CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?
Transcript of the slide deck, uploaded by cloudidsummit.
Is The Cloud Ready for Enterprise Security Requirements?
John Tolbert
The Cloud
A Huge Success Story
Rent what you need, rather than buy
Simplify data center management
Scalable
Fast provisioning and de-provisioning
Security Requirements
Consumer Privacy
Regulatory compliance: SOX, HIPAA, Export regulations
More Security Requirements
Intellectual Property: Licensing and Collaboration, Background and Foreground IP, Trade Secret Protection
High Security / High Assurance: NIST 800-63 Level 3 and 4 authentication, Fine-grained access controls, Need-to-know
Authorization is like fashion
Informal Attire For a Day at The Lake
Admission to certain venues requires formal wear
http://upload.wikimedia.org/wikipedia/commons/3/39/MITO_Orchestra_Sinfonica_RAI.jpg
Access Control
[Diagram: access denied (X) versus access granted (OK)]
Organizations need to collaborate with business partners
The cloud is a natural place for collaboration
Easy to set up workspaces as needed
Identity management can be a combination of federated identities for those with robust IAM infrastructures and cloud-managed identities for business partners without the heavy-duty IAM infrastructures
Protecting intellectual property in collaborative environments can be a challenge
Enterprise IAM infrastructure in place
[Diagram: Enterprise IAM Infrastructure (LDAP, SAML, SSO, XACML PAP, XACML PEP, XACML PDP, Enterprise Applications) connected to The Cloud (SaaS, IaaS, PaaS, File Repositories, Web Apps, Cloud IAM), with SCIM shown between the two]
Evolution of access controls
[Diagram: over time, IAM solution complexity evolves to meet scalability and granularity requirements: Users and Groups, then RBAC, then ABAC and PBAC, whose union is Policy/Attribute Based Access Control]
Policy/Attribute-based access control
XACML for consistent attribute-based access control in both the cloud and on-premise infrastructure
Profiles for privacy, export controls, intellectual property controls, and data loss prevention
Interoperability at the transport layer
Can facilitate the migration to a Mandatory Access Control (MAC) model
Fine-grained Authorization
Subject identity is just one variable in the authorization equation
Resources have identities too! Resource attributes must also be evaluated in runtime authorization decisions
[Diagram: the four attribute categories of an authorization request: Subject, Resource, Action, Environment]
Fine-grained AuthZ
Two major categories of data necessitate two different approaches:
Unstructured data: standardized metadata tags on data objects
Structured data: policy-based access controls applied via SQL and web application proxies
Backend Attribute Exchange: one domain trusts another to provide authoritative attributes for authenticated users
Metadata tagging and AuthZ
[Diagram: at creation, Document Content Analysis drives Metadata Application (for example Class: Top Secret); at access time the XACML PEP reads the metadata and passes it to the XACML PDP as resource attributes, alongside the subject attributes for the user fetched from LDAP, and the PDP returns the decision]
Image: 1948 Top Secret USAF UFO document, by United States Air Force, 718 Bot at en.wikipedia [Public domain], from Wikimedia Commons http://upload.wikimedia.org/wikipedia/commons/6/62/1948_Top_Secret_USAF_UFO_extraterrestrial_document.png
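The metadata-driven decision pictured above, worked through as a small policy decision point in Python. This is an added example, not code from the deck or from any XACML product: the rule names, attribute names, the clearance ordering, and the sample document tags and users are all assumptions chosen to illustrate the four attribute categories (subject, resource, action, environment) and the "Read Metadata, pass as resource attributes" step. It uses deny-overrides combining, as XACML policy sets commonly do, and treats an untagged document or a subject without a recognised clearance as not readable.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Classification labels, lowest to highest. The ordering is an assumption made
# for this example; it mirrors the labels used on the slides.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


def subject_level(label) -> int:
    """Rank of a subject's clearance. An unknown or missing clearance ranks
    below every label, so it never dominates anything (fail closed)."""
    return LEVELS.index(label) if label in LEVELS else -1


def resource_level(label) -> int:
    """Rank of a resource's classification tag. An unknown or missing tag ranks
    above every clearance, so an untagged document is never readable (fail closed)."""
    return LEVELS.index(label) if label in LEVELS else len(LEVELS)


@dataclass
class Request:
    """The four XACML attribute categories of one access request."""
    subject: Dict[str, object]
    resource: Dict[str, object]
    action: str
    environment: Dict[str, object] = field(default_factory=dict)


@dataclass
class Rule:
    """An XACML-like rule: a target predicate over the request plus an effect."""
    name: str
    effect: str                      # "Permit" or "Deny"
    target: Callable[[Request], bool]


def clearance_dominates(r: Request) -> bool:
    return subject_level(r.subject.get("clearance")) >= resource_level(r.resource.get("classification"))


def need_to_know(r: Request) -> bool:
    # Every compartment tagged on the resource must be held by the subject.
    return set(r.resource.get("compartments", [])) <= set(r.subject.get("compartments", []))


def export_controlled_foreign(r: Request) -> bool:
    return bool(r.resource.get("export_controlled")) and r.subject.get("nationality") != "US"


def off_network_write(r: Request) -> bool:
    # Environment attribute: writes are only allowed from the corporate network.
    return r.action == "write" and r.environment.get("network") != "corporate"


# Hypothetical policy set: rule names and attribute names are invented here.
POLICY: List[Rule] = [
    Rule("deny-export-controlled-to-foreign-person", "Deny", export_controlled_foreign),
    Rule("deny-write-off-network", "Deny", off_network_write),
    Rule("permit-cleared-need-to-know", "Permit",
         lambda r: r.action in ("read", "write") and clearance_dominates(r) and need_to_know(r)),
]


def decide(request: Request, rules: List[Rule] = POLICY) -> str:
    """Deny-overrides rule combining: any applicable Deny wins, otherwise Permit
    if some rule permits, otherwise NotApplicable (which the PEP must treat as deny)."""
    decision = "NotApplicable"
    for rule in rules:
        if rule.target(request):
            if rule.effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision


def resource_attrs_from_metadata(tags: Dict[str, str]) -> Dict[str, object]:
    """The PEP's 'Read Metadata' step: turn the tags stamped on a document at
    creation time into resource attributes for the PDP."""
    return {
        "classification": tags.get("Class"),
        "compartments": [c for c in tags.get("Compartments", "").split(",") if c],
        "export_controlled": tags.get("ExportControlled", "no").lower() == "yes",
    }


# Constructed sample data: a document tagged by content analysis at creation,
# and two subjects whose attributes would normally come from LDAP.
DOC_TAGS = {"Class": "Top Secret", "Compartments": "ProjectX", "ExportControlled": "no"}
ALICE = {"clearance": "Top Secret", "compartments": ["ProjectX", "ProjectY"], "nationality": "US"}
BOB = {"clearance": "Secret", "compartments": ["ProjectX"], "nationality": "US"}


def demo() -> Dict[str, str]:
    res = resource_attrs_from_metadata(DOC_TAGS)
    return {
        "alice_read_on_corp_net": decide(Request(ALICE, res, "read", {"network": "corporate"})),
        "alice_write_from_home": decide(Request(ALICE, res, "write", {"network": "home"})),
        "bob_read_on_corp_net": decide(Request(BOB, res, "read", {"network": "corporate"})),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Bob's request comes back NotApplicable rather than Deny: no rule matched, and it is the PEP's job to treat that as a refusal. Keeping the two outcomes distinct is useful for audit, since a NotApplicable usually means a gap in the policy set rather than a deliberate denial.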
Policy-based SQL and application proxies
[Diagram: an XACML PAP and LDAP feed the XACML PDP; a Thick Client App reaches its DB through a SQL/XACML PEP, and a Web App reaches its DB through a WAF/XACML PEP; only certain row/column results match policies, and only certain application actions match policies]
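An added example (not from the slides) of the SQL/XACML PEP role for structured data: a proxy that rewrites the application's SELECT so that only rows at or below the subject's clearance and within its regions come back, and masks a column the subject's role is not entitled to. The table, column, role and region names and the in-memory SQLite data are constructed for illustration. Note the whitelist of exposed tables and columns: caller-supplied column names are checked before they are spliced into SQL, so the proxy cannot itself become an injection path.

```python
import sqlite3
from typing import Dict, List, Tuple

# Classification ordering (assumed for this example), lowest to highest.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]

# Policy configuration, invented for the example. The proxy only exposes
# whitelisted tables and columns, so caller-supplied names are never spliced
# into SQL unchecked (that would be an injection path through the proxy).
EXPOSED_COLUMNS = {"contracts": ["id", "partner", "value", "classification", "region"]}
# Columns visible only to subjects holding the named role; otherwise masked.
MASKED_COLUMNS = {"contracts": {"value": "finance"}}


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the backend DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contracts (id INTEGER, partner TEXT, value INTEGER, "
                 "classification TEXT, region TEXT)")
    conn.executemany("INSERT INTO contracts VALUES (?, ?, ?, ?, ?)", [
        (1, "Acme", 100, "Unclassified", "US"),
        (2, "Globex", 250, "Confidential", "EU"),
        (3, "Initech", 900, "Secret", "US"),
        (4, "Umbrella", 400, "Top Secret", "US"),
    ])
    return conn


class PolicyProxy:
    """Sits between the application and the database (the SQL/XACML PEP role)."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def select(self, subject: Dict, table: str, columns: List[str]) -> Tuple[str, List[tuple]]:
        """Rewrite a SELECT so that only policy-permitted rows and columns come
        back. Returns the rewritten SQL (for audit logging) and the rows."""
        if table not in EXPOSED_COLUMNS:
            raise PermissionError(f"table {table!r} is not exposed by policy")
        unknown = [c for c in columns if c not in EXPOSED_COLUMNS[table]]
        if unknown:
            raise PermissionError(f"columns not exposed by policy: {unknown}")

        # Column-level control: mask restricted columns unless the role is held.
        masked = MASKED_COLUMNS.get(table, {})
        roles = set(subject.get("roles", []))
        projection = [f"NULL AS {c}" if c in masked and masked[c] not in roles else c
                      for c in columns]

        # Row-level control: classification at or below the subject's clearance
        # and region within the subject's permitted regions. An unknown
        # clearance or an empty region list yields no rows (fail closed).
        clearance = subject.get("clearance")
        regions = list(subject.get("regions", []))
        if clearance not in LEVELS or not regions:
            return "", []
        allowed_levels = LEVELS[: LEVELS.index(clearance) + 1]
        sql = (f"SELECT {', '.join(projection)} FROM {table} "
               f"WHERE classification IN ({', '.join('?' * len(allowed_levels))}) "
               f"AND region IN ({', '.join('?' * len(regions))}) ORDER BY id")
        rows = self.conn.execute(sql, allowed_levels + regions).fetchall()
        return sql, rows


# Constructed subjects; in the slides' architecture these attributes come from LDAP.
ANALYST = {"clearance": "Secret", "roles": ["analyst"], "regions": ["US"]}
FINANCE = {"clearance": "Confidential", "roles": ["finance"], "regions": ["US", "EU"]}


def demo() -> Dict[str, List[tuple]]:
    proxy = PolicyProxy(build_sample_db())
    return {
        "analyst": proxy.select(ANALYST, "contracts", ["id", "partner", "value"])[1],
        "finance": proxy.select(FINANCE, "contracts", ["id", "partner", "value"])[1],
    }


if __name__ == "__main__":
    for who, rows in demo().items():
        print(who, rows)
```

The data values that drive the predicate (clearance levels, regions) travel as bound parameters, while the only text interpolated into the statement is drawn from the proxy's own whitelist. That split is what keeps a policy-enforcing proxy from becoming the weakest point in front of the database.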
Backend Attribute Exchange
[Diagram, numbered steps 1 to 9: the user authenticates in Domain A (SSO backed by LDAP); the user requests access to a resource (Web App) in Domain B; Domain B SSO gets the user's attributes from Domain A over SAML; the user receives access in Domain B]
Assumption: Domain B trusts that Domain A is authoritative for specific attributes about users originating from there.
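The trust assumption above, made concrete as an added example (not code from the deck): Domain A issues a signed attribute statement, and Domain B accepts only the attributes it has configured Domain A as authoritative for and discards the rest. To stay self-contained, the statement is JSON signed with an HMAC key shared between the two domains; a real deployment would use a SAML assertion verified against the issuer's signing certificate, but the checks (issuer known, signature valid, audience is this domain, within the validity window, filter by authority) are the same. The domain names, the key and the attribute set are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Per-issuer trust configuration held by Domain B (constructed for the example):
# a verification key for the issuer and the set of attributes Domain B accepts
# from it. A shared HMAC key stands in for the issuer's SAML signing certificate.
KEY_A = b"shared-secret-between-domain-a-and-domain-b"
TRUSTED_ISSUERS = {
    "idp.domain-a.example": {
        "key": KEY_A,
        "authoritative_for": {"employeeId", "department", "nationality"},
    },
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_statement(issuer, audience, subject, attributes, key, now) -> str:
    """Domain A side: after authenticating the user, package the attributes it
    holds into a statement addressed to Domain B and sign it."""
    body = {"iss": issuer, "aud": audience, "sub": subject,
            "iat": now, "exp": now + 300, "attrs": attributes}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def consume_statement(token, my_domain, trust, now) -> Tuple[str, Dict, List[str]]:
    """Domain B side: verify the statement, then keep only the attributes the
    issuer is configured as authoritative for. Returns (subject, accepted
    attributes, names of ignored attributes)."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        body = json.loads(payload)
    except (ValueError, TypeError) as exc:
        raise PermissionError("malformed statement") from exc
    issuer = body.get("iss")
    if issuer not in trust:
        raise PermissionError("untrusted issuer")
    # The issuer name only selects which key to verify with; nothing in the
    # body is believed until the signature under that key checks out.
    expected = hmac.new(trust[issuer]["key"], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("signature check failed")
    if body.get("aud") != my_domain:
        raise PermissionError("statement not addressed to this domain")
    if not (body.get("iat", 0) <= now < body.get("exp", 0)):
        raise PermissionError("statement expired or not yet valid")
    authoritative = trust[issuer]["authoritative_for"]
    attrs = body.get("attrs", {})
    accepted = {k: v for k, v in attrs.items() if k in authoritative}
    ignored = sorted(k for k in attrs if k not in authoritative)
    return body["sub"], accepted, ignored


def demo() -> Tuple[str, Dict, List[str]]:
    now = 1_700_000_000  # fixed clock so the example is deterministic
    # Domain A also asserts a 'clearance' it is not trusted for; Domain B drops it.
    token = issue_statement("idp.domain-a.example", "sso.domain-b.example", "jdoe",
                            {"employeeId": "E1234", "department": "Engineering",
                             "nationality": "US", "clearance": "Top Secret"}, KEY_A, now)
    return consume_statement(token, "sso.domain-b.example", TRUSTED_ISSUERS, now + 10)


if __name__ == "__main__":
    subject, accepted, ignored = demo()
    print(subject, accepted, "ignored:", ignored)
```

The filtering step is the part most often missing in practice: a valid signature proves that Domain A said something, not that Domain A is the right source for everything it said. Attributes such as clearance or role in Domain B's own systems should come from Domain B's authoritative store, and the trust configuration should name the attributes accepted from each partner explicitly.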
Mandatory Access Control
Gov't Classification and Commercial Analogs:
Unclassified: Public Domain
Confidential: Confidential
Secret: Competition Sensitive / Restricted
Top Secret: Limited Distribution
Bell-LaPadula: No Read Up, No Write Down
Biba Integrity: No Read Down, No Write Up
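An added example (not from the slides) implementing the two rule pairs above over the slide's classification scale and commercial analogs, plus an integrity scale assumed for Biba, since the slide names the model but gives no labels for it. It shows why the two models point in opposite directions: a subject may write to a higher secrecy label but not to a higher integrity label, so a system enforcing both has to check each access against both lattices.

```python
from typing import Dict

# Secrecy labels (Bell-LaPadula), lowest to highest, with the commercial
# analogs listed on the slide.
SECRECY = ["Unclassified", "Confidential", "Secret", "Top Secret"]
COMMERCIAL_ANALOG = {
    "Unclassified": "Public Domain",
    "Confidential": "Confidential",
    "Secret": "Competition Sensitive / Restricted",
    "Top Secret": "Limited Distribution",
}
# Integrity labels (Biba), lowest to highest. These names are an assumption
# made for this example.
INTEGRITY = ["Untrusted", "User", "System"]


def _rank(scale, label) -> int:
    if label not in scale:
        raise ValueError(f"unknown label {label!r}")
    return scale.index(label)


def commercial_label(secrecy: str) -> str:
    """Government label with its commercial analog, for display and audit."""
    return f"{secrecy} ({COMMERCIAL_ANALOG[secrecy]})"


def blp_allows(subject_secrecy: str, object_secrecy: str, action: str) -> bool:
    """Bell-LaPadula confidentiality: no read up (simple security property),
    no write down (*-property)."""
    s, o = _rank(SECRECY, subject_secrecy), _rank(SECRECY, object_secrecy)
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject_integrity: str, object_integrity: str, action: str) -> bool:
    """Biba integrity: no read down (simple integrity property),
    no write up (integrity *-property)."""
    s, o = _rank(INTEGRITY, subject_integrity), _rank(INTEGRITY, object_integrity)
    if action == "read":
        return s <= o
    if action == "write":
        return s >= o
    raise ValueError(f"unknown action {action!r}")


def mac_allows(subject: Dict[str, str], obj: Dict[str, str], action: str) -> bool:
    """Both models enforced together: the access is permitted only if it
    violates neither the confidentiality nor the integrity lattice."""
    return (blp_allows(subject["secrecy"], obj["secrecy"], action)
            and biba_allows(subject["integrity"], obj["integrity"], action))


def demo() -> Dict[str, bool]:
    # Constructed subject: cleared to Secret, ordinary user-level integrity.
    analyst = {"secrecy": "Secret", "integrity": "User"}
    return {
        "read Top Secret (read up)":
            mac_allows(analyst, {"secrecy": "Top Secret", "integrity": "User"}, "read"),
        "write Confidential (write down)":
            mac_allows(analyst, {"secrecy": "Confidential", "integrity": "User"}, "write"),
        "write Top Secret, same integrity (write up is fine under BLP)":
            mac_allows(analyst, {"secrecy": "Top Secret", "integrity": "User"}, "write"),
        "read Confidential from Untrusted source (integrity read down)":
            mac_allows(analyst, {"secrecy": "Confidential", "integrity": "Untrusted"}, "read"),
        "write System-integrity config (integrity write up)":
            mac_allows(analyst, {"secrecy": "Secret", "integrity": "System"}, "write"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'allow' if allowed else 'deny '}  {case}")
```

The third case is the one worth noticing: Bell-LaPadula happily lets a Secret-cleared subject write into a Top Secret container, since that leaks nothing downward. That is exactly why the slide pairs it with Biba; without an integrity rule, anyone could plant content in the most sensitive store.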
Compliance Monitoring and Risk Management
Standardized authentication and authorization mechanisms for consistent enforcement and reporting
Integration with Security Information and Event Management (SIEM) for real-time alerting
Integration with GRC software
Conclusion
Is the cloud ready for enterprise security? Yes, some providers offer solutions in most areas described above.
Cloud service providers will capture more customers with high security service offerings
Resource identities (attributes) are just as important in access control decisions as subject identities