27
1 Shared Services Canada (SSC) Cloud Computing Architecture Identity, Credential & Access Management Architecture Framework Advisory Committee Transformation, Service Strategy and Design August 29, 2013

Cloud Computing Architecture Identity, Credential & Access ... · PDF file1 Shared Services Canada (SSC) Cloud Computing Architecture Identity, Credential & Access Management Architecture

  • Upload
    doandat

  • View
    226

  • Download
    3

Embed Size (px)

Citation preview

1

Shared Services Canada (SSC)

Cloud Computing Architecture

Identity, Credential & Access Management

Architecture Framework Advisory Committee

Transformation, Service Strategy and Design

August 29, 2013

2

Agenda

TIME TOPICS PRESENTERS

9:00 – 9:10 Opening Remarks, Objectives &

July Meeting Review

B. Long, Chair

W. Daley, Vice-Chair

9:10 – 9:15 Cloud Computing:

Recap from July AFAC meeting

B. Long

9:15 – 9:40 Cloud Computing Architecture J. Danek

9:40 – 10:20 Round Table All

10:20 – 10:30 Health Break

10:30 – 11:00 Identity, Credential & Access

Management

R. Thuppal

11:00 – 11:45 Round Table All

11:45 – 12:00 Closing Remarks Chair

3

Shared Services Canada • Enterprise Architecture

Cloud Computing Architecture

AFAC Meeting 2

August 29, 2013

Jirka Danek

DG – Enterprise Architecture

4

SSC High Level Requirements

• Application mobility between private, public and hybrid cloud

environments

• Ability to manage, orchestrate, administrate, and provision

from a single open interoperable architectural framework

• Ability to provide an environment for open competition and

level playing field among vendors

• To ensure on-going competition (not just at contract award)

low cost / high value to the Crown over the contract life

• Agility – to have flexibility in the architecture that will allow

for scale – both from a capacity perspective and with

respect to change in technology directions driven by our

requirements and marketplace opportunities

5

Portal and Self Service Catalogue

Multi-Cloud Management Services (Orchestration, Governance, Financial Control, Brokering, ICAM, Reporting)

GC Cloud Orchestration Architecture v1

GC Public

Cloud

Services

GC Hybrid

Cloud

Services

GC Community

Cloud

Services

Service, Security, Savings

Agility & Mobility

6

July AFAC Cloud Computing Feedback

Did we hear you correctly??

• OpenStack was considered by some as not mature enough at this time

• OpenStack was seen as a potential option for open cloud interoperability,

however, it was noted that there are very few significant production

implementations at this time

• Fail fast – test it and try application mobility in small initial iterations

• Some participants felt that OpenStack would be good for selective non-mission

critical workloads

• Some AFAC members suggested the cost of the systems integration work for

OpenStack would out-weigh the benefit of application mobility

• OpenStack is complex and implementation skills are not readily available

• Others felt that OpenStack would be good as a long term strategy, but shouldn’t

be the only plank in SSC’s approach to cloud interoperability

• It was observed that OpenStack is just one of a number of cloud open standards

bodies, and no clear winner has emerged at this time

7

SSC DC Challenge Sample – Win/Lintel Only

Mgmt. Mgmt. Mgmt. Mgmt. Mgmt. Mgmt. Mgmt. Mgmt. Mgmt.

Network Network Network Network

Network Network

Network Network Network

Network

Network

Network

Network

Network

Cloud Computing

Compute

OS

Hypervisor

Hardware

Compute

OS

Hypervisor

Hardware

Compute

OS

Hypervisor

Hardware Hardware

OS

Hypervisor

Compute

Storage

Storage

Storage Storage

Storage Storage

8

SSC DC Challenge Sample – Win/Lintel Only

Cloud Computing

Integrated

Mgmt.

Network

OS

Hypervisor

Compute

Storage

VCE

Integrated

Mgmt.

Network

OS

Hypervisor

Compute

Storage

FlexPod

Integrated

Mgmt.

