IDAM in the Cloud. March 11, 2015; Gunnar Peterson

Transcription

1 IDAM in the Cloud March 11, 2015; Gunnar Peterson

2 Session Overview What identity protection can be safely handled in the cloud and what functions still need to be on-premise? How to choose a CSP based on their security controls Know your identity stack Audit requirements and necessary disclosures IANS Research Client & IANS Confidential. 2

3 OWASP Top Ten and Identity IANS Research Client & IANS Confidential. 3

4 Enterprise and the Cloud IANS Research Client & IANS Confidential. 4

5 Secure the Channel Credit: Douglas Purdy IANS Research Client & IANS Confidential. 5

6 What Do We Want Out of Cloud Security Tokens? This Slide Can Not be Shown this is not an Error IANS Research Client & IANS Confidential. 6

7 Two Basic Token Operations Issue Based on an input, issue a token Username/Password -> OAM cookie Kerberos ticket -> SAML token Canadian tire $$ -> New bicycle Validate Check if the token is: Signed Issued by a trusted authority Not expired Intended for the right audience Issue Validate Token IANS Research Client & IANS Confidential. 7

8 First Mile Last Mile Integration First Mile Integrating the authentication service with the security token service Last Mile Integrating the data from the incoming token into the target application Arctec Group IANS Research Client & IANS Confidential. 8

9 Security Protocols in Context IANS Research Client & IANS Confidential. 9

10 Cookie Hygiene Review your session identifiers Expiration policy Secure flag secure HttpOnly Scope domain and path Only send over TLS/SSL IANS Research Client & IANS Confidential. 10

11 TLS/SSL Review your TLS/SSL do not take it for granted Review all versions of protocols and ciphers Limit to only TLS/SSL at all times Build detailed checklist Conduct ongoing testing More info at: SSL Labs IANS Research Client & IANS Confidential. 11

12 Audit Logging Domain Model IANS Research Client & IANS Confidential. 12

13 Audit Logging Domain Model Event observer Collects and records information based on policy Amount and type of information collected based on policy Collects sufficient information and context, example, time and timezone based on policy and event types Output is directed based on configuration Often utilized at chokepoints IANS Research Client & IANS Confidential. 13

14 Audit Logging Domain Model Log Analyzer Reads log data from log source Discriminates based on event types May pull in additional context May perform correlation IANS Research Client & IANS Confidential. 14

15 Audit Logging Domain Model Notifier Used to inform log analyst Facilitates response activities IANS Research Client & IANS Confidential. 15

16 Audit Logging Domain Model Sanitizer Logs often contain sensitive information; the log sanitizer filters or otherwise alters data Can use anonymous and pseudonymous modes Anonymizer Deletes or alters data so the recipient or originator cannot be identified Pseudonymizer Deletes or alters data so the log administrator can perform correlation, such as for demographic purposes IANS Research Client & IANS Confidential. 16

17 Audit Logging Domain Model Browser Review log events Utilized by analyst May use information from: Logger (view raw source) Analyzer (event types) Notifier (event lifecycle) Sanitizer (modes) IANS Research Client & IANS Confidential. 17

18 IDAM Checklist Look for flexibility and standards Federate Rely on enterprise automated provisioning Policy management tools on CSP side Full identity stack including: Session identifiers Tokens Network protocols Accountability and monitoring IANS Research Client & IANS Confidential. 18

19 Questions? Gunnar Peterson Blog: IANS Research Client & IANS Confidential. 19

20 Join Us Next Time Exploring the Dark Side of IoT Apr. 8, 2015 Register: Best Practices in Securing Hybrid Clouds May 13, 2015 Register: IANS Research Client & IANS Confidential. 20

21 Upcoming Forums Toronto March 17-18: Sold out Register for waitlist New York March 25-26: Sold out Register for waitlist Dallas May 6-7: Sold out Register for waitlist Washington, D.C. May 13-14: Register San Francisco May 27-28: Register Minneapolis June 16-17: Register IANS Research Client & IANS Confidential. 21