CIS13: Avoiding the Pitfalls of Managing IAM for a Hybrid Environment
•
2 recomendaciones•985 vistas
Chris Bauserman, Senior Director of Product Marketing, Cloud and SaaS, SailPoint This session will discuss how next-generation IAM strategies can holistically address the security and compliance requirements of mission-critical applications and data that span an enterprise's data center, cloud and mobile environments. Chris Bauserman will also provide technical insights to help attendees answer these questions: · How do I provide full account lifecycle management? · How do I ensure consistency across provisioning and runtime access? · How do I provide a single-point for end user self-service? · How do I efficiently and securely manage a bridge to on-prem IT? · How do I implement audit, governance and compliance?
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Destacado
Destacado (15)
Similar a CIS13: Avoiding the Pitfalls of Managing IAM for a Hybrid Environment
Similar a CIS13: Avoiding the Pitfalls of Managing IAM for a Hybrid Environment (20)
Más de CloudIDSummit
Más de CloudIDSummit (20)
Último
Último (20)
CIS13: Avoiding the Pitfalls of Managing IAM for a Hybrid Environment
- 1. Echo in the Silo Avoiding the Pitfalls of Managing IAM for a Hybrid Environment Chris Bauserman, Director of Product Marketing Cloud Identity Summit 2013
- 2. 2 Goals for this Session § Recap challenges in IAM for today’s Hybrid IT § Explore approaches that avoid these pitfalls § How do I provide full account lifecycle management? § How do I ensure consistency across provisioning & runtime access? § How do I provide a single-point for end user self-service? § How do I efficiently and securely manage a bridge to on-prem IT? § How do I implement audit, governance & compliance? § See this approaches in action with customer case studies
- 3. ECHO IN THE SILO
- 4. 4 Echo in the Silo § IAM was born in a world of change & isolation… § Mainframe -> Distributed -> Web § “Silos of management” – designed for IT users § Fragmented, isolated, stand-alone tools & management processes
- 5. 5 Echo in the Silo § But we learned our lessons well… § A single point of visibility, management & controls § Built for the business user § Focus on business models with sustainable controls & governance
- 6. 6 Echo in the Silo § Now infrastructure change is accelerating again… § Cloud, mobile and social - distribution at a new level § User experience is king § Cost reduction is mandatory
- 7. 7 Echo in the Silo § And silo is creeping back! § Management by infrastructure type § Stand-alone tools and administration processes § Fragmentation & isolation of IAM processes & practices CloudIAM AWSIAM MDM SharePoint
- 8. 8 Echo in the Silo § Can you hear the echo? § How do I provide full account lifecycle management? § How do I ensure consistency across provisioning & runtime access? § How do I provide a single-point for end user self-service? § How do I implement audit, governance & compliance?
- 9. THE PITFALLS
- 10. 10 The Red Pill or the Blue Pill?