Network

OS

Hypervisor

Compute

Storage

vStart

Integrated

Mgmt.

Network

OS

Hypervisor

Compute

Storage

CloudSystem

Integrated

Mgmt.

Network

OS

Hypervisor

Compute

Storage

HItachi

Integrated

Mgmt.

Network

OS

Hypervisor

Compute

Storage

PureFlex

Integrated

Infrastructure

Systems

9

SSC DC Challenge Sample – Win/Lintel Only

Cloud Computing

Integrated

Mgmt.

Network

OS

Hypervisor

Compute

Storage

Oracle Exadata

DBMS

Integrated

Application

Systems

Integrated

Mgmt.

Network

OS

Hypervisor

Compute

Storage

IBM PureApplication

Integrated

Mgmt.

Network

OS

Hypervisor

Compute

Storage

HP AppSystem

10

Roadmap of Cloud-based Services

• Enterprise HR Service

• Enterprise Finance Service

• Enterprise Document Management Service

• Enterprise Web Hosting Service

• GCNet Services

• Unified Communications Services

• Enterprise Data Centre IaaS and PaaS Services

• Partner-based SaaS implementations (except ETI)

• Multi-Services, Service Providers and Service Layers

• Private, Public and Hybrid Cloud Environments

• Roadmap includes:

11

The Emerging Broker Role

NIST Cloud Reference Architecture: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505

Cloud Broker Roles

1. Service Intermediation • Enhances via value-added

services

2. Service Aggregation • Cloud services integration

from multiple CSPs

3. Service Arbitrage • Managing capacity dynamically, or managing service across a number of

providers to meet, for example, SLA or optimum cost metrics.

12

Broker Use Cases

1. Management of New Hires: • A new government employee joins the government. Their HR

information is with Cloud Service Provider #1 (CSP #1) and their

financial information and pay systems are with CSP #2. Their

email is with CSP #3. How does SSC orchestrate interoperability

among the systems? What is a broker role? How do we manage

ICAM, and directory services? How do we manage custom

interoperability?

2. Fail Over and DR: • SSC implements a mission critical application internally and

wishes to fail over based on capacity thresholds to a hybrid cloud

or public cloud provider.

3. Dynamic Allocation: • SSC implements an IaaS service for a government web site that is

anticipating dramatic changes in capacity that cannot be

estimated. Can we implement a pool of cloud providers and

allocate workloads based on price or capacity thresholds?

13

Questions

1. How do we architect to effectively manage the future

state environment?

2. Do we architect for separate management and

orchestration systems and processes for each service?

3. Are there mature enterprise reference architecture

models that bridge SaaS to PaaS from different service

providers?

4. How do we ensure vendor neutrality in this kind of

situation?

5. How should we architect to manage “cloud sprawl”?

14

Shared Services Canada • Enterprise Architecture

Identity, Credential & Access

Management

AFAC Meeting 2

August 29, 2013

Raj Thuppal

DG – Cyber & IT Security Transformation

15

Purpose

• Present GC ICAM proposed plan and Early

Releases

• Seek feedback and input

• Questions/Discussion

16

July 2013 AFAC ICAM Feedback

• Build in increments according to need and priorities – make it as simple as possible

• Have very clear business goals

• Make it something “attractive” that users want to get

• Scaling to a new identity might be a challenge – incrementally connect the islands and migrate from the islands to a consolidated approach

• Consider all open standards, protocols (e.g. SAML and others)

• Awareness – one of the costs impacts of ICAM is the admin of credentials:

Consolidate credentials

Be cost effective

Bring as much capability as possible to Help Desk (SSC & Partner)

• Work on the security posture

• “Privacy by Design” – some provinces have some of the best privacy practices

Did we hear you correctly??

17

IT Security Transformation (Draft)

Transformation from multiple network domains to single GC domain requires shift

from network based security to identity and data based security.

