Navigating the Clouds with an Enterprise IT Strategy (178699088)

  • 7/27/2019 Navigating the Clouds with an Enterprise IT Strategy (178699088)

    1/41

    Navigating the Clouds with an Enterprise IT Strategy

    Should your university be a cloud services leader?

    How do you balance the benefits and risks of strategic innovation?

    What about identity management in the cloud?

    Clayton Burton, Jason Long, Fred Miller

    October 17, 2013

    2/41

    Agenda (and obligatory cloud picture)

    IT Strategic Planning and the Cloud

    The Role of Various Cloud Models

    Identity Management

    Shibboleth in Detail

    Lessons Learned & Future considerations

    3/41

    Do you...

    1. Do you use cloud services beyond email and calendar?

    2. Have a strategy for what should be in the cloud, versus on-campus?

    4/41

    About Furman University

    Private liberal arts university

    750-acre campus in Greenville, South Carolina

    2650 undergraduates

    96% live on-campus

    Division 1 athletics

    5/41

    Furman's IT Strategic Plans

    2007

    II.24.2 Establish an efficient central system that serves as the information window to Furman University

    Implement Single Sign-On (SSO)

    2011

    2. Champion scalable information technology innovations and best practices.

    Enable efficient operations using appropriate vendor, cloud, and open source solutions.

    Supporting tactic:

    Require SAML 2 SSO for cloud authentication

    6/41

    Consumers

    Industry Govt. / Legal

    Consortia

    Higher Ed

    Institution

    Foundations

    Our Environment

    7/41

    Investing in an IT project portfolio

    8/41

    Strategic Innovations

    Infrastructure

    Analytics

    Transaction Processing

    Increasing Risk

    Adapted from Ross and Weill, IT Savvy: What Top Executives Must Know to Go from Pain to Gain, Harvard Business Press, 2009, fig. 3-2.

    Innovation within the IT Portfolio

    9/41

    Consumerization & cloud services

    IT as a partner, not competitor

    Technology contract approvals

    Compliance reviews

    Leadership agreement on a platform approach

    Post-implementation reviews

    10/41

    Vision: One place for all your Furman stuff...

    11/41

    12/41

    Models of cloud services & risks

    Software As A Service: Cloud As A Kit

    Infrastructure As A Service: Pay As You Go

    Collaboration Opportunities

    13/41

    SaaS - Cloud as a Kit

    Over 40 Software-As-A-Service contracts

    PCI-DSS solutions

    Office 365

    Box

    Risks?

    14/41

    Some Furman SAAS Vendors

    15/41

    IaaS - Pay as You Go

    Amazon, Moodle & Mobile

    16/41

    edge.furman.edu

    17/41

    Questions

    1. Are you using Infrastructure As A Service? If so, for what?

    2. Do you have campus single sign-on? If so, do you use it for cloud services?

    18/41

    Identity management

    Identity strategy: provisioning and de-provisioning

    The university portal: when is single sign-on appropriate

    Shibboleth and federated identity

    One place for "all your campus stuff"

    Risks? Costs?

    19/41

    One identity, infinite services

    Motivations

    Consumerization-driven services expected

    Centralization for better usability: fewer passwords, URLs

    Easier provisioning and user access control

    3rd party services never see passwords

    20/41

    One password, infinite access

    Risks

    Too much access: one password for (almost) everything

    Social engineering weakness

    Structural failure point

    Less direct control

    21/41

    SSO choices

    Interdependent, overlapping, standard-resistant choices

    Not just services you plan on using

    New technologies, rapid proliferation

    22/41

    Additional considerations

    Moving from managing systems to managing services

    Trust through contracts

    Consultants vs. training

    Wide net vs. standardizing support

    Total cost of architecture

    Redundancy of systems

    Staffing: anchoring the cloud

    23/41

    Our original SSO setup

    24/41

    Future SSO setup

    25/41

    Furman's choices

    Vendors used (SSO Easy, Fischer International) for speed of deployment

    Consolidation of architecture in phases

    Redundancy of key systems

    Moving to Shibboleth standard and in-house support

    26/41

    Question

    1. Do you allow cloud vendors to store your users' passwords?

    2. Are you using an Internet2 Net+ or other Shibboleth-based service?

    27/41

    Where do Shibboleths come from?

    28/41

    SAML Core: data that's transmitted

    assertions, requests, responses

    Bindings: how the data's transmitted

    e.g. SOAP, HTTP POST, HTTP Redirect (GET)

    Profiles: describe use cases in detail

    Web Browser SSO Profile

    many others

    SAML building blocks

    29/41

    SAML Flowchart - Phase 1

    You request a resource

    30/41

    Here's the login!

    (the Single sign-on)

    SAML Flowchart - Phase 2

    Login, if you haven't already

    31/41

    SAML Flowchart - Phase 3

    You get the resource

    32/41

    SAML Flowchart - Complete

    33/41

    Where Are You From? aka "Discovery"

    How the SP knows which IdP

    inherent in the URL, e.g. furman.SP.com

    passed in the URL, e.g. SP.com/furman

    SAML 2.0 IdP Discovery Protocol

    Just ask!

    WAYF

    34/41

    usually maintained by your Federation

    adds security

    SPs and IdPs specified

    certificates

    more maintainable

    configuration stored in one place

    simplifies process of adding SPs

    Don't mind me! I'm just the Metadata!

    SAML Metadata

    35/41

    For InCommon:

    https://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml

    About 6 MB

    Take care to configure servers properly using HTTPS!

    Where's the Metadata?
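
Added example, not part of the original slides: a small audit of a federation metadata file that lists each IdP and SP it specifies, fingerprints the certificates it carries, and flags endpoints that are not served over HTTPS. The sample document, the `audit_metadata` name and the example.edu/example.com entities are constructed for illustration, and the code assumes the file was already fetched over HTTPS and its federation signature checked.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ROLES = {"IDPSSODescriptor": "IdP", "SPSSODescriptor": "SP"}
ENDPOINTS = ("SingleSignOnService", "AssertionConsumerService")

# Constructed sample, not real federation data; the certificate value is
# placeholder bytes, not a real X.509 certificate.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>Y29uc3RydWN0ZWQtaWRwLWNlcnQ=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.com/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.com/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def audit_metadata(xml_text):
    """Return one record per entity role: entityID, role, cert hashes, issues."""
    records = []
    for entity in ET.fromstring(xml_text).iter(f"{{{NS['md']}}}EntityDescriptor"):
        for tag, role in ROLES.items():
            for desc in entity.findall(f"md:{tag}", NS):
                # SHA-256 over the decoded certificate bytes, for pinning or diffing
                certs = [hashlib.sha256(base64.b64decode(c.text)).hexdigest()
                         for c in desc.findall(".//ds:X509Certificate", NS)]
                issues = [] if certs else ["no certificate"]
                for name in ENDPOINTS:
                    for ep in desc.findall(f"md:{name}", NS):
                        if not ep.get("Location", "").startswith("https://"):
                            issues.append(f"non-HTTPS {name}")
                records.append({"entity": entity.get("entityID"), "role": role,
                                "certs": certs, "issues": issues})
    return records
```

Running `audit_metadata(SAMPLE)` returns a clean record for the IdP and flags the SP for carrying no certificate and for an HTTP assertion consumer endpoint.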

    36/41

    Service Logout vs. Session Logout

    Shibboleth IdP Clustering

    Two factor authentication (cell phone?)

    Additional Considerations

    37/41

    Lessons learned

    Identify risks

    Educate the community

    Manage Change

    Leadership support key

    TRUST

    38/41

    Cloud services

    for Innovation

    On-Campus for Security

    Distributed support

    Coordinated support

    Possible future scenarios

    1 2

    3 4

    39/41

    Questions?

    How long before all campus servers are in the cloud?

    A. Within 3 years

    B. 3-5 years

    C. 5-10 years

    D. More than 10 years

    E. After I retire

    40/41

    Challenges & opportunities

    More Mobile

    Virtualization

    Data center in the cloud

    More collaborations

    When to partner?

    41/41

    Thanks

    Clayton Burton, Jason Long, Fred Miller