Security whitepaper CloudAnywhere http://www.cloudiway.com
© Copyright 2011 CLOUDIWAY. All rights reserved. Use of any CLOUDIWAY solution is governed by the license agreement included in your original contract. The copyright and all other intellectual property rights in the Software are and remain the property of CLOUDIWAY and/or its subsidiaries (CLOUDIWAY). The licensee shall not acquire any title, copyright or other proprietary rights in the Software or any copy than specified in. You may not attempt to copy, modify, alter, disassemble, de-compile, translate or convert into human-readable form, or reverse engineer all or any part of the Features and/or Data. You acknowledge that the Software and all related products (including but not limited to documentation) are the subject of copyright. You therefore shall not, during or at any time after the expiry or termination of this Agreement, permit any act which infringes that copyright and, without limiting the generality of the foregoing, You specifically acknowledge that You may not copy the Software or Products except as otherwise expressly authorized by this Agreement. Copyright by CLOUDIWAY. CLOUDIWAY provides this publication as is without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability or fitness for a particular purpose. CLOUDIWAY may revise this publication from time to time without notice. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Page 2/11
Content
- 1 CONTENT OF THIS GUIDE (page 4)
- 2 OVERVIEW (page 5)
- 3 CLOUDANYWHERE INTEGRATION (page 6)
- 3.1 LOCAL DIRECTORY INTEGRATION (page 6)
- 3.2 SAAS INTEGRATION (page 6)
- 3.3 PASSWORD SYNCHRONIZATION MECHANISM (page 7)
- 3.4 CLOUDANYWHERE ACCOUNTS (page 7)
- 4 SELF SERVICE PORTAL (page 11)
1 CONTENT OF THIS GUIDE
The CloudAnywhere security guide provides information about:
- CloudAnywhere security
- How data is protected
- How passwords are synchronized
- Encryption protocols used by this product.
Feedback
If you have comments about this guide, please send an email message to contact@cloudiway.com
2 OVERVIEW
CloudAnywhere is a cloud-based Identity and Access Management solution. CloudAnywhere synchronizes your local/on-premise directories with your SAAS and ASP providers. It automates user, group and contact provisioning and de-provisioning, and also synchronizes passwords.
CloudAnywhere, at the heart of your Cloud IT, helps you build your IT strategy around the Cloud and guarantees access to any SAAS resource.
CloudAnywhere is shipped with a portal that brings self-service password reset and self-service access request management. The password reset functionality helps you reduce your helpdesk costs, and the access management portal helps you integrate your SAAS resources into your IT. Based on a workflow, users request access to SAAS resources and they are automatically provisioned upon validation.
3 CLOUDANYWHERE INTEGRATION
3.1 LOCAL DIRECTORY INTEGRATION
CloudAnywhere integrates with your local directory (Active Directory or LDAP directory) and with your SAAS applications.
Active Directory pulling is done over RPC, and data are encrypted using the standard RPC mechanisms.
LDAP integration is done through standard LDAP queries. It is possible to encrypt data using LDAP over SSL.
3.2 SAAS INTEGRATION
CloudAnywhere integrates with SAAS providers by calling their native APIs or web services. Data exchanges take place over SSL. It is possible to selectively determine with which providers passwords will be synchronized.
Example:
3.3 PASSWORD SYNCHRONIZATION MECHANISM
Passwords are never sent over the wire in clear text.
Passwords stored in Active Directory are not readable. They are stored in a write-only attribute using a non-reversible hashing protocol. Once stored, they cannot be extracted in clear text.
CloudAnywhere's approach is to catch the password change. When a user changes his password (either from his computer or when an administrator changes or resets his password), the password is caught by CloudAnywhere in clear text in the memory of the Active Directory domain controller, using the standard mechanism offered by Active Directory (password filter DLL). For this purpose, a password filter DLL must be installed on every domain controller.
When a password change occurs, the password is caught by the password filter DLL in clear text in the memory of the domain controller. The password is then encrypted using a symmetric key and sent over the wire to the CloudAnywhere server. The server decrypts the password in memory and changes the password in every relevant SAAS provider using their respective ChangePassword API. Depending on the SAAS provider, the password might be hashed before sending it, or might be sent as is over the SSL session; this depends on the way the SAAS provider has developed its ChangePassword API.
For security reasons, user passwords are never stored or persisted by CloudAnywhere. They remain in the memory of the Active Directory or CloudAnywhere server in encrypted form until they are delivered. Different retry mechanisms are implemented between the Active Directory and the CloudAnywhere server and between the CloudAnywhere server and the SAAS provider. If a power outage occurs, passwords not yet delivered are lost.
3.4 CLOUDANYWHERE ACCOUNTS
CloudAnywhere Service Account
This account is used to execute the service that periodically synchronizes the resources.
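The mechanism described in 3.3 says the captured password is encrypted with a symmetric key, decrypted in memory on the server and never persisted, but it does not name the cipher or say how the message is authenticated or protected against replay. The following Go program is an added example, not Cloudiway's code, that models the envelope with the properties a reviewer would check for. It assumes AES-256-GCM under a pre-shared 32-byte key (an assumption; the whitepaper does not specify the algorithm), authenticates the user name and capture time alongside the ciphertext, rejects stale messages, zeroes the plaintext after delivery and retries delivery without writing anything to disk. The Envelope type and the Seal, Open, Zero and DeliverWithRetry functions are this example's own names.

```go
package main

// Added example, not Cloudiway's code. Models the section 3.3 envelope.
// ASSUMPTION: AES-256-GCM under a pre-shared 32-byte key (the whitepaper
// only says "symmetric key"), so each message is authenticated as well as
// encrypted, bound to user and capture time, and kept in memory only.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Envelope is the message the password filter DLL would send to the server.
type Envelope struct {
	User       string // account whose password changed
	IssuedUnix int64  // capture time; lets the server reject stale replays
	Nonce      []byte // fresh per message; must never repeat under one key
	Ciphertext []byte // AES-GCM output with its authentication tag
}

// newAEAD builds the cipher; a 32-byte key selects AES-256.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// associatedData is authenticated but not encrypted, so a captured envelope
// cannot be re-targeted at a different user or re-dated.
func associatedData(user string, issued int64) []byte {
	ad := make([]byte, 8, 8+len(user))
	binary.BigEndian.PutUint64(ad, uint64(issued))
	return append(ad, user...)
}

// Seal is the domain controller side, run right after the filter catches
// the new password in memory.
func Seal(key []byte, user string, password []byte, issued int64) (*Envelope, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, password, associatedData(user, issued))
	return &Envelope{User: user, IssuedUnix: issued, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the server side: reject stale messages, verify the tag, return the
// plaintext. The caller must Zero() it once every provider is updated.
func Open(key []byte, env *Envelope, now int64, maxAge time.Duration) ([]byte, error) {
	if now-env.IssuedUnix > int64(maxAge.Seconds()) {
		return nil, errors.New("envelope too old: possible replay or clock skew")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, associatedData(env.User, env.IssuedUnix))
	if err != nil {
		return nil, errors.New("authentication failed: wrong key or tampered message")
	}
	return pt, nil
}

// Zero overwrites a plaintext password after delivery.
func Zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// DeliverWithRetry models the retry toward a provider's ChangePassword API.
// Nothing is written to disk: if the process dies first, the password is
// lost, which is the behaviour the whitepaper describes.
func DeliverWithRetry(send func() error, attempts int) error {
	var err error
	for i := 0; i < attempts; i++ {
		if err = send(); err == nil {
			return nil
		}
	}
	return fmt.Errorf("giving up after %d attempts: %w", attempts, err)
}
```

Because GCM nonces must never repeat under one key, a deployment that keeps a long-lived pre-shared key between every domain controller and the server needs either a counter-based nonce per sender or periodic key rotation; the authenticated user and time fields are what let the server detect a captured envelope being replayed or re-targeted.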
Like any account that runs a service, it must have the permission to open a session as a service. To give the service account this privilege, follow this procedure:
- Launch the MMC snap-in gpedit.msc.
- Go to Computers / Computer Configuration / Windows Parameters / Security Parameters / Local Policies / User account permissions.
- Edit the policy Open a session as a service (Log on as a service in the English Windows UI) and add the account that you have chosen to execute the service.
Active Directory Pulling Service Accounts
These accounts are used by CloudAnywhere to pull the source Active Directories and get the changes. The service account doesn't need to be domain Administrator. The only permission it needs is Replicate Directory Changes at the root of the domain.
It also needs Read permission on the Deleted Objects container in Active Directory. Example (see KB http://support.microsoft.com/kb/892806):
C:\Users\administrator.SOURCE>dsacls "CN=Deleted Objects,DC=source,DC=local" /g source\svccloud:lcrp
The following procedure gives the Replicate Directory Changes permission to the given account:
- Open the Active Directory management console.
- Select the domain node. Right-click it and click Properties.
- Go to the Security tab. Click Add.
- Select the service account and click OK.
- Select the service account that you have just added. Click Allow for:
  - Replicate Directory Changes
  - Replicate Directory Changes All
This gives the permission only to the top-level container. Now you must give this permission to all child containers:
- Click Advanced.
- Select the row that must be modified. Click Edit. (Repeat this step for each row separately.)
- Apply Onto: the default is «This Object Only». Change it to This object and all child objects.
4 SELF SERVICE PORTAL
This feature is optional.
The self-service portal implements different levels of access:
- Standard user access
- Helpdesk access
- Administrator access
Authentication is performed using the Active Directory account, and the level of access depends on Active Directory group membership.
When a user forgets a SAAS password, he has different ways to reset it. If password synchronization is in place, this should not occur: his SAAS passwords should remain synchronized with his local password. If a user forgets his local password, he shall ask his helpdesk to reset it. This automatically synchronizes the new password with the SAAS providers.
CloudAnywhere is also shipped with a Reset Password portal. A user must first register on this portal: he must connect to it at least one time and answer secret questions. If he does not remember his password, he shall connect to the portal and authenticate using his secret answers. Once authenticated he can change his password. The password is changed in every SAAS application where the user has an account. If configured, the password can also be changed in Active Directory.
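The portal flow above registers secret answers at first login and later authenticates the user with them, but the whitepaper does not say how the answers are stored or checked. The following Go program is an added example, not Cloudiway's code, showing the handling a defender would expect from such a portal: answers are normalized, hashed with a per-answer random salt and PBKDF2-HMAC-SHA256, compared in constant time with every answer evaluated before a verdict is given, and the enrollment is locked after five failed attempts so the portal cannot be used to guess answers. The Enroll and Verify functions, ErrLocked, the iteration count and the lockout threshold are all this example's assumptions.

```go
package main

// Added example, not Cloudiway's code: secret-answer storage and checking
// for a reset-password portal as in section 4. ASSUMPTIONS: PBKDF2-HMAC-
// SHA256 with 100000 iterations, 16-byte salts, lockout after 5 failures.

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"strings"
	"unicode"
)

const kdfIterations = 100000 // slow enough to blunt offline guessing of a leaked store
const maxFailures = 5        // after this many wrong attempts only the helpdesk can reset

var ErrLocked = errors.New("enrollment locked after repeated failures; helpdesk reset required")

// normalizeAnswer makes "Fluffy " and "fluffy" compare equal without ever
// storing the raw answer: lower-case and keep only letters and digits.
func normalizeAnswer(s string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(s) {
		if unicode.IsLetter(r) || unicode.IsDigit(r) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte block.
func deriveKey(secret, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, secret)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index INT(1)
	u := prf.Sum(nil)             // U_1
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(u[:0]) // U_j = PRF(U_{j-1})
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

type storedAnswer struct{ Salt, Hash []byte }

// Enrollment is all the portal keeps per user: salts, hashes and a counter.
type Enrollment struct {
	Answers  []storedAnswer
	Failures int
}

// Enroll is the first-time registration step described in the whitepaper.
func Enroll(answers []string) (*Enrollment, error) {
	e := &Enrollment{}
	for _, a := range answers {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return nil, err
		}
		h := deriveKey([]byte(normalizeAnswer(a)), salt, kdfIterations)
		e.Answers = append(e.Answers, storedAnswer{Salt: salt, Hash: h})
	}
	return e, nil
}

// Verify checks every answer before returning, so response time does not
// reveal which question was answered wrongly.
func (e *Enrollment) Verify(answers []string) (bool, error) {
	if e.Failures >= maxFailures {
		return false, ErrLocked
	}
	ok := 0
	if len(answers) == len(e.Answers) {
		ok = 1
		for i, a := range answers {
			h := deriveKey([]byte(normalizeAnswer(a)), e.Answers[i].Salt, kdfIterations)
			ok &= subtle.ConstantTimeCompare(h, e.Answers[i].Hash)
		}
	}
	if ok != 1 {
		e.Failures++
		return false, nil
	}
	e.Failures = 0
	return true, nil
}
```

Because a successful answer check leads straight to a password change that is then pushed to every SAAS provider, the lockout counter and the helpdesk-only recovery path are what keep the portal from becoming the weakest route into those accounts.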