Jim Scharf @jim_scharf 7/22/2014 Identity Management in the AWS Cloud

CIS14: Identity Management for the Cloud


DESCRIPTION

Jim Scharf, Amazon What’s different in providing identity and access management for one of the largest cloud providers, some of the key technology and design decisions made along the way, and how AWS is working to make it even easier to federate with existing social and enterprise identity providers.


Page 1: CIS14: Identity Management for the Cloud

Jim Scharf @jim_scharf 7/22/2014

Identity Management in the AWS Cloud

Page 2: CIS14: Identity Management for the Cloud

Introductions

Jim Scharf
General Manager, AWS Identity and Access Management
Joined AWS in 2004

Page 3: CIS14: Identity Management for the Cloud

Agenda

Identity Requirements For:
–  Infrastructure Services
–  Platform Services
–  Enterprise Applications
–  Mobile
–  Internet of Things

Challenges

Page 4: CIS14: Identity Management for the Cloud

AWS Overview

Page 5: CIS14: Identity Management for the Cloud

Infrastructure
  Regions
  Availability Zones

Foundation Services
  Compute (VMs, Auto-scaling and Load Balancing)
  Storage (Object, Block and Archive)
  Networking
  Security & Access Control
  CDN and Points of Presence

Platform Services
  Databases: Relational, NoSQL, Caching
  Analytics: Hadoop, Real-time, Data warehouse, Data Workflows
  App Services: Queuing, Orchestration, App streaming, Transcoding, Email, Search
  Deployment & Management: Containers, Dev/ops Tools, Resource Templates, Usage Tracking, Monitoring and Logs
  Mobile Services: Identity, Sync, Mobile Analytics, Notifications

Enterprise Applications
  Virtual Desktops
  Collaboration and Sharing

Page 6: CIS14: Identity Management for the Cloud
Page 7: CIS14: Identity Management for the Cloud

Global Availability

10 AWS Regions Worldwide
26 Availability Zones
51 Edge Locations

Page 8: CIS14: Identity Management for the Cloud

Infrastructure Services

Page 9: CIS14: Identity Management for the Cloud

Last Year @CIS…

Discussed things that made AWS Identity and Access Management a bit different from traditional corporate IAM:

–  Scale
–  Resources
–  Customers

Page 10: CIS14: Identity Management for the Cloud

AWS Identity and Access Management http://aws.amazon.com/iam

55-min Talk: http://bit.ly/1eZrtbX

Two Minute Overview: http://youtu.be/Ul6FW4UANGc

Page 11: CIS14: Identity Management for the Cloud

The Cloud isn’t an ‘All or Nothing’ Choice

Corporate Data Centers (On-Premises Resources) and Cloud Resources

Integration: SAML 2.0

Page 12: CIS14: Identity Management for the Cloud

Identity Federation Partners

Page 13: CIS14: Identity Management for the Cloud

Identity Requirements: Infrastructure Services

Infrastructure
Identities: IT, DevOps
Scale: 1 – 100+
Identity Providers: Cloud Provider, Corporate
Security Controls: Privileged user controls
Admin/Integration Needs: Federation

Page 14: CIS14: Identity Management for the Cloud

Platform Services

Page 15: CIS14: Identity Management for the Cloud

Elastic Beanstalk: Application Container
OpsWorks: Application Automation
CloudFormation: Templated Provisioning

Page 16: CIS14: Identity Management for the Cloud

Identity Requirements: Platform Services

Platform
Identities: Developers
Scale: 1 – 1,000+
Identity Providers: Cloud Provider, Corporate, Web/Social
Security Controls: Start open, then tighten
Admin/Integration Needs: Simple programming model

Page 17: CIS14: Identity Management for the Cloud

Enterprise Applications

Page 18: CIS14: Identity Management for the Cloud

Delivering on the promise of desktop virtualization
•  Infrastructure & admin tools
•  End user desktop and mobile apps

Fully managed, secure document storage and sharing service for the Enterprise
•  Share documents and folders
•  Corporate directory integration
•  Set user sharing policies
•  Audit logs for document and user activity

Page 19: CIS14: Identity Management for the Cloud

Identity Requirements: Enterprise Applications

Applications
Identities: Employees
Scale: 10 – 100K+
Identity Providers: Corporate
Security Controls: Enterprise controls, security, audit
Admin/Integration Needs: Federation

Page 20: CIS14: Identity Management for the Cloud

Mobile

Page 21: CIS14: Identity Management for the Cloud

Powering Popular Mobile Businesses Today
Mobile Startups on AWS
Mobile Apps within Enterprises

Page 22: CIS14: Identity Management for the Cloud

Managing Identities Across Devices

Keeping Data in Sync

The Challenge of Multiple Devices

Page 23: CIS14: Identity Management for the Cloud

Amazon Cognito: Fully Managed User Identity and Data Synchronization Service

Identity + Synchronization + Security

Page 24: CIS14: Identity Management for the Cloud

Amazon Cognito and Identity

Manage unique identities
Supports multiple login providers

Page 25: CIS14: Identity Management for the Cloud

Amazon Cognito and Sync

Store app data, preferences & state
Work offline via local data store
Seamlessly sync across devices

Page 26: CIS14: Identity Management for the Cloud

Amazon Cognito and Security

Implement security best practices
Safeguard AWS credentials
Set granular access permissions on AWS resources

Page 27: CIS14: Identity Management for the Cloud

Fully Integrated AWS Mobile SDK

•  No back-end programming required
•  Common authentication mechanism across all services
•  Automatically handle intermittent network connections
•  Cross-platform Support: Android, iOS, Fire OS
•  Secure access to global AWS services

Page 28: CIS14: Identity Management for the Cloud

Identity Requirements: Mobile Apps

Mobile: Enterprise
Identities: Employees
Scale: 10 – 100K+
Identity Providers: Corporate
Security Controls: Enterprise controls, security, audit
Admin/Integration Needs: Simple programming model, Federation

Mobile: Consumer
Identities: Consumers
Scale: 1 M – 1B
Identity Providers: Web/Social
Security Controls: Auto per-user isolation
Admin/Integration Needs: A few lines of client-side code
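The "granular access permissions on AWS resources" of the Amazon Cognito and Security slide and the "auto per-user isolation" in the consumer mobile column come down to the IAM policy an identity pool attaches to its role. The block below is an added example, not code from the talk or from AWS: a policy scoped to the caller's Cognito identity id via the ${cognito-identity.amazonaws.com:sub} policy variable, plus a deliberately simplified evaluator that shows why one identity cannot read another's DynamoDB items; the table ARN, account id and identity ids are constructed placeholders.

```python
import re

# Constructed example policy (not from the talk): what a Cognito identity pool
# could attach to its authenticated role. ${cognito-identity.amazonaws.com:sub}
# resolves, per request, to the caller's Cognito identity id, so each identity
# may only touch DynamoDB items whose partition key is its own id.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/UserData"  # placeholder
PER_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
        "Resource": TABLE_ARN,
        "Condition": {"ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]}},
    }],
}

POLICY_VAR = re.compile(r"\$\{([^}]+)\}")

def resolve(value, ctx):
    """Substitute ${key} policy variables with values from the request context."""
    return POLICY_VAR.sub(lambda m: str(ctx.get(m.group(1), m.group(0))), value)

def is_allowed(policy, action, resource, ctx):
    """Deliberately simplified model of IAM evaluation (assumption of this example):
    Allow statements only, exact action/resource match, ForAllValues:StringEquals only."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if action not in stmt["Action"] or resource != stmt["Resource"]:
            continue
        matched = True
        for key, allowed in stmt.get("Condition", {}).get(
                "ForAllValues:StringEquals", {}).items():
            allowed = {resolve(v, ctx) for v in allowed}
            # ForAllValues: every value the request carries must be allowed.
            # An absent key also passes, as in real IAM, which is why AWS pairs
            # ForAllValues with a Null condition when the key may be missing.
            if not set(ctx.get(key, [])) <= allowed:
                matched = False
        if matched:
            return True
    return False

def request_ctx(identity_id, leading_keys):
    """Request context as IAM sees it when Cognito-issued credentials are used."""
    return {"cognito-identity.amazonaws.com:sub": identity_id,
            "dynamodb:LeadingKeys": list(leading_keys)}
```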

Page 29: CIS14: Identity Management for the Cloud

Internet of Things

Page 30: CIS14: Identity Management for the Cloud

Amazon Cognito for Unauthenticated Identities

Unique Identifier for Your “Things”: “Headless” connected devices can also securely access cloud services.

Save Data to the Cloud: Save app and device data to the cloud and merge them after login.

Guest User Access: Securely access AWS resources and leverage app features without the need to create an account or log in.

(Diagram: a Guest identity, Visitor Preferences held in the Cognito Store, and the services EC2, S3, DynamoDB and Kinesis.)

Page 31: CIS14: Identity Management for the Cloud

Identity Requirements: Internet of Things

IoT
Identities: Devices
Scale: 50 B
Identity Providers: Web/Social/Personal?
Security Controls: Varies
Admin/Integration Needs: Class/attribute based controls

Page 32: CIS14: Identity Management for the Cloud

Recap

Page 33: CIS14: Identity Management for the Cloud

Identities

IT, DevOps; Developers; Employees; Consumers; Devices

Page 34: CIS14: Identity Management for the Cloud

(Chart: number of identities on a log scale from 10^1 to 10^10, plotted over time for IaaS, PaaS, SaaS, Mobile: Enterprise, Mobile: Consumer and IoT.)

Page 35: CIS14: Identity Management for the Cloud

Identity Providers

AWS

Web/Social

Corporate

Page 36: CIS14: Identity Management for the Cloud

Security Controls

Page 37: CIS14: Identity Management for the Cloud

Identity Requirements

| | Infrastructure | Platform | Applications | Mobile: Enterprise | Mobile: Consumer | IoT |
|---|---|---|---|---|---|---|
| Identities | IT, DevOps | Developers | Employees | Employees | Consumers | Devices |
| Scale | 1 – 100+ | 1 – 1,000+ | 10 – 100K+ | 10 – 100K+ | 1 M – 1B | 50 B |
| Identity Providers | Cloud Provider, Corporate | Cloud Provider, Corporate, Web/Social | Corporate | Corporate | Web/Social | Web/Social/Personal? |
| Security Controls | Privileged user controls | Start open, then tighten | Enterprise controls, security, audit | Enterprise controls, security, audit | Auto per-user isolation | Varies |
| Admin/Integration Needs | Federation | Simple programming model | Federation | Simple programming model, Federation | A few lines of client-side code | Class/attribute based controls |

Page 38: CIS14: Identity Management for the Cloud

Challenges

•  Billions of identities
•  Millions of authentications/second, latencies ~1ms
•  Becomes a large scale distributed systems challenge
•  Authorizing trillions of resources
•  Audit becomes a big data problem
•  Global, high-availability system
•  Constant tension of security vs. eventual consistency

Page 39: CIS14: Identity Management for the Cloud

http://reinvent.awsevents.com/

Page 40: CIS14: Identity Management for the Cloud

Thank You

For more information:
Website: http://aws.amazon.com/iam
AWS Security Blog: http://blogs.aws.amazon.com/security/
Follow: @AWSIdentity