Identity and Access Management & The Cloud, conflicting or collaborating? NetIQ - All Rights Reserved

Transcription

1 Identity and Access Management & The Cloud, conflicting or collaborating? NetIQ - All Rights Reserved

2 Agenda The cloud (re)defined Identity & Access Management infrastructures Conflicts Collaboration: products tips & tricks 2

3 The Cloud

4 What is the Cloud Wikipedia: Cloud computing refers to the delivery of computing and storage capacity as a service to a heterogeneous community of end-recipients. The name comes from the use of clouds as an abstraction for the complex infrastructure it contains in system diagrams. Cloud computing entrusts services with a user's data, software and computation over a network.

5 What is the Cloud

6 What is the Cloud Hybrid Public Google Apps, Salesforce.com O365 HRM-CRM SaaS Windows Azure, Google App Engine IBM IT Factory Heroku PaaS Amazon EC2, Rackspace Cloud IBM Blue Private Intranet software Windows Azure Platform Appliance Storage IaaS Servers DaaS? Networks VMWare, OpenStack, KVM Idaas?

7 We're talking about Identity & Access Hybrid Public Google Apps, Salesforce.com O365 HRM-CRM SaaS Windows Azure, Google App Engine IBM IT Factory Heroku PaaS Amazon EC2, Rackspace Cloud IBM Blue Private Intranet software Windows Azure Platform Appliance Storage IaaS Servers DaaS? Networks VMWare, OpenStack, KVM Idaas?

8 Hosted Software & the Cloud Public Google Apps, Salesforce.com O365 HRM-CRM Fake Cloud Providers HRM-CRM Hybrid SaaS Private Intranet software On Premise Let's treat them equally in the eyes of IAM

9 Software services for Education Google Apps Social media Google Apps, Salesforce.com O365 HRM-CRM Cloud & Hosted! O365 ADP RAET Blackboard Osiris Magister SOMToday It's Learning Banner Procuro Infinite Campus SIS PeopleSoft AFAS...

10 Why should we go to the Cloud Flexibiliteit Cost Control Access Anywhere Scalable On demand deployment Google Apps Social media O365 ADP RAET Blackboard Osiris Magister SOMToday It's Learning Banner Procuro PeopleSoft AFAS...

11 Why should we NOT go to the Cloud Loss of control over business assets (data) Dependency Lack of audibility Lack of transparancy Compliance Fail (new dutch law!) Migration, Backup and updates Security, privacy and compliancy Lack of automated processes I(dentification)A(uthenthication) A(utorisation)A(uditing) Google Apps Social media O365 ADP RAET Blackboard Osiris Magister SOMToday It's Learning Banner Procuro PeopleSoft AFAS...

12 And what if... The cloud is down (Real vs Fake) Updates changes usability Performance is poor The Bad Boys show up Google Apps Social media O365 ADP RAET Blackboard Osiris Magister SOMToday It's Learning Banner Procuro PeopleSoft AFAS...

13 Identity & Access Management Infrastructures

14 What is in the IAM Infrastructure Authentication Authorisation Identification Governance User provisioning Information Store Single Sign On Self service Compliancy Risk Management Role based management Claim Context Based Corporate Identity Federated Identity Law's and regulation Password Synchronisation Information Consistency Attestation WorkFlow (Businessflow) Access management & control Auditing Cloud

15 And what if... System users Employees Students Federation Systems Security Vault Access Management Authentication Services Presentation Identity Vault User interfaces Identity Management Queries Provisioning Monitoring, logging, auditing Authentication, federation, SSO Services App layer Data layer Self Service Other

16 Conflicting areas

17 Warning NetIQ - All Rights Reserved

18 What we get Corporate credentials in the cloud SaaS No single sign-on or strong authentication Compliance reporting Manual process Security Cost No reporting Business user experience IT Department Business flexibility

19 What we want SaaS Single sign-on and strong authentication Compliance reporting Automated process Security Full reporting Cost Business user experience Corporate credentials secured IT Department Business flexibility

20 Requirements for Cloud Services Automated (de)provisioning (Identity Management) Identification Authentication & Authorization (Access Management) (web) Single Sign On User Self Service Auditing Monitoring

21 NetIQ Products involved l Identity Manager Drivers BlackBoard (On Premise) Google Apps O365 SOAP JDBC (Over the internet?) CSV Scripting Access Manager or Cloud Access Federation Strong Authentication Sentinel edirectory l l l l l l l l l l l l

22 Product Tips, Tricks & Pitfalls

23 edirectory

24 edirectory Scalable Edirectory (Security Vault Setup) EduRoam/VPN/Wifi l

25 IDM Drivers

26 Google Apps Driver Like AD Driver: very elaborated Easy to deploy Tip: keep all business logic local to IV; Synchronise results Alternative Scripting against interface Pitfalls Speed of development at Google Connection changes Many policies in the driver, difficult to change

27 O365 Driver Like AD Driver: very elaborated Easy to deploy Tip : keep all business logic local to IV. Synchronise results Specials with PSExecute Pitfalls Difference in On-Prem Hybrid & Cloud PSExecute limitations Hard to customize Comparison with DirSync ;-)

28 Blackboard Driver Like AD Driver: very elaborated because of Ease of Use Blackboard interface Uses special schema Tip: keep all business logic local to IV. Synchronize results Tip: Do Users, Courses & Enrollments

29 SOAP REST Driver Fall back for non dedicated drivers. Like LDAP/JDBC/CSV/Scripting etc Most commonly used for Cloud services (de)provisioning

30 Proper way to develop SOAP Driver Is a standard? No, it is a protocol specification. Examine WSDL Analyse data with SoapUI Build the Soap Output Transforms (xslt) Build the Soap Input Transforms (xslt) Build the rest of the logic No issue, no pitfalls...?!?

31 Soap output can be surprising...

32 Soap output can be surprising...

33 Soap output can be surprising...

34 Soap input can be surprising...

35 Soap input can be surprising... EventID

36 Soap input can be surprising...

37 Soap input can be surprising...

38 Soap input can be surprising...

39 Soap input can be surprising...

40 Flexibility

41 Flexibility

42 Authentication & Authorization

43 Products involved CloudAccess NetIQ Access Manager

44 CloudAccess Appliance with IDM/NAM IDP/Sentinel Had own delevopment track Great features: Mobile Apps External login Fallback for any SAML based application

45 CloudAccess Suited for CSP's or sites without NAM Focussed on Authentication en Autorisation

46 Access Manager

47 Access Manager Besides User/Browser 1 Google Apps (Service Provider) Access Manager (Identity Provider) User accesses Google Apps Google generates SAML request and redirects user to IdP. User logs into IdP and gets SAML response (assertion) User is redirected back to Google and sends SAML response Google verifies response and allows user into application

48 Access Manager

49 Access Manager

50 Access Manager Insanity: doing the same thing over and over again and expecting different results. Consensus of SAML configuration!!!

51 Access Manager l Federation configuration

52 Access Manager Like SOAP, protocol with many many implementations Compliancy to SAML Standards AuthContextClassRef, Weird implementations

53 NetIQ - All Rights Reserved

54 NetIQ - All Rights Reserved

55 This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time. Copyright 2015 NetIQ Corporation. All rights reserved. ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States.