Inside Symantec O3 (source: voxvox.veritas.com/legacyfs/online/veritasdata/sr b30.pdf)
TRANSCRIPT
SR B30 - Inside Symantec O3 1
Inside Symantec O3
Sergi Isasi Senior Manager, Product Management
SYMANTEC VISION 2012
Agenda
Cloud: Opportunity And Challenge
Opportunity: ‘We should embrace the Cloud to respond to LOB needs, drive business agility and better manage costs’
Challenge: ‘We lack a comprehensive means to control access, security and compliance across the breadth of cloud services and applications’
(Diagram: Cloud, Private Cloud)
Cloud-mobile: Opportunity And Challenge
Opportunity: ‘We should embrace BYOD, BYOA and the new mobile platform to augment productivity and innovate new business models’
Challenge: ‘How do we layer common protection across cloud and mobile without undermining the convenience of the mobile experience?’
(Diagram: Mobile, Cloud, Private Cloud)
Introducing Symantec O3 A New Cloud Information Protection Platform
(Diagram: Symantec O3™; Private Cloud; Information Protection; Control, Security, Compliance, Access Control; Cloud Visibility)
A Platform To Meet The Challenge In Three Dimensions
Control • Single control point • Context-based • Layered security “as-a-service”
Convenience • Easy access/SSO for cloud/web apps • Use the apps you like • Any device, including mobile
Compliance • SIEM and forensics for the cloud • Log and audit trail management • Policy audit and reporting
Symantec O3 Identity and Access Control Architecture
Leverages Existing IDM Infrastructure • Any corporate directory or identity store • Single ID • SSO
Strong Authentication • VIP OTP • Stepped up (per application policy) • Other forms using custom integration
Authorization • Context-based policy engine • Who (identity-based) • What (device-based)
Federation/Password Management • SAML & OpenID • Gateway-based keychain and wizard • Apps catalog (+ connectors)
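The authorization bullets above describe a context-based policy engine that combines "who" (identity from the corporate directory) with "what" (the device) and applies step-up authentication per application. The following is an added illustration of that decision order, not Symantec O3 code; the dataclass fields, the three outcomes (allow, step-up, deny) and the sample users, devices and application policies are constructed assumptions.

```python
"""Context-based authorization with per-application step-up: "who" (identity,
group membership, how the user authenticated) plus "what" (managed or unmanaged
device) evaluated against an application's policy.

Added illustration, not Symantec O3 code. Field names, outcomes and samples are
assumptions chosen to make the decision order visible.
"""
from dataclasses import dataclass

ALLOW, STEP_UP, DENY = "allow", "step-up", "deny"


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset          # group membership from the corporate directory (AD/LDAP)
    auth_method: str           # "password" or "otp" (assumed labels; "otp" stands for VIP OTP)


@dataclass(frozen=True)
class Device:
    managed: bool              # enrolled/managed device vs. BYOD, unmanaged
    platform: str


@dataclass(frozen=True)
class AppPolicy:
    name: str
    allowed_groups: frozenset  # identity-based rule: any overlap with the user's groups grants access
    allow_unmanaged: bool      # device-based rule
    step_up_unmanaged: bool    # require OTP when the device is unmanaged
    step_up_always: bool = False  # require OTP regardless of device


def decide(subject: Subject, device: Device, policy: AppPolicy):
    """Return (outcome, reason). Identity is checked before device so that a user
    with no entitlement is denied outright rather than prompted for a second factor."""
    if not (subject.groups & policy.allowed_groups):
        return DENY, "user is not in an allowed group"
    if not device.managed and not policy.allow_unmanaged:
        return DENY, "unmanaged device not permitted for this application"
    needs_otp = policy.step_up_always or (policy.step_up_unmanaged and not device.managed)
    if needs_otp and subject.auth_method != "otp":
        return STEP_UP, "second factor (OTP) required"
    return ALLOW, "identity and device satisfy policy"


# Constructed sample policy set: a CRM app open to BYOD with step-up, an HR app
# restricted to managed devices, and a finance app that always needs OTP.
POLICIES = {
    "crm": AppPolicy("crm", frozenset({"sales", "staff"}), allow_unmanaged=True, step_up_unmanaged=True),
    "hr": AppPolicy("hr", frozenset({"hr"}), allow_unmanaged=False, step_up_unmanaged=False),
    "finance": AppPolicy("finance", frozenset({"finance"}), allow_unmanaged=True,
                         step_up_unmanaged=True, step_up_always=True),
}


def evaluate(user, groups, auth_method, managed, app):
    """Convenience wrapper: build subject and device, return only the outcome."""
    subject = Subject(user, frozenset(groups), auth_method)
    device = Device(managed, "windows" if managed else "ios")
    return decide(subject, device, POLICIES[app])[0]


if __name__ == "__main__":
    for args in [("alice", ["sales"], "password", False, "crm"),
                 ("alice", ["sales"], "otp", False, "crm"),
                 ("bob", ["hr"], "password", False, "hr"),
                 ("bob", ["hr"], "password", True, "hr"),
                 ("carol", ["staff"], "password", True, "finance"),
                 ("dave", ["finance"], "password", True, "finance")]:
        print(args, "->", evaluate(*args))
```

The ordering matters in practice: evaluating the device rule or prompting for OTP before the identity rule would leak which applications a user is entitled to and would spend a second factor on a request that will be denied anyway.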
O3 Services – ID Broker And Authentication Model
(Diagram: O3 End-user and O3 Admin on User Devices with Client App; O3 Intelligence Center holding Policies and Configuration; O3 Gateway with Identity and Access Broker, Information Gateway and GW Portal; Cloud Service portal with SAML handler; Enterprise Customer AD/LDAP providing Dir Auth and Attributes; IDP portal; Custom portal; SAML Console. Flows shown: HTTP POST login ceremony, O3 SSO login, SP-initiated SAML with SP SAML assertion, IDP-initiated SAML with IDP SAML assertion, service access.)
End-user SSO login options to O3:
1. At O3 gateway portal
2. Custom portal in front of O3-GW
3. External IDP with redirect
4. SAML based SP with redirect
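The slide shows both SP-initiated and IDP-initiated SAML flows ending in an assertion posted to the relying party. Below is an added illustration of those two exchanges and of the checks a relying party must make before trusting an assertion; it is not Symantec O3 or any SAML library code. The gateway is modelled as the SAML SP (an assumption), assertions are dicts rather than XML, and the XML signature is stood in for by an HMAC-SHA256 over the canonical JSON of the assertion fields, purely to keep the example self-contained (a real deployment verifies the IdP's XML-DSig against its certificate). Issuer, entity ID and key are constructed.

```python
"""SP-initiated and IdP-initiated SAML login, reduced to the messages exchanged and
the checks the relying party (here the gateway acting as SP) makes before
trusting an assertion: signature, issuer, audience, validity window, replay, and
InResponseTo binding for the SP-initiated case.

Added illustration, not Symantec O3 or SAML library code. HMAC stands in for
XML-DSig (assumption); all names, URLs and the key are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time

IDP_KEY = b"constructed-idp-signing-key"        # stands in for the IdP's signing certificate
IDP_ISSUER = "https://idp.example.test"         # constructed external IDP
SP_ENTITY_ID = "https://o3-gw.example.test"     # constructed, stands for the gateway


def _sign(fields):
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(IDP_KEY, canonical, hashlib.sha256).hexdigest()


def idp_issue(subject, in_response_to=None, now=None):
    """IdP side: after authenticating the user, build and sign the assertion that the
    browser HTTP-POSTs to the SP. in_response_to is None in the IdP-initiated flow."""
    now = time.time() if now is None else now
    fields = {
        "id": "_" + secrets.token_hex(16),
        "issuer": IDP_ISSUER,
        "audience": SP_ENTITY_ID,
        "subject": subject,
        "not_before": now - 60,
        "not_on_or_after": now + 300,
        "in_response_to": in_response_to,
    }
    return {**fields, "signature": _sign(fields)}


class ServiceProvider:
    """SP side (the gateway). Tracks outstanding AuthnRequests and consumed assertion IDs."""

    def __init__(self, allow_idp_initiated=True):
        self.allow_idp_initiated = allow_idp_initiated
        self.pending = {}   # AuthnRequest id -> issue time
        self.seen = set()   # assertion ids already accepted (replay defence)

    def start_sp_initiated(self, now=None):
        """Build the AuthnRequest the browser is redirected to the IdP with."""
        req_id = "_" + secrets.token_hex(16)
        self.pending[req_id] = time.time() if now is None else now
        return {"id": req_id, "issuer": SP_ENTITY_ID, "destination": IDP_ISSUER}

    def consume(self, assertion, now=None):
        """Validate a posted assertion and return the authenticated subject."""
        now = time.time() if now is None else now
        fields = {k: v for k, v in assertion.items() if k != "signature"}
        if not hmac.compare_digest(_sign(fields), assertion.get("signature", "")):
            raise ValueError("signature check failed")
        if fields.get("issuer") != IDP_ISSUER:
            raise ValueError("unknown issuer")
        if fields.get("audience") != SP_ENTITY_ID:
            raise ValueError("assertion not addressed to this SP")
        if not (fields["not_before"] <= now < fields["not_on_or_after"]):
            raise ValueError("assertion outside its validity window")
        if fields["id"] in self.seen:
            raise ValueError("assertion replayed")
        irt = fields.get("in_response_to")
        if irt is None:
            if not self.allow_idp_initiated:
                raise ValueError("unsolicited (IdP-initiated) assertion not accepted")
        elif irt in self.pending:
            del self.pending[irt]          # one AuthnRequest is answered at most once
        else:
            raise ValueError("InResponseTo does not match an outstanding request")
        self.seen.add(fields["id"])
        return fields["subject"]


def sp_initiated_login(sp, user):
    """User starts at the SP, which redirects to the IdP; assertion carries InResponseTo."""
    request = sp.start_sp_initiated()
    assertion = idp_issue(user, in_response_to=request["id"])
    return sp.consume(assertion)


def idp_initiated_login(sp, user):
    """User starts at the IdP portal; no AuthnRequest exists, so InResponseTo is absent."""
    return sp.consume(idp_issue(user))


def rejection_reason(sp, assertion, now=None):
    """Return None if the SP accepts the assertion, otherwise the reason it was rejected."""
    try:
        sp.consume(assertion, now=now)
        return None
    except ValueError as exc:
        return str(exc)
```

Whether to accept unsolicited (IdP-initiated) assertions at all is a deployment decision; the `allow_idp_initiated` switch makes that choice explicit, since an SP that accepts them cannot bind the assertion to a request it started.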
Application Integration
Gateway Credential Keychain • Password vault storing SaaS app credentials • Encrypted and locally stored in GW, 1 per user • Work with any web apps (catalog and custom adaptors)
SAML • Gateway proxies user store as IDP • Redirect or proxy mode option • Point and click SAML setup (no SAML expertise required)
HTTP-Federation • HTTP form stuffing • Credential stored in local keychain
Reverse proxy • Trusted headers (internal web apps)
Keychain Tool • Java tool to pre-populate SaaS app username-passwords in keychain • Prevents user login @ SaaS app with machine-generated username-password • Input: spreadsheet of uid/pswd
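The reverse-proxy option above passes identity to internal web apps in trusted headers. The risk with that pattern is that a header is only "trusted" if nothing but the gateway can set it, so the gateway has to strip any client-supplied copy and the app has to verify that the gateway produced the header rather than accept it by name. The following is an added illustration of both halves, not Symantec O3 code; the header names (X-Auth-User, X-Auth-Groups, X-Auth-Ts, X-Auth-Sig), the shared secret and the sample requests are constructed assumptions, and the HMAC stands in for whatever gateway-to-app proof (mTLS, network isolation, signed header) a real deployment uses.

```python
"""Trusted identity headers between a reverse-proxy gateway and an internal web app.

Added illustration, not Symantec O3 code. Header names, secret and sample requests
are constructed. Shows the gateway stripping inbound identity headers before adding
its own, a naive app that trusts the header by name, and a hardened app that
verifies a fresh gateway signature first.
"""
import hashlib
import hmac
import time

GATEWAY_SECRET = b"constructed-shared-secret"     # known to gateway and app only (assumption)
IDENTITY_HEADERS = ("x-auth-user", "x-auth-groups", "x-auth-ts", "x-auth-sig")
MAX_AGE = 60  # seconds a signed header stays valid


def _sig(user, groups, ts):
    return hmac.new(GATEWAY_SECRET, f"{user}|{groups}|{ts}".encode(), hashlib.sha256).hexdigest()


def gateway_forward(client_headers, session_user, session_groups, now=None):
    """Gateway side: drop every inbound identity header (whatever its letter case),
    then add the trusted ones from the authenticated session."""
    upstream = {k: v for k, v in client_headers.items() if k.lower() not in IDENTITY_HEADERS}
    ts = str(int(time.time() if now is None else now))
    groups = ",".join(sorted(session_groups))
    upstream.update({
        "X-Auth-User": session_user,
        "X-Auth-Groups": groups,
        "X-Auth-Ts": ts,
        "X-Auth-Sig": _sig(session_user, groups, ts),
    })
    return upstream


def app_identity_naive(headers):
    """Weak pattern: the app believes the header because of its name. Any client that
    can reach the app without passing through the gateway chooses its own identity."""
    return headers.get("X-Auth-User")


def app_identity_verified(headers, now=None):
    """Hardened pattern: accept the identity only with a valid, fresh gateway signature."""
    h = {k.lower(): v for k, v in headers.items()}
    try:
        user, groups, ts, sig = (h[k] for k in IDENTITY_HEADERS)
    except KeyError:
        return None                                   # no complete trusted-header set
    if not ts.isdigit():
        return None
    if not hmac.compare_digest(_sig(user, groups, ts), sig):
        return None                                   # forged or altered after signing
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_AGE:
        return None                                   # stale: limits reuse of a captured header set
    return user


if __name__ == "__main__":
    # Constructed request in which the client itself supplies an identity header.
    forged = {"Host": "app.internal.example.test", "X-Auth-User": "admin"}
    via_gateway = gateway_forward(forged, "alice", {"staff", "sales"})
    print("via gateway, verified:", app_identity_verified(via_gateway))   # alice
    print("direct, naive app:", app_identity_naive(forged))               # admin
    print("direct, verified app:", app_identity_verified(forged))         # None
```

The signature binds user, groups and timestamp together, so an app that checks it also rejects a request where the user header was kept but the groups header was swapped.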
(Diagram: O3 End-user, User Devices, Client App; O3 Gateway with Identity and Access Broker, Information Gateway, SSO portal, Credential Keychain and IDP; Cloud Services and Web-enabled applications reached via SAML or HTTP-Fed)
Demonstration!
https://intelcenter.symanteco3.com
https://ea0-o3-gw1.symanteco3.com
Deployment: Symantec cloud, Your cloud, hybrid
(Diagram: Acme Inc Network with a single-tenant Symantec O3 Gateway and AD; Symantec O3 Secure Infrastructure hosting the Intelligence Center (multi-tenant policy mgmt.), with Identity Sec Policy and Information Sec Policy distributed to gateways by Policy Synch; Symantec O3 Gateway Cloud or Partner Virtualized Infrastructure hosting a Symantec O3 Gateway (single-tenant on IAAS); targets: Any SAAS, Any Public Cloud (IAAS/PAAS), Private Cloud; clients: Managed Devices and Unmanaged Devices)
Customer-Hosted Deployment Overview
(Diagram: Cloud Applications; Symantec Network with the Symantec O3 Intelligence Center; Customer Network with Symantec O3 Gateway, Customer AD/LDAP, Customer Administrator, Employees and Internal SaaS Applications; Roaming Employees; policies and configuration flow from the Intelligence Center to the gateway)
A. Customer admin defines employee access policies at hosted O3 IC
B. Policies published to on-prem O3 gateway(s)
C. Internal and External Employees authenticate to O3 gateway to gain access to applications
D. O3 gateway delegates authentication to customer AD/LDAP
E. O3 gateway enforces Identity based access and information protection policies
F. Employees gain access to applications upon successful authorization
Symantec-Hosted Deployment Overview
(Diagram: Cloud Applications; Symantec Network with the Symantec O3 Intelligence Center and the Symantec O3 Gateway; Customer Network with Customer AD/LDAP, Customer Administrator, Employees and Internal SaaS Applications; Roaming Employees; Symantec O3 ID Link shown alongside step D)
A. Customer admin defines employee access policies at hosted O3 IC
B. Policies published to Symantec Hosted O3 gateway(s)
C. Internal and External Employees authenticate to O3 gateway to gain access to applications
D. O3 gateway delegates authentication to customer AD/LDAP
E. O3 gateway enforces Identity based access and information protection policies
F. Employees gain access to applications upon successful authorization
Roadmap
Roadmap Disclaimer
This information is about pre-release software. Any unreleased update to the product or other planned modification is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec products should make their purchase decision based upon features that are currently available.
Symantec O3 – Information Security Architecture
DLP for information classification • Leverages existing DLP deployment • Identity context • Any device, any cloud
Silent File Encryption • Leverages existing PGP™ deployment • Key management option • Other forms using custom portal integration
iPad Secure Sandbox App • “Bring your iPad to work” • Integrated with gateway (SSL VPN with 2FA) • Sandbox data at rest encryption
Availability: 2H CY2012
Demonstration!
https://gw.ea7.symanteco3.com/
O3 As The Cloud Information Protection Platform
(Diagram: O3 Gateway with Reverse Proxy services, Default SSO portal, Custom portal and Gateway web-services; User Devices and Client App; Non-native 2FA; Authentication delegation; Cloud SP connectors; IDP / User-Store Connectors; Federation Services (SAML, OA, OID, WSF); Context Based Policy Enforcement; eSSO; HTTP-FED; IC sync; External Cloud Applications; Legacy web-enabled applications)
Symantec 2FA • MPKI • FDS
3rd party 2FA • RSA • Certificates
Info Protection (ICAP) • DLP • PGP / Key-management • Archiving / eDiscovery
O3 Intelligence Center • Multi-tenant • Policy Management • GW configuration and status
External User-Store • OpenID • SAML • Oauth
Enterprise User-Dir. • AD / LDAP • ODBC / JDBC • WS / REST
Symantec VIP • OTP
O3 connectors • AD/LDAP ID-link • AD IWA
O3 Logs • Audit and Access • System logs
Symantec Log Management • SSIM • Minimum Security Standards (MSS) Log management • Symantec DeepSight™, Symantec Global Intelligence Network
Cloud Access and Information Protection:
1. End-user SSO session portal
2. Brokered authentication and authorization
3. Policy and configuration synchronization
4. Information protection
5. Audit and access logs
Thank you!
Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Sergi Isasi