Manage Identity & Access – for the Cloud & from the Cloud
DESCRIPTION
While your applications have migrated to the Cloud, have your IAM solutions embraced the change? In this era of Mobile, Cloud & Social interactions, the IAM expertise needs to be passed on to novice users or developers who have little to no practical experience with Security. Developers want to leverage Cloud platforms for collaboration and hence need easily consumable IAM solutions for self service. Security, although critically important, cannot be an inhibitor to the innovation that Cloud enables. At the other end, Enterprises want to focus on their core business and let experts manage their IAM challenges. View the full on-demand webcast: https://www2.gotomeeting.com/register/165268274
TRANSCRIPT
© 2013 IBM Corporation
IBM Security Systems
© 2014 IBM Corporation
Manage Identity & Access – for the Cloud & from the Cloud
We live in a moment of enormous possibility and transformation
Three methods of new value creation:
• Drive people-centric Engagement for new profit channels
• Exploit Data as the new basis of competitive advantage
• Leverage Cloud as a growth engine for business
Staying away from cloud is no longer an option
55% of CIOs plan to source all their critical applications in the cloud by 2020. - Gartner
91% of net new software will be built for cloud delivery in 2014. - IDC
90% of leading companies are gaining major competitive advantage from Cloud. - IBM Business Tech Trends Report
Cloud Delivery Models: Infrastructure Services (IaaS), Development Services (PaaS: Bluemix), Business Applications (SaaS)
Security is still considered as a top inhibitor to cloud adoption
Unrestricted Access to Cloud Services: 73% of firms discovered cloud usage outside of IT or security policies.[1] Unauthorized or malicious access via multiple perimeters / channels.
Data and Applications Outside Your Control: 50% of firms are worried about unauthorized access or leakage of sensitive data.[2] New vulnerabilities introduced by new apps built outside of IT with rapid development cycles.
Damaging Security Breaches: 75% of security breaches take days, weeks or even months to discover.[3] Shortage of skills to monitor, analyze, prioritize and respond to threats.
1. 2013, IDC US Cloud Security Survey
2. Sept 2013, Information Week Cloud Security and Risk Survey
3. Verizon 2014 Data Breach Investigations Report
Securing cloud needs a holistic approach to manage access, protect data and gain visibility
• Manage Access: Safeguard people, applications and devices
• Protect Data: Identify vulnerabilities and prevent attacks
• Gain Visibility: Monitor the cloud for security breaches
Applied across SaaS, PaaS and IaaS to address unrestricted access to cloud services, data and applications outside your control, and damaging security breaches.
Identity & Access Management is a key line of defense for a multi-perimeter world
Today: Administration
• Operational management
• Compliance driven
• Static, Trust-based
Tomorrow: Assurance
• Security risk management
• Business driven
• Dynamic, context-based
Enterprise security concerns and objectives when adopting Cloud
Services Acquired | Organization / Buyers | Security Responsibilities and Objectives
Infrastructure as a Service (IaaS) | CIO, IT teams | Protect the cloud infrastructure to securely deploy workloads and meet compliance objectives; have full operational visibility across hybrid cloud deployments, and govern usage
Platform as a Service (PaaS) | Application teams, LOBs | Enable developers to compose secure cloud applications and APIs, with enhanced user experience; visibility and protection against fraud and application threats
Software as a Service (SaaS) | CxOs (CIO, CMO, CHRO, ...) | Complete visibility to enterprise SaaS usage and risk profiling; identity federation, SSO and governance of user access to SaaS
For the Cloud - Managing identities & governing user access
IaaS - Securing infrastructure and workloads: manage cloud administration and workload access
• Privileged admin management
• Access management of web workloads
PaaS (Bluemix) - Secure service composition and apps: integrate identity into services and applications
• DevOps access management
• Authentication and authorization APIs
SaaS - Secure usage of business applications: enable employees to connect securely to SaaS
• Identity federation
• SaaS access governance
Manage administrative access: Privileged Identity Manager (IaaS)
IBM Security Privileged Identity Manager is a Privileged Identity Management (PIM) solution providing complete identity management and enterprise single sign-on capabilities for privileged users. Centrally manage, audit and control shared identities across the enterprise and Cloud.
Key release highlights:
• Control shared access to sensitive user IDs – check-in / check-out using a secure credential vault
• Request, approve and re-validate privileged access – reduce risk, enhance compliance
• Track usage of shared identities – provide accountability
• Automated password management – automated checkout of IDs, hide the password from the requesting employee, automate password reset to eliminate password theft
• Optional Privileged Session Recorder – visual recording of privileged user activities with on-demand search and playback of stored recordings
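The check-out / check-in model described on this slide is easiest to understand as code. The following is an added example, not IBM Privileged Identity Manager code or anything from the webcast: a toy vault that leases a shared administrative ID to a requester, performs the login on the requester's behalf so the password is never disclosed, rotates the secret on check-in (and on an expired lease), refuses a second requester while a lease is live, and keeps an audit trail that answers "who actually used this shared ID?". The target system, account names and change ticket are constructed; lease timing uses plain epoch seconds so the expiry path can be exercised deterministically.

```python
"""Added example, not IBM Privileged Identity Manager code: a minimal shared
credential vault with check-out / check-in, a lease that hides the password
from the requester, rotation on check-in and an audit trail. Data is constructed."""
import secrets
import time
from collections import namedtuple

# What the requester receives: an opaque token, never the password.
LeaseHandle = namedtuple("LeaseHandle", "account_id holder token")


class FakeTarget:
    # Constructed target system (say, a database) that only checks credentials.
    def __init__(self): self.creds = {}
    def set_password(self, account_id, password): self.creds[account_id] = password
    def authenticate(self, account_id, password): return self.creds.get(account_id) == password


class Vault:
    def __init__(self, lease_seconds=1800):
        self.accounts = {}  # account_id -> {"target", "password", "holder", "expires"}
        self.leases = {}    # token -> account_id
        self.audit = []     # who used which shared ID, when and why
        self.lease_seconds = lease_seconds

    def _log(self, event, user, account_id, **extra):
        self.audit.append({"ts": time.time(), "event": event, "user": user,
                           "account": account_id, **extra})

    def _rotate(self, account_id):
        # Reset the password on the target so anything exposed during the lease
        # is worthless afterwards, and invalidate every lease on this account.
        acct = self.accounts[account_id]
        acct["password"] = secrets.token_urlsafe(24)
        acct["target"].set_password(account_id, acct["password"])
        acct["holder"] = acct["expires"] = None
        self.leases = {t: a for t, a in self.leases.items() if a != account_id}

    def add_account(self, account_id, target):
        self.accounts[account_id] = {"target": target, "password": "", "holder": None, "expires": None}
        self._rotate(account_id)  # the secret is generated by the vault, never typed by a human

    def check_out(self, user, account_id, justification, now=None):
        now = time.time() if now is None else now
        acct = self.accounts[account_id]
        if acct["holder"] and acct["expires"] > now:
            self._log("checkout_denied", user, account_id, holder=acct["holder"])
            raise PermissionError(f"{account_id} is checked out by {acct['holder']}")
        if acct["holder"]:  # expired lease: the stale holder loses access before reuse
            self._log("lease_expired", acct["holder"], account_id)
            self._rotate(account_id)
        token = secrets.token_urlsafe(16)
        acct["holder"], acct["expires"] = user, now + self.lease_seconds
        self.leases[token] = account_id
        self._log("checkout", user, account_id, justification=justification)
        return LeaseHandle(account_id, user, token)

    def login_with(self, handle):
        """The vault supplies the secret to the target; the holder never sees it."""
        account_id = self.leases.get(handle.token)
        if account_id is None:
            raise PermissionError("lease is not valid")
        self._log("use", handle.holder, account_id)
        acct = self.accounts[account_id]
        return acct["target"].authenticate(account_id, acct["password"])

    def check_in(self, handle):
        account_id = self.leases.get(handle.token)
        if account_id is None:
            raise PermissionError("lease is not valid")
        self._rotate(account_id)
        self._log("checkin", handle.holder, account_id)

    def users_of(self, account_id):
        """Accountability: which people actually used this shared ID."""
        return sorted({e["user"] for e in self.audit
                       if e["account"] == account_id and e["event"] == "use"})


def login_rejected(vault, handle):
    try:
        vault.login_with(handle)
        return False
    except PermissionError:
        return True


def run_demo():
    db, vault = FakeTarget(), Vault(lease_seconds=1800)
    vault.add_account("db-admin", db)
    handle = vault.check_out("alice", "db-admin", "CHG-0042 schema migration")
    login_ok = vault.login_with(handle)  # vault-held secret matches the target
    try:
        vault.check_out("bob", "db-admin", "curious")
        denied = False
    except PermissionError:
        denied = True  # a second requester is refused while the lease is live
    vault.check_in(handle)
    stale = login_rejected(vault, handle)  # handle is dead after check-in and rotation
    return login_ok, denied, stale, vault.users_of("db-admin"), [e["event"] for e in vault.audit]
```

The design point to notice is that the requester only ever holds a lease token; the vault both generates the password and presents it to the target, so "hide password from requesting employee" and "automate password reset to eliminate password theft" fall out of the same rotation step. A real product would additionally gate `check_out` behind an approval workflow and store the audit trail outside the vault process.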
Manage access to web, mobile & APIs: A multi-channel gateway (IaaS)
Migrate the access security solution to the Cloud along with your application workloads
• IBM DataPower Gateway with the IBM Security Access Manager (ISAM) module provides a converged security policy enforcement point for all workloads and provides traffic control, app acceleration, transport bridging & message transformation
• Integrated with ISAM for Mobile, it provides context-based access, mobile single sign-on, strong and multi-factor authentication
Bring your own identity (BYO-ID): IBM Single Sign On for Bluemix (PaaS)
“Making access easy, with a familiar, fast, fun and secure user experience is key to attaining and retaining new customers.”
Enable Cloud developers to build secure web & mobile apps without security expertise
Diagram components: Liberty, OpenID Connect, Social IDs and IBM ID, Cloud Directory, On-Premise Directory, LDAP / SCIM, SAML, OAuth, SDK, Native Bluemix Setup, Single Sign On Service, Multi-Tenant IAM Platform
Cloud is an enabler for developers driving innovation. Security is paramount, but it cannot stand in the way.
Manage access to SaaS: Federated Identity Manager (SaaS)
Enable single sign-on and identity federation to apps running outside of the enterprise
Diagram: partners using WS-Federation, OpenID and SAML connect over SAML / OpenID / WS-Federation to the CRM Application, Portal and Service.
• Traditional Web SSO: Security Access Manager
• Federated Web SSO: Federated Identity Manager (SAML, OpenID, OAuth)
• Enterprise SSO: Workstation, Internal SSO, Desktop Apps, SSO Client
User provisioning to SaaS: Security Directory Integrator (SaaS)
Enable access governance for SaaS applications with automated on & off boarding
Ready for Cloud and Social Business:
• REST/JSON interface for user & group management
• User on-boarding for SaaS applications and/or IaaS/PaaS
• Service as well as a connector
• Support for SCIM (System for Cross-domain Identity Management) for user management in cloud
Diagram: the SCIM Connector (Directory Integrator) provisions Identity Manager users to SCIM Enabled Targets (SaaS Repository) over REST / JSON; the SCIM Service (Directory Integrator) exposes the Enterprise Repository (Directory Server, Access Manager, Identity Manager, White Pages, Others) to SaaS.
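To make the SCIM on-boarding / off-boarding flow on this slide concrete, here is an added example that is not IBM Security Directory Integrator code or anything from the webcast. It implements a tiny in-memory stand-in for a SaaS provider's SCIM 2.0 `/Users` endpoint (resource schema URNs, `userName` uniqueness, `filter=userName eq "..."`, and `PatchOp` on `active`, per RFC 7643/7644) and a reconciliation routine that treats an HR feed as the authoritative source: joiners are created, leavers are deactivated rather than deleted, and SaaS accounts with no HR owner are reported as orphans for governance review. The HR feed, tenant contents and names are constructed; a real connector would send the same JSON documents over HTTPS with `Content-Type: application/scim+json`.

```python
"""Added example, not IBM Security Directory Integrator code: a tiny in-memory
SCIM 2.0 (RFC 7643/7644) /Users endpoint plus a reconciliation loop that
on-boards joiners and deactivates leavers from a constructed HR feed."""
import json
import re
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


class ScimTarget:
    """In-memory stand-in for a SaaS provider's SCIM /Users endpoint.
    Each method returns (http_status, response_document)."""

    def __init__(self):
        self.users = {}  # id -> SCIM user resource

    def post_users(self, body):
        doc = json.loads(body)
        if SCIM_USER not in doc.get("schemas", []) or "userName" not in doc:
            return 400, {"detail": "invalid User resource"}
        if any(u["userName"] == doc["userName"] for u in self.users.values()):
            return 409, {"detail": "userName already exists", "scimType": "uniqueness"}
        uid = str(uuid.uuid4())
        rec = {"schemas": [SCIM_USER], "id": uid, "userName": doc["userName"],
               "active": bool(doc.get("active", True)), "emails": doc.get("emails", [])}
        self.users[uid] = rec
        return 201, rec

    def get_users(self, filter_expr=None):
        rows = list(self.users.values())
        if filter_expr:  # only the 'attr eq "value"' filter form is supported here
            m = re.fullmatch(r'(\w+) eq "([^"]*)"', filter_expr)
            if not m:
                return 400, {"detail": "unsupported filter", "scimType": "invalidFilter"}
            attr, val = m.groups()
            rows = [u for u in rows if u.get(attr) == val]
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(rows), "Resources": rows}

    def patch_user(self, uid, body):
        if uid not in self.users:
            return 404, {"detail": "not found"}
        doc = json.loads(body)
        if SCIM_PATCH not in doc.get("schemas", []):
            return 400, {"detail": "invalid PatchOp"}
        for op in doc.get("Operations", []):
            if op.get("op") == "replace" and op.get("path") == "active":
                self.users[uid]["active"] = bool(op["value"])
        return 200, self.users[uid]


def reconcile(hr_feed, target):
    """Drive the SaaS target from the HR feed (the authoritative source).
    Joiners are created, leavers are deactivated (not deleted, so history and
    audit trail survive), and target accounts with no HR record are reported
    as orphans for review. Returns (created, deactivated, orphans)."""
    created, deactivated = [], []
    _, listing = target.get_users()
    existing = {u["userName"]: u for u in listing["Resources"]}
    for uname, rec in sorted(hr_feed.items()):
        if rec["employed"] and uname not in existing:
            body = json.dumps({"schemas": [SCIM_USER], "userName": uname, "active": True,
                               "emails": [{"value": rec["email"], "primary": True}]})
            status, _ = target.post_users(body)
            if status == 201:
                created.append(uname)
        elif not rec["employed"] and uname in existing and existing[uname]["active"]:
            body = json.dumps({"schemas": [SCIM_PATCH],
                               "Operations": [{"op": "replace", "path": "active", "value": False}]})
            status, _ = target.patch_user(existing[uname]["id"], body)
            if status == 200:
                deactivated.append(uname)
    orphans = sorted(u for u in existing if u not in hr_feed)
    return created, deactivated, orphans


# Constructed sample data: HR says alice has joined and bob has left.
HR_FEED = {
    "alice": {"email": "alice@example.com", "employed": True},
    "bob": {"email": "bob@example.com", "employed": False},
}


def run_demo():
    target = ScimTarget()
    # Constructed starting state of the SaaS tenant: bob is still active, and
    # there is an account that nobody in HR owns.
    for uname in ("bob", "svc-legacy"):
        target.post_users(json.dumps({"schemas": [SCIM_USER], "userName": uname}))
    first = reconcile(HR_FEED, target)
    second = reconcile(HR_FEED, target)  # idempotent: nothing left to change
    _, bob = target.get_users('userName eq "bob"')
    return first, second, bob["Resources"][0]["active"]


if __name__ == "__main__":
    print(run_demo())
```

Two governance details are deliberate: leavers are set `active: false` instead of being deleted, which keeps the account's history available for review, and the orphan list surfaces SaaS accounts created outside the provisioning path (the "cloud usage outside of IT or security policies" problem raised earlier in the deck) instead of silently ignoring them.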
From the Cloud – delivering IAM as a managed service
Diagram: the IAM service from Cloud (IBM Cloud Identity Service) serves Consumers, Employees (BYOD), the Cloud delivery models (IaaS, PaaS, SaaS), On-Premise Infrastructure and Employees.
Identity & access from the Cloud: IBM Cloud Identity Service
Full spectrum of IAM capabilities delivered from the Cloud:
• Identity Management: user provisioning, automated lifecycle management, user self-service, role governance and compliance
• Access Management: web single sign-on, centralized access control policy, strong authentication
• Identity Federation: federated SSO, business-to-business federation
Key Statistics: 14M+ users; 57+ countries of user origin; millions of hourly transactions; Enterprise, B2B and B2C users
Capabilities and Technology:
• Comprehensive Cloud-based IAM solution built upon IBM’s best-in-class IAM software
• Global delivery capabilities provided by IBM’s market leading Managed Security Services
• Unlike competitive cloud IAM services, IBM’s Cloud Identity Service provides deep functionality for enterprise clients
• Automation and templates result in rapid integration and faster time to value
IBM’s Cloud Identity Service provides a less expensive and faster-time-to-value alternative to traditional IAM deployments
Conclusion – A comprehensive approach to Cloud Security led by Identity and Access Management
Security requirements for each of the cloud delivery models – IaaS, PaaS, and SaaS – are different from each other. A comprehensive approach to cloud security can help organizations manage access, protect data and gain visibility across the cloud environment.
Managing Access in Cloud:
• IaaS – Manage cloud administration and workload access through privileged admin management and access management of web workloads
• PaaS – Integrate identity into services and applications through DevOps access management and authentication and authorization APIs
• SaaS – Enable employees to connect securely through identity federation and SaaS access governance
IBM’s holistic IAM capabilities:
• IBM Security Access Manager (virtual appliance for web & mobile access)
• Multi-channel Security Gateway (IBM Security Access Manager module with DataPower appliance)
• IBM Security Privileged Identity Manager
• IBM Single Sign On Service (Self-service for Bluemix Platform)
• IBM Security Identity Manager
• IBM Federated Identity Manager
• IBM Security Directory Integrator
• IBM Cloud Identity Service (IAM service delivered from the Cloud)
www.ibm.com/Identity-Access-Management