

42 User Provisioning General Architecture Identity Management + SSO Users Access Management & Single Sign On JAVA > Term Servr CSO LDAP AD, edirectory, OpenLDAP, etc. ERP / DB SAP, SQLServ, Oracle, DB/2, etc. HOST RACF, ACF/2, AS400, etc. COLLAB Exchange, Notes, Groupwise, etc. Metadirectory & Password Sync I T 42

43 L'Utente e i Servizi Oggi L'utente accede a più servizi dello stesso ente http App. 1 Network Authent https Su ogni servizio deve ri-autenticarsi Se si usa la smart card ogni applicazione deve essere abilitata per l'autenticazione via certificato Il controllo accessi è delegato ad ogni singola applicazione Per gli utenti interni: nessun riuso dell'autenticazione di rete App. n AD/eDir/LDAP 43

44 L'Utente e i Servizi SSO tra servizi Intra-azienda L'utente accede a più servizi dello stesso ente e beneficia del Single Sign On http(s) Access Manager http(s) App. 1 L'utente si autentica una sola volta L'utente può acconsentire al passaggio automatico di informazioni sulla sua identità tra le applicazioni = evita ri-digitazioni Per gli utenti interni posso riusare l'autenticazione di rete ed evitare così qualsiasi riautenticazione Posso verificare centralmente i diritti di accesso alle singole URL sulla base del profilo utente Network Authent ldap App. n AD/eDir/LDAP Se si usa la Smart card o altri metodi non è necessario modifcare le applicazioni, l'autenticazione è gestita dal AM server e passata alle applicazioni in modo tradizionale 44

45 Access Manager Overview Agentless Integration of existing applications Identity Server Identity Store 1 45 Access Gateway Web server configured Web server configured to accept header-based to accept header-based or form-based or form-based authentication authentication

46 Access Manager Overview Agentless Integration of existing applications 2 1 Identity Server Identity Store 1. User Accesses protected resource 2. User is redirected to Identity Server and is presented with an http login form requesting their username and password 3. The Identity Server verifies the username and password against the Identity Store 4. Once the user's identity is validated, the Access Gateway retrieves the user's common name and password 5. The Access Gateway injects the username and password into the authentication header or form and allows access to the encrypted Web content Access Gateway Web server configured to accept header-based or form-based authentication 46

47 L'Utente e i Servizi Federazione dei servizi Inter-azienda L'utente accede a più servizi Federati di enti distinti (o di divisioni distinte di una stessa azienda) http(s) Access Manager http(s) App. 1 L'utente può scegliere se avere SSO tra le applicazioni = si autentica una sola volta L'utente può acconsentire al passaggio automatico di informazioni sulla sua identità tra le applicazioni di enti distinti = evita ri-digitazioni L'utente percepisce una integrazione tra i servizi di enti distinti Le aziende devono concordare i contenuti usando standard SAML o essere Liberty Alliance compatibili Network Authent ldap Novell o altro SAML/Liberty Federation Server App. n AD/eDir/LDAP App. 1 App. n 47

48 IAM in contesto multi-azienda Identity Federation L'identity Federation permette all'utente di: non doversi ricordare userame/password distinte nel passaggio tra siti federati evitare di ridigitare informazioni sulla sua identità più volte L'utente ha un passaporto virtuale valido per i siti federati Vuoi federare? il tuo account X con Y? Se accetti verrano passati ad Y i seguenti dati: nome, cognome... Vuoi Federarti Si/No? 48

49 Liberty Alliance Board and Sponsor members Sponsor Members Management Board Members Feb. '06 49

50 SECURITY SECURITY SECURITY Governemnt of Hong Kong Contesto Oltre 100 Uffici/Dipartimenti - indpendenti nelle scelte IT Circa utenti In-land Revenue Department Officer KenS - xxx In-land Revenue Dep. Treasury Department Officer BellS - yyy Treasury Dep. Police Department Policemen zzz I n t r a n e t Police Dep. 50 Requisiti Single Sign On per gli utenti che usano app di più dipartimenti/uffici Evitare la presenza di un repositori centrale a favore di uno per ogni dipartimento Evitare l'obbligo di unanimità della scelta tecnologica

51 SECURITY infr. SECURITY INFRASTRUCTURE Governemnt of Hong Kong Soluzione Sistema federato di autenticazione. Una singolo logon valido per tutti i servizi autonomia dei singoli Dipartimenti nella gestione delle utenze autonomia dei Dipartimenti nella scelta della soluzione tecnologica (purchè conforme allo standard SAML) In-land Revenue Department Officer SmithK - yyy In-land Revenue Dep. Treasury Department Officer ScottB - xxx Treasury Dep. Police Department Policemen JeffW - xxx I n t r a n e t Police Dep. 51

