CA Technologies Strategy and Vision for Cloud Identity and Access Management

Transcription

1 WHITE PAPER CLOUD IDENTITY AND ACCESS MANAGEMENT CA TECHNOLOGIES STRATEGY AND VISION FEBRUARY 2013 CA Technologies Strategy and Vision for Cloud Identity and Access Management Sumner Blount Merritt Maxim CA Security Management agility made possible

2 Table of Contents Executive Summary 3 Section 1: 4 Embrace the Hybrid Cloud Securely Section 2: 5 Security Challenges of the Cloud Section 3: 5 Three Perspectives on Cloud Security Section 4: 9 CA Technologies Strategy for Cloud Security Section 5: 14 Conclusions Section 6: 15 About the Authors 2

3 Executive Summary Challenge Cloud computing introduces new security challenges for both consumers and providers of cloud services across all types of IT environments. Organizations are seeking to extend existing investments in identity and access management (IAM) solutions to support cloud services and maintain interoperability between cloud and on-premise identity-based systems. A hybrid IAM solution empowers organizations to migrate to the cloud at a pace that meets their requirements to reduce operational costs and enhance agility. Cloud service providers also face ongoing security challenges relating to their existing and new cloud services, including securing virtualized multi-tenant environments and how to maintain the security and integrity of tenant data. Note: Identity and access management (IAM) is the set of processes and the supporting infrastructure for the creation, management, and use of digital identities and enforcement of access policies. Opportunity Cloud computing offers significant potential economic and operational efficiencies. However, these efficiencies are often accompanied with new regulatory requirements around the security of applications and data that are stored in the cloud. The CA Technologies vision and strategy for cloud-based identity services enable organizations and service providers to: Securely provision to, and access, cloud-based services and on-premise apps Choose the IAM deployment option (on-premise, hybrid, or cloud) that meets their unique organizational and security needs Simplify the management of IAM services across both on-premise and cloud deployments The cloud also provides opportunities for organizations which may have previously viewed IAM as out of reach because of perceived complexity or lack of appropriate internal skillsets. 3

4 Benefits CA CloudMinder offers cloud security solutions that enable organizations to access cloud IAM services and enterprise resources securely and from a centralized consistent interface. CA CloudMinder services enable organizations to centrally control users identities and their access to both SaaS services and on-premise applications in a hybrid environment. This helps organizations utilize the cloud with confidence and adopt a best-of-breed approach that relies on existing onpremise apps and SaaS services, while helping to reduce the cost of security administration. These services enable organizations of all types and sizes to realize efficiency gains while still protecting their critical digital resources, regardless of whether those resources are on-premise or in the cloud. This can result in: Reduced security risk for all systems, applications, and information Reduced administrative expenses and improved efficiency Improved IT agility through flexible deployment options across on-premise and cloud environments Ability to move to the cloud on a comfortable schedule Section 1: Embrace the Hybrid Cloud Securely Introduction CA Technologies has been an active leader in the IAM market for over a decade as part of our overarching strategy to help organizations govern, manage, and secure IT. We have continually expanded our IAM solutions to address a growing set of use cases that organizations face on a daily basis, and to incorporate new and evolving technologies. The cloud is a disruptive, business-driven IT model created in response to the economic realities and mounting pressures to reduce operating costs and increase efficiency, while improving overall business agility. It introduces new (yet familiar) models for consumption and delivery of applications that have a democratizing effect: applications and other IT services that were once only available to companies with large IT shops are now accessible to all. The cloud is the new opportunity leveler, providing the same capabilities to both large and small organizations. A hybrid cloud approach is one that enables organizations to continue to use on-premise IAM solutions while beginning to implement security in the cloud, and have the flexibility to move to the cloud on their own schedule, instead of being forced to adopt an all or nothing approach. One thing that is clear is that identity, and the management and controls dependent on it, are absolutely central to the secure adoption of cloud services. The goal of this paper is to provide the reader with an overview of the CA Technologies CloudMinder strategy and vision for identity and access management. 4

