Security to, for, and from the cloud-connected enterprise
© 2013 CA Inc. All rights reserved. With permission for use granted to ISACA for the 2013 ISACA Webinar Program.
January 2013
• Nimrod Vax, VP Product Management
Slide 2: Welcome!
• Type in questions using the Ask A Question button
• All audio is streamed over your computer
– Having technical issues? Click the ? button
• Click the Attachments button to find a printable copy of this presentation
• After the webinar, ISACA members may earn 1 CPE credit
– Find a link to the Event Home Page on the Attachments button
– Click the CPE Quiz link on the Event Home Page to access the quiz
– Once you pass the quiz, you’ll receive a link to a printable CPE Certificate
• Questions or suggestions? Email them to [email protected]
Slide 3: Agenda
• Cloud adoption, trends and challenges
• How to approach Cloud security:
– To
– For
– From
• Summary and Q&A
Slide 5: Market shift: cloud dynamics and identity
[Diagram: the computing eras Mainframe, Distributed, Internet, Virtual and Cloud, each bringing NEW CHALLENGES and NEW SECURITY MODELS.]
• About 25% of software purchased for business purposes will be service-enabled by 2015.
• By 2016, the delivery of SaaS-based software is expected to grow by 30%.
• Of the top 5 most important issues for companies migrating to the cloud, the #1 issue was Identity and Access Management (50% of respondents). Ponemon Institute, “Security of Cloud Computing Provider study”, April 2011.
• Identity as a Service
Copyright © 2013 CA. All rights reserved.
Slide 6: Traditional Enterprise with Network Perimeter
[Diagram: Enterprise Apps (On Premise) sit behind a VPN network perimeter with the Internal Employee inside it; outside the perimeter are the Mobile employee, Customer and Partner User, and Cloud Apps/Platforms & Web Services (SaaS). Captions: …and remote employees …and cloud applications …and external users.]
Slide 7: Traditional Enterprise with Network Perimeter
[Diagram: the same picture without the perimeter. Caption: Network Perimeter is gone! The Mobile employee, Customer, Partner User and Internal Employee all reach Enterprise Apps (On Premise) and Cloud Apps/Platforms & Web Services (SaaS).]
Slide 8: Multiple cloud security standards are in various states of completion
• Standardized Information Gathering (SIG) Questionnaire
• NIST Special Publication 800-144: Guidelines on Security and Privacy in Public Cloud Computing
• Common Asset Maturity Model
• ISO/IEC 27017
• Cloud Controls Matrix
• Consensus Assessments Initiative Questionnaire (CAIQ)
Slide 9: How to think about how to approach cloud security: “to”, “for”, “from” the cloud
• To: Extend enterprise security to include security to cloud-based applications, including SFDC
• For: Security for cloud providers to ensure they meet the same level of security as within the enterprise
• From: Security as a Service from the cloud including Authentication, Identity Management, Federation and SSO
Slide 10 (To): Challenge: Expanding identity silos is a problem!
Shadow IT creates “Shadow Identity” … a big risk to enterprise information.
[Diagram: identity silos spread across Enterprise Apps (On Premise) and Cloud Apps/Platforms & Web Services (SaaS).]
Slide 11 (For): Challenge: Your cloud service providers’ data centers are a “black box”
Slide 12 (From): Challenge: What about customers? Is security enabling the business?
[Illustration: two ONLINE STORE sign-in screens, one saying “Please create a new username and password before you do any business with us”, the other “Please sign in with a username and password before doing any business with us”.]
Customers already have an identity. They don’t want to use a new one to work with you.
Slide 15 (To): Security function needs to evolve
[Diagram contrasting Infrastructure Build & Secure (the enterprise builds and secures a stack of Network, Virtualization, Operating System, Middleware/DB and Application for each user) with Business Service Brokerage (users are connected to business services through a broker).]
Slide 16 (To): External business service
IAM will remain in our direct control.
[Diagram: a user reaching an external business service, with two security layers: 1. Infrastructure and Application Security; 2. Identity and Access Management Security.]
Slide 17 (To): We need to pull these cloud-based identities back into our control
[Diagram: identities held in Cloud Apps/Platforms & Web Services (SaaS) being brought back under the control of the enterprise alongside Enterprise Apps (On Premise).]
Slide 18 (To): Identity and Access Management TO cloud applications
A centralized identity service controls access to both Enterprise Apps (On Premise) and Cloud Apps/Platforms & Web Services (SaaS):
• Authenticate users strongly: OTP, risk model
• Manage user accounts: provisioning, SCIM
• Manage access and single sign-on: SAML
Slide 20 (For): IAM can bring visibility into a cloud service provider’s datacenter
[Diagram: who reaches into the provider’s datacenter (Administrators; Employees, sub-contractors, partners; Mobile; Cloud) and what they reach (Mainframes, Databases, Servers, Virtual Machines & Hypervisors).]
Slide 22 (For): What about privileged administrators?
[Diagram: Administrators (Privileged Users) reach App 1, App 2 and App 3 in DATACENTER 1 through Federation (token translation).]
Administrators now need access across multiple data centers. Cloud providers need to show control of administrators.
Slide 23 (For): Centralize privileged user access
[Diagram: Administrators (Privileged Users) pass through a centralized session checkout for privileged user access and Federation (token translation) to reach App 1, App 2 and App 3 in DATACENTER 1 and in DATACENTER 2.]
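As an added example (not code from the deck or from CA), here is a minimal centralized checkout broker for privileged administrator access across two data centers, in the spirit of slides 22 and 23: one holder per target at a time, a time-boxed checkout, a signed token that plays the role of the deck’s token translation, and an audit trail the provider can show its customers. Target names, the TTL and the token format are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

TTL_SECONDS = 900                      # assumed maximum checkout length (15 minutes)
SIGNING_KEY = secrets.token_bytes(32)  # constructed key; in practice kept in an HSM or vault

@dataclass
class Checkout:
    admin: str
    target: str          # "<datacenter>/<app>", e.g. "DC1/App 2" (assumed naming)
    expires_at: float    # epoch seconds
    token: str           # what the target data center verifies

class PrivilegedCheckoutService:
    def __init__(self, clock):
        self.clock = clock   # callable returning current epoch seconds (injected for testing)
        self.active = {}     # target -> Checkout currently held (one holder at a time)
        self.audit = []      # append-only event log the provider can show to customers

    def _log(self, event, admin, target):
        self.audit.append({"t": self.clock(), "event": event, "admin": admin, "target": target})

    def _token(self, admin, target, expires_at):
        # The central service vouches for the admin to the target data center
        # (the deck's "token translation"): an HMAC over admin, target and expiry.
        msg = f"{admin}|{target}|{int(expires_at)}".encode()
        return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

    def checkout(self, admin, target, justification):
        now = self.clock()
        held = self.active.get(target)
        if held is not None and held.expires_at > now:
            self._log("denied_in_use", admin, target)
            raise PermissionError(f"{target} is checked out by {held.admin}")
        if not justification.strip():
            self._log("denied_no_justification", admin, target)
            raise ValueError("a justification is required for privileged access")
        expires_at = now + TTL_SECONDS
        co = Checkout(admin, target, expires_at, self._token(admin, target, expires_at))
        self.active[target] = co
        self._log("checkout", admin, target)
        return co

    def verify(self, co):
        """Accept only a currently held, unexpired and correctly signed checkout."""
        expected = self._token(co.admin, co.target, co.expires_at)
        return (self.active.get(co.target) is co and co.expires_at > self.clock()
                and hmac.compare_digest(co.token, expected))

    def checkin(self, admin, target):
        held = self.active.get(target)
        if held is None or held.admin != admin:
            self._log("denied_checkin", admin, target)
            raise PermissionError("no matching checkout to return")
        del self.active[target]   # returning the session revokes the token immediately
        self._log("checkin", admin, target)
```

Because the clock is injected, expiry and the resulting audit trail can be exercised deterministically.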
Slide 24 (For): What you should ask your potential Cloud Service Provider
1. Where will my data be located?
2. Who will have access to my servers and data?
3. How will my systems and data be secured?
4. What activity data will be captured and logged?
5. How will you enable compliance?
Slide 25: The CSA offers identity guidance for securing cloud environments
• “Identity should not just be viewed as a reference for authenticating the entity but also gathers more information about the user for making access decisions. Identity also includes the identities of the devices that applications run on (VM image identity), privileged users that manage the VM image (could be both enterprise users as well as service provider users), identities for other applications and services that application needs to interact with, identities of administrative users to manage the application, and external identities outside of the enterprise that need access to the application like B2B, B2C, etc.”
-- Cloud Security Alliance, “Security Guidance for Critical Areas of Focus in Cloud Computing V3.0”, 2011.
Slide 27 (To): Identity is the new network perimeter
Centralized identity service to control access to all enterprise applications (SaaS & on-premise).
[Diagram: the Mobile employee, Customer, Partner User and Internal Employee all pass through the centralized identity service to reach Enterprise Apps (On Premise) and Cloud Apps/Platforms & Web Services (SaaS).]
Slide 28 (To): Identity is the new network perimeter
Centralized identity service to control access to all enterprise applications (SaaS & on-premise), with the authentication method matched to the user and the risk:
• Consumer identity providers for low-risk applications: OpenID, OAuth
• Federated identity for business partner networks: SAML
• Adaptive, multi-factor auth for high-risk transactions: OTP, risk model
[Diagram: the Mobile employee, Customer, Partner User and Internal Employee all enter through the centralized identity service.]
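As an added example (not code from the deck or from CA), here is a small policy engine for the centralized identity service of slides 18 and 28: it picks the identity provider by user population (consumer IdP, SAML federation for partners, enterprise SSO for employees) and applies a risk model to decide when to step up to an OTP. The population names, risk signals, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Identity provider the centralized identity service delegates to, by user population (assumed names).
IDP_BY_POPULATION = {
    "consumer": "consumer IdP (OpenID/OAuth)",    # low-risk consumer applications
    "partner": "partner IdP (SAML federation)",   # business partner networks
    "employee": "enterprise IdP (SAML SSO)",      # SaaS and on-premise enterprise apps
}

# Assumed risk-model weights and thresholds; a production model would be tuned from observed data.
RISK_WEIGHTS = {"new_device": 30, "unfamiliar_location": 25, "recent_failed_logins": 20}
HIGH_VALUE, HIGH_VALUE_POINTS = 1000.0, 40     # transaction-value boundaries (assumed)
MID_VALUE, MID_VALUE_POINTS = 100.0, 15
STEP_UP_THRESHOLD = 50                         # at or above: require a second factor (OTP)

@dataclass
class AccessRequest:
    population: str                             # consumer | partner | employee
    transaction_value: float                    # monetary value of what the user is about to do
    signals: set = field(default_factory=set)   # contextual risk signals observed at sign-in

def risk_score(req: AccessRequest) -> int:
    """Combine contextual signals and transaction value into a 0..100 score."""
    score = sum(RISK_WEIGHTS.get(s, 0) for s in req.signals)
    if req.transaction_value >= HIGH_VALUE:
        score += HIGH_VALUE_POINTS
    elif req.transaction_value >= MID_VALUE:
        score += MID_VALUE_POINTS
    return min(score, 100)

def decide(req: AccessRequest) -> dict:
    """Policy decision: which IdP handles sign-in and whether step-up authentication is required."""
    if req.population not in IDP_BY_POPULATION:
        raise ValueError(f"unknown population: {req.population}")
    score = risk_score(req)
    step_up = score >= STEP_UP_THRESHOLD
    factors = ["idp_login", "otp"] if step_up else ["idp_login"]
    return {"idp": IDP_BY_POPULATION[req.population], "risk": score,
            "step_up": step_up, "factors": factors}

if __name__ == "__main__":
    # Constructed sample requests: a loyalty-balance view, a large purchase from a new
    # device, and a partner transaction from an unfamiliar location after failed logins.
    for req in (AccessRequest("consumer", 20.0),
                AccessRequest("consumer", 2500.0, {"new_device"}),
                AccessRequest("partner", 500.0, {"unfamiliar_location", "recent_failed_logins"})):
        print(decide(req))
```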
Slide 29 (To): Identity is the new network perimeter
Cloud service providers no longer do authentication of users: the centralized identity service controls access to all enterprise applications (SaaS & on-premise) and asserts the user’s identity to Cloud Apps/Platforms & Web Services (SaaS) over SAML.
Slide 30 (For): Inside the datacenter
[Diagram: Application Users arrive over SAML; Federation (token translation) maps them to User Account Profiles for App 1, App 2 and App 3 in DATACENTER 1.]
Slide 31: There are many benefits of cloud-based security
• Reduce risk and improve compliance: protect your critical assets across on-premise and cloud with enterprise-grade IAM
• Rapidly achieve business agility: leverage elastic service levels and flexible, hybrid cloud deployment options
• Accelerate new business services: support new services more quickly and securely, and add value to lines of business beyond security and compliance
Slide 32 (From): Enable customers with their existing identity
• Use consumer identity for initial customer acquisition and low-risk transactions
• Sign in with stronger credentials when needed for high-value transactions
• Simple new user registration increases sign-up rate
• Collecting identity attributes allows for immediate personalized marketing
• No sign-in for loyalty balance viewing and other simple transactions increases visits
Slide 34 (Summary): How to think about how to approach cloud security: “to”, “for”, “from” the cloud
• To: Extend enterprise security to include security to cloud-based applications, including SFDC
• For: Security for cloud providers to ensure they meet the same level of security as within the enterprise
• From: Security as a Service from the cloud including Authentication, Identity Management, Federation and SSO
Slide 35: Identity and Access Management is now being provided from the Cloud itself
[Diagram: Customers, Partners and Employees reach Cloud platforms and SaaS Apps directly and, through a Cloud Gateway or Bridge, Enterprise Applications On-Premise (Private Cloud); CA CloudMinder™ sits in between providing Information Protection, Access Management, Identity Management, Advanced Authentication, Federated Single Sign-on, Identity Governance and Privileged Identity Mgt.]
Benefits to the business: improve IT agility; improve operational cost efficiencies; accelerate new business services; expedite security services.
Slide 36: CA CloudMinder
http://www.ca.com/us/cloud-identity.aspx
Slide 37: Questions?
Slide 38: Let’s keep the discussion going…
Nimrod Vax, CA Technologies, [email protected]
@CASecurity
community.ca.com/blogs/iam/
www.security.com
Slide 39: Legal notice
Copyright © 2013 CA. All rights reserved. Microsoft is a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted.
THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages.
Certain information in this presentation may outline CA’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. The development, release and timing of any features or functionality described in this presentation remain at CA’s sole discretion.
Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available (i) for sale to new licensees of such product; and (ii) in the form of a regularly scheduled major product release. Such releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support on a when and if-available basis.