Identity and Access Management & The Cloud, conflicting or collaborating? NetIQ - All Rights Reserved
Agenda
- The cloud (re)defined
- Identity & Access Management infrastructures
- Conflicts
- Collaboration: product tips & tricks
The Cloud
What is the Cloud Wikipedia: Cloud computing refers to the delivery of computing and storage capacity as a service to a heterogeneous community of end-recipients. The name comes from the use of clouds as an abstraction for the complex infrastructure it contains in system diagrams. Cloud computing entrusts services with a user's data, software and computation over a network.
What is the Cloud (diagram): deployment models Public / Hybrid / Private set against the service layers.
- SaaS: Google Apps, Salesforce.com, O365, HRM-CRM
- PaaS: Windows Azure, Google App Engine, IBM IT Factory, Heroku
- IaaS: Amazon EC2, Rackspace Cloud, IBM Blue; storage, servers, networks (VMware, OpenStack, KVM)
- Private: intranet software, Windows Azure Platform Appliance
- Open questions in the diagram: DaaS? IDaaS?
We're talking about Identity & Access (same deployment-model/service-layer diagram as the previous slide)
Hosted Software & the Cloud (diagram): Public (Google Apps, Salesforce.com, O365, HRM-CRM), "Fake Cloud Providers" (hosted HRM-CRM), Hybrid SaaS, Private (intranet software, on premise). Let's treat them equally in the eyes of IAM.
Software services for Education, cloud & hosted: Google Apps, social media, O365, ADP, RAET, Blackboard, Osiris, Magister, SOMToday, It's Learning, Banner, Procuro, N@tSchool, Tribe/KRD, Live@EDU, @VO, Infinite Campus SIS, PeopleSoft, AFAS...
Why should we go to the Cloud
- Flexibility
- Cost control
- Access anywhere
- Scalable
- On-demand deployment
Why should we NOT go to the Cloud
- Loss of control over business assets (data)
- Dependency
- Lack of auditability
- Lack of transparency
- Compliance fail (new Dutch law!)
- Migration, backup and updates
- Security, privacy and compliance
- Lack of automated processes for I(dentification) A(uthentication) A(uthorisation) A(uditing)
And what if...
- The cloud is down (real vs fake)
- Updates change usability
- Performance is poor
- The bad boys show up
Identity & Access Management Infrastructures
What is in the IAM Infrastructure: Authentication, Authorisation, Identification, Governance, User provisioning, Information store, Single Sign On, Self service, Compliance, Risk management, Role based management, Claim/context based, Corporate identity, Federated identity, Laws and regulation, Password synchronisation, Information consistency, Attestation, Workflow (business flow), Access management & control, Auditing, Cloud
And what if... (layered IAM architecture diagram)
- Users: system users, employees, students, federation systems
- Presentation: user interfaces, self service
- Services: authentication, federation, SSO; access management; queries; provisioning; monitoring, logging, auditing
- App layer and data layer: Security Vault, Identity Vault, Identity Management, other
Conflicting areas
Warning
What we get vs. what we want
IT Department:
- SaaS: no single sign-on or strong authentication -> single sign-on and strong authentication
- Compliance reporting: manual process -> automated process
- Security: corporate credentials in the cloud -> corporate credentials secured
- Cost: no reporting -> full reporting
Business:
- Business user experience
- Business flexibility
Requirements for Cloud Services
- Automated (de)provisioning (Identity Management)
- Identification, Authentication & Authorization (Access Management)
- (web) Single Sign On
- User self service
- Auditing
- Monitoring
NetIQ Products involved
- Identity Manager drivers: BlackBoard (on premise), Google Apps, O365, SOAP, JDBC (over the internet?), CSV, Scripting
- Access Manager or CloudAccess: federation, strong authentication
- Sentinel
- eDirectory
Product Tips, Tricks & Pitfalls
eDirectory
eDirectory: scalable eDirectory (Security Vault setup); EduRoam/VPN/Wifi
IDM Drivers
Google Apps Driver
- Like the AD driver: very elaborate, easy to deploy
- Tip: keep all business logic local to the IV; synchronise results
- Alternative: scripting against the interface
- Pitfalls: speed of development at Google, connection changes, many policies in the driver that are difficult to change
O365 Driver
- Like the AD driver: very elaborate, easy to deploy
- Tip: keep all business logic local to the IV; synchronise results
- Specials with PSExecute
- Pitfalls: differences between on-prem, hybrid & cloud; PSExecute limitations; hard to customize; comparison with DirSync ;-)
Blackboard Driver
- Like the AD driver: very elaborate, because of the ease of use of the Blackboard interface
- Uses a special schema
- Tip: keep all business logic local to the IV; synchronize results
- Tip: do Users, Courses & Enrollments
SOAP/REST Driver: fallback for services without a dedicated driver, like LDAP/JDBC/CSV/Scripting etc. Most commonly used for cloud service (de)provisioning.
Proper way to develop a SOAP Driver. Is SOAP a standard? No, it is a protocol specification.
- Examine the WSDL
- Analyse the data with SoapUI
- Build the SOAP output transforms (XSLT)
- Build the SOAP input transforms (XSLT)
- Build the rest of the logic
No issues, no pitfalls...?!?
Soap output can be surprising... (screenshots)
Soap input can be surprising... (screenshots; EventID)
Flexibility
Authentication & Authorization
Products involved: CloudAccess, NetIQ Access Manager
CloudAccess: appliance with IDM/NAM IDP/Sentinel; had its own development track. Great features: mobile apps, external DB at login, fallback for any SAML based application.
CloudAccess: suited for CSPs or sites without NAM; focused on authentication and authorisation.
Access Manager
Access Manager (SAML flow diagram): User/Browser, Google Apps (Service Provider), Access Manager (Identity Provider)
1. User accesses Google Apps
2. Google generates a SAML request and redirects the user to the IdP
3. User logs into the IdP and gets a SAML response (assertion)
4. User is redirected back to Google and sends the SAML response
5. Google verifies the response and allows the user into the application
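The five-step exchange above, as an added example (not NetIQ's or Google's code): a simulated SP-initiated SAML 2.0 flow in Python, where the service provider checks the response before granting access. The entity IDs, the user and the key are constructed, and an HMAC over the serialized XML stands in for the XML signature that real SAML responses carry.

```python
import datetime as dt
import hashlib, hmac, secrets
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY = "google.com/a/example.edu"                      # constructed SP entity ID (audience)
IDP_ENTITY = "https://idp.example.edu/nidp/saml2/metadata"  # constructed IdP entity ID (issuer)
SIGNING_KEY = b"constructed-demo-key"   # stand-in for the IdP signing key; real SAML uses XML-DSig
TS = "%Y-%m-%dT%H:%M:%SZ"

def sp_build_authn_request():
    """Step 2: the SP issues an AuthnRequest and remembers its ID to match InResponseTo later."""
    req_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{req_id}">'
           f'<saml:Issuer>{SP_ENTITY}</saml:Issuer></samlp:AuthnRequest>')
    return req_id, xml

def idp_issue_response(authn_request_xml, user, now):
    """Step 3: after login the IdP signs a Response whose assertion is bound to the request and the SP."""
    req = ET.fromstring(authn_request_xml)
    if req.findtext("saml:Issuer", namespaces=NS) != SP_ENTITY:
        raise ValueError("request from an unknown service provider")
    not_after = (now + dt.timedelta(minutes=5)).strftime(TS)     # short validity window
    resp = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'InResponseTo="{req.get("ID")}"><saml:Assertion><saml:Issuer>{IDP_ENTITY}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotOnOrAfter="{not_after}"><saml:AudienceRestriction>'
            f'<saml:Audience>{SP_ENTITY}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'</saml:Assertion></samlp:Response>')
    signature = hmac.new(SIGNING_KEY, resp.encode(), hashlib.sha256).hexdigest()
    return resp, signature

def sp_verify_response(response_xml, signature, expected_request_id, now):
    """Step 5: the SP verifies the response; any failed check means no access. Returns (NameID, reason)."""
    expected = hmac.new(SIGNING_KEY, response_xml.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"                  # tampered or forged response
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_request_id:
        return None, "InResponseTo mismatch"          # replayed or unsolicited response
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY:
        return None, "unexpected issuer"              # not the configured IdP
    cond = a.find("saml:Conditions", NS)
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY:
        return None, "wrong audience"                 # assertion issued for another SP
    if now >= dt.datetime.strptime(cond.get("NotOnOrAfter"), TS):
        return None, "assertion expired"
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), "ok"
```

Each check corresponds to something a misconfigured SP or IdP tends to get wrong in practice: a response accepted with the wrong audience or an unmatched InResponseTo is what makes the "consensus on SAML configuration" on the following slides matter.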
Access Manager (configuration screenshots)
Access Manager: Insanity is doing the same thing over and over again and expecting different results. Consensus on SAML configuration!!!
Access Manager: federation configuration
Access Manager: like SOAP, a protocol with many, many implementations. Compliance to the SAML standards varies: AuthnContextClassRef, weird implementations.
Copyright 2015 NetIQ Corporation. All rights reserved.