IT Security Target State IT Security Current State

DEFENCE IN DEPTH

Focus on network, perimeter protection and

network authentication Focus on data, through layers of protection,

separation and active detection

Dept …

Dept …

Dept … GCNet

Data in

Processing

Data at

Rest

Data at

Rest Data in

Transit

Unified Credential Single Identity

Centralized

Access

Controls

Multiple Identities Multiple Identities Multiple Identities

Multiple Credentials

Consolidated

Back office

Apps

Mission

Specific

Apps

Mission

Specific

Apps Consolidated

Back office

Apps

Mission

Specific

Apps

Mission

Specific

Apps

Data at

Rest

Mission

Specific

Apps

Mission

Specific

Apps

Back office

Apps Back office

Apps

Multiple

Access

Controls

Multiple

Access

Controls

Data in

Transit

Data in

Processing

18

ICAM Challenges and Requirements

• Lack of comprehensive access controls and

management of admin privileges, and dormant

accounts

• Limited GC policy and standards enforcement

capability

SSC Initiatives

• Blackberry 10

• GC-Wifi

• GCNet

• GC converged

communications

• GC Secret infrastructure

• Data centre consolidation

• Workplace technology

devices

TBS Initiatives

• HR

• Web

• Fin

• GCDocs

• Mobility

• Lack of single GC identity repository

• Partner specific ICAM, difficult to implement GC

wide services

• Hard coded dependency on ICAM solutions

inhibits service evolution

• Duplication and fragmented technologies,

processes and service management

• Lack of GC wide capability forces application

specific ICAM solutions (ex: ETI)

Increase Security

DRIVERS CHALLENGES EMERGING

REQUIREMENTS

Improve Service

Generate Savings

19

GC ICAM – Scope (Proposed)

Scope: • A Government of Canada solution

• Internal GC workers (e.g. employees, contractors, agents of the Crown, integrees, trusted

guests, retirees) and non-person entities (e.g. devices, applications)

• Logical (IT systems/applications) and physical (building) access management

• Designated (to Protected B*) and Classified (to Secret) identities, credentials and resources

will be managed

• Current ICAM-related processes and technologies will be transformed to the new ICAM

solution, and new ones will be created as needed

Out-of-Scope: • Individuals and businesses external to the Government of Canada

*Note: Protected C requirements are handled as part of the Classified environment

20

Program Management: Project Management, Reporting, Communications, Governance, Stakeholder Engagement, Finance

Jun. 2013

Sep. Dec. 2016 2017 Sept Apr 2015 2018 2019

GC ICAM – Schedule (Proposed)

Implement Rn

(…) Detailed

Plans

Current State

Requirements

End State

Plan and Procure

Implement Rn

(…)

Implement Future State

(…)

• Inventory of infrastructure and systems

• Lessons learned

• Partner and enterprise requirements

• End-state architecture and design

• Service strategy, design, delivery model

• Business case(s)

• Consolidation and transformation roadmap

• Implementation plan

2014

21

Current State

PWGSC Industrial Security Program • Workers Security Clearance Attributes

Email Transformation Initiative • Employee Attributes

•ETI Onboarding

PenMod • Employee Attributes

GEDS • Employee Attributes

Identity

Management

Access

Management

Credential

Management

myKey ICM Service • Person PKI Key & Onboarding

• PKI Directory services

Departments (DND, RCMP, CRA) • Person PKI Key

• PKI Directory services

• Others (e.g. SSL…) HR Applications (43 Partners ++) • Employees Attributes

Line of Business Applications • Embedded credential

Departments tools and

policies

Secure Remote Access

Departments

• Facilities Management

Requirements and Support to Transformation Programs

(e.g. Network, Email, Data Centre…)

22

Opportunities

• TBS back office application modernisation initiatives (HR, Fin, Web,

GCDocs)

• IT service specific ICAM solutions are being designed due to lack of GC

wide solution (Ex: ETI), there is an urgent need for a GC ICAM solution

(SSC and TBS led initiatives)

