MULTI-CLOUD IDENTITY AND ACCESS MANAGEMENT
Panelists
• Bart Falzarano, Director, Security and Compliance, RightScale
• Andrew Nelson, Product Manager, RightScale
Agenda
• The multi-cloud IAM challenge
• Understanding cloud IAM
• RightScale and multi-cloud IAM
POLLS

Multi-Cloud is an Enterprise Reality
Enterprise Cloud Strategy, 1000+ employees (Source: RightScale 2016 State of the Cloud Report):
• Hybrid cloud 55%
• Multiple public 16%
• Multiple private 11%
• Single public 9%
• Single private 6%
• No plans 3%
Multi-Cloud: 82%

Average # of Clouds Used (all respondents)
                       Public Clouds   Private Clouds
Running applications   1.5             1.7
Experimenting          1.5             1.3
Total                  3.0             3.0
The Multi-Cloud Drivers
1. Operate anywhere
2. Leverage existing investments
3. Optimize costs
4. Access unique capabilities
5. Create resilient architectures
6. Maintain vendor leverage
7. Future-proof your cloud strategy
8. Multi-cloud happens
Match Application Requirements to Clouds (diagram)
• Application Portfolio: App 1, App 2, App 3, App 4, App 5 … App n
• Requirements filters: Performance, Cost, Compliance, Geo-location, Security, Vendors
• Resource Pools: Existing DC, Public Cloud 1, Public Cloud 2, Hosted Private, Internal Private, Virtualized
IAM Solutions Differ Across Clouds (diagram)
• Private Cloud / Virtualization: Data Center, VMware® vSphere®, vCenter Server™, ESXi
• Public Clouds
How do I effectively implement multi-cloud IAM?
Some Key IAM Differences (Amazon AWS IAM vs. Azure IAM / Azure WAAD vs. Google Cloud IAM)

Policies / Roles / Permissions / Tools
• AWS: EC2 API permissions 180+; AWS IAM Policy Generator
• Azure: Dir-Sync between AD and Azure AD / Azure AD B2C extensible policy framework; Azure Role-Based Access Control – over 180 roles and permissions
• Google: Primitive and Curated Roles, 30+ roles (NOTE: some Curated Roles in Beta)

API Integration
• AWS: Y
• Azure: Y – PowerShell, REST API currently for Users, Groups, Relationships, Licenses, SSO
• Google: Y – version 1 currently

Managing Secrets (e.g. SSH key creation, rotation, removal of the key when a user is removed from a project)
• AWS: Y for a single user accessing via SSH – the key can be created, e.g. a key pair .pem file; creation is manual for adding more users
• Azure: Y – VMAccessForLinux extension with the Azure CLI; Y – for RDP via AD, AAD, and Group Policy
• Google: Y – the gcloud tool allows some automation for creation, auto key rotation and deletion when a user is removed from a project. There are also manual options.
Decentralized Cloud IAM Management
No!!
Design/Architecture Considerations
Modern Authentication Protocols
o WS-Federation
o SAML 2.0
o OAuth 2.0
o OpenID Connect
Design Approach
o Federation Approach
o Security Considerations
o Identity Synchronization
o 2FA/MFA options
o Reporting / Auditing / Logging
Access Control / Management Considerations
Key players for Identity Management Services: IDaaS, Gartner 2016 (vendor graphic)
• Authentication and Authorization Security Controls
• Govern and enforce user access
• Least-privilege access
• Configure Role Management
• Context-Based Access Control
• Enable Audit reporting
• Integration w/ 3rd Party Identity Providers, e.g. Okta, Ping Identity, OneLogin, etc.
• SSO SAML, 2FA/MFA, OAuth, ADFS, Azure Active Directory
Auditing / Logging Design Considerations
“Should this person (user) who performs this job function and therefore has these roles assigned (role) be allowed to access this type of data as it applies to this particular account (context)?”
Design Approach
• Log Aggregation
• Syslogs
• SIEM Integration
• HIDS
• Auditing for Cloud, OS/System, Application
• Alerts / Notifications
• WORM Option
• User Behavior / Insider Threat Analytics
RightScale Multi-Cloud Access Controls (diagram: Centralized Logging, SIEM, Logs)
What you get:
• Aggregate accounts across clouds
• Hierarchical organization of accounts
• Security and access controls
• SSO integration
RightScale Access Control (diagram)
• Users A, B, C, D and E authenticate to the Enterprise Account with passwords or SSO
• RightScale Access Control governs Account 1 and Account 2
• Multiple Cloud Accounts; RightScale authenticates to them with cloud credentials
Control Cloud Credentials
Secure AWS Access Control
• Using Cloud IAM with RightScale
o Our support portal page contains information on using, for example, Amazon AWS IAM with RightScale
o By following this configuration guideline we do not require our customers to register their master AWS Access ID and Secret Key with us.
o A similar technique for setting up service account cloud credentials can be used with other cloud providers' IAM offerings, e.g. WAAD and Google Cloud IAM
http://support.rightscale.com/06-FAQs/How_do_I_use_Amazon_IAM_with_RightScale%3F
Active Directory / LDAP Integration
• AD Agents/Connectors
• Okta, Ping Identity, OneLogin
• Enterprise Directory Services
• Active Directory Federation Services (ADFS)
• Windows Azure Active Directory (WAAD)
• Large Scale Provisioning
• RightScale API for user provisioning
• AD / LDAP integration
http://tinyurl.com/m269g4j
Diagram of Multi-Cloud IAM (diagram: Users A–E, Active Directory, ADFS, SAML SSO enabled users)
4. Identity Provider (ADFS) provides AuthN response
5. User A authentication complete
Authorization
6. User A is only authorized to access Account 1; RBAC / user role configuration determines privilege access levels to Account 1
DIRECTORY SERVICE INTEGRATION

SAML Single Sign-On
Central Directory Service
• Your primary repository for user information and organization
• Azure Active Directory, MS Active Directory, OpenLDAP, etc.
SAML Identity Provider Integration
• RightScale has existing capability to provide SSO through a SAML-integrated IdP (PingOne, ADFS, etc.)
• New users authenticating through SSO are automatically provisioned in the RightScale platform
• Permissions for different cloud resources are enforced at the RightScale account level
Directory Service Integration (diagram: Corporate Directory Service, Identity Provider, SAML 2.0, RightScale Governance, RightScale Cloud Management, Resources)
SAML Group Mapping
SAML Assertions
• SAML authority asserts a subject has certain attributes
• Your directory service asserts that an authenticated user is a member of specific groups
SAML Provisioning Templates
• XSL based
• Used to extract specific assertion information such as group membership
Group Mapping Rules
• Regular expression based rules map extracted group information for an authenticated user to RightScale groups
RightScale Groups
• Contain collections of permissions for group members across one or more RightScale accounts
RightScale Managed Login
Linux Servers
• RightLink 10 enabled
Identity
• SSH key-based authentication
• Manage SSH keys independent of cloud provider
• Ability to set a user-definable custom login name for users
Access Control
• Group mapping from directory services can enforce who has rights for interactive login to server resources
• server_login can log into running servers
• server_superuser can also run sudo commands
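The SAML group mapping flow above (assertion → provisioning template → regex mapping rules → RightScale groups) and its use for managed login, as an added Python example that is not RightScale's code. The assertion, the "memberOf" attribute name, the group DNs, the rules and the RightScale group names are all constructed; an XPath query stands in for the deck's XSL-based template.

```python
import re
import xml.etree.ElementTree as ET

# Constructed SAML 2.0 assertion (not from the deck); attribute name and group DNs are assumptions.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>user.a@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=cloud-admins,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=devops-prod,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=finance,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def extract_groups(assertion_xml, attr_name="memberOf"):
    """Provisioning-template step: pull group membership out of the assertion.
    The deck's templates are XSL based; an XPath query stands in for them here."""
    root = ET.fromstring(assertion_xml)
    path = f"./saml:AttributeStatement/saml:Attribute[@Name='{attr_name}']/saml:AttributeValue"
    return [el.text.strip() for el in root.findall(path, NS) if el.text]

# Constructed mapping rules (regex on the directory group DN -> RightScale group); anchored so "cloud-admins-test" cannot match by prefix.
MAPPING_RULES = [
    (re.compile(r"^CN=cloud-admins,"), "rs-admins"),
    (re.compile(r"^CN=devops-(?:prod|staging),"), "rs-ops-superusers"),
    (re.compile(r"^CN=devops-[\w-]+,"), "rs-ops-login"),
]
# Constructed RightScale groups; "admin" is a placeholder, server_login / server_superuser are the managed-login permissions named in the deck.
GROUP_PERMISSIONS = {
    "rs-admins": {"admin"},
    "rs-ops-superusers": {"server_login", "server_superuser"},
    "rs-ops-login": {"server_login"},
}

def map_groups(directory_groups, rules=MAPPING_RULES):
    """Groups matching no rule are dropped: no rule, no RightScale group."""
    return sorted({rs for g in directory_groups for pat, rs in rules if pat.search(g)})

def permissions_for(assertion_xml):
    """Assertion -> directory groups -> RightScale groups -> union of their permissions."""
    perms = set()
    for rs_group in map_groups(extract_groups(assertion_xml)):
        perms |= GROUP_PERMISSIONS.get(rs_group, set())
    return sorted(perms)

if __name__ == "__main__":
    print(map_groups(extract_groups(SAMPLE_ASSERTION)), permissions_for(SAMPLE_ASSERTION))
```

A directory group that matches no rule (finance above) yields nothing, so a user's RightScale access is exactly the union of the rules that fire.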
Curated Access to Cloud Resources
Application Catalog
• Self-Service access to the application catalog for launching into cloud
Access Control
• Self-Service only end-user
• Can only interact with the Application Catalog
Policy
• Cloud Application Template (CAT) defines the design and policy behind applications in the catalog
• Curate available clouds, availability zones, VPCs, instance types, etc.
Scaling Up
Central Management
• Much easier to manage user access & permissions across different accounts, clouds, deployments, etc.
• Group mapping from your directory service lets you manage user grouping in one central place
• Leverage the existing user group organization already in your directory service
Automation
• New API for building automation to leverage User Groups, SAML Provisioning Templates & Rules, and future governance controls
Q&A
• The Definitive Guide to Enterprise Cloud Governance: A Frictionless Approach
• www.rightscale.com/governance