
1 The intersection of IAM and the cloud

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Theory, practice, pros and cons with a focus on enterprise deployments of IAM and cloud computing.

Idan Shoham, CTO | 2011-04-19

2 Agenda

• Overview of cloud computing.
• Different types of IAM.
• Intersection of IAM and cloud computing.
• Discussion.

© 2011 Hitachi ID Systems, Inc. All rights reserved. 1


3 Hitachi ID Corporate Overview

Hitachi ID is a leading provider of identity and access management solutions.

• Founded as M-Tech in 1992, a division of Hitachi, Ltd. as of 2008.

• Hitachi, Ltd.:

– Founded in 1910.
– $105 billion revenue in FY2010.
– 360,000 employees.

• Hitachi ID has 840+ customers with a combined 10.4M+ licensed users.

• Offices in North America and partners overseas.

• Approximately 140 employees.

Award: SC Magazine Best Buy for the ID Management Suite.

4 Cloud

4.1 Cloud computing

The word cloud... Is a metaphor for the Internet, originating in old network diagrams.

The key concept... Is ambiguity: we do not specify where a service is running.

A cloud service provider... Hosts systems or applications for multiple customers:

• Must be able to ramp up and down quickly.
• OpEx replaces CapEx.
• Delivered over the Internet.

A business model... Cloud computing is not about new technology; it's about who runs the apps and where.


4.2 Many meanings of ’cloud’

Cloud computing is a marketing buzzword. There is a whole taxonomy of what this might mean.

• SaaS: Host a single application. Examples: Salesforce.com, Google apps.
• PaaS: Software development and runtime environment. Examples: Force.com, Microsoft Azure.
• IaaS: On-demand virtual network landscape. Examples: Amazon EC2, Hosting.com.

Location is also a variable:

• Public.
• Private (is this still in the cloud?).
• Hybrid.

4.3 Why cloud computing?

Theory:

• SaaS: Expert at hosting the app. Zero setup time/effort. Always up-to-date.
• PaaS: Scalable.
• IaaS: Adaptive capacity.
• General: Lower cost. Pay for what you use.

Reality:

• SaaS: Frequent upgrades. Limited features.
• PaaS: Platform lock-in.
• IaaS: Attractive for low-demand apps. Always-on servers expensive.
• General: Dynamic capacity. Replace CapEx with OpEx.


4.4 Objections and FUD

Common concerns:

• Is it secure?
• High availability?
• Performance?

More serious problems:

• Does the contract support transfer of liability?
• Vendor viability?
• Integration with on-premise systems?
• Data portable to other providers?
• To what jurisdictions will data be moved?

Can you imagine a cloud provider staying in business after a security breach or if performance or availability are poor?

Cloud computing is a business model, not a technology. Real-world problems are mostly business problems.

5 IAM

5.1 Definitions

An integration layer linking user lifecycle events to changes in profiles and access rights.

Manage (account and entitlement administration):

• User profiles.
• Identity attributes.
• Login accounts.
• Authentication factors.
• Group/role memberships.

Authenticate with (authentication factor management):

• Passwords.
• Security questions.
• OTP tokens.
• Smart cards / PKI certificates.
• Biometrics.
• More (CAPTCHA, mobile phone, etc.)

Authorize (single sign-on and access control):

• Logins.
• Actions.


5.2 The User Lifecycle

At a high level, the user lifecycle is essentially the same in all organizations and across all platforms.

5.3 User Lifecycle: Business Challenges

• More IT → more users to manage.
• There are challenges throughout the user lifecycle.
• Support cost.
• User service.
• Security.

• Slow: too much paper, too many people.
• Expensive: too many administrators doing redundant work.
• Role changes: add/remove rights.
• Policies: enforced?
• Audit: are privileges appropriate?
• Org. relationships: track and maintain.
• Reliable: notification of terminations.
• Fast: response by sysadmins.
• Complete: deactivation of all IDs.
• Passwords: too many, too weak, often forgotten.
• Access: Why can't I access that application / folder / etc.

6 Intersection


6.1 IAM in the Cloud

There is a lot of marketing buzz around "IAM in the cloud" but what does that actually mean?

• An on-premise IAM system managing user access to SaaS applications?
• A SaaS IAM system managing user access to on-premise applications?
• A SaaS IAM system managing user access to SaaS applications?
• A SaaS IAM system augmenting an on-premise system?
• Federated access management for corporate users to access SaaS?
• Access management for SaaS vendors?

6.2 Moving parts

Participants:

• The user signs into...
• an application after authenticating to...
• an authentication system which is managed by...
• an identity and access management system.

Locations:

• The corporate network.
• The Internet.
• The cloud service provider.

Each participant could be at any of the locations.

These locations are separated by routers and firewalls.

6.3 Baseline

[Diagram: User, Authentication System, Application and Identity Management System, placed across the Private Corporate Network, the Public Internet and the Cloud-based Software Provider's Public Network.]

6.4 Pros and Cons

Pros:

• Well understood architecture.
• Direct integration (no firewalls to hop over).

Cons:

• Typical deployment only gets upgraded every 3–4 years.
• Costly physical infrastructure.
• Talent to manage this effectively is scarce.


6.5 IAM hosted in the cloud

[Diagram: User, Authentication System, Application and Identity Management System, placed across the Private Corporate Network, the Public Internet and the Cloud-based Software Provider's Public Network.]

6.6 Pros and Cons

Pros:

• No server hardware, DBMS to purchase/deploy.
• Always running current software.
• Fewer skilled workers needed in-house?

Cons:

• Integration with on-premise applications is hard.
• Where do you find a vendor that:
  – Operates a reliable 24x7 NOC; and
  – Has a consulting team to implement an IAM?
• Vendor lock-in?

6.7 Managing access to SaaS/cloud

[Diagram: User, Authentication System, Application and Identity Management System, placed across the Private Corporate Network, the Public Internet and the Cloud-based Software Provider's Public Network.]


6.8 Pros and Cons

If this means federated login to a SaaS app:

Pros:

• Convenient for users.
• May reduce admin burden (if no persistent IDs on the SaaS app).

Cons:

• Do mobile users have to set up a corporate VPN before they can sign into the SaaS app?
• What about non-VPN-capable devices?

If this means identity administration on a SaaS app:

Pros:

• Just another IAM integration.
• Always good to add "target systems."

Cons:

• One more connector.

6.9 Outsource the directory

[Diagram: User, Authentication System, Application and Identity Management System, placed across the Private Corporate Network, the Public Internet and the Cloud-based Software Provider's Public Network.]


6.10 Pros and Cons

Pros:

• Users might be happy to sign into corporate apps with their Facebook credentials.
• Reduce onboarding effort for new hires.
• Eliminate some costly infrastructure (e.g., AD DCs).

Cons:

• Do you trust SaaS authentication inside the corporate perimeter?
• Can legacy apps integrate with this?
• Will auditors accept this?

6.11 Remote access for mobile users

[Diagram: User, Authentication System, Application and Identity Management System, placed across the Private Corporate Network, the Public Internet and the Cloud-based Software Provider's Public Network.]

6.12 Pros and Cons

Pros:

• Mobile workforce.
• Lower facility cost.
• Staff retention.
• Productivity.

Cons:

• Need a VPN.
• Is the VPN redundant when apps move to SaaS?

6.13 There are 24 base cases

• Even with just one of each participant, there are 24 arrangements.
• Each has its own architectural pros and cons.
• These are in addition to the general pros and cons of moving any part of the infrastructure into the cloud.


6.14 Architectural considerations

Firewalls:

• Tend to be porous in one direction.
• Outbound connection easier than inbound.
• Lead to proxies.

Trust/compliance:

• Can you trust the CSP?
• To safeguard data?
• To stay in business?

Mobility:

• Users are mobile.
• Moving apps to the cloud helps.

Connectivity:

• Intense client/server traffic?
• Low bandwidth to Internet?
• High latency?
• Link reliability?

OpEx vs. CapEx:

• Budget impact?
• Tax treatment?

Dynamic capacity:

• Buying is cheaper for heavy use.
• Renting is cheaper for sporadic use.

Maturity:

• Process maturity?
• Staff skills?

Retooling:

• SaaS works best with federated access.
• Apps may not be ready.
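The placement exercise behind 6.13 and the firewall rule of 6.14 (outbound is easier than inbound, which leads to proxies), worked through for each of the deck's named arrangements. This is an added Python example, not code from the presentation: the connection flows and the firewall policy it encodes are assumptions, and it enumerates all 3^4 placements of the four participants rather than reproducing the slide's count of 24 base cases.

```python
from itertools import product

# Participants and locations named in section 6.2 of the deck.
PARTICIPANTS = ("user", "application", "authentication system", "IAM system")
CORP, NET, CSP = LOCATIONS = ("corporate network", "Internet", "cloud service provider")
# Who initiates a connection to whom (assumed from 6.2: the user signs into an application
# after authenticating to an authentication system, which the IAM system manages).
FLOWS = (("user", "application"), ("user", "authentication system"),
         ("IAM system", "authentication system"))

def traversal(src_loc, dst_loc):
    """Mechanism a connection from src_loc to dst_loc needs under an assumed policy:
    the corporate firewall allows outbound and blocks unsolicited inbound, the CSP
    exposes its service to the Internet, and roaming clients accept no inbound."""
    if src_loc == dst_loc or dst_loc == CSP:
        return "direct"            # same network, or outbound to a public service
    if dst_loc == CORP:            # nothing outside may dial in; something inside must call out
        return "VPN" if src_loc == NET else "outbound-initiated proxy"
    return "unreachable"           # nobody can initiate a connection to a roaming client

def classify(arrangement):
    """Map each of the deck's flows to the traversal mechanism it needs."""
    return {f"{s} -> {d}": traversal(arrangement[s], arrangement[d]) for s, d in FLOWS}

def needs_proxy_or_vpn(arrangement):
    return any(v != "direct" for v in classify(arrangement).values())

def scenario(**moved):
    """The baseline (everything on the corporate network) with some participants moved."""
    return {**dict.fromkeys(PARTICIPANTS, CORP), **moved}

# The deck's five named arrangements, as constructed sample input.
SCENARIOS = {
    "6.3 baseline": scenario(),
    "6.5 IAM hosted in the cloud": scenario(**{"IAM system": CSP}),
    "6.7 managing access to SaaS": scenario(application=CSP),
    "6.9 outsource the directory": scenario(**{"authentication system": CSP}),
    "6.11 remote access for mobile users": scenario(user=NET),
}

def count_needing_proxy_or_vpn():
    """How many of the 3**4 placements need something other than a direct link."""
    return sum(needs_proxy_or_vpn(dict(zip(PARTICIPANTS, locs)))
               for locs in product(LOCATIONS, repeat=len(PARTICIPANTS)))
```

Running `classify` over `SCENARIOS` shows why 6.5 is the hard case: the cloud-hosted IAM system has to reach an authentication system behind the corporate firewall, so something inside must open the connection outward.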

6.15 Opinions

Baseline:

• Safe.
• Expensive.
• Slow.
• Mature?

IAM hosted in the cloud:

• Limited examples today.
• Hosting vendors not good at consulting / implementation.
• Consultants not good at hosting / operations.

Managing access to SaaS/cloud:

• No different than managing access to internal apps.

Outsource the directory:

• New, higher risk profile.
• Sign into work system with facebook account?

Remote access for mobile users:

• Everyone already does it.
• Vendors can outsource VPN, virtual desktop.


7 Content On-Line

• Free White Paper: Intersection of identity management and cloud computing: http://tinyurl.com/4cm7baa

• This presentation: http://tinyurl.com/3rqmkfy

• QUESTIONS?

www.Hitachi-ID.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

File: PRCS:pres    Date: April 18, 2011