- 11. 11 Cloud (network) Centric Identity Enterprise (domain) Centric Identity The Blue Pill - How We’d Like Things To Be MobileCloud Social Enterprise Applications LAN HR Business Process Policy & Control Process Identity & Attribute Data Session & User Experience
- 12. 12 Cloud Cloud (network) Centric Identity Enterprise (domain) Centric Identity The Red Pill – How Things Often Really Are MobileCloud Enterprise Applications LAN HR Business Process Social MDM Active Directory Sync
- 13. 13 Cloud IAM Pitfalls § Pure AD sync cloud propagation for SSO & provisioning § Firewall & agent issues § The group overloading and de-provisioning issues § No business engagement / oversight / controls § Account-level provisioning § Lack of fine-grained entitlements § No understanding of “entitlement” § Loosely attached to corporate JML § Making it stand-alone! § Isolated user experience § No common policy or controls § Not integrated with enterprise IAM
- 14. 14 Mobile IAM Pitfalls § AD sync for mobile account propagation § Infrastructure focused & “fragile” § The group overloading and de-provisioning issues § No business engagement / oversight / controls § SSO model inconsistencies § Lack of a commonly adopted standards for mobile app SSO § No common keychain or account store § Separate platforms, approaches and user experiences § MDM Tools are not IAM centric § Device centric not identity centric § Everything's the same but everything is different… § Not integrated with enterprise IAM processes
- 16. 16 Cloud (network) Centric Identity Enterprise (domain) Centric Identity Avoiding the Pitfalls MobileCloud Social Enterprise Applications LAN HR Business Process Policy & Control Process Identity & Attribute Data Session & User Experience
- 17. 17 Avoiding the Pitfalls Cloud (network) Centric Identity Enterprise (domain) Centric Identity MobileCloud Social Enterprise Applications LAN HR Business Process Internal IAM Control Point External IAM Control Point Identity Data Access Data Controls Context Policy Data
- 18. 18 Avoiding the Pitfalls Cloud (network) Centric Identity Enterprise (domain) Centric Identity MobileCloud Social Enterprise Applications LAN HR Business Process IAM Gateway IDaaS Control Point Push Change Pull Change
- 19. 19 Avoiding the Pitfalls § Extend enterprise IAM to meet the cloud § Connectors for leading SaaS apps § Provisioning & SSO working hand-in-hand § Connected business processes § Inter-connected IAM & Mobile Device Management (MDM) § Treat the MDM platform like a provisioning connector § Connect & model “entitlements” § Provision as part of existing Joiner/Mover/Leaver flows § Full governance visibility and control § Capture and correlate full record of app usage: cloud and internal § Drive additional AuthN requirements based on ‘whole identity’ § Incorporate SaaS and BYOA in certifications and self-attestations
- 20. 20 Avoiding the Pitfalls § Resiliency to operate ‘disconnected’ from cloud § Avoid unnecessary cloud to on-premises round trips § Cache policy and sessions for local app SSO § Firewall-friendly, self-managing on-prem integration point § Don’t expose inbound firewall ports or use costly VPNs § Consolidate with self-updating, self-monitoring virtual appliance § Remember what we’ve learned so far § Consistent business-level user interface § Integrated visibility, controls & governance § IAM does not work in a silo!
- 21. 21 A Secure IAM Gateway Appliance SailPoint Access Management Managed Virtual Appliance Request Queue REST/SSL Request REST/SSL Response Identity & Access Management Payload Standard 443 Port Long Polling
- 22. 22 Virtual Appliance Organization Authentication Pass Phrase Managed Virtual Appliance The Gateway Process… Organization Customer REST API Managed Virtual Appliance Reverse Proxy Gateway Management Management Queue Config & State Request Response Registration Code & Configuration Cloud Connector Gateway
- 23. 23 Deployment Scenario On-PremEnterpriseIDaaSCloud SailPoint Access Management Active Directory SAP SharePoint Concur TripIt Box LinkedIn SFDC SAML Service Now Gmail Workday RACF Portal IWA & PTA Password Managed IAM Appliance Reverse Proxy Managed IAM Appliance Cloud Connector Gateway
- 25. 25 Manufacturer Transitioning to “Cloud First” Business Drivers § Increased SaaS adoption § Internal WAM missing SLAs Solution § Hybrid IAM: SSO as SaaS, IAG/provisioning on-premises § Web-proxy virtual appliance Results § Greater SSO uptime § Cost savings via soft tokens § Smarter certifications based on actual usage
- 26. 26 Retailer Creates 360o Consumer Experience Business Drivers § Build interactive community § Support huge traffic spikes Solution § B2C portal with social sign-on and step-up assurance § SaaS IdP to partner apps § REST APIs to analytics Results § Elastic capacity to handle peak loads at substantial cost saving § Lowers user registration friction while meeting PCI § Rich set of data for marketing
- 27. 27 “Those who cannot remember the past are condemned to repeat it” George Santayana
- 28. Q&A