CliQr CloudCenter. Multi-Tenancy



Similar documents
CliQr Support and Services Overview

Application Migration & Management

CloudCenter Full Lifecycle Management. An application-defined approach to deploying and managing applications in any datacenter or cloud environment

An Overview of Samsung KNOX Active Directory-based Single Sign-On

identity as the new perimeter: securely embracing cloud, mobile and social media agility made possible

SaaS-enablement for Independent Software Vendors USE CASE

Understanding Enterprise Cloud Governance

Flexible Identity Federation

Egnyte Cloud File Server. White Paper

managing SSO with shared credentials

Protect Everything: Networks, Applications and Cloud Services

CA Federation Manager

THE BLUENOSE SECURITY FRAMEWORK

solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service?

An Overview of Samsung KNOX Active Directory and Group Policy Features

Foundations and Concepts

HP Software as a Service. Federated SSO Guide

Ensuring the Security of Your Company s Data & Identities. a best practices guide

The Jamcracker Enterprise CSB AppStore Unifying Cloud Services Delivery and Management for Enterprise IT

CA Technologies Strategy and Vision for Cloud Identity and Access Management

Securing the Cloud through Comprehensive Identity Management Solution

Secure Multi Tenancy In the Cloud. Boris Strongin VP Engineering and Co-founder, Hytrust Inc.

Dell Active System, Enabling service-centric IT, the path to the Cloud. Pavlos Kitsanelis Enterprise Solutions Lead Greece, Cyprus, Malta

Google Apps Deployment Guide

Building a SaaS Application. ReddyRaja Annareddy CTO and Founder

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

Security Services. Benefits. The CA Advantage. Overview

Intel IT Cloud 2013 and Beyond. Name Title Month, Day 2013

BSA Best Practices Webinars Role Based Access Control Sean Berry Customer Engineering

Open Data Center Alliance Usage: Identity Management Interoperability Guide rev. 1.0

SAP Business Objects Security

Leveraging Microsoft Privileged Identity Management Features for Compliance with ISO 27001, PCI, and FedRAMP

SAML-Based SSO Solution

White Paper. Cloud Native Advantage: Multi-Tenant, Shared Container PaaS. Version 1.1 (June 19, 2012)

Security Assertion Markup Language (SAML) Site Manager Setup

The governance IT needs Easy user adoption Trusted Managed File Transfer solutions

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

APPLICATION ACCESS MANAGEMENT (AAM) Augment, Offload and Consolidate Access Control

Guideline on Implementing Cloud Identity and Access Management

Zendesk SSO with Cloud Secure using MobileIron MDM Server and Okta

Moving to the Cloud: What Every CIO Should Know

TRANSITIONING ENTERPRISE CUSTOMERS TO THE CLOUD WITH PULSE SECURE

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

TECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management

B2C, B2B and B2E:! Leveraging IAM to Achieve Real Business Value

Strategies to Solve and Optimize Management of Multi-tiered Business Services

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

Manage all your Office365 users and licenses

Speeding Office 365 Implementation Using Identity-as-a-Service

CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam

EMC ViPR for On-Demand File Storage with EMC Syncplicity and EMC Isilon or EMC VNX

White Paper. What is an Identity Provider, and Why Should My Organization Become One?

CLOUD TECH SOLUTION AT INTEL INFORMATION TECHNOLOGY ICApp Platform as a Service

Enabling Storage Services in Virtualized Cloud Environments

DirX Identity V8.5. Secure and flexible Password Management. Technical Data Sheet

Citrix On-Boarding A target Cloud

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

Case Study. Microsoft Azure Cloud Migration For Idea Management Tool. Microsoft Azure.

SAML SSO Configuration

People-Focused Access Management. Software Consulting Support Services

CA Performance Center

GoodData Corporation Security White Paper

DirX Identity V8.4. Secure and flexible Password Management. Technical Data Sheet

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

The Top 5 Federated Single Sign-On Scenarios

Delivering value to the business with IAM

Identity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control

How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions

INTEGRATING CLOUD ORCHESTRATION WITH EMC SYMMETRIX VMAX CLOUD EDITION REST APIs

Securing sensitive data at Rest ProtectFile, ProtectDb and ProtectV. Nadav Elkabets Presale Consultant

Lecture 02b Cloud Computing II

SAFENET FOR SERVICE PROVIDERS. Deliver Data Protection Services that Boost Revenues and Margins

Microsoft Design Windows Server 2008 Active Directory

White Paper. Anywhere, Any Device File Access with IT in Control. Enterprise File Serving 2.0

Security for Cloud- and On Premise Deployment. Mendix App Platform Technical Whitepaper

Adobe unlocks creative velocity.

