1. Identity and Securing Continuous Services in Discontinuous Infrastructure
Steve Coplan, Analyst
CLIENT EVENT: BOSTON, DECEMBER 1, 2010
2. The 451 Group
Analyzing the business of Enterprise IT Innovation
Unique Analysis of the Hosting, Managed Service, Third-Party Datacenter and Internet Infrastructure sectors
The Uptime Institute is the leading independent think tank and research body serving the global datacenter industry.
3. About
§ Longstanding member of the 451 analyst team
§ Startup experience at acquired security vendor
§ Expertise in M&A, networks
§ Only security analyst with a degree in Zulu
3 Client Event: Security |
4. Agenda
§ What do we mean by identity in the cloud?
§ Cloud security models from an IAM perspective
§ Security models and compliance
§ Cloud, security and identity in the cloud
§ The transition from identity in the cloud to cloud identity
§ What's the identity in the cloud opportunity?
5. The Intersection of Cloud and Identity
Enterprise identity:
§ Authenticated employee
§ Group member
§ Provisioning target
§ Role-defined
§ Authorization set
Cloud service providers:
§ Customer
§ Service provisioning construct (revenue event)
§ Customer profile
§ Service contention priority
§ SLA input
Cloud can be a:
● Shared resource (customer, partner, employee)
● Private cloud
● Off-premise servers, storage, applications
● Hybrid
Cloud users can be:
● IT administrators buying cloud resources
● Enterprise users consuming SaaS applications
● Developers running applications/QA on PaaS
● Cloud service providers running a set of services for enterprises
6. Objective and Outcome-Oriented Security
Outcome:
§ Ensure everyone does what they are supposed to
§ Establish a normative set of behaviors around the transfer and consumption of information
• How to translate this outcome to a set of continuous services?
Objective:
§ Secure the infrastructure and IT operations
§ Keep out the bad guys
• How to translate this objective to a discontinuous infrastructure?
7. Defining Outcome-Oriented Security
§ Outcome-oriented security is contingent on a set of policy statements
§ Policy - A principle or rule to guide decisions and achieve rational outcome(s)
Central policy definition is great, but what about exceptions?
Policy is king, but a king in a constitutional monarchy
§ Business owners, application owners need delegation capabilities
8. Outcome-Oriented Security and Compliance
Growing overlap in spending, definitions and operations between compliance and policy
§ Need to drive automation of compliance processes leads to governance, e.g. access certification
§ Visibility is compliance's greatest gift
9. Defining Outcome-Oriented Security
Questions remain:
§ How can we enforce stated policy?
A stated policy does not an enforced policy make
How do we define current state against stated outcome?
Visibility is only a precursor to enforcement
§ Where does trust, privacy and liability fit in?
10. What does this have to do with identity and the cloud?
Identity is important because:
§ Compliance requirements invoke identity attributes or definitions, access controls and authentication
§ Identity pivot construct in defining access controls for the cloud
• Need to know who you are to describe what you can/can't do
§ Identity single control construct for multiple resources
• SSO functions as a normalized event stream for a user
• Cloud Hybridization, Desktop Virtualization, Device Proliferation escalate need for a consolidated identity and abstracted attributes
11. What does this have to do with identity and the cloud?
Identity in the cloud is important because:
§ Identity is the common point of reference for discontinuous infrastructure
§ Identity is a key parameter for making sense of visibility
§ Who is the first question from a business context and by extension policy
13. The Intersection of Cloud and Identity
Identity management vendors are from Mars:
§ View identity as a middleware layer or service
§ View cloud, virtualization and mobile
Cloud service providers are from Venus:
§ View identity as a platform component
§ View identity as a service enablement construct
Different understanding of the function of identity
§ Identity management vendors still dealing with technical challenges of portable identity
§ Cloud service providers see need for portable identity associated with portable image
Need for a match.com broker?
14. Identity in the cloud: A maturity model
Operational Portability → Managed Portability (Infrastructure) → Native Portability (Architecture)
15. From Identity In the Cloud to Cloud Identity: Maturity Model
Columns: Maturity stage | Customers | Technology Elements | Providers | Delivery Model

Maturity stage: Operational Portability
Customers: Enterprise (identity providers); Service Providers (relying parties); SaaS providers; PaaS providers
Technology Elements: SSO; Authentication; Federation (SAML, OpenID, OAuth, WS-Fed); Application Access Control
Providers: Identity management vendors (incumbents, venture-funded partners); Federation hubs; Platform vendors
Delivery Model: Hybrid: on-premise gateways; Federation gateways

Maturity stage: Infrastructure (Managed Portability)
Customers: Identity Providers; Cloud Service Providers; Identity as a Service Providers
Technology Elements: Authorization (XACML); Provisioning/Governance; Cloud access gateways; Trust brokers; User privacy stores
Providers: PaaS/SaaS Providers; Identity management vendors; Cloud service providers
Delivery Model: From the cloud: authentication, SSO, trust services; To the cloud: provisioning; In the cloud: directory in the cloud

Maturity stage: Architecture (Native Portability)
Customers: Enterprise; Cloud service providers
Technology Elements: Embedded middleware; Attribute sources; Attribute assurance; Trust brokers
Providers: Cloud service providers; PaaS providers; Identity Providers; Identity as a service; Cloud federation vendors; Incumbents
Delivery Model: In the cloud: service federation, image federation; Run-time authentication, authorization and provisioning
17. Identity in the cloud: A tale of many markets
Enterprise ID Extension (to, from, in the cloud) | Services | Transactional (Identity providers)
18. Identity in the cloud: Meta-issues
Liability | Trust/Assurance | Value
19. From Identity In The Cloud to Cloud Identity: Requirements
Columns: Maturity stage | Characteristics | Affinities | Meta-Issues

Maturity stage: Portability
Characteristics: Automation (+++); Security (+); Granularity (+/-)
Affinities: Compliance Automation; Governance
Meta-Issues: Liability (++); Trust/Assurance (++); Value (+)

Maturity stage: Infrastructure
Characteristics: Automation (+++); Security (++); Granularity (+)
Affinities: Policy Management; Information Management; Software Infrastructure as a Service
Meta-Issues: Liability (++); Trust/Assurance (++); Value (++)

Maturity stage: Architecture
Characteristics: Automation (++++); Security (++); Granularity (+++)
Affinities: Service Enablement; Big Data
Meta-Issues: Liability (+++); Trust/Assurance (+++); Value (+++)
20. Identity In the Cloud: Strategic But Also Lucrative?
Arms dealer:
§ Incumbents transitioning from enterprise sales model
§ Architecture question still unresolved
§ Build or embed?
Services:
§ To, from and for the cloud
§ Diversity of new players
§ New market segments open
Transactional Model:
§ Consumerization of enterprise identity
§ Trust substrate
§ Tollgate model
21. Identity In the Cloud: Winners and Losers?
It’s how you play the game
End users
§ Getting automation, granularity right yields security
§ Sets the stage to answer the question "what could you do in the cloud"
Identity management vendors
§ Architectural issues, sales model major challenges
§ Their game to lose
Independent identity as a service/federation/authorization vendors
§ New markets, technology categories opening up
22. Identity In the Cloud: Winners and Losers?
It’s how you play the game
Platform vendors forge into the new frontier
§ VMWare, Microsoft duke it out for end user tier
§ PaaS players make a development, embedded run-time play
Identity providers
§ If you build it, they come
§ Value contingent on required trust, attribute assurance for transaction
Cloud service providers
§ Associating a portable image with a portable identity
§ Unified cloud environment/integration provider