SaaS at Pfizer: Challenges, Solutions, Recommendations
Agenda
» How are Cloud and SaaS different in practice?
» What does Pfizer's SaaS footprint look like?
» Identity is the Issue: Federation (SSO) and Provisioning/De-provisioning
» How is Pfizer addressing these challenges?
» How does it look when these issues are handled?
» Recommendations for BP
Cloud vs. SaaS in Practice at Pfizer
Cloud: large, enterprise-wide; replaces platforms; involves several teams; significant investment; extended I&AM model.
SaaS: often small deployments; replaces software; conducted in isolation; paid for with a corporate AMEX; OpenID, SAML, etc.
The Cloud & SaaS Opportunity (chart): savings/cost avoidance/agility/flexibility plotted against IPP (CIA = Confidentiality, Integrity, Availability). Series shown: SaaS opportunity, in-house opportunity, estimated diminishing returns, and the diminishing-returns deviation. The legend marks a couple of specific examples.
Rationale: Visitor Watch to iVisitor
» Outgoing vendor lacked the will to develop a browser-based solution
» Obvious scalability issues
» EU data privacy and Safe Harbor required
» Local expertise/support for the application not available
Cost justification: all peripherals reusable; no software installation required.
One more, please.
Rationale: D3 in-house to SaaS
» Deployment speed an important consideration
» Seamless data migration from Perspective
» Single point of contact for issues
» SAS 70 Type 2 certified
» Safe Harbor compliant
» Global scalability previously demonstrated
» SLA provides a rebate for failure to meet uptime standards
Cost justification: the upfront software license cost provided 18 months of service, with no setup fee. Data migration fee negligible. No burden for PM, nor for the Software Lifecycle (SLC).
The big challenges are around security and integration.
Let's establish a common lexicon.
What is Cloud security? (security requirement; the question it answers; why it's different with Cloud)
Access Control: Who has access to our data and apps? With Cloud: no company firewall to prevent application access.
Authentication: How do we verify someone is who they claim to be? With Cloud: Cloud apps don't have access to this information, which is currently managed inside the firewall.
Auditing: How can we report on user activity and data access to meet auditors' requests? With Cloud: application-specific audit formats are inconsistent and must be gathered from multiple providers.
Administration: How do we quickly and systematically revoke users' access to Cloud apps when they leave the company? With Cloud: user identity information is kept inside the firewall and is not accessible by Cloud apps.
Compliance: Is access to our data under control, and can we demonstrate this to auditors? With Cloud: each provider has varying degrees of SAS 70, PCI and other certifications, and access control is fragmented across multiple applications.
Privacy: Is our company's data separate from that of other users of the Cloud? With Cloud: multi-tenant architectures are a concern for many.
What is life like without SSO? Today's knowledge worker might access 30 different applications daily, both inside and outside the firewall. SaaS apps are numerous and growing rapidly, and many of them contain PII (personally identifiable information).
Cloud Challenge: De-Provisioning
IT may remove the user from Active Directory, but:
1. Cloud apps can be accessed from anywhere
2. IT may not know what apps a user had access to
3. Users continue to have access after they leave the company: zombie accounts
The Old End Around
» SaaS apps are coming into the enterprise, often bypassing IT.
» Security and integration not fully considered before the purchase decision.
4 Different Mechanisms
» Oracle Access Manager: hardware and software at Pfizer; software only for the SaaS vendor.
» Symplified: hardened Identity Router at Pfizer; exposed API needed from the vendor.
» Service Mesh: Virtual Service Appliance at Pfizer; exposed API needed from the vendor.
» MyOneLogin.com: true SaaS solution, nothing to host at Pfizer; many built-in connectors, and new ones can be added without the vendor.
Oracle Access Manager Overview
Identity System: the market-leading solution for managing user identities, groups and organizations, driven by differentiating features such as delegated administration and identity workflow.
Access System: centralized authentication, authorization and auditing to enable single sign-on and secure access control across enterprise resources.
(Diagram: employees, partners and customers reach enterprise resources and applications through the Access System and Identity System of Oracle Access Manager.)
Oracle Access Manager
Identity System features: self service; delegated administration; identity workflow; password management; user management; group management; organization management; IdentityXML web service.
Identity System benefits: lowest cost of administration through delegated administration, self service and password management; security driven by user-identity-based access privileges; best user experience through real-time change management.
Access System features: authentication; authorization; auditing; personalization enablement; security administration; web single sign-on.
Access System benefits: best user experience by eliminating multiple logins; integrates strong security; granular control over security for heterogeneous web applications and systems; centralized policy management resulting in stronger security.
Oracle Access Manager - Access System (diagram): users (employees, partners, customers, suppliers, etc.) reach enterprise resources over HTTP(S) through web servers running WebGate, which provides single sign-on to enterprise applications. The WebGates talk to the Access Server over a secure protocol over SSL; the Access Server reads user identities and the security policies for authentication and authorization from the LDAP directory server over LDAP over SSL.
Oracle Access Manager Diagram: web single sign-on for secure access to multiple applications with one authentication step. Flexible authentication support for all popular methods, including login forms, digital certificates and smart cards.
Oracle Access Manager in Practice
SaaS Access with Enterprise Integration
1. Employee accesses the SaaS app through the portal. The request is intercepted by the IAM Cloud Gateway; no session exists, so the user is challenged for authentication.
2. Credentials and access permissions are checked against the enterprise LDAP. The IAM Cloud Gateway validates the credentials against the internal directory and validates the access permissions.
3. A secure session is created for the end user. The session is passed into the SaaS app through either HTTP or SAML standard federated SSO.
4. Activity logged. All activity is logged, including authentication, access controls, application access and traffic.
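The four steps above, modelled as an added example; this is not Pfizer's code, nor Symplified's, Oracle's or any other vendor's. The directory entries, app names, signing key and token format are all constructed for the example: the token is a simple HMAC-signed assertion standing in for the SAML assertion the gateway would hand to the SaaS app. The gateway also drops an existing session when the directory no longer lists the user as active, which is the de-provisioning behaviour the later slides ask for.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: directory entries, app names, signing key and
# the token format (an HMAC-signed assertion standing in for a SAML assertion).
_SALT = b"constructed-salt"  # one shared salt keeps the sample directory short

def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

# Stand-in for the enterprise LDAP: password hash, entitled apps, active flag.
DIRECTORY = {
    "alice": {"pw": _hash_pw("correct horse"), "apps": {"d3", "ivisitor"}, "active": True},
    "bob": {"pw": _hash_pw("hunter2"), "apps": {"d3"}, "active": False},  # left the company
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class IamCloudGateway:
    """Intercepts requests (step 1), checks credentials and entitlements
    against the directory (step 2), issues a signed assertion for the SaaS
    app (step 3) and logs every decision (step 4)."""

    SESSION_TTL = 3600     # seconds a gateway session stays valid
    ASSERTION_TTL = 300    # seconds a SaaS assertion stays valid

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._sessions = {}   # session id -> (user, expiry)
        self.audit_log = []   # step 4: one record per decision

    def _log(self, event: str, **fields) -> None:
        self.audit_log.append({"ts": time.time(), "event": event, **fields})

    def _session_user(self, session_id):
        user, expiry = self._sessions.get(session_id, (None, 0))
        return user if time.time() < expiry else None

    def _authenticate(self, username: str, password: str):
        entry = DIRECTORY.get(username)
        if entry is None or not entry["active"]:
            return None   # unknown or de-provisioned: same answer as a bad password
        return username if hmac.compare_digest(_hash_pw(password), entry["pw"]) else None

    def _issue_assertion(self, user: str, app: str) -> str:
        now = int(time.time())
        payload = {"iss": "iam-gateway", "sub": user, "aud": app,
                   "iat": now, "exp": now + self.ASSERTION_TTL}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"

    def access(self, app: str, session_id=None, credentials=None) -> dict:
        """One intercepted request for `app`: returns a challenge, a denial,
        or a session plus an assertion the SaaS app can verify."""
        user = self._session_user(session_id)
        if user is not None and not DIRECTORY[user]["active"]:
            self._sessions.pop(session_id, None)        # directory says gone: drop session
            self._log("session_revoked", user=user)
            user = None
        if user is None:
            if credentials is None:                     # step 1: no session, challenge
                self._log("challenge", app=app)
                return {"status": "challenge"}
            user = self._authenticate(*credentials)     # step 2: credentials
            if user is None:
                self._log("auth_failed", app=app, user=credentials[0])
                return {"status": "denied", "reason": "authentication"}
            session_id = secrets.token_urlsafe(16)
            self._sessions[session_id] = (user, time.time() + self.SESSION_TTL)
            self._log("auth_ok", user=user)
        if app not in DIRECTORY[user]["apps"]:          # step 2: entitlement
            self._log("access_denied", user=user, app=app)
            return {"status": "denied", "reason": "authorization", "session": session_id}
        assertion = self._issue_assertion(user, app)    # step 3: federated hand-off
        self._log("access_granted", user=user, app=app)
        return {"status": "ok", "session": session_id, "assertion": assertion}

def verify_assertion(token: str, signing_key: bytes, app: str):
    """SaaS-side check: signature, audience and expiry. Returns the subject or None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(signing_key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["aud"] != app or payload["exp"] < time.time():
        return None
    return payload["sub"]
```

Usage: `gw = IamCloudGateway(b"constructed-signing-key"); gw.access("d3")` returns a challenge; `gw.access("d3", credentials=("alice", "correct horse"))` returns a session and an assertion that `verify_assertion(..., "d3")` accepts and that the same call with audience `"ivisitor"` rejects, so an assertion issued for one SaaS app cannot be replayed against another. A login attempt by the de-provisioned user `bob` is refused and appears in `gw.audit_log` as `auth_failed`, which is the audit record step 4 asks for.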
Identity Federation Single Sign-On (diagram): ServiceMesh Access inside the enterprise network fronts the SSO login form and the Trust Management Service; the authentication services (OpenID, SalesForce, Google, etc.) and the enterprise AD/LDAP user data store sit behind it, and the SaaS provider exposes its login form/API and its own SaaS user data store. Labelled steps: SM login (OpenID / enterprise SSO login form), login redirect with token, token issuance, user SSO login, provider authentication request, token validation, user authentication and user authorization.
De-Provisioning with Symplified
» With Cloud Access Management (CAM), user logons are checked against the enterprise CAM Gateway:
» Administration costs are reduced since it's done centrally
» Security is improved because of consistency
» Elimination of zombie accounts reduces risk and meets compliance
» Extending enterprise policies to the Cloud is faster: no re-inventing the wheel
Identity Provisioning and De-provisioning (diagram): within the enterprise network, ServiceMesh Access (Pub) hosts the Trust Management Service and the Identity Management Service. 1. Directory subscription from AD/LDAP. 2. Identity publication through identity connectors (SalesForce, Google, etc.) to the SaaS provider's Identity Management API. 3. User provisioning and de-provisioning into the SaaS user data store at the SaaS provider (e.g. SalesForce).
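The directory-subscription, identity-publication and de-provisioning steps above, together with the zombie-account problem from the de-provisioning slides, as an added example that is not part of the deck and not ServiceMesh's, Symplified's or Pfizer's code. The directory export, the SaaS account lists, the `SaaS-<app>` group naming and the connector interface are all constructed assumptions; the connector only records the create/disable calls it would make, so the script runs offline.

```python
import csv
import io

# Constructed sample data (not Pfizer's): a directory export of the kind a
# "directory subscription" delivers, and the per-application account lists
# that each identity connector returns. Group naming (SaaS-<app>) is assumed.
DIRECTORY_CSV = """sAMAccountName,enabled,groups
alice,true,SaaS-D3;SaaS-SalesForce
bob,false,SaaS-D3
carol,true,SaaS-D3;SaaS-SalesForce
"""

SAAS_ACCOUNTS = {
    "D3": {"alice", "bob", "dave"},            # bob is disabled in AD, dave is unknown to AD
    "SalesForce": {"alice", "carol", "erin"},  # erin is unknown to AD
}

def load_directory(csv_text: str) -> dict:
    """Parse the export into {user: (enabled, set of groups)}."""
    users = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups = {g for g in row["groups"].split(";") if g}
        users[row["sAMAccountName"]] = (row["enabled"].strip().lower() == "true", groups)
    return users

def entitled_users(directory: dict, app: str) -> set:
    """Enabled accounts holding the SaaS-<app> group are entitled to <app>."""
    return {u for u, (enabled, groups) in directory.items()
            if enabled and f"SaaS-{app}" in groups}

def reconcile(directory: dict, saas_accounts: dict) -> dict:
    """Per app: who to create, who to disable, and which of the latter the
    directory has never heard of (the clearest zombie-account signal)."""
    plan = {}
    for app, accounts in saas_accounts.items():
        entitled = entitled_users(directory, app)
        zombies = sorted(accounts - entitled)
        plan[app] = {
            "provision": sorted(entitled - accounts),
            "deprovision": zombies,
            "unknown_to_directory": sorted(u for u in zombies if u not in directory),
        }
    return plan

class RecordingConnector:
    """Stand-in for an identity connector: records the API calls it would make."""

    def __init__(self, app: str):
        self.app = app
        self.calls = []

    def create_user(self, user: str) -> None:
        self.calls.append(("create", user))

    def disable_user(self, user: str) -> None:
        self.calls.append(("disable", user))

def apply_plan(plan: dict, connectors: dict) -> dict:
    """Push the plan through each app's connector; disables go first so a
    zombie never outlives a run that also adds new users."""
    for app, changes in plan.items():
        connector = connectors[app]
        for user in changes["deprovision"]:
            connector.disable_user(user)
        for user in changes["provision"]:
            connector.create_user(user)
    return {app: list(c.calls) for app, c in connectors.items()}

if __name__ == "__main__":
    plan = reconcile(load_directory(DIRECTORY_CSV), SAAS_ACCOUNTS)
    connectors = {app: RecordingConnector(app) for app in SAAS_ACCOUNTS}
    print(plan)
    print(apply_plan(plan, connectors))
```

On the sample data the plan disables `bob` (left the company, still holds a D3 account) and `dave` and `erin` (accounts that exist only on the SaaS side), and creates the D3 account `carol` is entitled to but does not yet have. The `unknown_to_directory` list is the one worth alerting on: those accounts were never created through the enterprise, which is exactly the "end around" the earlier slide describes.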
De-Provisioning with MyOneLogin.com
Incorporate SaaS into your ELC (Enterprise Life Cycle)
What would the ultimate solution look like? What do we actually have in place?
What has Symplified done for Pfizer?
1. Hosted SSO portal in place, with D3 as the first SaaS app
2. Authentication and access control linked to Active Directory
3. No engineering effort was required by D3; Symplified did this touch-free using the HTTP federation technology
(Diagram: D3 and Active Directory, linked through Symplified.)
What does SSO with Symplified look like?
SaaS SSO with Symplified (screenshot)
How about some recommendations?
Recommendations for BP
» Incorporate SaaS guidelines into your existing governance and development models
» Form a SaaS/Cloud Center of Excellence (COE)
» Transition wisely to SaaS, accounting for CIA & PII
» Consider the burden of user provisioning and de-provisioning
» Put the burden of compliance on the SaaS vendor
» Develop SLA requirements, to include uptime and data escrow
» Separate SaaS and IAM requirements
» Ensure the help desk is in the loop
» Consider restricting access to SaaS applications to within your network (VPN & NTID)
Questions...
Questions?
Contact Info: Kurt Anderson, kurt.d.anderson@pfizer.com
Backup Materials Follow
Anatomy of a Phishing Attack
1. Buy or scam a list of email addresses
2. Buy a bogus domain name (http://www.pαypal.com)
3. Steal space in a data center... or three!
4. Write a script that steals information; put it in your stolen data center.
5. Enlist a bot-net army to scavenge unused email server space
6. Send an initial "problem" email from your new email server, explaining the follow-on email, to establish credibility.
7. Send a second email directing them to your bogus site, where you ask them to verify their account information.
8. Ca$h in!
Phishing sounds hard! Who could help me?
Enter the Russian Business Network (aka RBN)
» Originally an ISP
» Developed an affiliate marketing method for organized crime to target international markets
» Malware Wiper and Malware Alarm
» Distributed network eludes prosecution
» Fighting back might bring you more trouble.
Some phishing trends...
New Phishing Sites by Month, April 06 to April 07 (chart)
How many brands are being targeted?
Hijacked Brands by Month, April 06 to April 07 (chart)
What industries are being targeted?
Most Targeted Industry Sectors, April 2007 (chart)
Where are these attacks coming from?
Top 10 Phishing Sites by Hosting Country (chart)
What can be done?
How can we minimize Phishing Risks?
» Educate users
» Extend your federated identity
» Retire proprietary SSO and open-source SSO
» Restrict access to SaaS applications to the intranet or a subset of IP addresses
» Restrict access from mobile devices
» Ensure BPO and SaaS vendors use your SSO method, rather than theirs
What types of SSO does Pfizer employ?
Compliance and Zombies
As SaaS Becomes Business Critical, Risk Increases
Businesses are relying on SaaS apps, driving the need for specialized management infrastructure to ensure availability and reduce complexity.
SaaS applications contain sensitive data, raising concerns about risk and security and a greater need for access controls.
Decreased Password Reset Costs (Service Desk)
» Industry average: $38 per call (Forrester)
» The average user calls the service desk 19x/year (Gartner); 3.8 calls/year (20%) are password-related
» SSO reduces password-related service desk calls by 95% (IDC)
SaaS Integration Wish List
Right! Those are problems; how might we solve them?