HP Virtualization Performance Viewer

Media Shuttle s Defense-in- Depth Security Strategy

CA SiteMinder SSO Agents for ERP Systems

SOLUTION BRIEF Citrix Cloud Solutions Citrix Cloud Solution for On-boarding

Identity Governance Evolution

Perceptive Experience Single Sign-On Solutions

MANAGEMENT AND ORCHESTRATION WORKFLOW AUTOMATION FOR VBLOCK INFRASTRUCTURE PLATFORMS

VMware vcloud Service Definition for a Public Cloud. Version 1.6

Building an Enterprise Hybrid Cloud with the VMware vcloud Solution

Jenkins World Tour 2015 Santa Clara, CA, September 2-3

Cloud Security Who do you trust?

Getting Started with Multitenancy SAP BI 4.1

Managing Office 365 Identities and Services

Many cloud service providers are interested in supporting resellers as tenants within their cloud.

An overview of configuring Intacct for single sign-on. To configure the Intacct application for single-sign on (an overview)

Automated Data Ingestion. Bernhard Disselhoff Enterprise Sales Engineer

Identity Management Basics. OWASP May 9, The OWASP Foundation. Derek Browne, CISSP, ISSAP

The Need for Service Catalog Design in Cloud Services Development

RightScale mycloud with Eucalyptus

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Avaya Aura System Manager

VMware Identity Manager Administration

SAML-Based SSO Solution

Transcription:

CliQr CloudCenter Multi-Tenancy

CliQr CloudCenter Multi-Tenancy and Multi-User Model Page 2 Table of Contents 1 Executive Summary...2 2 Introduction...3 3 Use Case: Application Onboarding...4 4 Use Case: Multi-Site, Multi-Pod...7 5 Use Case: Public to Private Cloud Migration...9 1 Executive Summary CliQr CloudCenter is an application-centric management platform that securely provisions infrastructure resources and deploys application components and data across more than 19 datacenter, private cloud, and public cloud environments. It offers unparalleled multi-tenant management that delivers complete isolation for peer tenants, partial isolation for parent-child tenants, and flexible sharing options for users within a tenant. With a multi-tenant solution, IT can avoid deploying multiple management tools for multiple tenants, can simplify and reduce their service delivery footprint, and can gain central governance that crosses the boundaries of applications, clouds, and users. CloudCenter delivers multi-tenant capabilities that are powerful enough for many cloud service providers that use CliQr to deliver multi-cloud services to fully isolated customers. But it also is simple enough for enterprise IT to configure a variety of deployment models to meet isolation and sharing needs of any organization, simple or complex. This paper outlines three basic multi-tenant models, highlights tenant administrator functions, and provides some basic deployment considerations.

CliQr CloudCenter Multi-Tenancy and Multi-User Model Page 3 2 Multi-Tenancy Overview CloudCenter is an application-centric cloud management platform. It is purpose-built to manage multiple applications, deployed to multiple clouds, for multiple groups of users. It supports a wide range uses for enterprise IT organizations, from simple application migration, to DevOps automation across various cloud environments, and dynamic capacity augmentation within or between clouds. And, is the foundation for a comprehensive IT as a Service strategy. To support the complexity and broad range of hybrid-cloud use cases, CloudCenter offers several multi-tenant models that give IT architects and administrators a range of options, from simple to complex, for configuring and controlling both isolation and sharing within or between groups of users. Figure 1. CloudCenter tenant isolation, partial isolation, and sharing Enterprise IT customers can easily use multi-tenant capabilities to implement powerful isolation when needed. But CloudCenter also provides easy to configure granular control over how much sharing occurs among users and groups within a tenant, and between tenants and sub tenants. A flexible mix of isolation and sharing allows IT to balance user agility with administrative visibility and control.

