Inside Symantec O3 - VOX
vox.veritas.com/legacyfs/online/veritasdata/SR B30.pdf

SR B30 - Inside Symantec O3

Transcript of Inside Symantec O3

Page 1

Inside Symantec O3

Sergi Isasi, Senior Manager, Product Management

Page 2

SYMANTEC VISION 2012

Agenda

Page 3

Cloud: Opportunity And Challenge

'We should embrace the Cloud to respond to LOB needs, drive business agility and better manage costs'

Challenge: 'We lack a comprehensive means to control access, security and compliance across the breadth of cloud services and applications'

(Diagram labels: Cloud, Private Cloud)

Page 4

Cloud-mobile: Opportunity And Challenge

'We should embrace BYOD, BYOA and the new mobile platform to augment productivity and innovate new business models'

Challenge: 'How do we layer common protection across cloud and mobile without undermining the convenience of the mobile experience?'

(Diagram labels: Mobile, Cloud, Private Cloud)

Page 5

Introducing Symantec O3: A New Cloud Information Protection Platform

(Diagram labels: Symantec O3™, Private Cloud, Cloud, Information Protection, Control, Security, Compliance, Access Control, Cloud Visibility)

Page 6

A Platform To Meet The Challenge In Three Dimensions

Control
• Single control point
• Context-based
• Layered security "as-a-service"

Convenience
• Easy access/SSO for cloud/web apps
• Use the apps you like
• Any device, including mobile

Compliance
• SIEM and forensics for the cloud
• Log and audit trail management
• Policy audit and reporting

Page 7

Symantec O3 Identity and Access Control Architecture

Leverages Existing IDM Infrastructure
• Any corporate directory or identity store
• Single ID
• SSO

Strong Authentication
• VIP OTP
• Stepped up (per application policy)
• Other forms using custom integration

Authorization
• Context-based policy engine
• Who (identity-based)
• What (device-based)

Federation/Password Management
• SAML & OpenID
• Gateway-based keychain and wizard
• Apps catalog (+ connectors)

Page 8

O3 Services – ID Broker And Authentication Model

(Diagram labels: O3 End-user, User Devices, Client App; O3 Admin; O3 Intelligence Center, Policies and Configuration, SAML Console; O3 Gateway: Identity and Access Broker, Information Gateway, GW Portal, SAML handler; Cloud Service portal, SAML Cloud Service; Enterprise Customer: AD/LDAP, IDP, IDP portal, Custom portal; flows: HTTP POST Login ceremony, O3 SSO Login, Dir Auth and Attributes, SP initiated SAML, SP SAML Assertion, IDP initiated SAML, IDP SAML Assertion, Service access)

End-user SSO login options to O3:
1. At O3 gateway portal
2. Custom portal in front of O3-GW
3. External IDP with redirect
4. SAML based SP with redirect

Page 9

Application Integration

Gateway Credential Keychain
• Password vault storing SaaS app credentials
• Encrypted and locally stored in GW, 1 per user
• Works with any web apps (catalog and custom adaptors)

SAML
• Gateway proxies user store as IDP
• Redirect or proxy mode option
• Point and click SAML setup (no SAML expertise required)

HTTP-Federation
• HTTP form stuffing; credential stored in local keychain
• Reverse proxy
• Trusted headers (internal web apps)

Keychain Tool
• Java tool to pre-populate SaaS app username-passwords in keychain
• Prevents user login @ SaaS app with machine-generated username-password
• Input: spreadsheet of uid/pswd

(Diagram labels: O3 End-user, User Devices, Client App; O3 Gateway: Identity and Access Broker, Information Gateway, SSO portal, Credential Keychain, IDP; SAML, HTTP-Fed; Cloud Services and Web-enabled applications)

Page 11

Deployment: Symantec cloud, Your cloud, hybrid

(Diagram labels: Acme Inc Network: Symantec O3 Gateway (single-tenant), AD, Managed Devices, Unmanaged Devices; Symantec O3 Secure Infrastructure: Intelligence Center (multi-tenant policy mgmt.); Cloud or Partner Virtualized Infrastructure: Symantec O3 Gateway (single-tenant on IAAS); Any SAAS, Any Public Cloud, IAAS/PAAS, Private Cloud; Identity Sec Policy, Information Sec Policy, Policy Synch)

Page 12

Customer-Hosted Deployment Overview

(Diagram labels: Cloud Applications; Symantec Network: Symantec O3 Intelligence Center; Customer Network: Symantec O3 Gateway, Customer AD/LDAP, Customer Administrator, Employees, Internal SaaS Applications; Roaming Employees; Policies and configuration)

A. Customer admin defines employee access policies at hosted O3 IC
B. Policies published to on-prem O3 gateway(s)
C. Internal and External Employees authenticate to O3 gateway to gain access to applications
D. O3 gateway delegates authentication to customer AD/LDAP
E. O3 gateway enforces Identity based access and information protection policies
F. Employees gain access to applications upon successful authorization
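As an added illustration (not Symantec's code) of the brokered authentication in steps C–F above and of the who/what context policy engine from page 7: the gateway delegates primary authentication to a stand-in directory, applies identity- and device-based rules published from the IC, and asks for OTP step-up where the application's policy requires it. The policy table, directory entries, device flag and result strings are all constructed assumptions.

```python
import hmac
from dataclasses import dataclass

# A/B. Constructed stand-in for policies an admin defines at the IC and
# publishes to the gateway: per-app 'who' (groups), 'what' (device) and
# whether the app policy demands stepped-up (OTP) authentication.
POLICIES = {
    "crm":  {"groups": {"sales"}, "managed_only": False, "step_up": True},
    "hr":   {"groups": {"hr"},    "managed_only": True,  "step_up": True},
    "wiki": {"groups": {"staff"}, "managed_only": False, "step_up": False},
}

# D. Constructed stand-in for the customer AD/LDAP the gateway delegates to.
DIRECTORY = {
    "alice": {"password": "pw-alice", "groups": {"staff", "sales"}},
    "bob":   {"password": "pw-bob",   "groups": {"staff", "hr"}},
}

@dataclass
class Request:
    user: str
    password: str
    app: str
    managed_device: bool      # 'what': device context known to the gateway
    otp_ok: bool = False      # outcome of the OTP step-up, if one was done

def directory_auth(user, password):
    """D. Delegate primary authentication; return group attributes or None."""
    entry = DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry["password"], password):
        return None
    return entry["groups"]

def broker(req):
    """C-F. Authenticate, apply the context policy, return the decision:
    'granted', 'step_up_required' or 'denied:<reason>'."""
    groups = directory_auth(req.user, req.password)
    if groups is None:
        return "denied:auth"            # gateway never forwards the request
    policy = POLICIES.get(req.app)
    if policy is None:
        return "denied:unknown_app"     # no published policy: default deny
    if not (groups & policy["groups"]):
        return "denied:group"           # 'who' rule failed
    if policy["managed_only"] and not req.managed_device:
        return "denied:unmanaged_device"  # 'what' rule failed
    if policy["step_up"] and not req.otp_ok:
        return "step_up_required"       # E. per-app stepped-up auth
    return "granted"                    # F. access to the application
```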

Page 13

Symantec-Hosted Deployment Overview

(Diagram labels: Cloud Applications; Symantec Network: Symantec O3 Intelligence Center, Symantec O3 Gateway; Customer Network: Customer AD/LDAP, Customer Administrator, Employees, Internal SaaS Applications; Roaming Employees; Symantec O3 ID Link)

A. Customer admin defines employee access policies at hosted O3 IC
B. Policies published to Symantec Hosted O3 gateway(s)
C. Internal and External Employees authenticate to O3 gateway to gain access to applications
D. O3 gateway delegates authentication to customer AD/LDAP
E. O3 gateway enforces Identity based access and information protection policies
F. Employees gain access to applications upon successful authorization

Page 14

Roadmap

Page 15

Roadmap Disclaimer

This information is about pre-release software. Any unreleased update to the product or other planned modification is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec products should make their purchase decision based upon features that are currently available.

Page 16

Symantec O3 – Information Security Architecture

DLP for information classification
• Leverages existing DLP deployment
• Identity context
• Any device, any cloud

Silent File Encryption
• Leverages existing PGP™ deployment
• Key management option
• Other forms using custom portal integration

iPad Secure Sandbox App
• "Bring your iPad to work"
• Integrated with gateway (SSL VPN with 2FA)
• Sandbox data at rest encryption

Availability: 2H CY2012

Page 17

Demonstration!

https://gw.ea7.symanteco3.com/

Page 18

Roadmap Disclaimer (text repeated from page 15)

Page 19

O3 As The Cloud Information Protection Platform

O3 Gateway
• Reverse Proxy services
• Default SSO portal / Custom portal
• Gateway web-services
• Non-native 2FA
• Federation Services (SAML, OA, OID, WSF)
• Context Based Policy Enforcement
• eSSO HTTP-FED
• IC sync
• IDP / Usr-Store Connectors

User Devices
• Client App

Symantec 2FA
• MPKI
• FDS

3rd party 2FA
• RSA
• Certificates

Info Protection (ICAP)
• DLP
• PGP / Key-management
• Archiving / eDiscovery

O3 Intelligence Center
• Multi-tenant
• Policy Management
• GW configuration and status

External Cloud Applications / Legacy web-enabled applications
• Cloud SP connectors
• Authentication delegation

External User-Store
• OpenID
• SAML
• Oauth

Enterprise User-Dir.
• AD / LDAP
• ODBC / JDBC
• WS / REST

Symantec VIP
• OTP

O3 connectors
• AD/LDAP ID-link
• AD IWA

O3 Logs
• Audit and Access
• System logs

Symantec Log Management
• SSIM
• Minimum Security Standards (MSS) Log management
• Symantec DeepSight™, Symantec Global Intelligence Network

Cloud Access and Information Protection:
1. End-user SSO session portal
2. Brokered authentication and authorization
3. Policy and configuration synchronization
4. Information protection
5. Audit and access logs

Page 20

Thank you!

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Sergi Isasi