Identity and Access Management in Cloud
Agenda
1. Identity and Access Management (IAM)
2. What is Cloud
3. IAM for / in a Cloud
4. Risk and Challenges
5. Vendors Landscape
What is a digital identity?
The digital representation of a user, including a unique identifier, credentials, and both common and
application-specific profiles.
User Identity:
• First Name, Last Name, Unique Identifier, Date of Birth
Account Credentials:
• Login ID and password
• SecurID card, other strong authentication factors
Common Profiles:
• Job Functional Roles
• Business Unit
• Office Location
• Manager/Supervisor
Application Profiles:
• Permission levels
• Access control items
Control failures illustrated by the case below:
• No SIEM
• Ineffective deprovisioning processes
• Social engineering
• Abuse of privileges
• SoD violation
2000: John starts work in the Risk Compliance and Control section of the bank's middle office.
2005: Transfers to the front office as a trader.
Flag: Failure to de-provision access
Late 2006: Creates a false portfolio and begins issuing trades, circumventing credit and trade size controls.
Flag: Failure to detect inappropriate access and SoD violations
Through 2007: Enters fabricated offsetting trades before nightly reconciliation, concealing his fictitious trade positions.
Flag: Inadequate user activity logging/monitoring
Misappropriates the names and passwords of colleagues to mask his fraud.
Flag: Ineffective user authentication & identity risk management
Outmaneuvers the trading risk control framework.
Flag: Ineffective IT risk management
Jan 2008: Forges trade acknowledgements from a bank; these go unconfirmed, triggering an investigation.
Jan 24, 2008: The company loses $7.2B after unwinding the fraudulent trade positions.
How to relate Identity and Access?
Ensuring that only authorized users have access to information resources means managing Digital
Identities for diverse user populations, with access needs based on their business relationship with the
enterprise.
Control Visibility
Processes for on-boarding, transferring, and off-boarding of employees, third-party business partner
users, contractors, and brokers/agents. Revalidation of these users and recertification of their access
privileges to managed resources integrated with the IAM System are also addressed.
Access management: Resource access
A system that provides a single point of authentication and authorization for web applications by enforcing security policies across a wide range of web and application resources. It increases overall system security and improves the user experience by providing web single sign-on.
What is Role Based Access Control?
Before, without roles: each user (Supervisors, Staff) is granted access directly on each system (System, Directory, Database, Internet).
• Access control mess
• Compliance problems
• SoD violations
After, with roles: users are assigned to roles (Supervisor Role, Service Role) and the roles are mapped to the systems, so access follows the job function rather than the individual.
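As an added example (not code from the slides), the following Python ties together the lifecycle controls described earlier (on-boarding, transfer, off-boarding and recertification of access), the flags from the case study (failure to de-provision on transfer, failure to detect SoD violations) and the role model above. Roles, resources, the user name and the HR events are hypothetical and constructed for the example.

```python
"""Role-based access control with joiner/mover/leaver provisioning and
separation-of-duties (SoD) checks. Added example, not from the slides;
roles, resources, users and HR events are hypothetical/constructed."""
from __future__ import annotations


class SoDViolation(Exception):
    """Raised when an assignment would give one user two conflicting roles."""


# Role -> set of (resource, action) grants. Users never get grants directly;
# they get roles, which is what makes recertification and SoD checks tractable.
ROLES: dict[str, set[tuple[str, str]]] = {
    "middle_office_control": {("trade_db", "read"), ("trade_limits", "write")},
    "front_office_trader": {("trading_system", "trade"), ("trade_db", "read")},
    "supervisor": {("trading_system", "approve"), ("trade_db", "read")},
}

# Mutually exclusive role pairs: whoever sets trade limits must not trade,
# and whoever trades must not approve trades.
SOD_CONSTRAINTS: set[frozenset[str]] = {
    frozenset({"middle_office_control", "front_office_trader"}),
    frozenset({"front_office_trader", "supervisor"}),
}


class RBAC:
    def __init__(self) -> None:
        self.assignments: dict[str, set[str]] = {}

    def conflicts(self, user: str, role: str) -> set[str]:
        """Roles the user already holds that SoD forbids combining with `role`."""
        held = self.assignments.get(user, set())
        return {r for pair in SOD_CONSTRAINTS if role in pair
                for r in (pair - {role}) & held}

    def assign(self, user: str, role: str, enforce_sod: bool = True) -> None:
        """Preventive control: refuse an assignment that would violate SoD."""
        if role not in ROLES:
            raise KeyError(f"unknown role {role!r}")
        if enforce_sod and (bad := self.conflicts(user, role)):
            raise SoDViolation(f"{user}: {role} conflicts with {sorted(bad)}")
        self.assignments.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.assignments.get(user, set()).discard(role)

    def permissions(self, user: str) -> set[tuple[str, str]]:
        """Effective permissions: the union of the grants of the user's roles."""
        return set().union(*(ROLES[r] for r in self.assignments.get(user, ())))

    def is_permitted(self, user: str, resource: str, action: str) -> bool:
        return (resource, action) in self.permissions(user)

    def apply_hr_event(self, event: dict) -> None:
        """Lifecycle events from the HR feed drive provisioning. A mover loses
        the roles of the old job before getting the new one; a leaver loses all."""
        user, kind = event["user"], event["type"]
        if kind == "joiner":
            self.assign(user, event["role"])
        elif kind == "mover":
            for old in list(self.assignments.get(user, ())):
                self.revoke(user, old)
            self.assign(user, event["role"])
        elif kind == "leaver":
            self.assignments.pop(user, None)
        else:
            raise ValueError(f"unknown HR event type {kind!r}")

    def sod_violations(self) -> dict[str, set[frozenset[str]]]:
        """Detective control for recertification: users holding conflicting roles,
        i.e. what a transfer without de-provisioning leaves behind."""
        found: dict[str, set[frozenset[str]]] = {}
        for user, held in self.assignments.items():
            bad = {pair for pair in SOD_CONSTRAINTS if pair <= held}
            if bad:
                found[user] = bad
        return found


def replay_transfer() -> tuple[set[str], dict[str, set[frozenset[str]]]]:
    """Constructed replay of the case study's 2005 transfer, handled two ways."""
    good, bad = RBAC(), RBAC()
    for r in (good, bad):
        r.apply_hr_event({"user": "john", "type": "joiner", "role": "middle_office_control"})
    # Correct process: the transfer is a mover event, so old access is removed.
    good.apply_hr_event({"user": "john", "type": "mover", "role": "front_office_trader"})
    # Broken process: the new role is added on top of the old one with no SoD gate;
    # only the recertification scan catches it.
    bad.assign("john", "front_office_trader", enforce_sod=False)
    return good.assignments["john"], bad.sod_violations()


if __name__ == "__main__":
    roles_after_transfer, violations = replay_transfer()
    print("correct process, roles held:", roles_after_transfer)
    print("broken process, SoD violations found:", violations)
```

The preventive check in `assign` and the detective scan in `sod_violations` are both needed: the first stops a conflicting assignment at provisioning time, the second is the recertification step that finds conflicts created by processes that bypassed the IAM system (the "transfer without de-provisioning" in the case study).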
What is Cloud?
Also known as
• IT Resources Accessible Over Web
• Dynamically Scalable Computing Power
• Virtualization
• Abstraction of IT Infrastructure
• On Demand Computing
• Utility based Computing
• Related “Buzzwords”: IaaS, PaaS, SaaS
Cloud Delivery Model
Cloud services are delivered in three different models:
Software-as-a-Service (SaaS)
As-a-service delivery of applications targeted at private users (e.g. social networking, micro-blogging) and business users (e.g. ERP, CRM)
Platform-as-a-Service (PaaS)
As-a-service delivery of tools for development, testing, deployment, hosting and application maintenance
Infrastructure-as-a-Service (IaaS)
As-a-service delivery of virtual CPUs, disk space, and database services
How IAM For A Cloud?
Identity and Access Management can be deployed in two operating models within a cloud environment.
Model: IAM for a Cloud
Description:
• Functionality extension of an existing IAM infrastructure
• Standards for interoperability between on-premises and in-cloud applications
• Strong authentication and encryption
• Ability to leverage and sustain existing risk, compliance, and privacy controls built within the enterprise
[Diagram: the enterprise's existing IAM infrastructure extended out to Cloud Service Providers]
How IAM In A Cloud?
Model: IAM in a Cloud
Description:
• An IAM solution hosted in a cloud
• Ability to pay only for the IAM functionality required
• Reduction in costs related to IAM maintenance
• Limited in-house expertise required
• On-demand increase of capacity, functionality, predetermined Service Level Agreements (SLAs), and accountability
[Diagram: IAM hosted at a Cloud Service Provider; product shown: CA CloudMinder]
Risks associated with IAM in a cloud environment
Enterprises need to be aware of the risks associated with deploying IAM in a cloud environment. Some important risks are listed below:
Service Level Agreements
• Downtime affects access to the applications and can stop a business in its tracks. Short and infrequent IAM system outages may not be as critical as downtime of other business applications; nonetheless, when people cannot access the system it has a negative cascading effect throughout the business.
Security of Identity
• The number one concern for companies opting for IAM in a cloud. Companies cannot afford the compromise of customer or employee identity information. Factors to evaluate include the vendor's security policies, data encryption and firewalls. Understand the vendor's compliance policies for data handling and its liability in case data is compromised.
System Integration
• The IAM solution must be able to integrate with all the applications. A failure to integrate business information systems across the company results in more manual processes for identity lifecycle management. The cloud IAM service provider must provide interfaces and the ability to integrate with any enterprise application.
Total Cost of Ownership (TCO)
• While predictable expenditures and a utilization-based pricing model are welcome news in the business systems software industry, IAM systems must also deliver a comparable total cost of ownership when stacked against the prior on-premises solution.
Vendor stability
Vendor landscape: increased competitive intensity
As cloud computing grows, an increasing variety of vendors has emerged, including traditional IAM vendors influencing the game with innovative solutions and services.
Major providers
Product vendors: CA, Entrust, Evidian, IBM, Microsoft, Novell, OpenIAM, Oracle, Ping Identity, RSA, Safewhere, Siemens, Symlabs (Quest Software), Ubisecure
Service providers: CA Arcot, Clavid, Cloud Identity, Covisint, Exostar, FuGen Solutions, CryptoCard, Gluu, PingConnect, ProtectNetwork, Signicat, SSOCircle, Symplified, VMware Horizon App Manager, Myonelogin