52 Federated Provisioning Star Alliance Use Case Example 52

53 User Provisioning General Architecture Identity Management + SSO Users Access Management & Single Sign On JAVA > Term Servr CSO LDAP AD, edirectory, OpenLDAP, etc. ERP / DB SAP, SQLServ, Oracle, DB/2, etc. HOST RACF, ACF/2, AS400, etc. COLLAB Exchange, Notes, Groupwise, etc. Metadirectory & Password Sync I T 53

54 Event Management User Provisioning General Architecture Identity Management + SSO + Security Information Event Management Users Access Management & Single Sign On JAVA > Term Servr CSO LDAP AD, edirectory, OpenLDAP, etc. ERP / DB SAP, SQLServ, Oracle, DB/2, etc. HOST RACF, ACF/2, AS400, etc. COLLAB Exchange, Notes, Groupwise, etc. Metadirectory & Password Sync I T 54

55 The Problem To many data 55

56 SIEM Typical needs addressed Low visibility on current state: dashboard and KPI production difficult an imprecise Unstructured resolution process: same problem different path each time Slow reactivity to critical events due to lack of real time detection and proactive remediation systems High cost of compliance audit preparation because of high amount of manual work and hight data source number 56

57 SIEM solution RACF ACF 2 Top Secret 57

58 SIEM Logical Architecture Dashboard Policy Compliance Forensic Reporting KPI Security Datawarehouse Datamart Muldimensional Historical DB Event Management Collect Filter Normalize Taxonomy Correlation Monitoring Allarms Incident Management Real time statistics Event Analysis Router I.D.S Firewall 58 Content Filtering Infrastr. IAM Applications IT Infrastucture Database Vulnerability Scanner Proxy Unix system Windows systems Mainframe

59 Log Management vs. SIEM Log Management is sometimes referred to as Security Information Management or SIM Security Event Management or SEM is focused on real-time monitoring, alerting, incident response SEM Event correlation Robust alerts Incident response Dashboards Data enrichment Filtering Data collection Ad-hoc query alerts Reports Log Management Compression Forensics Data integrity Unknown log support Data retention Raw log forwarding 59

60 Log Management Long term storage of event in original format for forensic purposes Compression Signing Google like Search 60

61 Log Retention Compliance requirements differ per industry and regulation Some are concrete, others vague All require some retention Regulation Retention Requirement PCI SOX HIPAA GLBA/FFIEC* NERC/FERC* FISMA* Basel II* 1 year 7 years 6 years 6 years 3 years 3 years 7 years 61 Novell Inc. All rights reserved

62 Log Manager Data Storage and Archiving 62

63 Log Manager Reporting and Search 63

64 Seamless Search Search UI Online Storage Compressed Offline Storage (SAN or NAS) 64

65 Security Event Management Event flow analysis for violation detection and real time remediation or containment Correlation Event enrichment with business data Automatic firing of countermeasure (tech or process) Business Relevance 65

66 Novell Sentinel Automates Monitoring and Reporting of IT Controls Collect and consolidate feeds from multi-vendor sensors Normalize logs from across the enterprise seamlessly Monitor & Correlate and analyse for control violations in real time Respond to violations. incident mgt tied to existing workflows Report on the effectiveness of the control environment Firewalls Identity Mgmt Real-time View of Event Logs Manage incidents Databases IDS Routers AntiVirus Webservers Aggregate - Normalize - Correlate - Respond - Report 66

67 Correlation: IDS Events (1) Traditional signature-based IDS produces alerts These can be sent to a log management system, central IDS console, or SIEM. [**] [1:1807:10] WEB-MISC Chunked-Encoding transfer attempt [**] [Classification: Web Application Attack] [Priority: 1] 01/20-14:20: :3602 -> a.b.c.d:80 TCP TTL:128 TOS:0x0 ID:35630 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0xBFF2387E Ack: 0x9D37BACD Win: 0xFAF0 TcpLen: 20 [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**] [Classification: Web Application Attack] [Priority: 1] 01/20-15:39: :3602 -> a.b.c.d:80 TCP TTL:128 TOS:0x0 ID:35630 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0xBFF2387E Ack: 0x9D37BACD Win: 0xFAF0 TcpLen: 20 These alerts may be in a proprietary format False positives are common as well 67 Novell Inc. All rights reserved

68 Correlation: Vulnerability Assessments (1) Scan results from Nessus and other tools can provide large quantities of data Unfocused scans are often less useful Too much data is just as bad as too little! 68 Novell Inc. All rights reserved

