MULTI-CLOUD IDENTITY AND ACCESS MANAGEMENT

Ins and Outs of Multi-Cloud IAM: How RightScale Helps


Page 1: Ins and Outs of Multi-Cloud IAM: How RightScale Helps


Page 2: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Panelists

• Bart Falzarano, Director, Security and Compliance, RightScale

• Andrew Nelson, Product Manager, RightScale

Page 3: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Agenda

• The multi-cloud IAM challenge

• Understanding cloud IAM

• RightScale and multi-cloud IAM

Page 4: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

POLLS

Page 5: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Multi-Cloud is an Enterprise Reality

Enterprise cloud strategy (1000+ employees):

• Hybrid cloud 55%

• Multiple public 16%

• Multiple private 11%

• Single public 9%

• Single private 6%

• No plans 3%

Multi-cloud (any combination of the above): 82%

Source: RightScale 2016 State of the Cloud Report

Page 6: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Average # of Clouds Used (all respondents)

                       Public Clouds   Private Clouds
Running applications   1.5             1.7
Experimenting          1.5             1.3
Total                  3.0             3.0

Page 7: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

The Multi-Cloud Drivers

1. Operate anywhere

2. Leverage existing investments

3. Optimize costs

4. Access unique capabilities

5. Create resilient architectures

6. Maintain vendor leverage

7. Future-proof your cloud strategy

8. Multi-cloud happens

Page 8: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Match Application Requirements to Clouds

(Diagram: an application portfolio, App 1 through App n, is matched through requirement filters for performance, cost, compliance, geo-location, security and vendors to a set of resource pools: Public Cloud 1, Public Cloud 2, Hosted Private, Internal Private, Virtualized and the Existing DC.)

Page 9: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

IAM Solutions Differ Across Clouds

(Diagram: private cloud / virtualization, shown as a data center running VMware vSphere with vCenter Server and ESXi, alongside several public clouds, each with its own IAM model.)

How do I effectively implement multi-cloud IAM?

Page 10: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Some Key IAM Differences

Area reviewed: Policies / Roles / Permissions / Tools

• Amazon AWS IAM: EC2 API permissions 180+; AWS IAM Policy Generator

• Azure I+AM / Azure WAAD: Dir-Sync between AD and Azure AD; Azure AD B2C extensible policy framework; Azure Role-Based Access Control, over 180 roles and permissions

• Google Cloud IAM: Primitive and Curated Roles, 30+ roles (NOTE: some Curated Roles in Beta)

Area reviewed: API Integration

• Amazon AWS IAM: Y

• Azure I+AM / Azure WAAD: Y, PowerShell and REST API, currently for Users, Groups, Relationships, Licenses, SSO

• Google Cloud IAM: Y, version 1 currently

Area reviewed: Managing Secrets, e.g. SSH key creation, rotation, removal of the key when a user is removed from a project

• Amazon AWS IAM: Y for a single user accessing via ssh; the key can be created, e.g. a key pair .pem file; creation is manual for adding more users

• Azure I+AM / Azure WAAD: Y, VMAccessForLinux extension with the Azure CLI; Y for RDP via AD, AAD, and Group Policy

• Google Cloud IAM: Y, using the gcloud tool allows for some automation for creation, auto key rotation and deletion when a user is removed from a project. There are also manual options.

Page 11: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Decentralized Cloud IAM Management

No!!

Page 12: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Design/Architecture Considerations

Modern Authentication Protocols

o WS-Federation

o SAML 2.0

o OAuth 2.0

o OpenID Connect

Design Approach

o Federation Approach

o Security Considerations

o Identity Synchronization

o 2FA/MFA options

o Reporting / Auditing / Logging

Key players for Identity Management Services: IDaaS, Gartner 2016

Page 13: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Access Control / Management Considerations

Security Controls

• Authentication and Authorization

• Govern and enforce user access

• Access of least privilege

• Configure Role Management

• Context Based Access Control

• Enable Audit reporting

• Integration w/ 3rd Party Identity Providers, i.e. Okta, Ping Identity, OneLogin, etc.

• SSO SAML, 2FA/MFA, OAuth, ADFS, Azure Active Directory

“Should this person (user) who performs this job function and therefore has these roles assigned (role) be allowed to access this type of data as it applies to this particular account (context)?”

Page 14: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Auditing / Logging Design Considerations

Design Approach

• Log Aggregation

• Syslogs

• SIEM Integration

• HIDS

• Auditing for Cloud, OS/System, Application

• Alerts / Notifications

• WORM Option

• User Behavior / Insider Threat Analytics

(Diagram: logs from all sources flow into centralized logging and a SIEM.)

Page 15: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

RightScale Multi-Cloud Access Controls

What you get:

• Aggregate accounts across clouds

• Hierarchical organization of accounts

• Security and access controls

• SSO integration

(Diagram: Users A through E authenticate to RightScale Access Control with passwords or SSO; an Enterprise Account contains Account 1 and Account 2, each holding several Cloud Accounts, and RightScale authenticates to those with cloud credentials.)

Page 16: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Control Cloud Credentials

• Using Cloud IAM with RightScale

o Our support portal page contains information on using, for example, Amazon AWS IAM with RightScale.

o By following this configuration guideline we do not require our customers to register their master AWS Access ID and Secret Key with us.

o A similar technique for setting up service account cloud credentials can be used with other cloud providers' IAM offerings, i.e. WAAD and Google Cloud IAM.

Secure AWS Access Control

http://support.rightscale.com/06-FAQs/How_do_I_use_Amazon_IAM_with_RightScale%3F

Page 17: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Active Directory / LDAP Integration

• AD Agents/Connectors

  • Okta, Ping Identity, OneLogin

• Enterprise Directory Services

  • Active Directory Federation Services (ADFS)

  • Windows Azure Active Directory (WAAD)

• Large Scale Provisioning

  • RightScale API for user provisioning

  • AD / LDAP integration

http://tinyurl.com/m269g4j

Page 18: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Diagram of Multi-Cloud IAM

(Diagram: Users A through E; SAML SSO enabled users authenticate through Active Directory with ADFS as the identity provider. Only steps 4 to 6 of the flow survive in the slide text.)

4. Identity Provider (ADFS) provides AuthN response

5. User A authentication complete

6. Authorization: User A is only authorized to access Account 1, and the RBAC / user role configuration determines the privilege access levels to Account 1

Page 19: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

DIRECTORY SERVICE INTEGRATION

Page 20: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

SAML Single Sign-On

Central Directory Service

• Your primary repository for user information and organization

• Azure Active Directory, MS Active Directory, OpenLDAP, etc.

SAML Identity Provider Integration

• RightScale has existing capability to provide SSO through a SAML integrated IdP (PingOne, ADFS, etc.)

• New users authenticating through SSO are automatically provisioned in the RightScale platform

• Permissions for different cloud resources are enforced at the RightScale account level

Page 21: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Directory Service Integration

(Diagram: the corporate directory service backs an identity provider that speaks SAML 2.0 to RightScale Governance and RightScale Cloud Management, which in turn manage the cloud resources.)

Page 22: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

SAML Group Mapping

SAML Assertions

• SAML authority asserts a subject has certain attributes

• Your directory service asserts that an authenticated user is a member of specific groups

SAML Provisioning Templates

• XSL based

• Used to extract specific assertion information such as group membership

Group Mapping Rules

• Regular expression based rules map extracted group information for an authenticated user to RightScale groups

RightScale Groups

• Contain collections of permissions for group members across one or more RightScale accounts
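The four-stage pipeline on this slide (assertion attributes, an extraction template, regex mapping rules, platform groups) as an added Python example that is not RightScale's code: it uses an XPath query in place of the XSL provisioning template, borrows the group names server_login and server_superuser from the Managed Login slide later in the deck, and assumes the assertion has already been signature-verified by the service provider before mapping runs. The assertion, the attribute name and the rules are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample assertion (not taken from the deck): the IdP asserts that
# the authenticated subject belongs to three directory groups.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>usera@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>cloud-ops-admins</saml:AttributeValue>
      <saml:AttributeValue>cloud-ops-readonly</saml:AttributeValue>
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def extract_groups(assertion_xml, attr_name="groups"):
    """Provisioning-template step: pull the group values out of the assertion.
    An ElementTree XPath query stands in for the deck's XSL template."""
    root = ET.fromstring(assertion_xml)
    path = f"./saml:AttributeStatement/saml:Attribute[@Name='{attr_name}']/saml:AttributeValue"
    return [v.text.strip() for v in root.findall(path, NS) if v.text]

# Hypothetical mapping rules: (regex over a directory group, platform group granted).
# The patterns are anchored on purpose: an unanchored r"cloud-ops-admins" would
# also match a future "cloud-ops-admins-readonly" group and over-grant sudo rights.
MAPPING_RULES = [
    (re.compile(r"^cloud-ops-admins$"), "server_superuser"),
    (re.compile(r"^cloud-ops-(admins|readonly)$"), "server_login"),
]

def map_groups(directory_groups, rules=MAPPING_RULES):
    """Group-mapping step: each rule whose pattern matches a directory group grants
    its platform group; a directory group matched by no rule grants nothing."""
    granted = []
    for group in directory_groups:
        for pattern, platform_group in rules:
            if pattern.fullmatch(group) and platform_group not in granted:
                granted.append(platform_group)
    return granted

if __name__ == "__main__":
    groups = extract_groups(SAMPLE_ASSERTION)
    print("directory groups:", groups)
    print("platform groups:", map_groups(groups))
```

The "finance" group falls through every rule and grants nothing, which is the behaviour you want from a deny-by-default mapping.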

Page 29: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

RightScale Managed Login

Linux Servers

• RightLink 10 enabled

Identity

• SSH key-based authentication

• Manage SSH keys independent of cloud provider

• Ability to set a user-definable custom login name for users

Access Control

• Group mapping from directory services can enforce who has rights for interactive login to server resources

• server_login can log into running servers

• server_superuser can also run sudo commands

Page 30: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Curated Access to Cloud Resources

Application Catalog

• Self-Service access to the application catalog for launching into the cloud

Access Control

• Self-Service only end-user

• Can only interact with the Application Catalog

Policy

• Cloud Application Template (CAT) defines the design and policy behind applications in the catalog

• Curate available clouds, availability zones, VPCs, instance types, etc.

Page 31: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Scaling Up

Central Management

• Much easier to manage user access & permissions across different accounts, clouds, deployments, etc.

• Group mapping from your directory service lets you manage user grouping in one central place

• Leverage existing user group organization already in your directory service

Automation

• New API for building automation to leverage User Groups, SAML Provisioning Templates & Rules, and future governance controls

Page 32: Ins and Outs of Multi-Cloud IAM: How RightScale Helps

Q&A

• The Definitive Guide to Enterprise Cloud Governance: A Frictionless Approach

• www.rightscale.com/governance