CliQr CloudCenter Multi-Tenancy and Multi-User Model Page 4 Powerful Isolation With CloudCenter, each tenant can be fully isolated from other peer tenants. In this way, two completely independent business units can use a single CloudCenter instance while being completely isolated from each other. Many cloud service providers already rely on CloudCenter as the backbone of their multi-cloud service delivery systems, offering shared services to multiple completely isolated customers who are tenants in a single CloudCenter deployment. From a technical perspective, an enterprise IT organization would need to enable tenancy only if the organization has more than one authentication source. But from a business perspective, there are many reasons that a company may want to enable tenancy: Multiple independent business units have independent IT departments A common central IT service is shared by multiple IT departments that also have autonomous service delivery portfolios Some groups require a custom UI with unique brand or logo Segregation of duties due to regulatory requirements Need to offer strictly isolated tenancy to ensure maximum information security This powerful tenancy capability allows CliQr customers or business groups to securely use one installation of CloudCenter to reduce costs and increase operational efficiency, while implementing various degrees of isolation or sharing. Other cloud management solutions require a separate installation for each tenant. Separate installations increase rollout and maintenance costs, reduce IT s ability to centrally deliver services, and restrict central governance and control. Flexible Sharing CloudCenter facilitates sharing within each tenant. Powerful features for sharing application profiles, application services, deployment environments, and more multiplies the speed and agility benefits of an application-centric management solution. Examples of information that can be shared within a tenant include: ( links to product documentation) Cloud accounts Deployment environments Application profiles Application services Application marketplace

CliQr CloudCenter Multi-Tenancy and Multi-User Model Page 5 Artifact repositories Tags and Rules Policies User groups provide a powerful sharing feature. Each user may belong to one or more groups, and different user groups, such dev, test, and production may be supported by a single tenant. Users within a tenant can share application profiles, images, and services to provide seamless and automated SDLC. But, as part of specific groups, users may only access specific cloud accounts, controlled by usage plans or bundles, different chargeback or showback mechanisms, and may be limited on their ability to promote deployment from test to staging to production. In addition, roles can be assigned to both users and to user groups. A role is a named collection of global privileges or permissions that relate to functions within CloudCenter. Roles can be used to govern what functionality a user can perform (for example, the ability to create application profiles or add a cloud account) and support an effective scheme for the segregation of duties. In addition to user roles, CloudCenter provides granular access control lists (ACLs) and sharing permissions to objects within CloudCenter. Sharing permissions include the ability to view a specific deployment environment, the ability to share a specific Application Profile with other users or user groups, and so on. Parent Child Partial Isolation In addition to strict isolation between peer tenants and flexible sharing within each tenant, CloudCenter offers an option for partial isolation between parent and child tenants. There are cases in which a central IT organization offers shared services, delivered either on premises or via cloud service provider, that are consumed by various business units that are otherwise independent. For otherwise independent IT departments, central IT may want to enforce OS image standards, require the use of specific artifact repositories, or have a common rules-based governance framework. In addition, IT may offer shared services that are funded by a collection of BUs. Those BUs many also have IT organizations that deliver other IT or cloud services that are separately funded. Partial isolation that is controlled via tenant parent child relationship enables these scenarios.

CliQr CloudCenter Multi-Tenancy and Multi-User Model Page 6 Parent child sharing is limited to: Cloud accounts Application services Artifact repositories Tags and Rules Policies By enforcing the separation of various tenants and offering one platform and shared governance for applications, clouds, and users, parent child partial isolation minimizes costs and optimizes efficiency. 3 Initial Set Up Considerations When CloudCenter is first installed, it is set up with one root tenant, and with one root tenant administrator who acts as the overall platform administrator. The root admin is responsible for setting up clouds, configuring initial cloud accounts, creating users, and (optionally) creating additional tenants. With the hosted delivery SaaS model, CliQr is the root tenant and serves the role of root admin. In this model, CliQr creates additional tenants for each customer who uses the SaaS version of CloudCenter. This model is also used by cloud service providers who use a single CliQr CloudCenter installation to deliver shared services to fully isolated customers. For dedicated CloudCenter installations, CliQr customers designate a root admin. As shown in Figure 2, the root admin can add multiple layers of tenants to meet the isolation and sharing requirements of an organization. Figure 2. CloudCenter s tenancy model