• Internal credential management system is already a GC wide service that

could be transformed (open standards, consolidation, decouple from

applications etc..) to end state service relatively quickly

• ETI directory could be leveraged to populate GC ICAM

• AFAC, industry feedback and previous GC attempts recommend building in

increments according to need and priorities and make it as simple as

possible

23

Program Management: Project Management, Reporting, Communications, Governance, Stakeholder Engagement, Finance

Jun. 2013

Sep. Dec. 2016 2017 Sept Apr 2015 2018 2019

GC ICAM – Schedule (Proposed)

Implement Rn

(…) Detailed

Plans

Current State

Requirements

End State

Plan and Procure

Implement Rn

(…)

Implement Future State

(…)

• Inventory of infrastructure and systems

• Lessons learned

• Partner and enterprise requirements

• End-state architecture and design

• Service strategy, design, delivery model

• Business case(s)

• Consolidation and transformation roadmap

• Implementation plan

2014

Tactical Plan

24

ICAM Transformation Strategy

Release 1 ICAM:

Identity Management:

•Attributes

•Authoritative Sources

•Onboarding process

•Identity Manager

Credential Management:

•Applications Authentication

(UserID/Pw or myKey)

•PKI Transformation

Access Management:

•PiV cards for SSC

•Simple Sign-On

Po

lic

ies

An

aly

sis

, A

cc

es

s

Ma

na

ge

me

nt

IOS

ICA

M D

ire

cto

ry

Release ....:

Identity

Management

Credential

Management

Access

Management

Po

lic

ies

Pro

ce

ss

Go

ve

rna

nc

e

Te

ch

no

log

y

GC ICAM Program

Release 2:

Identity

Management

Credential

Management

Access

Management

Po

lic

ies

Pro

ce

ss

Go

ve

rna

nc

e

Te

ch

no

log

y

2014 Dec. 2016... July 2013 Jan. 2014 Dec. 2015

25

GC ICAM Release 1 (Proposed)

Principles

• Avoid development of application

specific ICAM services

• Leverage existing enterprise ICAM

services (ETI, ICMS etc..)

• Adopt open standards

• Focus on foundation elements that

paves way for future GC ICAM

• Consolidate identities

Scope

• Identity Management Identify attributes and their authoritative

sources

Build GC ICAM directory leveraging ETI directory services and other sources

Establish GC identity manager that hosts user identities and passwords

• Credential Management Transform GC-ICMS and other PKI

services

Application authentication/decoupling (e.g. using SAML)

• Access Management Building access card standard and

pilot

Web application simple sign-on

26

New GC ICAM Service Release 1 - Draft

PWGSC Industrial Security Program • Workers Security Clearance Attributes

Email Transformation Initiative • Employee Attributes

•ETI Onboarding

PenMod • Employee Attributes

GEDS • Employee Attributes

myKey ICM Service • Person PKI Key & Onboarding

• PKI Directory services

Departments (DND, RCMP, CRA) • Person PKI Key

• PKI Directory services

• Others (e.g. SSL…) HR Applications (43 Partners ++) • Employees Attributes

Line of Business Applications • Embedded credential

Departments tools and

policies

Departments

• Facilities Management

Credential Management:

• Applications Authentication

(UserID/Pw or myKey)

• PKI Transformation

Identity Management:

• Attributes

• Authoritative Sources

• Onboarding process

• Identity Manager

New Enterprise Service

Access Management:

• PiV cards for SSC

•Simple Sign-On

Secure Remote Access

Identity

Management

Access

Management

Credential

Management

Requirements and Support to Transformation Programs and TBS Initiatives

(e.g. HR, WEB, Fin, GCDOCS, Network, Email, Data Centre…)

27

For the GC ICAM:

1. Is proposed Release 1 scope sufficient to establish critical foundation for

GC ICAM?

2. Should the strategy for internal ICAM be federated or non-federated?

3. Should the strategy for ICAM authoritative sources be federated or non-

federated?

Questions - Engaging Discussion