CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Is The Cloud Ready for Enterprise Security Requirements? John Tolbert

John Tolbert, Fortune 50 Company An examination of the often complex mix of scalability, interoperability, and security requirements that certain industries face, and what is needed for these types of organizations to be able to fully leverage the benefits of the cloud.

Transcript of CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Page 1: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Is The Cloud Ready for Enterprise Security Requirements?

John Tolbert

Page 2: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

The Cloud

A Huge Success Story
Rent what you need, rather than buy
Simplify data center management
Scalable
Fast provisioning and de-provisioning

Page 3: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Security Requirements

Consumer Privacy
Regulatory compliance: SOX, HIPAA, export regulations

Page 4: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

More Security Requirements

Intellectual Property: licensing and collaboration, background and foreground IP, trade secret protection

High Security / High Assurance: NIST 800-63 Level 3 and 4 authentication, fine-grained access controls, need-to-know

Page 5: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Authorization is like fashion

Informal Attire For a Day at The Lake

Page 6: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Admission to certain venues requires formal wear

http://upload.wikimedia.org/wikipedia/commons/3/39/MITO_Orchestra_Sinfonica_RAI.jpg

Page 7: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Access Control

[Figure: access control illustrated as a denied (X) request and a permitted (OK) request]

Page 8: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Organizations need to collaborate with business partners

The cloud is a natural place for collaboration
Easy to set up workspaces as needed
Identity management can be a combination of federated identities for those with robust IAM infrastructures and cloud-managed identities for business partners without the heavy-duty IAM infrastructures

Protecting intellectual property in collaborative environments can be a challenge

Page 9: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Enterprise IAM infrastructure in place

[Figure: an enterprise IAM infrastructure (LDAP, SSO, SAML, XACML PAP, XACML PEP, XACML PDP) serving enterprise applications, connected to the cloud (SaaS, IaaS, PaaS, file repositories, web apps, cloud IAM), with SAML and SCIM as the interfaces between the two]

Page 10: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Evolution of access controls

[Figure: timeline showing IAM solution complexity evolving to meet scalability and granularity requirements: Users and Groups, then RBAC, then ABAC and PBAC]

Page 11: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Union of Attribute and Policy

[Figure: Policy-Based Access Control and Attribute-Based Access Control shown as overlapping sets]

Page 12: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Policy/Attribute-based access control

XACML for consistent attribute-based access control in both the cloud and on-premise infrastructure

Profiles for privacy, export controls, intellectual property controls, and data loss prevention

Interoperability at the transport layer
Can facilitate the migration to a Mandatory Access Control (MAC) model

Page 13: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Fine-grained Authorization
Subject identity is just one variable in the authorization equation
Resources have identities too! Resource attributes must also be evaluated in runtime authorization decisions

[Figure: the four attribute categories of an authorization decision: Subject, Resource, Action, Environment]

Page 14: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Fine-grained AuthZ
Two major categories of data necessitate two different approaches:
Unstructured data: standardized metadata tags on data objects
Structured data: policy-based access controls applied via SQL and web application proxies
Backend Attribute Exchange: one domain trusts another to provide authoritative attributes for authenticated users

Page 15: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Metadata tagging and AuthZ

[Figure: a document is created, its content is analyzed and metadata is applied (e.g. Class: Top Secret); on access, the XACML PEP reads the metadata and passes it to the XACML PDP as resource attributes, subject attributes for the subject user come from LDAP, and the PDP returns the decision. Illustration: 1948 Top Secret USAF document, by United States Air Force, 718 Bot at en.wikipedia, public domain, from Wikimedia Commons: http://upload.wikimedia.org/wikipedia/commons/6/62/1948_Top_Secret_USAF_UFO_extraterrestrial_document.png]

Page 16: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Policy-based SQL and application proxies

[Figure: policies authored in the XACML PAP and evaluated by the XACML PDP, with subject attributes from LDAP; a thick client app reaches its DB through a SQL/XACML PEP, and a web app reaches its DB through a WAF/XACML PEP. Only certain row/column results match policies; only certain application actions match policies]

Page 17: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Backend Attribute Exchange

[Figure: the user authenticates in Domain A (SSO, LDAP, SAML); the user requests access to a resource (a web app) in Domain B; Domain B's SSO gets the user's attributes from Domain A over SAML; the user receives access in Domain B]

Assumption: Domain B trusts that Domain A is authoritative for specific attributes about users originating from there.

Page 18: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Mandatory Access Control

Gov't Classification    Commercial Analogs
Unclassified            Public Domain
Confidential            Confidential
Secret                  Competition Sensitive / Restricted
Top Secret              Limited Distribution

Bell-LaPadula: No Read Up, No Write Down
Biba Integrity: No Read Down, No Write Up
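As an added example (not from the presentation), the following Python sketch shows a toy XACML-style policy decision point that combines the four attribute categories from the fine-grained authorization slide, resource attributes derived from metadata tags as in the metadata tagging slide, and the classification mapping and Bell-LaPadula/Biba rules from this slide. The tag names, the export-location rule, the integrity levels and all sample subjects and documents are constructed assumptions.

```python
# Added example: toy XACML-style PDP over subject, resource, action and environment attributes.
# Classification levels and commercial analogs are taken from the slide; everything else is constructed.

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
COMMERCIAL_ANALOG = {"Unclassified": "Public Domain", "Confidential": "Confidential",
                     "Secret": "Competition Sensitive / Restricted",
                     "Top Secret": "Limited Distribution"}
RANK = {name: i for i, name in enumerate(LEVELS)}

def confidentiality_rank(label):
    """Map a government label or its commercial analog to an ordinal rank."""
    for gov, com in COMMERCIAL_ANALOG.items():
        if label in (gov, com):
            return RANK[gov]
    raise ValueError(f"unknown classification label: {label}")

def resource_attributes(metadata):
    """Parse 'Key: Value' metadata tags on a data object into resource attributes (tag names are assumed)."""
    attrs = {}
    for line in metadata.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key and value:
            attrs[key] = [c.strip() for c in value.split(",")] if key == "compartments" else value
    return attrs

def decide(subject, resource, action, environment=None):
    """Return an XACML-style 'Permit' or 'Deny' for a read/write request."""
    env = environment or {}
    s_conf, r_conf = confidentiality_rank(subject["clearance"]), confidentiality_rank(resource["class"])
    s_int, r_int = int(subject.get("integrity", 0)), int(resource.get("integrity", 0))
    if action == "read" and (r_conf > s_conf or r_int < s_int):
        return "Deny"  # Bell-LaPadula: no read up; Biba: no read down
    if action == "write" and (r_conf < s_conf or r_int > s_int):
        return "Deny"  # Bell-LaPadula: no write down; Biba: no write up
    if action not in ("read", "write"):
        return "Deny"  # unknown actions are denied by default
    if not set(resource.get("compartments", [])) <= set(subject.get("compartments", [])):
        return "Deny"  # need-to-know: the subject must hold every compartment tagged on the resource
    if resource.get("export") == "restricted" and env.get("location") != "US":
        return "Deny"  # environment attribute: export-restricted data is only served in-country (constructed rule)
    return "Permit"

# Constructed sample: a tagged document and two subjects as they might come from the LDAP directory.
DOC = resource_attributes("Class: Top Secret\nIntegrity: 2\nCompartments: ProjectX\nExport: restricted")
ANALYST = {"clearance": "Limited Distribution", "integrity": 2, "compartments": ["ProjectX"]}
PARTNER = {"clearance": "Competition Sensitive / Restricted", "integrity": 2, "compartments": ["ProjectX"]}
```

Calling decide(ANALYST, DOC, "read", {"location": "US"}) returns Permit, while the same read by PARTNER is denied as a read up.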

Page 19: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Compliance Monitoring and Risk Management

Standardized authentication and authorization mechanisms for consistent enforcement and reporting

Integration with Security Incident and Event Management for real-time alerting

Integration with GRC software

Page 20: CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Conclusion
Is the cloud ready for enterprise security? Yes, some providers offer solutions in most areas described above.
Cloud service providers will capture more customers with high security service offerings
Resource identities (attributes) are just as important in access control decisions as subject identities