© 2013 SecureAuth. All rights reserved. Tutorial: Constructing and Securing Applications for Deployment in the Cloud


Page 1

Tutorial: Constructing and Securing Applications for Deployment in the Cloud

Page 2

WHAT IS THE CLOUD?

Definition:

• Remotely hosted computing resources that are accessible over a network.

• Typically accessed by users using a thin client via a web browser or lightweight desktop/mobile app through the Internet.

• Comprised of:

  • Infrastructure as a Service (IaaS)

  • Platform as a Service (PaaS)

  • Software as a Service (SaaS)

The public cloud is based on a multitenant architecture that allows it to dynamically scale and provision as customers need.

Page 3

WHAT CAN I DO IN THE CLOUD?

• Office & Messaging software

• DBMS software

• Management software

• CAD software

• Development software

• Virtualization

• Accounting

• Collaboration

• Customer relationship management (CRM)

• Management information systems (MIS)

• Enterprise resource planning (ERP)

• Invoicing

• Human resource management (HRM)

• Content management (CM)

• Service desk management

Cost-effective solutions, typically on a subscription model.

Page 4

THE PUBLIC CLOUD PYRAMID

(Pyramid diagram, layers from top to bottom: SaaS, PaaS, IaaS, Virtualization, Hardware.)

The public cloud is based on a multitenant architecture that allows it to dynamically scale and provision as customers need.

The services you depend on are based on the infrastructure of your providers. Set your expectations appropriately.

Multi-tenancy advantages:

• Instant provisioning – create new environments with just a few clicks.

• Economies of scale – Individually managing infrastructure is much more onerous and expensive, taking provider focus from innovation and customer success.

• Customer success – Multi-tenancy allows the provider development team to better view how their product is being used by everyone and continually address issues and build out new features.

Page 5

AUTHENTICATION AND ACCESS - THE PROBLEMS WE CAN CONTROL…

Individual identities with replayed credentials are no longer adequate.

Issues with this setup:

• Identity information stored at too many locales.

• Identity information easily obtained through social methods.

• Password reset conducted through easily-penetrable (human) methods.

• Multifactor authentication typically missing and not consistent.

• A compromised account can most probably be replayed at other providers.

Page 6

AUTHENTICATION AND ACCESS… PART II

A single identity with a single protected access point is ideal.

Transform your organization into an identity provider with the appropriate security controls:

• Retain the “Keys to the kingdom”:

• Retain the identities (ID/Passwords)

• Conduct the Authentication (ID/Password, 2-Factor, AD-SSO, etc.)

• Federate the Identity

• Log the Access

Page 7

BECOMING AN IDP

Definition:

• A system that creates, maintains, and manages identity information.

• Provides principal authentication to other service providers (applications) within a federation or distributed network.

• The IdP sends an attribute assertion containing trusted information about the user to the Service Provider (SP) without the user password!

An IdP (Identity Provider) establishes a circle of trust between the User and the Service Provider, i.e. the applications.

1. User directed to IdP

2. IdP authenticates user

3. User redirected to SP with token

(Diagram: "Scope of Trust" between the User, the Enterprise Identity Provider (IdP) and the Service Provider (SP); arrows 1, 2 and 3 correspond to the steps above.)

Page 8

WHAT WILL BE THE BENEFIT OF BECOMING AN IDENTITY PROVIDER?

An Identity Provider can apply the same POLICIES, PROFILE & PROCEDURES to Mobile, Cloud & Web/Network.

Page 9

Secure Cloud Deployment

Page 10

Requirements for the Identity Provider:

• Identify the identity provider information

  • Single or multiple stores?

• Classify which users in the data store to allow access

  • In groups or separate stores?

• Determine authentication method per application

  • Same for all users, or mapped to user groups?

• Determine devices

  • Desktop and/or Mobile?

• Determine the federation method

  • SAML, WS-FED, Forms posting, etc.?

• Determine SSO

  • To other SaaS, Web, Mobile resources?

• Log access

  • Locally (SIEM) or cloud?

IMPLEMENT A SECURE CLOUD DEPLOYMENT (IDP/ SP)

Page 11

1. Identify the Identity Provider Information Source

• AD, ADAM, LDAP, SQL, ODBC

• AD: Single or multiple domain/forest

Questions:

• Is the data consolidated in a single store?

• Is all the relevant profile information in a single store?

• Authentication information

• Profile information for resource or authentication information

• Is the data store local or remote?

• Will there be user data on-boarding?

  • And how will it be conducted?

IMPLEMENT A SECURE CLOUD DEPLOYMENT (IDP/ SP)

Page 12

2. Classify Which Users to Allow Access

• AD Groups, LDAP Structure, SQL/ODBC Tables

Questions:

• Which users do you want to allow access to the resource?

• How do you have them stored in your enterprise?

• What mechanisms for organization? (Groups, OUs, etc.)

• And…

  • What identity information should be passed to the SaaS app?

  • Where is this information? The identity store or a separate table?

IMPLEMENT A SECURE CLOUD DEPLOYMENT (IDP/ SP)

Page 13

3. Determine Authentication Method for Resource

• ID/Password, SMS, Telephony, X.509, CAC/PIV, NFC Prox USB key, PIN, Help Desk, Mobile Token, KBA/KBQ, Kerberos

Questions:

• Know your three R’s – they apply to the cloud as much as to the Enterprise:

• Roles

• Resources

• Regulations

• This will determine the authentication method

• Also…

• Authentication matters based on:

• Location (On-premise, off)

• Country

• Devices (from enterprise portal, other apps)


IMPLEMENT A SECURE CLOUD DEPLOYMENT (IDP/ SP)

Page 14

4. Determine Device(s)

• Desktop and/or Mobile

Questions:

• Is there a separate app for:

• Desktop?

• Mobile?

• Is there just a browser based app?

• Then something like SAML alone could work

• But…

• If there is a mobile app as well

• What is the vendor’s tie-in between apps?

  • Browser/Mobile

• Are they integrated or separate logon/stores?

IMPLEMENT A SECURE CLOUD DEPLOYMENT (IDP/ SP)

Page 15

5. Determine the Federation Method

• SAML (1.1, 2.0, IdP-init, SP-init)

• WS-Fed, OAUTH, OpenID, Token, other (forms post)

Questions:

• What identity receiving mechanisms does the resource support?

- Documented/Published/Utilized?

• 3rd Party:

• Is there a GUI for integration?

• Or does support have to be contacted?

• Home Grown:

• Has a system been integrated?

• Should a “SAML-Lite” consumer technology be investigated?

IMPLEMENT A SECURE CLOUD DEPLOYMENT (IDP/ SP)

Page 16

6. Determine SSO

• Internal: AD-SSO (Kerberos)

• External: Other SaaS, other Web Apps

Questions:

• Do you want your users to have “AD-SSO” (Desktop) SSO?

• For internal usage?

• Do you want users to have SSO between:

  • Other SaaS resources:

• Google, Salesforce, O365, Taleo, Concur, ADP, OracleCRM, Workday

  • Web resources:

    • Sharepoint, ASP.NET, WebLogic, Oracle ERP, IBM, WebLogic, J2EE, Drupal

  • Existing WAM resources:

    • CA SiteMinder, Oracle Access Manager, Tivoli Access Manager, F5 APM, etc.

• Existing Portals

• Other partner Sites

IMPLEMENT A SECURE CLOUD DEPLOYMENT (IDP/ SP)

Page 17

7. Log the Event

• Syslog or other event logging

Questions:

• How are you going to log the cloud event?

• To your internal/external SIEM?

• Does the vendor have a mechanism?

• Probably not?

• So…

• The IdP/SP model solves this

• All authentications brought back to the enterprise

• For logging and…

• Accounting

• Can bill by group, department, organization

IMPLEMENT A SECURE CLOUD DEPLOYMENT (IDP/ SP)
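The three-step IdP/SP flow from page 7 (user sent to the IdP, IdP authenticates, user returned to the SP with a token carrying attributes but no password), the per-application access classification from step 2, and the "all authentications brought back to the enterprise for logging" point from step 7, worked through as an added Python illustration. This is not SecureAuth code and not SAML: it assumes an HMAC key shared between IdP and SP where a SAML deployment would use the IdP's X.509 signature, and every user, group, Service Provider URL and password below is constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: the IdP signs assertions with an HMAC key shared with the SP.
# A real SAML deployment signs the XML assertion with the IdP's X.509 key instead.
IDP_SIGNING_KEY = b"constructed-idp-signing-key-not-a-real-secret"
ASSERTION_LIFETIME = 300  # seconds an assertion stays valid at the SP

_SALT = b"constructed-static-salt"  # one salt for brevity; use a per-user salt in practice


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed identity store: credentials stay here, inside the enterprise (step 1).
IDENTITY_STORE = {
    "alice": {"pw": _hash_password("constructed-password-1"),
              "groups": ["finance", "staff"], "email": "alice@example.com"},
    "bob": {"pw": _hash_password("constructed-password-2"),
            "groups": ["staff"], "email": "bob@example.com"},
}

# Which user groups each Service Provider may receive (step 2). Hypothetical SP ids.
SP_ACCESS_POLICY = {
    "https://crm.example.net": {"finance"},
    "https://wiki.example.net": {"staff"},
}

# Every authentication attempt is recorded here, at the IdP, not at the vendor (step 7).
AUDIT_LOG = []


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest())


def sp_build_authn_request(sp_id: str) -> dict:
    """Flow step 1: the SP redirects the user to the IdP with a request naming the SP."""
    return {"sp_id": sp_id, "request_id": secrets.token_hex(8)}


def idp_authenticate(username: str, password: str, authn_request: dict, now=None):
    """Flow step 2: the IdP verifies the password against its own store, applies the
    per-SP access policy, logs the outcome, and returns a signed assertion carrying
    attributes but never the password. Returns None when anything fails."""
    now = time.time() if now is None else now
    sp_id = authn_request["sp_id"]
    record = IDENTITY_STORE.get(username)
    creds_ok = record is not None and hmac.compare_digest(record["pw"], _hash_password(password))
    allowed = creds_ok and bool(set(record["groups"]) & SP_ACCESS_POLICY.get(sp_id, set()))
    AUDIT_LOG.append({
        "ts": now, "user": username, "sp": sp_id,
        "outcome": "success" if allowed else ("denied" if creds_ok else "bad-credentials"),
    })
    if not allowed:
        return None
    payload = json.dumps({
        "sub": username,
        "aud": sp_id,                      # bound to one SP so it cannot be replayed elsewhere
        "in_response_to": authn_request["request_id"],
        "iat": now,
        "exp": now + ASSERTION_LIFETIME,   # short validity window
        "attrs": {"email": record["email"], "groups": record["groups"]},
    }, sort_keys=True).encode()
    return _b64(payload) + "." + _sign(payload)


def sp_consume_assertion(token: str, sp_id: str, now=None):
    """Flow step 3: the SP checks signature, audience and validity window before it
    trusts the attributes. Returns the claims dict, or None if any check fails."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        payload = _unb64(body)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return None
    claims = json.loads(payload)
    if claims.get("aud") != sp_id or not (claims["iat"] <= now < claims["exp"]):
        return None
    return claims


if __name__ == "__main__":
    req = sp_build_authn_request("https://crm.example.net")
    token = idp_authenticate("alice", "constructed-password-1", req)
    print("SP sees:", sp_consume_assertion(token, "https://crm.example.net"))
    print("Audit log:", AUDIT_LOG)
```

The points the slides make fall out of the code: the SP only ever receives the signed assertion, so a compromised SP does not leak passwords; a token issued for one SP is rejected by another because of the audience check; and the audit record is written at the IdP on every attempt, including failures, which is what makes enterprise-side SIEM logging and per-group accounting possible regardless of whether the vendor logs anything.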

Page 18

Hands-on Tutorial

Page 19

Thank you!

SecureAuth Contacts

Who             Title                         E-mail             Phone
Garret Grajek   CTO/COO                       [email protected]  +1.949.777.6970
Jim Wangler     Director of Sales, Midwest    [email protected]  +1.312.546.9956
Tim Arvanites   Sr. Sales Engineer, Midwest   [email protected]  +1.312.985.1997

http://www.SecureAuth.com