CliQr CloudCenter Multi-Tenancy and Multi-User Model Page 7 The root tenant can optionally create one or more peer tenants. Peer tenants might be customer organizations or business units that require tenant-level isolation and their own UI customization, cloud management, user management, application marketplace, governance models, and so on. Each tenant is assigned a tenant admin who has access to all global permissions and privileges at the tenant level. At this level, tenant administrators can create users and user groups, and can create sub-tenant organizations as isolated tenants. Sub-tenants can add their own sub-tenants. There is no limit to the number of sub tenant hierarchies that can be created. 4 Tenant Administrator Functions A root admin can create tenant organizations and assign a tenant administrator for each. When creating a tenant, the root admin can: White-label the tenant UI with a tenant logo Change the tenant UI look-and-feel (colors and fonts) Enable all or a subset of parent tenant clouds for the tenant The root admin controls the following global permissions for each tenant organization and tenant admin: Allow the tenant admin to add tenant-specific orchestrators. If this permission is not granted, tenant organizations will only access clouds through orchestrators that are set up by the platform administrator. Allow tenant admins to set up their own cloud accounts. If this permission is not granted, tenants can use only the cloud accounts that are set up and shared by their root admin. Allow the tenant admin to create and maintain a private application marketplace. Set permissions for publishing application profiles to the platform public marketplace. Tenants are treated as independent customer organizations, and tenant admins have complete independence for managing their users and user groups. Each tenant admin can perform the following user management functions: Create, deactivate or delete a user Change a user password Create and assign groups Create and assign roles

CliQr CloudCenter Multi-Tenancy and Multi-User Model Page 8 Authenticating Users within Tenants A key aspect of a multi-tenant setup is user authentication. Authentication is configured and managed at the tenant level. Each tenant can use it s own authentication scheme. CloudCenter supports SAML-based (SAML 2.0) integration with an existing user directory such as LDAP or AD. CloudCenter also supports indirect AD authentication using Single Sign-On (SSO) between the CloudCenter as a Service Provider (SP) and a customer s Identity Provider (IDP) such as ADFS. Activation Profiles offer a fast and easy way to onboard new users. Activation Profiles are predefined sets of mappings of CloudCenter groups, roles, and cloud settings to CloudCenter s Role Based Access Control (RBAC). Mappings can be created based on properties that are associated with users in an LDAP or AD server. When a directory is imported into CloudCenter, the appropriate Activation Profile is used to activate that user in CloudCenter. 5 Model 1 Single Tenant In the single tenant deployment model, the root tenant is the only tenant for all users and groups. This model is appropriate for a centralized organization that doesn t need isolation between users and user groups. In this model, shown in Figure 3, all users who log in to the system come from one SAML SSO authentication source. These users can be mapped to zero, one, or many groups. Figure 3. Single tenant with sharing between users and groups

CliQr CloudCenter Multi-Tenancy and Multi-User Model Page 9 The main benefit of deploying CliQr with the single tenant model is that all users and objects can be managed collectively. Role based access, object level sharing, and control across the tenant provide the following capabilities: Role based access control: Set access for users for specific applications Apply roles to any user or group Enforce least restrictive aggregated permissions Object-level sharing and permission control within the tenant: Set access for users to perform actions such as deploy to specific clouds. Create and share deployment environments with specific users. (A deployment environment is a specific cloud, cloud region, and cloud account combination.) Make all services available to users to model application profiles in the topology modeler Share code repositories when deploying application profiles Share application profiles with other uses Allow users to publish applications to their tenant private marketplace The disadvantage of the single tenant model is that administrators have access to every user, cloud, and governance policy. This access might not be appropriate in larger organizations that have multiple IT teams with resources that they pay for and manage independently. 6 Model 2 Peer Tenant In the peer tenant deployment model, the root tenant s only role is administering the platform. Individual tenant admins are fully responsible for configuring and supporting their own tenant environment, and delivering IT services. This model is appropriate for an enterprise IT organization that has a decentralized IT team and wants to obtain cost and operational efficiencies by using one platform for managing applications, clouds, and users. But either don t need sharing between tenants that each independently manage their own service portfolio, or they have compelling reason to prohibit sharing between tenants for reasons such as regulatory compliance. In this model, shown in Figure 4, all users who log in to the system authenticate against different SAML SSO sources. These users can be mapped to zero, one, or many groups within

CliQr CloudCenter Multi-Tenancy and Multi-User Model Page 10 their tenants. Figure 4. No sharing between independent peer tenants The main benefit of deploying CliQr with multiple peer tenants is that one platform can be used for managing applications, clouds, and users, but each tenant can be managed independently as a completely separate entity. Role based access control and object level sharing are restricted to users within each tenant and provide the following capabilities: Role based access control: Limit user access to specific application profiles within the tenant Apply unique roles to any user or group within the tenant Enforce least restrictive aggregated permissions Object-level sharing and permission control No object level sharing and permissions between tenants 7 Model 3 Multiple Tenants With Sub-Tenants The multiple tenants with sub-tenants deployment model is a mix of the benefits of the other two. With this model, the root tenant may be either just platform admin, or may administer shared services. This model supports a shared service approach where one central IT group may offer shared services to other sub tenants. Those sub tenants also have the flexibility to offer additional IT services to their respective organizations. But since the sub tenants are peers, they are otherwise isolated.

