cloud computing identity management summary
DESCRIPTION
Deloitte Consulting's slide deck on Cloud Computing and Identity Management, mentioned on the (ISC)2 ThinkT@nk roundtable from October 13th, 2010.
TRANSCRIPT
Leveraging existing IAM systems in a new cloud computing environment
Overview
Deloitte & Touche LLP
October 2010
Cloud computing adoption is growing with mainstream organizations piloting targeted deployments…
Business models are shaping cloud adoption…
Business models are evolving to partnerships and networks of companies, forming a product or service delivery chain to the end customer.
Traditional IT is being challenged…
Executives are demanding increased agility and highly collaborative IT architectures, challenging traditional IT and resulting in increased demand for cloud computing.
Identity is key to enabling services in the cloud…
Identity is key to the operation and delivery of any cloud services. Authentication of users and control of access to services is inherent to the success of cloud computing.
Solutions exist today for cloud environments and the industry is innovating…
Existing IAM vendors are making a play in the market place. Industry standards like SAML 2.0, WS-* etc. provide an open and interoperable way to enable federation and trust in a cloud.
2 Copyright © 2010 Deloitte Development LLC. All rights reserved.
… with various business services and deployment models.
Cloud Families
Cloud computing can be broken down into SaaS, PaaS and IaaS
Software-as-a-Service (SaaS): As-a-service delivery of applications targeted at private users (e.g. social networking, micro-blogging) and business users (e.g. ERP, CRM)
Platform-as-a-Service (PaaS): As-a-service delivery of tools for development, testing, deployment, hosting and application maintenance
Infrastructure-as-a-Service (IaaS): As-a-service delivery of virtual CPUs, disk space, and database services
Cloud Implementation Models
Other groupings of Cloud offerings can be made such as the distinction between public (or vendor), private, and hybrid Clouds
Public: Services from vendors can be accessed across the Internet using systems in one or more data centers, shared among multiple customers, and with varying degrees of data privacy controls
Private: Computing architectures are built, managed, and used internally in an enterprise using a shared services model with variable usage of a common pool of virtualized computing resources
Hybrid: Environment in which an organization provides and manages some resources in-house and has others provided externally
As organizations adopt a cloud model, there are many questions around identity management in a cloud environment...
Where can identity management help?
How can I leverage an IDM infrastructure to manage various cloud deployment models? How are trust relationships established between my organization and the cloud vendor?
What are the risks and challenges?
What are the top IDM risks when I move to a cloud environment and why? Are there any unique challenges related to Provisioning, Role management, Entitlement management / certification?
What standards exist today?
How does an IDM technical architecture / solution deployment look in a cloud? What standards exist today? What are the gaps? What can be expected in the next 1-2 years? What does the vendor roadmap look like?
What is the path to adoption?
What is the process of transition and what are the questions to ask? What are the solutions to consider? Are there any liability concerns?
What other opportunities exist?
Are there opportunities to put my IDM infrastructure into the cloud? What does that architecture/solution look like? What are the risks? How do I overcome them?
How to assess and operate?
How should I assess IDM infrastructure supporting a cloud deployment? What does the audit plan look like, what questions must it include? What testing should be conducted?
Identity management fits into the cloud computing equation in two operating models…
Diagram labels: Cloud Service Providers; Identity & Access Management
IDM for a Cloud
• Extends the functionality of an existing Identity and Access Management infrastructure to manage the identities and services in a cloud.
• Standards defined to provide interoperability between on-premises and in-cloud applications
• Strong authentication and encryption for added security and protection to data and assets
• Ability to leverage and sustain existing risk, compliance, and privacy controls built within the enterprise
IDM in a Cloud
• An IAM solution hosted in a cloud may be used to manage identities and services in a cloud or outside a cloud.
• Ability to pay only for the IAM functionality required
• Reduction in costs related to maintenance of IAM solutions
• Limited in-house expertise required to support the IAM infrastructure and business processes
• On-demand increase of capacity, functionality, pre-determined SLAs, and accountability
Integration is achieved by leveraging existing IAM technology and standards…
Diagram labels: Users; Identity & Access Management; Corporate Directory; Secure Enterprise Network; IaaS / PaaS Provider; SaaS Provider
Hybrid Cloud (IaaS / PaaS Provider)
• Establishes a site-to-site VPN or similar secure connectivity with the Cloud Service Provider (CSP)
• Integrates the existing IAM solution with the CSP platform (IaaS / PaaS) in a less complex manner
• Flexible to use a centralized directory or localized directory for user authentication
Public Cloud (SaaS Provider)
• Leverages widely accepted standards such as Security Assertion Markup Language (SAML) and WS-Federation for authentication and authorization
• Provisions using standards such as Service Provisioning Markup Language (SPML)
• Integration with the CSP may have some technical challenges
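Federating to a SaaS provider over SAML or WS-Federation establishes the trust relationship, but the service-provider side still has to enforce that trust on every assertion it consumes: issuer, validity window, audience and one-time use. The Python below is an added example and not code from the Deloitte deck or any vendor product. It assumes the XML-DSig signature on the assertion has already been verified against the IdP's metadata certificate by a proper XML signature library (e.g. xmlsec), and the entity IDs, subject and sample assertion are constructed for illustration.

```python
"""Service-provider-side trust checks on an inbound SAML 2.0 assertion.

Added example, not code from the Deloitte deck.  Assumption: the
XML-DSig signature on the assertion has already been verified against
the IdP's metadata certificate by a proper library (e.g. xmlsec); the
checks below are what a federation partner must still enforce after
the signature passes, and they are the ones most often skipped.
"""
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (entity IDs and subject are made up).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_6c3a0f1e" Version="2.0" IssueInstant="2010-10-13T15:00:00Z">
  <saml:Issuer>https://idp.corp.example/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@corp.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-10-13T14:59:00Z" NotOnOrAfter="2010-10-13T15:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://crm.csp.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def utc(year, month, day, hour, minute):
    """Build a timezone-aware UTC datetime (used as the SP's clock)."""
    return dt.datetime(year, month, day, hour, minute, tzinfo=dt.timezone.utc)


def _parse_saml_time(value):
    """SAML uses UTC xsd:dateTime with a trailing Z, e.g. 2010-10-13T15:00:00Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_assertion(xml_text, trusted_issuers, sp_entity_id, now, seen_ids, skew_seconds=120):
    """Return (accepted, reason, subject).  Adds the assertion ID to seen_ids on acceptance.

    trusted_issuers: IdP entity IDs this SP has exchanged metadata with.
    sp_entity_id:    this SP's own entity ID (must appear as an Audience).
    seen_ids:        set of assertion IDs already consumed (replay cache).
    skew_seconds:    tolerated clock drift between IdP and SP.
    """
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == "{%s}Assertion" % SAML_NS["saml"] else root.find("saml:Assertion", SAML_NS)
    if assertion is None:
        return False, "no Assertion element", None

    # 1. Issuer must be a federation partner we actually trust.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=SAML_NS).strip()
    if issuer not in trusted_issuers:
        return False, "untrusted issuer", None

    # 2. Validity window, with bounded clock skew in both directions.
    conditions = assertion.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "missing Conditions", None
    skew = dt.timedelta(seconds=skew_seconds)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < _parse_saml_time(not_before):
        return False, "not yet valid", None
    if not_on_or_after and now - skew >= _parse_saml_time(not_on_or_after):
        return False, "expired", None

    # 3. Audience restriction: an assertion minted for another SP is not for us.
    audiences = [a.text.strip() for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS) if a.text]
    if sp_entity_id not in audiences:
        return False, "audience mismatch", None

    # 4. One-time use: the same assertion must never be accepted twice.
    assertion_id = assertion.get("ID")
    if not assertion_id:
        return False, "missing assertion ID", None
    if assertion_id in seen_ids:
        return False, "replayed assertion", None

    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS).strip()
    if not subject:
        return False, "missing NameID", None
    seen_ids.add(assertion_id)
    return True, "ok", subject


def run_demo():
    """Exercise the accept path and three reject paths; returns the outcomes."""
    trusted = {"https://idp.corp.example/saml"}
    sp = "https://crm.csp.example/sp"
    now = utc(2010, 10, 13, 15, 1)
    seen = set()
    first = validate_assertion(SAMPLE_ASSERTION, trusted, sp, now, seen)
    replay = validate_assertion(SAMPLE_ASSERTION, trusted, sp, now, seen)
    wrong_sp = validate_assertion(SAMPLE_ASSERTION, trusted, "https://other.csp.example/sp", now, set())
    late = validate_assertion(SAMPLE_ASSERTION, trusted, sp, utc(2010, 10, 13, 15, 11), set())
    return {"first": first, "replay": replay[1], "wrong_sp": wrong_sp[1], "late": late[1]}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The replay cache only needs to hold IDs until their NotOnOrAfter has passed, so in a real deployment it is bounded by the validity window; the skew value is a policy choice and should be kept small, since a generous skew widens the replay window by the same amount.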
While IDM solutions continue to face challenges in the context of cloud computing, these are not new and can be addressed…
User Provisioning
Challenges:
• Cross domain user provisioning
• Single directory authentication
• De-provisioning of users
• Limited connectors for cloud
• Integration with on-demand applications
• Proliferating on-demand user accounts
What can you do?
• Segregation of the user management activities
• SLAs and contractual agreements with CSP
• Maturity of existing solution
• Interoperability with cloud systems
• Standards adoption (XACML)
Access Management
Challenges:
• Cross-domain, web-based single sign-on and cross-domain user attribute exchange
• Interoperability of proprietary solutions with new IAM cloud solutions
• Identity Assurance and Credential Management
• Supporting non-repudiation
• Adequacy of access control solutions
• Certifying access across disparate systems
What can you do?
• Authentication and Authorization standards leveraged (e.g. SAML, SPML, etc.)
• Credentialized solutions
Role/Entitlement Management
Challenges:
• Cross-domain role/entitlement management
• Access Certification - Integration with existing processes
• Lack of transparency into proprietary components
• Maintenance and management of the entitlement warehouse
• Existing in-house proprietary solutions
What can you do?
• Role Based vs. Claims Based Access
• Restructuring of the role management framework to meet the needs of the cloud
• Hosted IAM vendor's role and entitlement vision
Adoption of an IDM cloud solution requires organizations to take key first steps…
Identify: Articulate an IDM cloud strategy and vision and determine readiness
• Evaluate the CSP's IDM practices/procedures
• Determine the standards for the IDM functionality to adopt in the near future
• Define IDM in/for cloud architecture and conduct a readiness assessment
• Determine ownership, maintenance, and liability of data
• Determine the security and compliance requirements
• Identify the impact to current IDM strategy
Shape: Identify optimal solution – IDM for cloud or IDM in the Cloud
• Identify the service model and the role of IDM for the cloud deployment model
• Define the operating model for IDM (IDM for a Cloud or IDM in a cloud)
• Conduct a TCO analysis including future growth
• Define contractual requirements with CSPs
Execute: Execute IDM cloud strategy and deploy IDM cloud solution
• Develop a migration/implementation plan
• Execute management, monitoring and migration
• Conduct training and awareness sessions for stakeholders and end users
Periodic assessment of IDM solutions supporting the clouds is critical to successful adoption…
Step 1
Input: Provisioning / De-provisioning; Authentication; Federation; User Profile Management; Compliance Management; Data Privacy Risks; Data Ownership; Organizational Standards
Assessment Activities: Review IAM requirements for cloud based services & Assess Architecture Solution
Output: Requirements and architecture gap analysis
Step 2
Assessment Activities: Determine Risks associated with each architecture / solution
Output: Risk matrix including potential vulnerabilities and risk ratings
Step 3
Input: Current Controls; Planned/Modified Controls
Assessment Activities: Review security and compliance controls
Output: Control gaps and recommendations
Step 4
Input: User Access Snapshot
Assessment Activities: Access Recertification
Output: Violations and remediation requirements
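Step 4 of the assessment takes a user access snapshot from the CSP and turns it into violations and remediation requirements; the same comparison is what surfaces the de-provisioning gaps and proliferating on-demand accounts listed among the provisioning challenges. The Python below is an added example and not code from the Deloitte deck. The directory export, role model and CSP account snapshot are constructed sample data, and the 90-day dormancy threshold is an assumed policy value, not one the deck states.

```python
"""Access-snapshot review for accounts held at a cloud service provider.

Added example, not from the Deloitte deck.  All three inputs are
constructed sample data: in practice the directory export comes from
the corporate directory / HR feed, the role model from the entitlement
warehouse, and the account snapshot from the CSP's admin interface or
provisioning connector.
"""
import datetime as dt

# Constructed: authoritative directory export (who should exist, and their job role).
DIRECTORY = {
    "jdoe":   {"status": "active",     "job_role": "sales_rep"},
    "asmith": {"status": "active",     "job_role": "finance_analyst"},
    "cwong":  {"status": "active",     "job_role": "sales_rep"},
    "bking":  {"status": "terminated", "job_role": "sales_rep"},
}

# Constructed: role model, i.e. the entitlements each job role may hold in the SaaS CRM.
ROLE_MODEL = {
    "sales_rep":       {"crm:read", "crm:write_own"},
    "finance_analyst": {"crm:read", "crm:reports"},
}

# Constructed: account snapshot pulled from the CSP tenant.
CSP_ACCOUNTS = [
    {"user": "jdoe",        "entitlements": {"crm:read", "crm:write_own"},           "last_login": "2010-10-01"},
    {"user": "asmith",      "entitlements": {"crm:read", "crm:reports", "crm:admin"}, "last_login": "2010-09-15"},
    {"user": "cwong",       "entitlements": {"crm:read"},                            "last_login": "2010-06-01"},
    {"user": "bking",       "entitlements": {"crm:read"},                            "last_login": "2010-06-30"},
    {"user": "contractor7", "entitlements": {"crm:read"},                            "last_login": "2010-10-05"},
]

DORMANT_DAYS = 90  # assumed policy threshold, not taken from the deck


def review_snapshot(directory, role_model, accounts, as_of, dormant_days=DORMANT_DAYS):
    """Compare the CSP snapshot against the directory and role model.

    Returns a dict of findings:
      orphaned: CSP accounts with no active directory entry (de-provisioning gap)
      excess:   user -> entitlements beyond what the job role permits
      dormant:  active accounts unused for more than dormant_days
    """
    as_of_date = dt.date.fromisoformat(as_of)
    findings = {"orphaned": [], "excess": {}, "dormant": []}
    for acct in accounts:
        user = acct["user"]
        person = directory.get(user)
        if person is None or person["status"] != "active":
            findings["orphaned"].append(user)
            continue  # nothing to certify; the account should not exist at all
        allowed = role_model.get(person["job_role"], set())
        extra = acct["entitlements"] - allowed
        if extra:
            findings["excess"][user] = sorted(extra)
        idle_days = (as_of_date - dt.date.fromisoformat(acct["last_login"])).days
        if idle_days > dormant_days:
            findings["dormant"].append(user)
    return findings


def remediation_requirements(findings):
    """Turn findings into the actions a provisioning connector would carry out."""
    actions = []
    for user in findings["orphaned"]:
        actions.append(("disable_account", user, None))
    for user, extra in findings["excess"].items():
        for entitlement in extra:
            actions.append(("revoke_entitlement", user, entitlement))
    for user in findings["dormant"]:
        actions.append(("recertify_with_manager", user, None))
    return actions


if __name__ == "__main__":
    found = review_snapshot(DIRECTORY, ROLE_MODEL, CSP_ACCOUNTS, "2010-10-13")
    for action in remediation_requirements(found):
        print(action)
```

The directory, not the CSP tenant, is treated as the source of truth: an account the directory does not know about is a finding regardless of what entitlements it holds, which is why orphaned accounts are reported first and skipped for the entitlement comparison.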
Key Takeaways..
Cloud computing is a reality. It is happening and organizations need to address the security and risk components of clouds -- IDM solutions can help.
Federation is key to enable IDM for cloud computing. Organizations need to address liability, trust, and privacy issues as they embark upon the IDM and cloud journey.
Vendors are developing innovative solutions to help accelerate IDM adoption for cloud computing.
Organizations need to develop a comprehensive approach to IDM that includes an assessment/measurement component.
THE KEY TO SUCCESS IS BEING ON THE PATH TO ADOPTION.
Contact information
For additional information please contact:
Irfan Saif
Principal
Enterprise Risk Services
+1 408 704 4109