5 Section 2: Security Challenges of the Cloud As organizations increase their consumption of cloud services, they re becoming more concerned with how they can effectively secure their information and services in the cloud especially since they have limited direct control or visibility over them while remaining obligated to meet data protection legal and regulatory requirements. At the same time, cloud service providers (CSPs) are working to earn the trust of cloud consumers so that they can host increasingly sensitive applications and information. And, some specialized CSPs are looking into delivering security services from the cloud. Whether an organization is looking to provide or consume cloud services, security and control requirements must be addressed. This is true whether those cloud services are complete applications (SaaS), built on hosted application development and deployment services (PaaS) or are focused on basic IT infrastructure as a service (IaaS). Sensitive information and applications will be migrated at least in part to cloud services; the question is whether the cloud will be ready from a security and control perspective. So what needs to happen to make the cloud ready? First, cloud providers and consumers need to recognize that security is an issue and commit to collaborating on solutions. Second, IT professionals need to demonstrate through preparation, actions and investments that acquiring cloud services without such solutions in place is both unwise and unnecessary. Third, CSPs that desire to handle more sensitive workloads and data need to invest in putting greater security control and visibility into the hands of their cloud consumers. Finally, all participants must recognize that cloud security is inherently a joint effort between the cloud consumer and the CSP and that security controls, whether preventive or detective, need to operate reliably without a gap between the players. Section 3: Three Perspectives on Cloud Security TO THE CLOUD Extending IAM services such as provisioning and federated single sign-on to the cloud From the perspective of cloud-consuming organizations many of which already have hundreds of deployed, on-premise applications cloud-based services are implemented in addition to, rather than in place of, existing applications. Security and audit professionals at these organizations are challenged to extend consistent existing security systems and practices which may have continually evolved and improved over the years to encompass their cloud services, whether they are SaaS-, PaaS- or IaaS-based. An example of this would be an organization s extending identity management to the cloud by leveraging the established user identity, authentication and provisioning processes of their on- 5

6 premise applications. In this instance, access to cloud services can be managed as part of existing security systems and processes, thus helping to satisfy relevant security and compliance requirements. Another common use case is providing universal single sign-on (SSO) to cloud services and existing on-premise applications. In this scenario, the organization owns the application and identity and is merely looking to simplify the user experience. For users, the benefits are clear-no more need to remember lots of passwords for different sites, and a single seamless experience across application environments. And in cases where there are elevated concerns around accessing sensitive data in the cloud, organizations can layer strong two-factor authentication as an added security control. The common theme with these examples is that cloud security controls and processes can be implemented by extending existing enterprise systems and processes to the cloud. This approach depends on cloud consumers and providers being able to easily integrate their security systems with one another, normally through standard protocols. Fortunately, multiple well-vetted security standards exist that enable this type of cross-domain security interoperability, such as SAML, WS-Security, XACML, SCIM and more. The following illustrates extending IAM services to the cloud through user provisioning and SSO: Figure A. TO THE CLOUD Extending IAM services such as provisioning and federated single sign-on to the cloud. 6

7 FOR THE CLOUD - Providing privileged user management and data protection for cloud-based services If CSPs want to earn the level of trust required by potential cloud-consuming organizations to handle their most sensitive applications and data, they need to have the most effective and up-to-date security controls in place. For example, they must have sufficient control over application and data access for regular and privileged users as well as adequate control processes for user management, authentication, authorization, logging, reporting, delegated administration and more. Privileged users in the service provider s datacenter are an especially high risk area because they often have complete access to your critical applications and information. Granular access entitlements must be available that help ensure that Admins can perform only those actions that they need to based on their role, and only on appropriate systems. In addition, all privileged users must be uniquely identified and not use shared accounts, in order to reduce risk and simplify compliance audits. Furthermore, CSPs must be able to prove the existence and operation of these controls to both customers and external auditors in order to establish compliance with relevant policies and regulations. On top of that, CSPs security systems and processes must be open and interoperable via standards to the security systems of their cloud-consuming customers. A robust and comprehensive identity and access management platform is necessary to provide the level of security and automation that this requirement demands. When the CSP has deployed these core IAM capabilities, the security and privacy of clients key applications and data is significantly improved, and therefore the compliance profile of the client is also enhanced. The client may live and die by the reputation for security controls that they can establish with their own customer base, so a robust IAM platform in the CSP environment (similar to an on-premise IAM platform) can help enhance that image. The following highlights the key identity capabilities that cloud service providers will need to help ensure the security of their environments: Figure B. FOR THE CLOUD - Providing privileged user management and data protection for cloud-based services. 7

