How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications

SOLUTION BRIEF: PROTECTING ACCESS TO THE CLOUD

Who should read this paper

This paper provides an access control and single sign-on overview for business managers, information technology managers, application and security architects, and information technology staff who manage cloud applications or identity and access management infrastructure.

Contents

Executive summary
Ensuring IT oversight for cloud innovation
Enterprise cloud security challenges
A security broker for enterprise access control
Symantec O3: A central control point for cloud applications
How Symantec O3 protects the enterprise
Includes single sign-on for internal applications
Mobile user SSO and security
Audit and compliance
Controlling access to your cloud applications

Executive summary

The lure of the cloud promises faster pursuit of business goals and liberation from perceived obstacles within enterprise-approved solutions. While enterprises are quickly shifting some IT services into the cloud, so are departments and individual users, sometimes without the knowledge or approval of IT management. The motivations to deploy cloud applications are worthy, since this technology can allow organizations to be more agile, provide a higher quality of service at a lower cost, and reduce capital investment and staffing costs. However, such rapid expansion of new technology can have unintended consequences, such as new risks to IT security and exposure to noncompliance with laws and regulations.

To meet these challenges, IT leaders are looking for secure access control solutions that let them embrace the cloud while managing the associated risks. However, IT must be mindful that security measures which create a poor user experience will harm productivity and drive up support costs, undoing the cloud's benefits.

This paper describes how single sign-on (SSO) provides a convenient and simple user interface to all cloud services and Web applications used by an enterprise. It explains how a well-architected SSO and access control solution allows IT to maintain oversight with policy-based controls that leverage an existing identity management system or external identity provider. And it describes how an enterprise can use the solution to maintain the compliance posture required for sensitive data that is created, stored, and used in cloud applications and services.

Ensuring IT oversight for cloud innovation

For most enterprises, the advantages of cloud applications are driving significant operational changes in IT. Among the leading enterprise applications being moved into the cloud are enterprise resource planning, human resources, finance, and sales and marketing, according to a member survey of the Open Data Center Alliance. The survey reported that members are scaling cloud adoption 15 percent faster than previously forecast. Half say they will run more than 40 percent of their IT operations in a private cloud by 2015. One fourth of respondents plan to run more than 40 percent of operations in a public cloud. Three fourths plan to run hybrid applications deployed in public and private clouds.[1]

There are three typical service models for private, public, and hybrid cloud applications: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). The model chosen depends on how much of the application delivery stack an organization wants to retain oversight of. For example, if an organization wants to run its own applications in a commercial cloud, it would use an IaaS such as Amazon Web Services, Rackspace, or Microsoft Azure. If it prefers a cloud-hosted platform on which to build and deploy its own applications, the choice would be a PaaS such as Google App Engine. In cases where the cloud hosts everything for a particular application, the organization would use SaaS such as Web-based email (Gmail, Windows Live Mail), storage (Dropbox or Google Drive), or business applications (Salesforce.com, Microsoft Office 365, and SharePoint).

[1] Open Data Center Alliance Survey, 10 Sept. 2012, http://www.opendatacenteralliance.org/newsroom/mediaresources#alliancereleases

Enterprise cloud security challenges

For any of these cloud service models, as with on-premises applications, an enterprise must secure access to its cloud applications and to the sensitive data that is stored and used in the cloud. Access controls are particularly important because they must be strong without impeding the usability of cloud applications. Since the application is no longer hosted on premises, existing security measures must be evaluated against new threats and potential vulnerabilities, and each application may require different measures. In addition, the use of multiple cloud suppliers creates new operational challenges: it complicates the collection of the event logs needed to meet compliance requirements for safeguarding sensitive data.

An unexpected hurdle some organizations face in meeting these security requirements is that departments or individual users sometimes unilaterally deploy cloud applications without regard for enterprise policies or compliance rules. Deploying SaaS is easy; users can turn on a cloud application with a browser and a credit card. In the end, even when it was not involved in the original selection, corporate IT is usually expected to support those siloed deployments and almost certainly gets blamed when the cloud applications miss expectations for security, service, or performance.

A "freelance" cloud deployment, or the complications of using multiple applications, can dampen the quality of the user experience and undermine the success of a cloud initiative. The experience must be simple and easy to use, regardless of whether access is from the office, a remote site, or a mobile device. A bad user experience, such as having to juggle multiple log-on procedures and credentials for different cloud applications, leads to a poor perception of IT service. Complexity confuses users: they forget processes and passwords, or store them inappropriately in violation of security policy. As a consequence, security is weakened, productivity suffers, and support costs rise. In response, many enterprises that use multiple cloud applications consider SSO a fundamental requirement, because it addresses both security and usability.

In seeking a solution to these challenges, IT leaders should look for a single authentication and control point for executing and enforcing enterprise policy for all cloud applications. To fully leverage the cloud opportunity, the solution should embrace all cloud models; give all users a simple, consistent experience whether they reach cloud resources from internal, remote, or mobile devices; and allow the enterprise to retain the oversight and visibility needed to ensure policy compliance.

A security broker for enterprise access control

The market provides several alternatives for implementing secure SSO for the enterprise. Some enterprise security vendors provide legacy authentication software that extends to the Web. Some large software vendors offer specialized approaches to federating access that rely on an application or service platform, such as those from Salesforce.com or Oracle; on an identity federation service, such as Microsoft Active Directory Federation Services; or on a social media identity provider such as Google, Facebook, or Twitter. A third approach, used by Symantec O3, is to act as a standards-based "security broker". It provides a central SSO control point that interfaces to standard identity management sources and enforces user entitlements through the standard authentication and authorization protocols supported by cloud applications.

Symantec O3: A central control point for cloud applications

Symantec O3 is an SSO and access control solution for the challenges and requirements discussed above. It establishes a new control point above the cloud, which allows an enterprise to simultaneously provide simple cloud access with SSO, enforce access control policies, and provide full visibility and proof of compliance for all cloud applications. Symantec O3 enables a single SSO user experience across all cloud and Web applications and services. The solution integrates with existing identity sources such as Microsoft Active Directory, LDAP directories, and legacy identity stores such as relational databases to federate authentication for the various cloud and Web applications.

Figure 1. Symantec O3 acts as a security broker between users and cloud applications.

How Symantec O3 protects the enterprise

In practice, Symantec O3 acts as a single integration point for brokering user interaction with the cloud. It bridges services such as user identity management systems and strong two-factor authentication; data protection services such as data loss prevention and encryption; and event monitoring and logging for policy compliance, shielding the user from the complexity of the cloud application delivery infrastructure.

When a user wants to access a cloud application, the person is actually logging on to Symantec O3. Role-based enterprise access control is enabled through integration with existing identity management (IDM) systems: Symantec O3 looks up the user in the IDM to validate the log-on credentials, checks the policy for that user's application privileges, and then, if permitted, completes the cloud application log-on on the user's behalf. Cloud applications can be configured to accept enterprise log-ons only from the URL or IP address that belongs to the Symantec O3 deployment. In this way the enterprise prevents "side door" access, making Symantec O3 the only path to all Web applications. Restricting log-ons by source address or URL closes the side door only if the application is also configured to accept federated (broker-issued) log-ons alone; a local application password that still works would bypass the broker.

Key technical integrations include:

Existing IDM infrastructure. Uses the existing corporate directory, user store, or Identity Provider (IdP) via LDAP, SunDS, Active Directory, a relational database, or a Web services application programming interface (API). Supports customization with REST and Web services APIs.

Strong authentication. Provides native support for Symantec VIP one-time passwords, which can be required as a step-up per application policy. Supports a custom portal API for integration with third-party tokens such as those from RSA, risk-based authentication, and client certificates. Authentication methods include Active Directory/LDAP, Integrated Windows Authentication, and OAuth.

Federation and authorization security. A context-based policy engine enforces both identity-based authorization ("who") and device-based authorization ("what"). Federation and password management support SAML- and OpenID-based federated applications as well as non-federated Web applications.

Figure 2. Symantec O3 leverages existing identity management and authentication infrastructure.

Includes single sign-on for internal applications

SSO reduces complexity for end users who access multiple cloud applications. The SSO service lets the user remember only one password and, if required, present a strong authentication credential just once to access all cloud applications securely. Symantec O3 can also provide SSO for corporate Web applications, giving an organization a comprehensive solution that spans both the cloud and internal Web applications.

Mobile user SSO and security

Mobile users require more protection than desktop users because of the inherent risks of remote access and the potential for theft or loss of portable devices. A core premise of Symantec O3 is to provide an enterprise with SSO from any device with a Web browser to any cloud or Web application. By requiring mobile users to go through Symantec O3 for all cloud access, an organization can ensure that policies are followed and that only authorized users reach only authorized cloud or Web applications. If required, an organization can step up mobile security with one-time password technology. Symantec VIP strong authentication for mobile users is available as an option in Symantec O3, and Symantec O3 also supports third-party authentication solutions.

Figure 3. Symantec O3 supports both mobile and internal users.

Using Symantec O3 for both mobile and internal SSO and cloud access control also eliminates mobile side-door blind spots, which occur when users outside the enterprise network are allowed to access a cloud application directly, without the benefit of a single control point.

Data container application ensures mobile data security

Mobile users require more protection than desktop users because of the potential for theft or loss of portable devices. Symantec O3 lets an enterprise protect sensitive data stored on a mobile device by creating a data container on the device (known as a sandbox in security terms). The data container encrypts and isolates data moving from the cloud onto an endpoint such as an Apple iPhone or iPad. This control satisfies security and compliance requirements for strong encryption of data at rest on mobile devices. The container restricts access to the data in its sandbox so that only authorized users who are logged in can see it. In effect, the container completely separates the enterprise application and data environment from the device user's personal information on a personally owned consumer device, which allows an enterprise to implement a "Bring Your Own Device" program securely.

The Symantec O3 mobile data container is a convenient mobile security feature that works in "airplane mode", so the user can still get at the data when not connected to an application or network. At the same time, the container ensures that access rights to the data in its sandbox are revoked when needed. If a user is removed from the corporate directory, Symantec O3 de-provisions that person immediately, disabling access to the container's data. The container can also revoke rights after a set period of inactivity. The Symantec O3 data container also includes a control for data forwarding, which ensures that data moved from the cloud to a mobile device stays in the container; it can prevent the user from forwarding the data as an email attachment or copying it to a non-approved destination such as a USB drive or a personal Dropbox account.

Audit and compliance

To meet audit and compliance requirements, Symantec O3 provides enterprises with the same kind of operational event data required for non-cloud applications and infrastructure. The solution captures event data from all cloud applications and generates logs that provide visibility and intelligence. Because the logs for internal and mobile users are consolidated in one place, in standard syslog format, they provide a complete and accurate record for compliance. Logs can be streamed to a Security Information and Event Management (SIEM) system to enable event correlation across internal and external systems.

Figure 4. Symantec O3 can stream logs to an external Security Information and Event Management system.

Controlling access to your cloud applications

Symantec O3 will help your enterprise make its cloud initiatives a success by providing the convenience of SSO, secure access control, and compliance auditing across all cloud users and applications. Your users will have a better experience with a single, secure log-on to all cloud applications that leverages your existing identity infrastructure. With Symantec O3, your enterprise will be able to enforce identity-based access with granular, context-based policy. The solution will also consolidate application logs to reduce the effort and cost of compliance and to provide demonstrable, collectible proof for auditors.

We invite you to learn more about how your enterprise can use Symantec O3 to enforce security policy for all cloud applications used anywhere in the organization. Please visit our website at www.symantec.com/o3 or contact your Symantec representative.
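The brokered log-on flow described under "How Symantec O3 protects the enterprise" (directory lookup, per-application entitlement and device policy, log-on completed on the user's behalf, side door closed at the application) and the syslog audit trail described under "Audit and compliance" can be followed end to end in the Python example below. It is an added illustration, not Symantec O3 code or any product API: the directory, users, passwords, application policy, signing key, and host names are all constructed, and an HMAC over a JSON claim set stands in for the signed SAML assertion a real broker would issue.

```python
"""Minimal SSO security-broker flow, constructed for illustration only:
directory lookup -> per-app policy ("who" and "what") -> signed assertion ->
cloud-app (SP) verification -> RFC 5424 syslog audit line for a SIEM."""
import base64
import hashlib
import hmac
import json
import time
from datetime import datetime, timezone


def _pw(p):
    # Salted hash so no plaintext password sits in the constructed directory.
    return hashlib.sha256(b"demo-salt:" + p.encode()).hexdigest()


# Constructed identity store standing in for Active Directory / LDAP.
# "eve" is disabled: a de-provisioned user must lose access immediately.
DIRECTORY = {
    "alice": {"pw": _pw("correct-horse"), "roles": {"finance", "staff"}, "enabled": True},
    "bob":   {"pw": _pw("hunter2"),       "roles": {"staff"},            "enabled": True},
    "eve":   {"pw": _pw("x"),             "roles": {"finance"},          "enabled": False},
}
# Per-application policy: identity-based ("who") and device-based ("what") rules.
POLICY = {
    "erp-cloud": {"roles": {"finance"}, "require_managed_device": True},
    "wiki":      {"roles": {"staff"},   "require_managed_device": False},
}
BROKER_KEY = b"constructed-broker-signing-key"   # stands in for the IdP's SAML signing key
ASSERTION_TTL = 300                              # seconds an assertion stays valid


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def audit_event(outcome, user, app, reason, now):
    """One RFC 5424 syslog line from the broker: facility auth (4), severity
    notice (5) when allowed or warning (4) when denied, so PRI is 37 or 36."""
    pri = 4 * 8 + (4 if outcome == "denied" else 5)
    ts = datetime.fromtimestamp(now, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"<{pri}>1 {ts} sso-broker o3-demo - ACCESS "
            f'[access user="{user}" app="{app}" outcome="{outcome}" reason="{reason}"] '
            f"{outcome} {user} -> {app}")


def broker_login(user, password, app, device_managed, now=None):
    """Validate credentials against the directory, apply the app policy and,
    if allowed, issue a signed assertion. Returns (assertion_or_None, audit_line)."""
    now = time.time() if now is None else now
    entry = DIRECTORY.get(user)
    if entry is None or not entry["enabled"] or not hmac.compare_digest(entry["pw"], _pw(password)):
        return None, audit_event("denied", user, app, "bad-credentials-or-disabled", now)
    pol = POLICY.get(app)
    if pol is None or not (entry["roles"] & pol["roles"]):
        return None, audit_event("denied", user, app, "no-entitlement", now)
    if pol["require_managed_device"] and not device_managed:
        return None, audit_event("denied", user, app, "unmanaged-device", now)
    claims = {"sub": user, "aud": app, "iat": int(now), "exp": int(now) + ASSERTION_TTL,
              "roles": sorted(entry["roles"] & pol["roles"])}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(BROKER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig), audit_event("allowed", user, app, "sso", now)


def sp_accept(app, assertion, now=None):
    """Cloud-application side: accept only an unexpired assertion the broker signed
    for this application; replays after TTL and tokens for other apps are refused."""
    now = time.time() if now is None else now
    try:
        body, sig = (_unb64(part) for part in assertion.split("."))
    except (ValueError, AttributeError):
        return False
    if not hmac.compare_digest(hmac.new(BROKER_KEY, body, hashlib.sha256).digest(), sig):
        return False
    claims = json.loads(body)
    return claims.get("aud") == app and claims.get("exp", 0) > now


# Constructed SP settings. sso_only=True is the hardened setting: the application
# keeps no usable local password path, so the broker is the only way in.
SP_CONFIG = {
    "erp-cloud": {"sso_only": True,  "local_pw": {"alice": _pw("legacy-pass")}},
    "wiki":      {"sso_only": False, "local_pw": {"bob": _pw("hunter2")}},
}


def sp_password_login(app, user, password):
    """The side door: a password typed straight into the cloud app, bypassing the
    broker. With sso_only the SP refuses it even when the local password is right."""
    cfg = SP_CONFIG[app]
    if cfg["sso_only"]:
        return False
    stored = cfg["local_pw"].get(user)
    return stored is not None and hmac.compare_digest(stored, _pw(password))


if __name__ == "__main__":
    t = 1_700_000_000
    token, line = broker_login("alice", "correct-horse", "erp-cloud", device_managed=True, now=t)
    print(line, "\nSP accepts:", sp_accept("erp-cloud", token, now=t),
          "| after TTL:", sp_accept("erp-cloud", token, now=t + ASSERTION_TTL + 1),
          "| other app:", sp_accept("wiki", token, now=t))
    print(broker_login("eve", "x", "erp-cloud", True, now=t)[1])
    print("Side door at erp-cloud:", sp_password_login("erp-cloud", "alice", "legacy-pass"))
```

Running it shows the three decisions the brief describes in one place: the disabled user "eve" is refused before any policy check (the de-provisioning case), a user with the right role is still refused from an unmanaged device (the "what" half of the policy), and the application side rejects an expired, forged, or wrong-audience assertion as well as any direct password log-on while sso_only is set. Every decision produces one syslog line with structured data, which is the form a SIEM can correlate across internal and mobile users without parsing each cloud application's own log format.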

About Symantec

Symantec protects the world's information, and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment, from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our world-renowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at go.symantec.com/socialmedia. For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters, 350 Ellis St., Mountain View, CA 94043 USA, +1 (650) 527 8000, 1 (800) 721 3934, www.symantec.com

Disclaimer: Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and are subject to change. Any future release of the product or planned modifications to product capability, functionality, or feature are subject to ongoing evaluation by Symantec, may or may not be implemented, should not be considered firm commitments by Symantec, and should not be relied upon in making purchasing decisions.

Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 2/2013 21284264-1