69 Sentinel Themes Baseline and Trending 69

70 IT Controls Monitoring Log Management + Security Event Management Business Relevance 70

71 Identity Identity Access And ans Security Security Management Management Prospettiva Architetturale Solutions 71

72 Novell Sentinel Architecture 72

73 Pre-defined Collectors Novell Products Access Manager Audit edirectory Identity Manager Netware NMAS SecretStore SecureLogin SUSE Linux Firewalls CISCO PIX Check Point NGX Juniper Netscreen Symantec Intrusion Prevention ISS Proventia Juniper IDP McAfee Entercept McAfee IntruShield Symantec ManHunt Configuration Management Tripwire Enterprise Tripwire for Servers Intrusion Detection (network-based) CISCO SIDS Enterasys Dragon ISS SiteProtector Juniper Netscreen NFR Sentivist Snort Sourcefire Defense Center Incident Management BMC Remedy HP Service Desk Authentication RSA SecurID Policy Monitoring McAfee epolicy Orchestrator TippingPoint SMS Intrusion Detection (host-based) ISS RealSecure McAfee Entercept/HIDS Symantec Intruder Alert Vulnerability Assessment eeye Retina Foundstone Enterprise ISS Proventia ncircle IP360 Qualys QualysGuard Rapid7 NeXpose Tenable Nessus Operating Systems Hewlett-Packard HP-UX IBM AIX Microsoft Windows NT Microsoft Windows 2000/3 Microsoft Windows XP Sun Solaris 8/9/10 Sun Trusted Solaris/BSM Red Hat Linux SUSE Linux 9/10 Mainframe/Midrange ACF2, RACF, Top Secret AS/400 HP NonStop z/os Anti-Virus McAfee VirusScan Symantec AntiVirus Trend Micro VirusWall Web Servers/Proxy Apache Blue Coat Microsoft IIS Microsoft Proxy Directory Services LDAP (standard) Microsoft Active Directory Novell edirectory Routers & Switches Cisco all Juniper M-series Nortel all VPN CISCO Juniper Nortel Databases Microsoft SQL 2000/2005 MySQL Oracle 9i/10g Miscellaneous Cisco ACS Intersect Alliance Snare Nmap 73 Novell, Novell Inc, Inc. Confidential All rights reserved. & Proprietary As of 10/07

74 Identity And Security Management Prospettiva...e il Cloud Architetturale Computing 74

75 L'Enterprise si estende nel Cloud Internal Data Center COMPLIANCE & SECURITY Business Service Management IT Service Management Existing Internal Capacity 75

76 L'Enterprise si estende nel Cloud Internal Cloud (On-Premise) COMPLIANCE & SECURITY Business Service Management Business Service Management IT Service Management IT Service Management Existing Internal Capacity Virtualized Internal Capacity 76 Firewall

77 L'Enterprise si estende nel Cloud Internal Cloud (On-Premise) External Cloud (Off-Premise) COMPLIANCE & SECURITY Business Service Management Business Service Management Business Service Management Software as a Service IT Service Management IT Service Management IT Service Management Platform as a Service Existing Internal Capacity Virtualized Internal Capacity New External Capacity Infrastructure as a Service 77 Firewall

78 Creating IT Administration Nightmare User data/ permissions User data/ permissions User data/ permissions User data/ permissions Enterprise Challenge IT Department Multiple Username/ passwords Users Apps User data/ permissions Multiple identity silos Disparate administration tools 78 Challenge in timely Directoryde-provisioning User data/ accounts Systems/ of ex-employees permissions tools Novell Inc, Confidential & Proprietary

79 Quali Preoccupazioni / Challenge per i Clienti che si indirizzano verso Cloud Serv? Source: Tier 1 research Cloud Infrastructure Services Managed Hosters based on poll of top 50 managed hosters in US and Europe 79 Proprietary & Confidential

80 Cloud Security Service (CSS) NCSS is a Web-based identity and access solution that enables an enterprise to manage a multi-saas environment and enforce its policies, roles and workflows in the cloud. User Identity and Roles Enterprise with any credentials system Simplified Single Sign-on Enterprise-directed Provisioning/Deprovisioning Leveraging Enterprise-defined Identities & Roles Security Montioring/Compliance Reporting Inspecting WRT Specific Tenants Cloud vendor with NCSS Compliance Events 80

81 How Does NCSS Work? Enterprise User Store User Store NCS Secure Bridge Novell Cloud Security Services IdP AuthN Service 2 SAML 1, SAML 2, WS-Fed Relying Party Participant SaaS Application 1 User User Access 3 Authentication SaaS Resources 1 NCSS handles both use cases: A user directly logging into a cloud service or user logging into their enterprise system first. 81

82 Cloud Security Service Cloud Security Service is a Web-based security service that makes SaaS more secure and manageable. It gives enterprises the ability to: - Manage user access to applications and data hosted in the cloud - Break down trust-related adoption barriers to SaaS by providing: - Single sign-on (SSO) - Provisioning/deprovisioning - Service access and consolidated reporting - Automated rules for user account management and audit reporting Extends on-premise identity infrastructure, policies, roles and workflow compliance enforcement to the cloud. 82

83 Identity and Security Framework

84 Identity and Security Questions? 84