8 FROM THE CLOUD - Delivering a suite of cloud-based identity and access management services to suit the changing needs of your business from the cloud The emergence of the cloud is revolutionizing all aspects of IT service delivery. Organizations are now rationalizing their entire portfolio of IT applications, deciding which are core differentiators and value creators, and which are commodities that are better provided by suppliers. Security systems and processes are not immune to this reevaluation. In fact, it could be argued that many organizations are not particularly adept at providing their own security. And while good security is important to earning customer and partner trust, security in and of itself is not always a key business differentiator. Thus, there are many compelling business reasons to look to the cloud for the delivery of security services. Identity services from the cloud are particularly compelling. They can provide robust security services that can communicate with on-premise IAM services and identity stores, so as to present a unified, consistent set of security services to the application user or administrator. And, by moving various IAM capabilities to the cloud, enterprises can gain the often significant efficiency and agility benefits that a hybrid approach can provide. Another quickly emerging use case involving cloud-based identity services is around social media and marketing. The explosion of services such as Facebook now means that some organizations can utilize those existing third-party identities for accessing their cloud services. The benefit to the business is that they can utilize their existing trusted identities to develop deeper understanding and analytics of their end users, while the benefit to the end user is a simplified user experience especially around the account creation and registration process. The following highlights the importance of cloud-based identity services, and the flexibility and agility that can be achieved by this deployment model: Figure C. FROM THE CLOUD - Delivering a suite of cloud-based identity and access management services to suit the changing needs of your business from the cloud. 8

9 Although the two previous use case examples are important, this deployment model is the one that many organizations will find the most compelling, even though it requires careful planning and a staged implementation. It is also the model that enables organizations to take best advantage of the cloud s many operational benefits. Section 4: CA Technologies Strategy for Cloud Security Introduction Organizations of all sizes and types must now deal with several significant IT issues including: 1. Pressure to keep IT operating budgets in check Today, IT organizations face flat (or shrinking) budgets, but with an increasing demand for IT security services. As a result, organizations are interested in cloud-based services for things like identity and access management. These cloud IAM services can provide better predictability around budget issues by reducing hardware expenses and moving to more manageable per user utility based pricing. 2. Maintaining appropriate security over increasingly distributed environments In today s world with the need for more and more cooperation between companies, partners and customers, companies are looking to extend their resources to other groups of users outside their company. CA CloudMinder can allow them to simplify the process of getting access to and leveraging the validated identities of others, while still maintaining control. 3. Extending IAM to large new external user communities (B2B/B2C) With the exponential growth in Web-based marketing, organizations that want to grow revenue and reach new markets need to extend their reach to massively large user communities. The cost of managing these identities internally is very high. With cloud-based identity services, this becomes more cost effective, easily scalable, greatly simplifying the IT infrastructure and allowing support for new business models and initiatives. 4. Leveraging third-party identities through social login Social media marketing is becoming a standard marketing practice. The ability to consume and utilize identities issued by other trusted social media identity providers like Facebook, Google, LinkedIn, and others allows the business to direct their customers with seamless single sign-on into their marketing sites, register and track them and leverage the information available by their identity provider. This results in increased customer relationship management. 5. Reducing IT risk While organizations see the benefits of cloud services, they are equally concerned about the security of using a cloud service and are looking for ways that they can maintain the consistent security between on-premise and cloud environments. Therefore, they are looking for cloud services that can deliver consistent security for identities and access for on-premise and cloud environments without unnecessarily increasing risk. 9

10 These issues are driving many IT organizations to adopt cloud-based services. But, one major inhibitor of more widespread cloud adoption is concern about the security of applications and information that reside in the cloud. Because of these concerns, customers are adopting cloud services in a phased approach in order to limit risk and help ensure the success of their cloud initiatives. Over time, they will continue to move more applications to the cloud. As IAM becomes available as a service, it must be able to support the security requirements of both cloud and on-premise applications in order to allow customers to gradually and gracefully adopt cloud models over time. One solution approach will not fit all needs. In summary, organizations are adopting cloud models gradually and with caution. They need to be able to access comprehensive identity services, running either on-premise or in the cloud, in order to protect applications running either on-premise or in the cloud. Because of their phased deployment requirements, flexibility in their choice of IAM capabilities and in their choice of deployment options are essential. CA CloudMinder is an IAM cloud platform that organizations can utilize for identity services regardless of whether the services, or the applications being protected, are deployed on-premise or in the cloud. Ultimately, enterprises will be able to choose whether their identity components are running on-premise, or in the cloud, or in a hybrid configuration. And, regardless of where it is deployed, this solution can control access to either on-premise or cloud-based applications. These capabilities enable organizations to have very high flexibility in their deployment options, which leads to improved business agility. The goal of CA CloudMinder is to provide the identity services that organizations need, regardless of whether the services, or the applications being protected, are deployed on-premise or in the cloud. Ultimately, customers will be able to choose whether their identity components are running onpremise, or in the cloud, or in a hybrid configuration. And, regardless of where it is deployed, our solution will be able to control access to either on-premise or cloud-based applications. The CA CloudMinder strategy is to offer very high flexibility to our customers in terms of the IAM components they can choose, and how they access identity services. They can adopt cloud-based IAM services according to their own needs and timetables. They can start with a completely on-premise solution, and then migrate certain components to the cloud, operating in a hybrid manner, as their needs and security considerations dictate. 10

