Securing Cloud Platforms with Project Lightwave SECURING CLOUD PLATFORMS WITH PROJECT LIGHTWAVE Directory

  • View
    1

  • Download
    0

Embed Size (px)

Text of Securing Cloud Platforms with Project Lightwave SECURING CLOUD PLATFORMS WITH PROJECT LIGHTWAVE...

  • SECURING CLOUD PLATFORMS WITH PROJECT LIGHTWAVE Multitenant, Multimaster, Geo-Distributed Identity and Access Management for the Cloud

    WHITE PAPER – JUNE 2017

  • Table of Contents

    Introduction 3

    Identity and Access Management Requirements in the Cloud . . . . . . . . . . . . . . . . . . 3

    Security Problems in Cloud Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

    Use Cases 4

    Identity Federation Across Data Centers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4

    Hybrid Data Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4

    Stand-Alone Directory Service in the Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

    Directory Managed by Cloud Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

    Bridge to Identity as a Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

    Implementing Cloud-Scale Security with Lightwave 5

    Directory Services and Identity Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6

    Scalability and Performance 7

    Replication 7

    Architecture 7

    Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

    Kerberos Key Distribution Center 8

    Features and Capabilities 8

    Certificate Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

    The Lightwave Certificate Authority 9

    The Lightwave Certificate Store 9

    Addressing the Use Cases 10

    Lightwave in vSphere and vCenter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

    Identity Federation Across Data Centers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1

    Identity Federation Across Data Centers and Public Cloud . . . . . . . . . . . . . . . . . . . . 12

    Plugging into the Cloud 13

    Instant Integration with Photon OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

    Deploying Lightwave on Google . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

    Deploying Lightwave on AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

    Conclusion 15

    W H I T E PA P E R | 2

    SECURING CLOUD PLATFORMS WITH PROJECT LIGHTWAVE

  • W H I T E PA P E R | 3

    SECURING CLOUD PLATFORMS WITH PROJECT LIGHTWAVE

    Introduction The need for security in the cloud is acute. Extending the security frameworks, standards, and policies of your on-premises infrastructure to your resources in the cloud establishes the level of consistency that’s required to protect the integrity, availability, and confidentiality of your cloud operations.

    To consistently apply your on-premises security controls and policies in the cloud, several requirements for high-quality identity and access management come to the fore:

    • Standards

    • Flexibility, portability, and cloud-platform independence

    • Interoperability

    • Scalability

    • Administrative control

    Identity and Access Management Requirements in the Cloud Standards are a key requirement because they let you apply trusted tools and protocols across disparate environments to reduce the risk of security incidents and compliance problems.

    Flexibility enables you to port your security policies and controls from one environment to another as you move a server or application. As more workloads migrate to the cloud, the cloud-platform independence of your identity service helps you move from one cloud provider to another without having to redeploy or reconfigure identity management systems.

    Interoperability ensures that security mechanisms are compatible with other systems. Scalability addresses the need for cloud-scale as operations expand. And administrative control empowers you to implement the security frameworks and policies that you want while reducing your reliance on cloud providers and third parties.

    Security Problems in Cloud Computing The multitenant environment of public clouds complicates identity and access management. In the cloud, it is important to securely authenticate system users and administrators, giving them access only to the resources they own or need to do their jobs. But authentication and access control become difficult when assets are spread across both on-premises data centers and cloud services. Porting identities and access policies to the cloud depends on how easily you can integrate your corporate identity directories and policies with the service provider’s systems.

    Implementing seamless security across both your on-premises environment and multiple public clouds is increasingly becoming a necessity. Project Lightwave™ is a massively scaled, multitenant, open-source identity platform that solves this problem by delivering a standards-based directory service, Active Directory integration, certificate services, and Kerberos authentication.

  • W H I T E PA P E R | 4

    SECURING CLOUD PLATFORMS WITH PROJECT LIGHTWAVE

    Use Cases As enterprises move workloads to public clouds, hybrid clouds, or private clouds, security administrators seek security functionality on par with the de facto standard for identity management in place in many data centers: Microsoft Active Directory.

    A widely deployed directory service, Active Directory hosts the accounts and credentials of users, machines, and applications. When logging in to a machine that has been joined to an Active Directory domain, a user enters his or her domain credentials. Active Directory authenticates the user and authorizes access to the machine or the resources running on it. For authentication, Active Directory typically uses the highly secure Kerberos protocol. For authorization, Active Directory uses membership in security groups. In addition, certificates play a role as a security mechanism for certain services.

    Public cloud services, to a certain extent, have mirrored this approach. AWS, for example, requires you to create a security group and set it to allow SSH, HTTP, and HTTPS connections so that you can be authorized to access a resource through a port. In addition, Amazon uses the pairing of an RSA user-signing certificate and a private key for handshake verification of SSH connections.

    To support workloads running on Windows or Linux computers, system administrators who are porting their workloads to the cloud or refactoring applications with container technology often look for solutions to one or more use cases, such as enforcing consistent security across a hybrid data center. The use cases that follow define some of the problems that IT and system administrators are grappling with as they seek to streamline application development and deployment while keeping their systems and applications secure.

    Identity Federation Across Data Centers A multinational corporation with four geographically distributed data centers in Tokyo, London, New York, and Los Angeles seeks to implement identity federation across the data centers with local domain controllers and Active Directory replication. The local domain controllers keep the latency of authentication and authorizing requests low. A major problem the company faces as it attempts to implement this approach is scalability. The directory service must be highly scalable. At the same time, the company’s development teams seek to refactor some of their traditional applications as containerized applications using Docker containers and Kubernetes clusters while authenticating developers as they access Kubernetes.

    Hybrid Data Center A company with a headquarters in Tokyo runs many remote offices and data centers in the United States. The company wants to deploy local applications closer to a cloud provider, such as GCP or AWS, but authenticating and authorizing users with the Active Directory domain controllers in Tokyo results in too much latency and other performance problems.

    USE CASES FOR MULTITENANT SECURITY ACROSS ENVIRONMENTS

    • Identity federation across data centers

    • Hybrid data center

    • Stand-alone directory service in the cloud

    • Directory service managed by a cloud provider

    • As a bridge to identity as a service (IDaaS)

  • W H I T E PA P E R | 5

    SECURING CLOUD PLATFORMS WITH PROJECT LIGHTWAVE

    By using a virtual private cloud, the company wants to sync its AD cluster in Tokyo to its projects running in the cloud. If the company can replicate the right Active Directory organizational units to a local directory service running in