CliQr CloudCenter Multi-Tenancy and Multi-User Model Page 11 In this model, shown in Figure 5, all users who log in to the system authenticate against different SAML SSO sources. These users can be mapped to zero, one, or many groups within their own tenant or sub-tenant. Figure 5. Limited sharing between BU and department tenants The main benefit of deploying CliQr using the multiple tenants with sub-tenants model is that each tenant can be managed independently, but still share both centrally managed cloud accounts as well as rolled-up cost reporting from all tenants lower in their hierarchy. For example a banking conglomerate may have multiple divisions that follow enterprise architecture standards and consume shared IT services, but within the investment banking tenant, sell-side and buy-side resources, applications, and users are strictly segregated and isolated in sub-tenant organizations. In this model, role based access and control and object level sharing and control are blends of the functionality of the other two models and provide the following capabilities: Role based access control: Set access for users to access specific applications within the tenant Apply roles to any user or group within the tenant Enforce least restrictive aggregated permissions Object-level sharing and permission control Share common code repositories for modeling applications Create and share cloud accounts with users of a tenant and sub-tenants Make services available to users of both a tenant and sub-tenants to model applications in the topology modeler

CliQr CloudCenter Multi-Tenancy and Multi-User Model 8 Comparison of Deployment Models Example Use Cases Centralized IT Single Tenant One organization Multiple Tenants Decentralized IT Each IT department manages its own resources Separated SSO No Yes Yes Separated groups No Yes Yes Multiple Tenants with Sub- Tenants Centralized IT delivers shared services Each IT department offers additional services RBAC Across tenant Within tenant Within tenant Sharing Within tenant Within tenant None between peer tenants Application Profile Sharing Yes Only with CLI import/export or via public marketplace Advantages Disadvantages All objects and users in one tenant Able to share cloud accounts and applications easily Admins cannot independently manage the infrastructure or cloud accounts they own Users, applications, cloud accounts, and so on are completely separate Not able to share with other tenants Within tenant Parent to child sharing None between peer tenants Only with CLI import/export or via public marketplace Shared service delivery with additional tenant autonomy Not able to share with peer tenants, can share only with child tenants CliQr Technologies 1732 North First St., Suite 100, San Jose, CA 95112 888.837.2739 info@cliqr.com www.cliqr.com 2016 CliQr Technologies. All rights reserved. CliQr, the CliQr logo, and CliQr CloudCenter are trademarks of CliQr Technologies in the United States. All other trademarks and company names are the property of their respective owners. WP-MTM-0416

CliQr CloudCenter Multi-Tenancy and Multi-User Model Example Use Cases Centralized IT Single Tenant One organization Multiple Tenants Decentralized IT Each IT department manages its own resources Separated SSO No Yes Yes Separated groups No Yes Yes Multiple Tenants with Sub- Tenants Centralized IT delivers shared services Each IT department offers additional services RBAC Across tenant Within tenant Within tenant Sharing Within tenant Within tenant None between peer tenants Application Profile Sharing Yes Only with CLI import/export or via public marketplace Advantages Disadvantages All objects and users in one tenant Able to share cloud accounts and applications easily Admins cannot independently manage the infrastructure or cloud accounts they own Users, applications, cloud accounts, and so on are completely separate Not able to share with other tenants Within tenant Parent to child sharing None between peer tenants Only with CLI import/export or via public marketplace Shared service delivery with additional tenant autonomy Not able to share with peer tenants, can share only with child tenants CliQr Technologies 1732 North First St., Suite 100, San Jose, CA 95112 888.837.2739 info@cliqr.com www.cliqr.com 2016 CliQr Technologies. All rights reserved. CliQr, the CliQr logo, and CliQr CloudCenter are trademarks of CliQr Technologies in the United States. All other trademarks and company names are the property of their respective owners. WP-MTM-0416

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information