11 CA CloudMinder an Overview CA CloudMinder is a suite of IAM solutions that are delivered as hosted, cloud services. These services are based on CA Technologies existing portfolio of market-leading IAM security solutions and can be deployed individually or together in a modular fashion. The following illustrates the CA CloudMinder approach, and shows how it enables both access to cloud services from on-premise solutions, or identity services deployed in the cloud. CA CloudMinder services enable organizations to centrally control users identities and their access for both SaaS services and on-premise applications. This helps organizations utilize the cloud with confidence and adopt a best-of-breed approach that relies on existing on-premise apps and SaaS services, while helping to reduce the cost of security administration. CA CloudMinder delivers five major operational benefits: 1. Accelerated On-Boarding Process: on-boarding new customers to your service should take just minutes, accelerating your implementation and speeding adoption. 11

12 2. Increased Usage: reliable, seamless SSO access to your service accelerates adoption and usage, translating to a broader service footprint and higher renewal rates. 3. Predictable TCO: with a flat-rate pricing model, you keep your cost of ownership low and predictable. 4. High-Performance: SaaS operates at the speed of cloud, so cloud identity and access management must ensure high-availability, multi-tenant architecture and secure SAML-based SSO to enable performance. 5. Increased Usage: reliable, seamless SSO access to your service accelerates adoption and usage, translating to a broader service footprint and higher renewal rates. CA CloudMinder currently consists of the following distinct services: Advanced Authentication CA CloudMinder Advanced Authentication provides a centralized versatile authentication service which consolidates the management of authentication methods across heterogeneous IT environments. This service provides support for a broad range of authentication methods including password, security Q&A, one-time password via SMS/ and OATH tokens. In addition, it offers unique two-factor authentication credentials that are more cost effective and user friendly than traditional methods. The Advanced Authentication capabilities also include soft tokens that provide greater security over the familiar hard tokens, without all the management hassles and expense of continually re-licensing these tokens. Software tokens provide the same user experience as passwords, while providing significantly greater security for user authentications, at a lower TCO. In addition to strong authentication, the capability to detect and prevent potential fraudulent activities on the part of users is also important to reducing overall security risk. The risk of online identity fraud continues to grow with attackers often targeting identity credentials and using them to access sensitive systems. CA CloudMinder Advanced Authentication also includes a cloud-based fraud detection and prevention service based on our on-premise solution, CA RiskMinder. This capability provides protection against online fraud by monitoring online access attempts and calculating a risk score based on a broad set of variables. The risk score can then be used to determine whether to allow access or initiate additional action; the risk score is also shared with other CA CloudMinder components, like CA CloudMinder Single Sign-On. CA CloudMinder Advanced Authentication thereby provides an effective way to improve the security of user authentication while maintaining a convenient experience for users. Identity Management The growth in users, and systems for which they require access, is leading to a growth in digital identities that needs to be managed. The management of identities throughout their lifecycle includes multiple aspects including account creation, identity-proofing, assignment of access rights, fielding access requests and managing related identity attributes. Organizations require a solution which allows them to centrally aggregate and control identities for use across the IT and cloud environment. 12

