Cloud computing identity management summary

Leveraging existing IAM systems in a new cloud computing environment: Overview. Deloitte & Touche LLP, October 2010.


DESCRIPTION

Deloitte Consulting's slide deck on Cloud Computing and Identity Management mentioned on the (ISC)2 ThinkT@nk roundtable from October 13th, 2010.


Page 1: Cloud computing identity management summary

Leveraging existing IAM systems in a new cloud computing environment

Overview

Deloitte & Touche LLP, October 2010

Page 2: Cloud computing identity management summary

Cloud computing adoption is growing with mainstream organizations piloting targeted deployments…

Business models are shaping cloud adoption… Business models are evolving to partnerships and networks of companies, forming a product or service delivery chain to the end customer.

Traditional IT is being challenged… Executives are demanding increased agility and highly collaborative IT architectures, challenging traditional IT and resulting in increased demand for cloud computing.

Identity is key to enabling services in the cloud… Identity is key to the operation and delivery of any cloud services. Authentication of users and control of access to services is inherent to the success of cloud computing.

Solutions exist today for cloud environments and the industry is innovating… Existing IAM vendors are making a play in the market place. Industry standards like SAML 2.0, WS-* etc. provide an open and interoperable way to enable federation and trust in a cloud.

Copyright © 2010 Deloitte Development LLC. All rights reserved.

Page 3: Cloud computing identity management summary

… with various business services and deployment models.

Cloud Families: Cloud computing can be broken down into SaaS, PaaS and IaaS

• Software-as-a-Service (SaaS): As-a-service delivery of applications targeted at private users (e.g. social networking, micro-blogging) and business users (e.g. ERP, CRM)
• Platform-as-a-Service (PaaS): As-a-service delivery of tools for development, testing, deployment, hosting and application maintenance
• Infrastructure-as-a-Service (IaaS): As-a-service delivery of virtual CPUs, disk space, and database services

Cloud Implementation Models: Other groupings of Cloud offerings can be made, such as the distinction between public (or vendor), private, and hybrid Clouds

• Public: Services from vendors can be accessed across the Internet using systems in one or more data centers, shared among multiple customers, and with varying degrees of data privacy controls
• Private: Computing architectures are built, managed, and used internally in an enterprise using a shared services model with variable usage of a common pool of virtualized computing resources
• Hybrid: Environment in which an organization provides and manages some resources in-house and has others provided externally

Page 4: Cloud computing identity management summary

As organizations adopt a cloud model, there are many questions around identity management in a cloud environment...

Where can identity management help?
• How can I leverage an IDM infrastructure to manage various cloud deployment models?
• How are trust relationships established between my organization and the cloud vendor?

What are the risks and challenges?
• What are the top IDM risks when I move to a cloud environment and why?
• Are there any unique challenges related to Provisioning, Role management, Entitlement management / certification?

What standards exist today?
• How does an IDM technical architecture / solution deployment look in a cloud?
• What standards exist today? What are the gaps? What can be expected in the next 1-2 years?
• What does the vendor roadmap look like?

What is the path to adoption?
• What is the process of transition and what are the questions to ask?
• What are the solutions to consider?
• Are there any liability concerns?

What other opportunities exist?
• Are there opportunities to put my IDM infrastructure into the cloud? What does that architecture/solution look like?
• What are the risks? How do I overcome them?

How to assess and operate?
• How should I assess IDM infrastructure supporting a cloud deployment?
• What does the audit plan look like, what questions must it include?
• What testing should be conducted?

Page 5: Cloud computing identity management summary

Identity management fits into the cloud computing equation in two operating models…

(Diagram labels: Identity & Access Management; Cloud Service Providers)

IDM for a Cloud
• Extends the functionality of an existing Identity and Access Management infrastructure to manage the identities and services in a cloud.
• Standards defined to provide interoperability between on-premises and in-cloud applications
• Strong authentication and encryption for added security and protection to data and assets
• Ability to leverage and sustain existing risk, compliance, and privacy controls built within the enterprise

IDM in a Cloud
• An IAM solution hosted in a cloud may be used to manage identities and services in a cloud or outside a cloud.
• Ability to pay only for the IAM functionality required
• Reduction in costs related to maintenance of IAM solutions
• Limited in-house expertise required to support the IAM infrastructure and business processes
• On-demand increase of capacity, functionality, pre-determined SLAs, and accountability

Page 6: Cloud computing identity management summary

Integration is achieved by leveraging existing IAM technology and standards…

(Diagram labels: Users; Identity & Access Management; Corporate Directory; Secure Enterprise Network; IaaS / PaaS Provider; SaaS Provider)

Hybrid Cloud (IaaS / PaaS Provider)
• Establishes a site-to-site VPN or similar secure connectivity with the Cloud Service Provider (CSP)
• Integrates the existing IAM solution with the CSP platform (IaaS / PaaS) in a less complex manner
• Flexible to use a centralized directory or localized directory for user authentication

Public Cloud (SaaS Provider)
• Leverages widely accepted standards such as Security Assertion Markup Language (SAML) and WS-Federation for authentication and authorization
• Provisions using standards such as Security Provisioning Markup Language (SPML)
• Integration with the CSP may have some technical challenges
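The public-cloud column above relies on SAML federation: the enterprise IdP asserts the user, and the SaaS provider (the SAML service provider) decides whether to trust that assertion. As an added example, not code from the Deloitte deck, the Python below shows the relying-party checks that remain once a SAML library has verified the XML signature: issuer trust, validity window with clock skew, audience restriction, bearer recipient, and binding to the outstanding AuthnRequest. The IdP and SP entity IDs, the ACS URL, the user and the attributes in the sample response are all constructed.

```python
"""SAML 2.0 assertion checks at the service provider (added example, not from the deck).
Signature verification is assumed done by a SAML library; these are the remaining checks."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed response: a hypothetical corporate IdP asserting a user to a SaaS CRM.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-10-13T17:00:00Z">
    <saml:Issuer>https://idp.example-corp.test/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example-corp.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://crm.saas-vendor.test/saml/acs" NotOnOrAfter="2010-10-13T17:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2010-10-13T16:59:00Z" NotOnOrAfter="2010-10-13T17:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://crm.saas-vendor.test</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>sales</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2010-10-13T17:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, sp_entity_id, acs_url, now,
                       expected_request_id=None, skew=timedelta(minutes=3)):
    """Return (ok, problems, subject). subject holds NameID and attributes only when ok."""
    problems = []
    root = ET.fromstring(xml_text)  # use defusedxml in production for untrusted XML
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, ["no Assertion element"], {}

    # 1. Issuer must be an IdP with which a trust relationship has been established.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        problems.append(f"untrusted issuer {issuer!r}")

    # 2. Validity window, tolerating clock skew between IdP and SP.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            problems.append("assertion not yet valid")
        if na and now - skew >= _ts(na):
            problems.append("assertion expired")
        # 3. Audience: the assertion must be addressed to this SP, not another relying party.
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if sp_entity_id not in audiences:
            problems.append(f"audience {audiences} does not include {sp_entity_id!r}")

    # 4. Bearer confirmation: correct recipient, not expired, tied to our AuthnRequest.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("recipient mismatch")
        if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
            problems.append("subject confirmation expired")
        if expected_request_id and scd.get("InResponseTo") != expected_request_id:
            problems.append("InResponseTo does not match the outstanding AuthnRequest")

    if problems:
        return False, problems, {}
    subject = {"name_id": assertion.findtext("saml:Subject/saml:NameID", default="",
                                             namespaces=NS).strip(), "attributes": {}}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        subject["attributes"][attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return True, [], subject


def run_scenarios():
    """Run the constructed response through the validator under several conditions."""
    sp, acs = "https://crm.saas-vendor.test", "https://crm.saas-vendor.test/saml/acs"
    idps = {"https://idp.example-corp.test/saml"}
    fresh = _ts("2010-10-13T17:01:00Z")
    return {
        "fresh": validate_assertion(SAMPLE_RESPONSE, idps, sp, acs, fresh, "_req42"),
        "expired": validate_assertion(SAMPLE_RESPONSE, idps, sp, acs, _ts("2010-10-13T17:10:00Z"), "_req42"),
        "wrong_audience": validate_assertion(SAMPLE_RESPONSE, idps, "https://other-sp.test", acs, fresh, "_req42"),
        "replayed": validate_assertion(SAMPLE_RESPONSE, idps, sp, acs, fresh, "_req99"),
        "untrusted_idp": validate_assertion(SAMPLE_RESPONSE, set(), sp, acs, fresh, "_req42"),
    }
```

Only the "fresh" scenario is accepted; the same assertion presented ten minutes later, to a different SP, against a different request ID, or from an IdP outside the trust list is rejected with a named reason. The audience and InResponseTo checks are what stop a valid assertion issued for one SaaS tenant from being replayed at another, which is the trust-relationship question raised on page 4.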

Page 7: Cloud computing identity management summary

While IDM solutions continue to face challenges in the context of cloud computing, these are not new and can be addressed…

User Provisioning
Challenges:
• Cross domain user provisioning
• Single directory authentication
• De-provisioning of users
• Limited connectors for cloud
• Integration with on-demand applications
• Proliferating on-demand user accounts
What can you do?
• Segregation of the user management activities
• SLAs and contractual agreements with CSP
• Maturity of existing solution
• Interoperability with cloud systems
• Standards adoption (XACML)

Access Management
Challenges:
• Cross-domain, web-based single sign-on and cross-domain user attribute exchange
• Interoperability of proprietary solutions with new IAM cloud solutions
• Certifying access across disparate systems
What can you do?
• Authentication and Authorization standards leveraged (e.g. SAML, SPML, etc.)
• Identity Assurance and Credentialized solutions
• Supporting non-repudiation
• Adequacy of access control solutions

Role/Entitlement Management
Challenges:
• Cross-domain role/entitlement management
• Access Certification - Integration with existing processes
• Lack of transparency into proprietary components
What can you do?
• Role Based vs. Claims Based Access
• Maintenance and management of the entitlement warehouse
• Existing in-house proprietary solutions
• Hosted IAM vendor's role and entitlement vision
• Restructuring of the role management framework to meet the needs of the cloud

Page 8: Cloud computing identity management summary

Adoption of an IDM cloud solution requires organizations to take key first steps…

Identify: Articulate an IDM cloud strategy and vision and determine readiness
• Evaluate the CSP's IDM practices/procedures
• Identify the service model and the role of IDM for the cloud deployment model
• Define IDM in/for cloud architecture and conduct a readiness assessment
• Determine the security and compliance requirements
• Identify the impact to current IDM strategy

Shape: Identify optimal solution – IDM for cloud or IDM in the Cloud
• Determine the standards for the IDM functionality to adopt in the near future
• Define the operating model for IDM (IDM for a Cloud or IDM in a cloud)
• Conduct a TCO analysis including future growth
• Determine ownership, maintenance, and liability of data
• Define contractual requirements with CSPs

Execute: Execute IDM cloud strategy and deploy IDM cloud solution
• Develop a migration/implementation plan
• Execute management, monitoring and migration
• Conduct training and awareness sessions for stakeholders and end users

Page 9: Cloud computing identity management summary

Periodic assessment of IDM solutions supporting the clouds is critical to successful adoption…

Input / Assessment Activities / Output

Step 1
• Input: Provisioning / De-provisioning; Authentication; Federation; User Profile Management
• Activity: Review IAM requirements for cloud based services and assess the architecture / solution
• Output: Requirements and architecture gap analysis

Step 2
• Input: Compliance Management; Data Privacy Risks; Data Ownership; Organizational Standards
• Activity: Determine risks associated with each architecture / solution
• Output: Risk matrix including potential vulnerabilities and risk ratings

Step 3
• Input: Current Controls; Planned/Modified Controls
• Activity: Review security and compliance controls
• Output: Control gaps and recommendations

Step 4
• Input: User Access Snapshot
• Activity: Access Recertification
• Output: Violations and remediation requirements
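Step 4 turns a User Access Snapshot into violations and remediation requirements, and the de-provisioning and proliferating-account challenges on page 7 are exactly what such a snapshot review surfaces. The following Python is an added example, not part of the Deloitte deck: it compares a snapshot of accounts and entitlements pulled from a cloud service provider against the HR feed and the approved role model, and classifies each finding as an orphaned account, an account with no HR record, or an entitlement outside the user's role. The HR feed, role model, privileged-entitlement list and CSP snapshot are all constructed.

```python
"""Access recertification over a CSP account snapshot (added example, not from the deck)."""
from collections import namedtuple

# Constructed HR feed: login -> (employment status, approved role)
HR_FEED = {
    "alice": ("active", "sales"),
    "bob": ("terminated", "sales"),   # left the company; the cloud account should be gone
    "carol": ("active", "finance"),
    "dave": ("active", "sales"),      # active but holds no cloud account; not a violation
}

# Approved role model: role -> entitlements the role may hold in the SaaS tenant
ROLE_MODEL = {
    "sales": {"crm.read", "crm.write"},
    "finance": {"crm.read", "billing.read", "billing.approve"},
}

# Entitlements that need a named approver regardless of role (constructed policy)
PRIVILEGED = {"tenant.admin", "billing.approve"}

# Constructed snapshot pulled from the CSP: account -> entitlements actually held
CSP_SNAPSHOT = {
    "alice": {"crm.read", "crm.write"},
    "bob": {"crm.read", "crm.write"},                                          # orphaned
    "carol": {"crm.read", "billing.read", "billing.approve", "tenant.admin"},  # excess
    "svc-integration": {"crm.read"},                                           # no HR record
}

Violation = namedtuple("Violation", "account kind detail")


def recertify(hr_feed, role_model, snapshot, service_accounts=frozenset()):
    """Compare what the CSP holds against HR status and the approved role model.

    Returns violations in account order; each carries the kind of finding and the
    remediation a campaign owner would ask for.
    """
    findings = []
    for account, held in sorted(snapshot.items()):
        if account in service_accounts:
            continue  # reviewed through a separate service-account process
        record = hr_feed.get(account)
        if record is None:
            findings.append(Violation(account, "unknown_account",
                                      "no HR record; confirm owner or remove"))
            continue
        status, role = record
        if status != "active":
            findings.append(Violation(account, "orphaned_account", f"user is {status}; de-provision"))
            continue
        excess = sorted(held - role_model.get(role, set()))
        if excess:
            findings.append(Violation(account, "excess_entitlement",
                                      f"outside role {role!r}: {', '.join(excess)}"))
    return findings


def privileged_holders(snapshot, privileged=PRIVILEGED):
    """List (account, entitlement) pairs that must be individually attested in the campaign."""
    return sorted((acct, e) for acct, held in snapshot.items() for e in held & privileged)


def summarize(findings):
    """Count findings per kind, the figure typically reported back to the audit plan."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts
```

On the constructed data the campaign yields three findings: bob's orphaned account (the de-provisioning gap), carol's tenant.admin entitlement outside the finance role, and the svc-integration account with no HR owner; passing the known service accounts in the last argument removes the third so it can be certified through its own process. The privileged-holder list is kept separate because an entitlement such as billing.approve may be within role and still require an individual attestation.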

Page 10: Cloud computing identity management summary

Key Takeaways

Cloud computing is a reality. It is happening and organizations need to address the security and risk components of clouds -- IDM solutions can help.

Federation is key to enable IDM for cloud computing. Organizations need to address liability, trust, and privacy issues as they embark upon the IDM and cloud journey.

Vendors are developing innovative solutions to help accelerate IDM adoption for cloud computing.

Organizations need to develop a comprehensive approach to IDM that includes an assessment/measurement component.

THE KEY TO SUCCESS IS BEING ON THE PATH TO ADOPTION.

Page 11: Cloud computing identity management summary

Contact information

For additional information please contact:

Irfan Saif, Principal, Enterprise Risk Services
[email protected]
+1 408 704 4109
