security to, for, and from the cloud-connected enterprise

Page 1: Security to, for, and from the cloud-connected enterprise

© 2013 CA Inc. All rights reserved. With permission for use granted to ISACA for the 2013 ISACA Webinar Program.

Security to, for, and from the cloud-connected enterprise

January 2013

• Nimrod Vax, VP Product Management

Page 2: Security to, for, and from the cloud-connected enterprise

Welcome!

• Type in questions using the Ask A Question button
• All audio is streamed over your computer. Having technical issues? Click the ? button
• Click the Attachments button to find a printable copy of this presentation
• After the webinar, ISACA members may earn 1 CPE credit:
  – Find a link to the Event Home Page on the Attachments button
  – Click the CPE Quiz link on the Event Home Page to access the quiz
  – Once you pass the quiz, you'll receive a link to a printable CPE Certificate
• Questions or suggestions? Email them to [email protected]

Page 3: Security to, for, and from the cloud-connected enterprise

Agenda

• Cloud adoption, trends and challenges
• How to approach Cloud security: To / For / From
• Summary and Q&A

Page 5: Security to, for, and from the cloud-connected enterprise

MARKET SHIFT: Cloud dynamics and Identity

• Platform evolution: Mainframe → Distributed → Internet → Virtual → Cloud. Each shift brought new challenges and new security models.
• About 25% of software purchased for business purposes will be service-enabled by 2015.
• By 2016, the delivery of SaaS-based software is expected to grow by 30%.
• Of the top 5 most important issues for companies migrating to the cloud, the #1 issue was Identity and Access Management (50% of respondents). Source: Ponemon Institute, "Security of Cloud Computing Provider study", April 2011.
• Identity as a Service

Page 6: Security to, for, and from the cloud-connected enterprise

Traditional Enterprise with Network Perimeter

(Diagram: the on-premise enterprise apps sit inside a VPN network perimeter used by the internal employee. Around it: ...and remote employees (mobile employee), ...and cloud applications (SaaS; cloud apps/platforms and web services such as Google), ...and external users (customer, partner user).)

Page 7: Security to, for, and from the cloud-connected enterprise

Traditional Enterprise with Network Perimeter (continued)

(Same diagram: once remote employees, cloud applications and external users are added, the network perimeter no longer encloses the users or the apps.)

Network Perimeter is gone!

Page 8: Security to, for, and from the cloud-connected enterprise

Multiple cloud security standards are in various states of completion

• Standardized Information Gathering (SIG) Questionnaire
• NIST Special Publication 800-144: Guidelines on Security and Privacy in Public Cloud Computing
• Common Assurance Maturity Model (CAMM)
• ISO/IEC 27017
• Cloud Security Alliance Cloud Controls Matrix (CCM)
• Consensus Assessments Initiative Questionnaire (CAIQ)

Page 9: Security to, for, and from the cloud-connected enterprise

How to think about how to approach cloud security: "to", "for", "from" the cloud

• To: extend enterprise security to cover cloud-based applications, including SFDC (Salesforce)
• For: security for cloud providers, to ensure they meet the same level of security as within the enterprise
• From: Security as a Service delivered from the cloud, including authentication, identity management, federation and SSO

Page 10: Security to, for, and from the cloud-connected enterprise

[To] Challenge: Expanding identity silos is a problem!

Shadow IT creates "Shadow Identity": each SaaS app or cloud platform adopted outside IT (Google and others) holds its own user accounts, a silo the enterprise does not manage, and that is a big risk to enterprise information.

Page 11: Security to, for, and from the cloud-connected enterprise

[For] Challenge: Your cloud service providers' data centers are a "black box"

Page 12: Security to, for, and from the cloud-connected enterprise

[From] Challenge: What about customers? Is security enabling the business?

(Diagram: an online store greets every visitor with "Please create a new username and password before you do any business with us" and "Please sign in with a username and password before doing any business with us".)

Customers already have an identity (a Google account, for example). They don't want to use a new one to work with you.

Page 15: Security to, for, and from the cloud-connected enterprise

[To] Security function needs to evolve

(Diagram: on the left, "Infrastructure Build & Secure": for each business service the enterprise builds and secures the whole stack (network, virtualization, operating system, middleware/DB, application). On the right, "Business Service Brokerage": the user is connected to business services wherever they run, and security brokers that connection.)

Page 16: Security to, for, and from the cloud-connected enterprise

[To] IAM will remain in our direct control

(Diagram: for an external business service, (1) infrastructure and application security moves to the provider; (2) identity and access management security stays with the enterprise, between the user and the business service.)

Page 17: Security to, for, and from the cloud-connected enterprise

[To] We need to pull these cloud-based identities back into our control

(Diagram: user accounts held in SaaS, cloud apps/platforms and web services (Google and others) are brought under the same control as the on-premise enterprise apps.)

Page 18: Security to, for, and from the cloud-connected enterprise

[To] Identity and Access Management TO cloud applications

A centralized identity service controls access to SaaS, cloud apps/platforms and web services (Google and others) as well as on-premise enterprise apps:

• Authenticate users strongly: OTP, risk model
• Manage user accounts: provisioning, SCIM
• Manage access and single sign-on: SAML
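Worked example for the provisioning line on this slide and for slide 17's "pull these cloud-based identities back into our control" (added here; it is not code from the webinar or from any CA connector). A reconciliation pass compares what a SaaS app reports over SCIM with the enterprise directory and produces the SCIM calls that remove shadow and orphaned identities and provision missing entitled users. Assumptions: the directory snapshot and the app's ListResponse are constructed; the JSON shapes follow SCIM 2.0 (RFC 7643/7644), which postdates this 2013 talk; the calls are returned as objects rather than sent, so the example runs offline.

```python
import json
from dataclasses import dataclass

# SCIM 2.0 schema URIs (RFC 7643 / RFC 7644). Assumed for illustration; the deck only says "SCIM".
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample: the enterprise directory is the source of truth for who exists,
# whether they are still active, and whether they are entitled to this SaaS app.
DIRECTORY = {
    "alice@example.com": {"name": ("Alice", "Liddell"), "active": True,  "entitled": True},
    "bob@example.com":   {"name": ("Bob", "Ross"),      "active": False, "entitled": True},   # has left
    "carol@example.com": {"name": ("Carol", "Danvers"), "active": True,  "entitled": True},   # never provisioned
    "dave@example.com":  {"name": ("Dave", "Grohl"),    "active": True,  "entitled": False},  # no business need
}

# Constructed sample: what GET /Users on the SaaS app returns today.
SAAS_LIST_RESPONSE = json.dumps({
    "schemas": [SCIM_LIST],
    "totalResults": 3,
    "Resources": [
        {"id": "u-100", "userName": "alice@example.com", "active": True},
        {"id": "u-101", "userName": "bob@example.com", "active": True},            # orphan: still on after leaving
        {"id": "u-102", "userName": "mallory@contractor.example", "active": True},  # shadow identity
    ],
})


@dataclass
class ScimRequest:
    """One HTTP call the provisioning connector should make (method, path, JSON body)."""
    method: str
    path: str
    body: dict
    reason: str


def deactivate_request(user_id, reason):
    # SCIM 2.0 PATCH setting active=false: the app keeps the record, the login is dead.
    body = {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return ScimRequest("PATCH", f"/Users/{user_id}", body, reason)


def create_request(username, given, family):
    body = {"schemas": [SCIM_USER], "userName": username, "active": True,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": username, "primary": True}]}
    return ScimRequest("POST", "/Users", body, "active and entitled in directory, missing in app")


def reconcile(directory, list_response_json):
    """Compare the app's user list with the directory and return the SCIM calls that
    bring the app back in line. Anything the directory does not know gets deactivated."""
    resources = json.loads(list_response_json)["Resources"]
    in_app = {r["userName"].lower(): r for r in resources}
    actions = []
    for username, rec in in_app.items():
        if not rec.get("active", True):
            continue  # already switched off; nothing to do
        entry = directory.get(username)
        if entry is None:
            actions.append(deactivate_request(rec["id"], "unknown to directory (shadow identity)"))
        elif not entry["active"] or not entry["entitled"]:
            actions.append(deactivate_request(rec["id"], "directory says inactive or not entitled"))
    for username, entry in directory.items():
        if entry["active"] and entry["entitled"] and username not in in_app:
            actions.append(create_request(username, *entry["name"]))
    return actions


if __name__ == "__main__":
    for action in reconcile(DIRECTORY, SAAS_LIST_RESPONSE):
        print(action.method, action.path, "-", action.reason)
        print(json.dumps(action.body, indent=2))
```

On the constructed data the pass yields three calls: deactivate bob (left the company, still active in the app), deactivate mallory (an account the directory has never heard of), and create carol. Dave is entitled to nothing and has no account, so nothing happens. In production the connector would send these over HTTPS with a bearer token, run on a schedule as well as on HR events, and log every action, since the reconciliation itself is a privileged operation.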

Page 20: Security to, for, and from the cloud-connected enterprise

[For] IAM can bring visibility into a cloud service provider's datacenter

(Diagram: the provider's datacenter holds mainframes, databases, servers, virtual machines and hypervisors, e-mail, mobile and cloud services. Its administrators, employees, sub-contractors and partners all have identities and access that IAM can control and report on.)

Page 22: Security to, for, and from the cloud-connected enterprise

[For] What about privileged administrators?

(Diagram: Datacenter 1 runs App 1, App 2 and App 3; administrators (privileged users) reach them through federation (token translation).)

Administrators now need access across multiple data centers, and cloud providers need to show control of those administrators.

Page 23: Security to, for, and from the cloud-connected enterprise

[For] Centralize privileged user access

(Diagram: administrators (privileged users) go through a centralized checkout for privileged user access; each session is issued by the checkout and then federated (token translation) into Datacenter 1 and Datacenter 2, where App 1, App 2 and App 3 run.)
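Worked example for slides 22 and 23 (added here; it is not code from the webinar or from a CA product): a minimal "checkout" vault for privileged access. Administrators never hold the standing credential of a target; they check out a short, exclusive lease against a ticket, the credential is rotated when the lease is returned, and every decision lands in an audit trail the provider can show its customers. Assumptions: target names, administrator names, ticket numbers and the one-hour lease ceiling are constructed for the example; a real product would also broker the session itself so the credential is never displayed, and would stream the audit trail off-box.

```python
import hashlib
import secrets
from dataclasses import dataclass

MAX_LEASE_SECONDS = 3600  # assumed policy: no privileged lease longer than an hour


class FakeClock:
    """Constructed clock so the example (and its checks) are deterministic."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class Lease:
    lease_id: str
    admin: str
    target: str
    expires_at: float
    credential: str  # the only place a target credential is ever handed out


class CheckoutVault:
    """Toy privileged-credential vault, constructed for this example."""

    def __init__(self, clock):
        self._clock = clock
        self._credentials = {}   # target -> current credential
        self._leases = {}        # target -> active Lease (exclusive)
        self._entitled = {}      # admin -> set of targets
        self.audit = []          # append-only trail of every decision

    def _log(self, event, **fields):
        self.audit.append({"ts": self._clock(), "event": event, **fields})

    def register_target(self, target, entitled_admins):
        self._credentials[target] = secrets.token_urlsafe(24)
        for admin in entitled_admins:
            self._entitled.setdefault(admin, set()).add(target)

    def credential_fingerprint(self, target):
        # Lets an auditor confirm rotation happened without seeing the credential.
        return hashlib.sha256(self._credentials[target].encode()).hexdigest()[:16]

    def checkout(self, admin, target, ttl, ticket):
        now = self._clock()
        if target not in self._entitled.get(admin, ()):
            self._log("checkout_denied", admin=admin, target=target, reason="not entitled")
            raise PermissionError(f"{admin} is not entitled to {target}")
        if not ticket:
            self._log("checkout_denied", admin=admin, target=target, reason="no ticket")
            raise ValueError("a change or incident ticket is required")
        if not 0 < ttl <= MAX_LEASE_SECONDS:
            raise ValueError("ttl outside policy")
        current = self._leases.get(target)
        if current is not None and current.expires_at > now:
            self._log("checkout_denied", admin=admin, target=target, reason=f"held by {current.admin}")
            raise RuntimeError(f"{target} is already checked out by {current.admin}")
        lease = Lease(secrets.token_hex(8), admin, target, now + ttl, self._credentials[target])
        self._leases[target] = lease
        self._log("checkout", admin=admin, target=target, lease=lease.lease_id,
                  ticket=ticket, expires_at=lease.expires_at)
        return lease

    def is_valid(self, lease):
        return self._leases.get(lease.target) is lease and lease.expires_at > self._clock()

    def checkin(self, lease):
        if self._leases.get(lease.target) is not lease:
            raise RuntimeError("lease is not active")
        del self._leases[lease.target]
        # Rotate: whatever the admin saw during the session stops working now.
        self._credentials[lease.target] = secrets.token_urlsafe(24)
        self._log("checkin", admin=lease.admin, target=lease.target, lease=lease.lease_id, rotated=True)


if __name__ == "__main__":
    clock = FakeClock()
    vault = CheckoutVault(clock)
    vault.register_target("dc1-hypervisor-07", {"alice", "bob"})
    lease = vault.checkout("alice", "dc1-hypervisor-07", ttl=900, ticket="CHG-1234")
    vault.checkin(lease)
    for entry in vault.audit:
        print(entry)
```

The three properties that matter for a provider wanting to "show control of administrators" are all visible in the trail: who held which target, under which ticket, for how long; that nobody else could hold it at the same time; and that the credential changed afterwards, so a copied password does not outlive the session.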

Page 24: Security to, for, and from the cloud-connected enterprise

[For] What you should ask your potential Cloud Service Provider

1. Where will my data be located?
2. Who will have access to my servers and data?
3. How will my systems and data be secured?
4. What activity data will be captured and logged?
5. How will you enable compliance?

Page 25: Security to, for, and from the cloud-connected enterprise

The CSA offers identity guidance for securing cloud environments

• "Identity should not just be viewed as a reference for authenticating the entity but also gathers more information about the user for making access decisions. Identity also includes the identities of the devices that applications run on (VM image identity), privileged users that manage the VM image (could be both enterprise users as well as service provider users), identities for other applications and services that application needs to interact with, identities of administrative users to manage the application, and external identities outside of the enterprise that need access to the application like B2B, B2C, etc."

-- Cloud Security Alliance, "Security Guidance for Critical Areas of Focus in Cloud Computing V3.0", 2011.

Page 27: Security to, for, and from the cloud-connected enterprise

[To] Identity is the new network perimeter

(Diagram: a centralized identity service controls access to all enterprise applications, SaaS and on-premise alike (cloud apps/platforms and web services, Google, on-premise enterprise apps), for every kind of user: internal employee, mobile employee, customer and partner user.)

Page 28: Security to, for, and from the cloud-connected enterprise

[To] Identity is the new network perimeter (continued)

The centralized identity service controls access to all enterprise applications (SaaS and on-premise) for internal employees, mobile employees, customers and partner users, and picks the authentication method by user type and risk:

• Consumer identity providers for low-risk applications (OpenID, OAuth)
• Federated identity for business partner networks (SAML)
• Adaptive, multi-factor authentication for high-risk transactions (OTP, risk model)
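Worked example for this slide's "adaptive, multi-factor authentication for high-risk transactions (OTP, risk model)" (added here; it is not code from the webinar or from a CA product). An adaptive policy scores the login context and returns allow, step_up or deny; the step-up is enforced with an RFC 6238 TOTP code, compared in constant time, accepted within a one-step window, and accepted only once per time step so an intercepted code cannot be replayed. Assumptions: the risk weights and thresholds are made up for the example; the OTP seed is the RFC 6238 test key, so the sample codes can be checked against the RFC's published vectors; real seeds are per-user random secrets held by the identity service.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# RFC 6238 test key (ASCII "12345678901234567890"); production seeds are random, per user.
RFC_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp_step(at_time: float, step: int = 30) -> int:
    return int(at_time) // step


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with the time-step counter."""
    return hotp(key, totp_step(at_time, step), digits)


def match_totp(key: bytes, code: str, at_time: float, window: int = 1):
    """Return the time step the code matches (current step +/- window), else None.
    Constant-time comparison so wrong codes are not distinguishable by timing."""
    for delta in range(-window, window + 1):
        step = totp_step(at_time) + delta
        if hmac.compare_digest(hotp(key, step), code):
            return step
    return None


@dataclass
class LoginContext:
    user: str
    device_known: bool
    country: str
    last_country: str
    minutes_since_last_login: int
    transaction_value: float
    ip_on_denylist: bool = False


def risk_score(ctx: LoginContext) -> int:
    """Additive score; the weights below are assumptions for the example."""
    score = 0
    if not ctx.device_known:
        score += 30
    if ctx.country != ctx.last_country:
        score += 20
        if ctx.minutes_since_last_login < 120:
            score += 30   # country changed in under two hours: impossible travel
    if ctx.transaction_value >= 1000:
        score += 25
    if ctx.ip_on_denylist:
        score += 100
    return score


class AdaptivePolicy:
    """allow / step_up / deny; OTP codes are accepted once per time step per user."""
    STEP_UP_AT = 40
    DENY_AT = 100

    def __init__(self):
        self._last_step = {}   # user -> last accepted TOTP step (replay protection)

    def decide(self, ctx, otp_code=None, key=None, now=None):
        score = risk_score(ctx)
        if score >= self.DENY_AT:
            return "deny"
        if score < self.STEP_UP_AT:
            return "allow"
        if otp_code is None:
            return "step_up"
        step = match_totp(key, otp_code, now)
        if step is None or step <= self._last_step.get(ctx.user, -1):
            return "deny"  # wrong code, or a code that was already used
        self._last_step[ctx.user] = step
        return "allow"


if __name__ == "__main__":
    policy = AdaptivePolicy()
    risky = LoginContext("alice", False, "DE", "US", 600, 50.0)
    print(policy.decide(risky))                                          # step_up
    print(policy.decide(risky, totp(RFC_KEY, 59), RFC_KEY, now=59))      # allow
    print(policy.decide(risky, totp(RFC_KEY, 59), RFC_KEY, now=59))      # deny
```

Two details carry most of the security value. The comparison is `hmac.compare_digest`, not `==`, so an attacker guessing codes learns nothing from response time; and the policy remembers the last accepted step, which is what turns a 30-second code into a one-time code. A low-risk login from a known device in the usual country goes straight through, which is the "enabling the business" half of the slide.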

Page 29: Security to, for, and from the cloud-connected enterprise

[To] Identity is the new network perimeter: cloud service providers no longer authenticate users

(Diagram: the centralized identity service authenticates the user and asserts the identity over SAML to SaaS, cloud apps/platforms and web services (Google and others) and to on-premise enterprise apps.)

Page 30: Security to, for, and from the cloud-connected enterprise

[For] Inside the datacenter

(Diagram: application users arrive at Datacenter 1 with a SAML assertion; federation (token translation) turns it into the tokens App 1, App 2 and App 3 understand, with the user account profiles mapped to the federated identity.)
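Worked example for slides 18, 29 and 30 (added here; it is not code from the webinar or from CA). A service provider that has handed authentication to the enterprise identity service must still validate every SAML Response it receives before trusting it (issuer, destination and recipient, audience, validity window with clock skew, InResponseTo replay, exactly one signed assertion), and only then translate it into the short-lived internal token its own apps understand. Assumptions: the entity IDs, ACS URL, request ID and the whole Response document are constructed; XML-DSig verification is delegated to a library such as xmlsec or python3-saml and passed in as verify_signature (the checks below use a test double that accepts the sample); the internal token is a minimal HMAC-SHA256 design for illustration, not any product's format.

```python
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://app.example.com/sp"      # assumed: the data center's SP entity ID
ACS_URL = "https://app.example.com/saml/acs"     # assumed: where the Response is posted
IDP_ENTITY_ID = "https://idp.example.com/idp"    # assumed: the enterprise identity service
CLOCK_SKEW = timedelta(seconds=120)
NOW = datetime(2013, 1, 15, 10, 1, tzinfo=timezone.utc)   # "current time" for the sample
LATER = NOW + timedelta(minutes=9)                        # after the assertion has expired

# Constructed, minimal SAML 2.0 Response carrying one bearer assertion for alice.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_resp1"
  Version="2.0" IssueInstant="2013-01-15T10:00:00Z" InResponseTo="_req42" Destination="{ACS_URL}">
 <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-01-15T10:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="{ACS_URL}" NotOnOrAfter="2013-01-15T10:05:00Z"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2013-01-15T09:58:00Z" NotOnOrAfter="2013-01-15T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="groups">
   <saml:AttributeValue>finance</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, outstanding_request_ids, now, verify_signature):
    """Checks a service provider must make before trusting a SAML Response; fails closed.
    verify_signature(assertion) is the XML-DSig check, delegated to a real library and
    injected here. Returns (subject, attributes) or raises ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response" or root.get("Destination") != ACS_URL:
        raise ValueError("not a Response addressed to this ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion not issued by the expected IdP")
    if a.find("ds:Signature", NS) is None or not verify_signature(a):
        raise ValueError("assertion signature missing or invalid")
    cond = a.find("saml:Conditions", NS)
    if cond is None or now + CLOCK_SKEW < _ts(cond.get("NotBefore")) \
            or now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion issued for a different audience")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or now - CLOCK_SKEW >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation not for this recipient, or expired")
    if scd.get("InResponseTo") not in outstanding_request_ids:
        raise ValueError("unsolicited response or replayed InResponseTo")
    outstanding_request_ids.discard(scd.get("InResponseTo"))  # each request id is honoured once
    subject = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return subject, attrs


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_internal_token(key, subject, attrs, app, now, ttl=900):
    """Token translation: the validated assertion becomes a short-lived HMAC-signed token
    scoped to one internal app ('aud'), so a token for App 1 is useless at App 2."""
    issued = int(now.timestamp())
    claims = {"sub": subject, "groups": attrs.get("groups", []), "aud": app, "iat": issued, "exp": issued + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())


def verify_internal_token(key, token, app, now):
    p, s = token.split(".")
    payload = base64.urlsafe_b64decode(p + "=" * (-len(p) % 4))
    sig = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
        raise ValueError("bad token signature")
    claims = json.loads(payload)
    if claims["aud"] != app or claims["exp"] <= int(now.timestamp()):
        raise ValueError("token is for another app or has expired")
    return claims
```

Call `validate_response(SAMPLE_RESPONSE, {"_req42"}, NOW, verify)` with the set of request IDs the SP itself issued; the set is consumed, so the same Response cannot be presented twice. Two cautions for anyone adapting this: the signature library must verify the very element the NameID and Conditions are read from (signature-wrapping attacks target validators that sign-check one element and read another, which is why the example insists on exactly one assertion and reads everything from it), and a production parser should use defusedxml rather than the standard-library parser for documents arriving from the network.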

Page 31: Security to, for, and from the cloud-connected enterprise

There are many benefits of cloud-based security

• Reduce risk and improve compliance: protect your critical assets across on-premise and cloud with enterprise-grade IAM
• Rapidly achieve business agility: leverage elastic service levels and flexible, hybrid cloud deployment options
• Accelerate new business services: support new services more quickly and securely, and add value to lines of business beyond security and compliance

Page 32: Security to, for, and from the cloud-connected enterprise

[From] Enable customers with their existing identity

• Use consumer identity (Google and others) for initial customer acquisition and low-risk transactions
• Sign in with stronger credentials when needed for high-value transactions
• Simple new user registration increases sign-up rate
• Collecting identity attributes allows for immediate personalized marketing
• No sign-in for loyalty balance viewing and other simple transactions increases visits

Page 34: Security to, for, and from the cloud-connected enterprise

Summary: how to think about how to approach cloud security: "to", "for", "from" the cloud

• To: extend enterprise security to cover cloud-based applications, including SFDC (Salesforce)
• For: security for cloud providers, to ensure they meet the same level of security as within the enterprise
• From: Security as a Service delivered from the cloud, including authentication, identity management, federation and SSO

Page 35: Security to, for, and from the cloud-connected enterprise

Identity and Access Management is now being provided from the Cloud itself

(Diagram: CA CloudMinder™ serves customers, partners and employees with Identity Management, Access Management, Information Protection, Advanced Authentication, Federated Single Sign-on, Identity Governance and Privileged Identity Management. It reaches cloud platforms and SaaS apps directly, and on-premise (private cloud) enterprise applications through a cloud gateway or bridge.)

Benefits to the business: improve IT agility; improve operational cost efficiencies; accelerate new business services; expedite security services.

Page 36: Security to, for, and from the cloud-connected enterprise


CA CloudMinder

http://www.ca.com/us/cloud-identity.aspx

Page 37: Security to, for, and from the cloud-connected enterprise

Questions?

Page 38: Security to, for, and from the cloud-connected enterprise

Let's keep the discussion going…

Nimrod Vax, CA Technologies
[email protected]
@CASecurity
community.ca.com/blogs/iam/
www.security.com

Page 39: Security to, for, and from the cloud-connected enterprise

Legal notice

Copyright © 2013 CA. All rights reserved. Microsoft is a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted.

THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages.

Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.

Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available (i) for sale to new licensees of such product; and (ii) in the form of a regularly scheduled major product release. Such releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support on a when and if-available basis.