13 CA CloudMinder Identity Management includes three critical capabilities for managing users across on-premise and cloud environments. User Management provides cloud-based identity management capabilities including user self-service, profile creation, password reset and distribution of forgotten user names. Provisioning automates the process of adding, modifying and deleting user accounts, including user attributes and role associations which can be used to assign privileges on target systems. Provisioning to popular SaaS applications such as Google Apps, SalesForce.com, and others are supported both from CA CloudMinder and from our on-premise provisioning solution, CA IdentityMinder. Access Request Management provides the capability for users to submit access requests online. The cloud service can then route requests through workflow approvals based on defined policies and, where appropriate, provision the user to those systems automatically. Single Sign-On Business boundaries are quickly expanding beyond the IT domains directly controlled by your organization as users regularly need to access partner applications or those hosted in the cloud. Many of these sites are secured, requiring proper credentials and authentication, yet users do not want to be burdened with managing separate sets of credentials for disparate applications. The ultimate experience is a seamless single sign-on experience regardless of who actually owns the application. CA CloudMinder Single Sign-On provides cross-domain federated single sign-on for both identity and service providers, through federation of identities across partner sites. Once users have properly authenticated, their credentials and related attributes will be securely shared to enable authentication to partner sites without requiring user action. CA CloudMinder Single Sign-On provides pre-tested application support for many common SAML applications and also provides support for a wide range of identity federation standards, including SAML 1.1 as well as 2.0, WS-Fed 1.2, OpenID 2.0, OAuth 2.0 and WS-Trust 1.4. In addition, CloudMinder support for standards like OpenID allows consumers to use their existing social identity to easily access your websites and applications in a simple and secure way. This streamlines the user experience but also enables organizations to track consumer identities and potentially even reduce the increasing costs of customer acquisition. It also provides Just-in-Time (JIT) Provisioning that allows a user who does not have an account on a specific application to have account creation and SSO into that application via a single seamless step. This includes leveraging a user s association to a given group or role to assign them certain privileges on target systems. CA Cloud Security looking to the future The overall CA Technologies strategy for CA CloudMinder is to provide flexibility in how our customers access and deploy identity services, and how they transition from their current environment. To that end, we will continue to offer additional identity services as both on-premise and cloud-based services. These additional cloud services would include, for example, access governance and privileged user management, among others. In this way, we will be able to provide organizations and managed service providers with very high flexibility in how they deploy critical identity services. The business agility that results from this flexibility can enable you to more effectively leverage the efficiency benefits of cloud services, while also improving your overall security posture. 13

14 Section 5: Conclusions Leveraging enterprise security services from the cloud can deliver many important benefits to your organization, including: Elasticity The identity services your organization needs can be expanded, or contracted, based on your current needs. In addition, cloud licensing models mean you only pay for what you use. Low cost of entry The cloud-based model can eliminate the need for you to procure hardware, facilities and other costly IT infrastructure that is often needed to support enterprise security solutions. Quick time-to-value The ability to get up and running with cloud-based security applications quickly gives you the business agility you need to effectively respond to changing competitive or market events Low cost of ownership Ongoing solution support and maintenance is handled by trusted service providers allowing you to focus your resources on initiatives that differentiate your business. The elasticity provided by this cloud model also allows you to maintain a cost that accurately reflects your usage of the service. Shorter deployment cycles Installation and configuration of the software solution s underlying cloud services has already been taken care of by service providers, meaning you can sign up for and implement services quickly and easily. CA Technologies has a clear and innovative strategy and vision for providing identity services for the cloud to our customers, based on the CA CloudMinder suite of solutions. CA CloudMinder gives you the flexibility to securely adopt cloud computing on your own schedule, according to your own needs. With CA Cloudminder, customers can leverage CA Technologies proven IAM capabilities to securely extend IAM services to new large external user communities that support your rapidly evolving business requirements for cloud services as well as existing on-premise applications while reducing the total cost of ownership. This gives organizations maximum flexibility and enables them to support new emerging business models in exponentially growing user communities in a cost effective and predictable manner while allowing them to focus on their core business. We empower you to securely and confidently adopt IAM in the cloud with a choice of capabilities and deployment models. 14

15 Section 6: About the Authors Sumner Blount has been associated with the development and marketing of software products for over 25 years. He has managed the large computer operating system development group at Digital Equipment and Prime Computer, and managed the Distributed Computing Product Management Group at Digital. More recently, he has held a number of product management positions, including product manager for the SiteMinder product family at Netegrity. He is currently focusing on security and compliance solutions at CA Technologies. Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and OpenPages. In his current role at CA Technologies, Merritt handles product marketing for the CA Technologies identity management and cloud security initiatives. The co-author of Wireless Security Merritt blogs on a variety of IT security topics, and can be followed at Merritt received his BA cum laude from Colgate University and his MBA from the MIT Sloan School of Management. Agility Made Possible: The CA Technologies Advantage CA Technologies (NASDAQ: CA) provides IT management solutions that help customers manage and secure complex IT environments to support agile business services. Organizations leverage CA Technologies software and SaaS solutions to accelerate innovation, transform infrastructure and secure data and identities, from the data center to the cloud. CA Technologies is committed to ensuring our customers achieve their desired outcomes and expected business value through the use of our technology. To learn more about our customer success programs, visit ca.com/ customer-success. For more information about CA Technologies go to ca.com. Copyright 2013 CA. All rights reserved. Windows Server and Active Directory are registered trademarks or trademarks of Microsoft Corporation in the United States and/ or other countries. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document as is without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this document nor any software product referenced herein serves as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, standard, policy, administrative order, executive order, and so on (collectively, Laws )) referenced herein or any contract obligations with any third parties. You should consult with competent legal counsel regarding any such Laws or contract obligations. CS3516_0213