Security whitepaper
CloudAnywhere
© Copyright 2011 CLOUDIWAY. All rights reserved.
Use of any CLOUDIWAY solution is governed by the license agreement included in your original contract.
The copyright and all other intellectual property rights in the Software are and remain the property of CLOUDIWAY and/or its subsidiaries (“CLOUDIWAY”). The licensee shall not acquire any title, copyright or other proprietary rights in the Software or any copy than specified in.
You may not attempt to copy, modify, alter, disassemble, de-compile, translate or convert into human-readable form, or reverse engineer all or any part of the Features and/or Data. You acknowledge that the Software and all related products (including but not limited to documentation) are the subject of copyright. You therefore shall not, during or at any time after the expiry or termination of this Agreement, permit any act which infringes that copyright and, without limiting the generality of the foregoing, You specifically acknowledge that You may not copy the Software or Products except as otherwise expressly authorized by this Agreement.
Copyright © by CLOUDIWAY.
CLOUDIWAY provides this publication “as is” without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability or fitness for a particular purpose. CLOUDIWAY may revise this publication from time to time without notice. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Content
1 CONTENT OF THIS GUIDE
2 OVERVIEW
3 CLOUDANYWHERE INTEGRATION
3.1 LOCAL DIRECTORY INTEGRATION
3.2 SAAS INTEGRATION
3.3 PASSWORD SYNCHRONIZATION MECHANISM
3.4 CLOUDANYWHERE ACCOUNTS
4 SELF SERVICE PORTAL
1 CONTENT OF THIS GUIDE
The CloudAnywhere security guide provides information about:
- CloudAnywhere security
- How data is protected
- How passwords are synchronized
- Encryption protocols used by this product.
Feedback
If you have comments about this guide, please send an email message to [email protected]
2 OVERVIEW
CloudAnywhere is a cloud-based Identity and Access Management solution. CloudAnywhere synchronizes your local/on-premise directories with your SAAS and ASP providers.
It automates user, group and contact provisioning and de-provisioning, and also synchronizes passwords.
CloudAnywhere, at the heart of your Cloud IT, helps you build your IT strategy around the Cloud and guarantees access to any SAAS resource.
CloudAnywhere is shipped with a portal that provides self-service password reset and self-service access request management. The password reset functionality helps you reduce your helpdesk costs, and the access management portal helps you integrate your SAAS resources into your IT. Based on a workflow, users request access to SAAS resources and are automatically provisioned upon validation.
3 CLOUDANYWHERE INTEGRATION
3.1 LOCAL DIRECTORY INTEGRATION
CloudAnywhere integrates with your local directory (Active Directory or LDAP directory) and with your SAAS applications.
Active Directory pulling is done over RPC and data are encrypted using the standard RPC mechanisms. LDAP integration is done through standard LDAP queries. It’s possible to encrypt data using LDAP over SSL.
3.2 SAAS INTEGRATION
CloudAnywhere integrates with SAAS providers by calling their native APIs or web services. Data exchange takes place over SSL connections.
It’s possible to selectively determine with which providers passwords will be synchronized. Example:
3.3 PASSWORD SYNCHRONIZATION MECHANISM
Passwords are never sent over the wire in clear text.
Passwords stored in Active Directory are not readable. They are stored in a “write only” attribute using a non-reversible hashing protocol.
Once stored, they cannot be extracted in clear text. CloudAnywhere's approach is to catch the password change.
When a user changes his password (either from his computer or when an administrator changes or resets his password), the password is caught by CloudAnywhere in clear text in the memory of the Active Directory domain controller, using the standard mechanism offered by Active Directory (password filter DLL).
For this purpose, a password filter DLL must be installed on every domain controller.
When a password change occurs, the password is caught by the password filter DLL in clear text in the memory of the domain controller. The password is then encrypted using a symmetric key and sent over the wire to the CloudAnywhere server. The server decrypts the password in memory and changes the password in every relevant SAAS provider using their respective ChangePassword API. Depending on the SAAS provider, the password might be hashed before sending it, or might be sent as is over the SSL session. This depends on the way the SAAS provider has implemented its ChangePassword API.
For security reasons, user passwords are never stored or persisted by CloudAnywhere. They remain in the memory of the Active Directory or CloudAnywhere server in encrypted form until they are “delivered”. Different retry mechanisms are implemented between the Active Directory and the CloudAnywhere server, and between the CloudAnywhere server and the SAAS provider.
If a power outage occurs, passwords not yet delivered are lost.
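Because the mechanism above is a domain-controller-wide LSA hook, a practitioner will want to verify, on every domain controller, which notification packages are actually registered: an entry nobody planned for deserves investigation, and a DC where the product's filter is missing will silently stop forwarding password changes. The following PowerShell script is an added example, not CloudAnywhere's own code; the filter DLL name in $expected is a placeholder, since this guide does not state the name the installer registers.

```powershell
# Added example, not CloudAnywhere code. Run from a host with the RSAT
# ActiveDirectory module, as an account allowed to remote to the DCs.
Import-Module ActiveDirectory

# Notification packages you expect on a DC: the Windows defaults (scecli and
# rassfm are typical) plus the product's filter. PLACEHOLDER: replace with the
# base name (no .dll suffix) that the CloudAnywhere installer registers.
$expected = @('scecli', 'rassfm', 'CLOUDANYWHERE_FILTER_PLACEHOLDER')

$dcs = (Get-ADDomainController -Filter *).HostName

$inventory = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # REG_MULTI_SZ of DLL base names that LSASS loads at boot.
    $packages = (Get-ItemProperty -Path $lsa -Name 'Notification Packages').'Notification Packages'
    foreach ($pkg in $packages) {
        $path = Join-Path $env:SystemRoot "System32\$pkg.dll"
        $signer = if (Test-Path $path) {
            (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject
        } else { $null }
        [pscustomobject]@{
            DC      = $env:COMPUTERNAME
            Package = $pkg
            Present = Test-Path $path
            Signer  = $signer
        }
    }
}

# 1. Entries not on the expected list: any DLL registered here receives the same
#    clear-text password-change notifications the product relies on, so each
#    extra entry and its signer must be accounted for.
Write-Host '== Unexpected notification packages =='
$inventory | Where-Object { $expected -notcontains $_.Package } |
    Format-Table DC, Package, Present, Signer -AutoSize

# 2. DCs where the product's filter is not registered: password changes made
#    against these DCs are never forwarded, so synchronization breaks there.
Write-Host '== DCs missing the CloudAnywhere filter =='
$inventory | Group-Object DC |
    Where-Object { $_.Group.Package -notcontains $expected[-1] } |
    ForEach-Object { $_.Name }
```

A package that is listed but not present on disk (Present = False) is also worth a look, since LSASS will log a load failure for it at the next boot.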
3.4 CLOUDANYWHERE ACCOUNTS
CloudAnywhere Service Account
This account is used to execute the service that periodically synchronizes the resources.
Like any account that runs a service, it must have the permission to “Open a session as a service”.
To give the service account this privilege, follow this procedure:
- Launch the MMC snap-in gpedit.msc.
- Go to Computers / Computer Configuration / Windows Parameters / Security Parameters / Local Policies / User account permissions.
- Edit the policy “Open a session as a service” and add the account that you have chosen to execute the service.
Active Directory Pulling Service Accounts
These accounts are used by CloudAnywhere to pull the source Active Directories and get the changes.
The service account does not need to be a Domain Administrator.
The only permission it needs is Replicate Directory Changes at the root of the domain.
It also needs Read permission on the Deleted Objects container in Active Directory.
Example (see KB http://support.microsoft.com/kb/892806):
C:\Users\administrator.SOURCE>dsacls "CN=Deleted Objects,DC=source,DC=local" /g source\svccloud:LCRP
The following procedure gives the Replicate Directory Changes permission to the given account.
- Open the Active Directory management console and select the domain node.
- Right click and click
- Go to the Security tab.
- Click Add.
- Select the service account and click OK.
- Select the service account that you have just added. Click Allow for:
  - Replicate Directory Changes
  - Replicate Directory Changes All
This gives the permission only to the top-level container. Now you must give this permission to all child containers:
- Click Advanced. Select the row that must be modified. Click Edit. (Repeat this step for each row separately.)
- Apply onto: the default is « This Object Only »; change it to “This object and all child objects”.
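To confirm the result of the procedure above, and to see who else holds the same rights, the following PowerShell script is an added example (not part of this guide or of CloudAnywhere). It lists the identities holding the two replication rights on the domain root, matched by their extended-right GUIDs, and shows the Deleted Objects grant with dsacls, the tool the KB itself uses. The account name SOURCE\svccloud is taken from the dsacls example above; adjust it to the account you use.

```powershell
# Added example, not CloudAnywhere code. Requires the RSAT ActiveDirectory
# module; reading the Deleted Objects ACL needs the Administrators membership
# described in KB 892806.
Import-Module ActiveDirectory

$serviceAccount = 'SOURCE\svccloud'          # from the guide's dsacls example
$domainDN = (Get-ADDomain).DistinguishedName

# Extended-right GUIDs of the two rights the procedure grants.
$rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicate Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicate Directory Changes All'
}

# Explicit ExtendedRight ACEs on the domain root. Holders of GenericAll are
# not listed here, so review those separately.
$holders = (Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'ExtendedRight' -and
        $rights.ContainsKey($_.ObjectType.ToString())
    } |
    ForEach-Object {
        [pscustomobject]@{
            Identity    = $_.IdentityReference.Value
            Right       = $rights[$_.ObjectType.ToString()]
            Inheritance = $_.InheritanceType   # 'All' = this object and all child objects
        }
    }

# 1. The service account should appear twice, both rows with Inheritance 'All'
#    if the "Apply onto" step was done.
Write-Host "== Rights held by $serviceAccount =="
$holders | Where-Object { $_.Identity -eq $serviceAccount } | Format-Table -AutoSize

# 2. Windows grants these rights to Administrators and the domain controller
#    groups by default. Any other holder of "Replicate Directory Changes All"
#    can replicate password hashes for the whole domain, so each one must be
#    justified.
Write-Host '== Other identities holding replication rights =='
$holders | Where-Object { $_.Identity -ne $serviceAccount } |
    Sort-Object Identity, Right | Format-Table -AutoSize

# 3. Deleted Objects container: dsacls with no options prints the ACL, and
#    LCRP should show up for the service account as a SPECIAL ACCESS entry.
Write-Host '== Deleted Objects container =='
& dsacls "CN=Deleted Objects,$domainDN" | Select-String -SimpleMatch $serviceAccount
```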
4 SELF SERVICE PORTAL
This feature is optional.
The self-service portal implements different levels of access:
- Standard user access
- Helpdesk access
- Administrator access
Authentication is performed using the Active Directory account, and the level of access depends on Active Directory group membership.
When a user forgets a SAAS password, he has different ways to reset it.
If password synchronization is in place, this should not occur: his SAAS passwords should remain synchronized with his local password. If a user forgets his local password, he shall ask his helpdesk to reset his password. This automatically synchronizes the new password with the SAAS providers.
CloudAnywhere is also shipped with a Reset Password portal. A user must first register on this portal: he must connect to it at least one time and answer secret questions. If he does not remember his password, he shall connect to the portal and authenticate using his secret answers. Once authenticated, he can change his password. The password is changed in every SAAS application where the user has an account. If configured, the password can also be changed in the Active Directory.