© 2013 SecureAuth. All rights reserved.
Tutorial: Constructing and Securing Applications for Deployment in the Cloud
WHAT IS THE CLOUD?
Definition:
• Remotely hosted computing resources that are accessible over a network.
• Typically accessed by users through a thin client: a web browser or a lightweight desktop/mobile app over the Internet.
• Comprised of:
  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)
The public cloud is based on a multitenant architecture that allows it to dynamically scale and provision as customers need.
WHAT CAN I DO IN THE CLOUD?
• Office & messaging software
• DBMS software
• Management software
• CAD software
• Development software
• Virtualization
• Accounting
• Collaboration
• Customer relationship management (CRM)
• Management information systems (MIS)
• Enterprise resource planning (ERP)
• Invoicing
• Human resource management (HRM)
• Content management (CM)
• Service desk management
Cost-effective solutions, typically on a subscription model.
THE PUBLIC CLOUD PYRAMID
Layers, top to bottom: SaaS, PaaS, IaaS, Virtualization, Hardware.
The public cloud is based on a multitenant architecture that allows it to dynamically scale and provision as customers need.
The services you depend on are based on the infrastructure of your providers. Set your expectations appropriately.
Multi-tenancy advantages:
• Instant provisioning – create new environments with just a few clicks.
• Economies of scale – Individually managing infrastructure is much more onerous and expensive, taking provider focus from innovation and customer success.
• Customer success – Multi-tenancy allows the provider development team to better view how their product is being used by everyone and continually address issues and build out new features.
AUTHENTICATION AND ACCESS - THE PROBLEMS WE CAN CONTROL…
Individual identities with replayed credentials are no longer adequate.
Issues with this setup:
• Identity information stored at too many locales.
• Identity information easily obtained through social methods.
• Password reset conducted through easily-penetrable (human) methods.
• Multifactor authentication typically missing and not consistent.
• A compromised account can most probably be replayed at other providers.
AUTHENTICATION AND ACCESS… PART II
A single identity with a single protected access point is ideal.
Transform your organization into an identity provider with the appropriate security controls:
• Retain the “Keys to the kingdom”:
  • Retain the identities (ID/Passwords)
  • Conduct the Authentication (ID/Password, 2-Factor, AD-SSO, etc.)
  • Federate the Identity
  • Log the Access
BECOMING AN IDP
Definition:
• A system that creates, maintains, and manages identity information.
• Provides principal authentication to other service providers (applications) within a federation or distributed network.
• The IdP sends an attribute assertion containing trusted information about the user to the Service Provider (SP) without the user password!
An IdP (Identity Provider) establishes a circle of trust between the User and the Service Provider, i.e. the applications.
1. User directed to IdP
2. IdP authenticates user
3. User redirected to SP with token
[Figure: scope of trust among the User, the Enterprise Identity Provider (IdP) and the Service Provider (SP), numbered 1 to 3 as in the steps above.]
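The three-step IdP/SP exchange above, as an added example that is not part of the original deck and not SecureAuth's code: a toy enterprise IdP checks the password, issues a time-limited, audience-bound attribute assertion, and the SP verifies that assertion without ever seeing the password. An HMAC over a JSON payload, with a key shared out of band, stands in for the XML signature a real SAML or WS-Fed assertion carries; IDP_KEY, ENTERPRISE_USERS and the function names are assumptions.

```python
import base64, hashlib, hmac, json, secrets

# Constructed toy IdP/SP pair, not SecureAuth code. Real SAML or WS-Fed
# assertions are XML signed with the IdP's private key; an HMAC over a
# JSON payload stands in for that signature so the flow runs offline.
# IDP_KEY, ENTERPRISE_USERS and the function names are assumptions.
IDP_KEY = secrets.token_bytes(32)      # shared with the SP out of band
ENTERPRISE_USERS = {                   # constructed store; plaintext only for the demo
    "alice": {"password": "correct horse", "groups": ["sales"], "mail": "alice@example.com"},
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_authenticate(user: str, password: str) -> bool:
    """Step 2: only the IdP ever sees the password."""
    rec = ENTERPRISE_USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"].encode(), password.encode())

def issue_assertion(user: str, audience: str, now: int, ttl: int = 300) -> str:
    """Step 3: attribute assertion for one SP (audience), time-limited, carrying no password."""
    rec = ENTERPRISE_USERS[user]
    body = {"iss": "enterprise-idp", "sub": user, "aud": audience, "iat": now,
            "exp": now + ttl, "groups": rec["groups"], "mail": rec["mail"]}
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest())
    return payload + "." + sig

def consume_assertion(token: str, expected_audience: str, now: int):
    """SP side: check the signature first, then audience and expiry; None on any failure."""
    payload, _, sig = token.partition(".")
    expected = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        body = json.loads(_unb64(payload))
    except ValueError:                 # bad base64 or bad JSON
        return None
    if body.get("aud") != expected_audience or body.get("exp", 0) <= now:
        return None
    return body

def federated_login(user: str, password: str, sp: str, now: int):
    """Steps 1-3 end to end: the SP only ever receives the signed assertion."""
    if not idp_authenticate(user, password):
        return None
    return consume_assertion(issue_assertion(user, sp, now), sp, now)
```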
WHAT WILL BE THE BENEFIT OF BECOMING AN IDENTITY PROVIDER?
An Identity Provider can apply the same POLICIES, PROFILE & PROCEDURES to Mobile, Cloud & Web/Network.
Secure Cloud Deployment
Requirements for the Identity Provider:
• Identify the identity provider information
  • Single or multiple stores?
• Classify which users in the data store to allow access
  • In groups or separate stores?
• Determine authentication method per application
  • Same for all users, or mapped to user groups?
• Determine devices
  • Desktop and/or Mobile?
• Determine the federation method
  • SAML, WS-FED, Forms posting, etc.?
• Determine SSO
  • To other SaaS, Web, Mobile resources?
• Log access
  • Local SIEM or cloud?
IMPLEMENT A SECURE CLOUD DEPLOYMENT (IDP/ SP)
1. Identify the Identity Provider Information Source
• AD, ADAM, LDAP, SQL, ODBC
• AD: Single or multiple domain/forest
Questions:
• Is the data consolidated in a single store?
• Is all the relevant profile information in a single store?
  • Authentication information
  • Profile information for resource or authentication information
• Is the data store local or remote?
• Will there be user data onboarding?
  • And how will it be conducted?
IMPLEMENT A SECURE CLOUD DEPLOYMENT (IDP/ SP)
2. Classify Which Users to Allow Access
• AD Groups, LDAP Structure, SQL/ODBC Tables
Questions:
• Which users do you want to allow access to the resource?
• How are they stored in your enterprise?
• What mechanisms for organization? (Groups, OUs, etc.)
• And…
  • What identity information should be passed to the SaaS app?
  • Where is this information? The identity store or a separate table?
IMPLEMENT A SECURE CLOUD DEPLOYMENT (IDP/ SP)
3. Determine Authentication Method for Resource
• ID/Password, SMS, Telephony, X.509, CAC/PIV, NFC Prox USB key, PIN, Help Desk, Mobile Token, KBA/KBQ, Kerberos
Questions:
• Know your three R’s – they apply to the cloud as much as to the enterprise:
  • Roles
  • Resources
  • Regulations
  • These will determine the authentication method
• Also…
  • Authentication method depends on:
    • Location (on-premise, off)
    • Country
    • Devices (from enterprise portal, other apps)
IMPLEMENT A SECURE CLOUD DEPLOYMENT (IDP/ SP)
4. Determine Device(s)
• Desktop and/or Mobile
Questions:
• Is there a separate app for:
  • Desktop?
  • Mobile?
• Is there just a browser-based app?
  • Then something like SAML alone could work
• But…
  • If there is a mobile app as well
    • What is the vendor’s tie-in between apps (browser/mobile)?
    • Are they integrated or separate logon/stores?
IMPLEMENT A SECURE CLOUD DEPLOYMENT (IDP/ SP)
5. Determine the Federation Method
• SAML (1.1, 2.0, IdP-init, SP-init)
• WS-Fed, OAUTH, OpenID, Token, other (forms post)
Questions:
• What identity receiving mechanisms does the resource support?
  • Documented/Published/Utilized?
• 3rd party:
  • Is there a GUI for integration?
  • Or does support have to be contacted?
• Home grown:
  • Has a system been integrated?
  • Should a “SAML-Lite” consumer technology be investigated?
IMPLEMENT A SECURE CLOUD DEPLOYMENT (IDP/ SP)
6. Determine SSO
• Internal: AD-SSO (Kerberos)
• External: Other SaaS other Web Apps
Questions:
• Do you want your users to have “AD-SSO” (Desktop) SSO?
  • For internal usage?
• Do you want users to have SSO between:
  • Other SaaS resources: Google, Salesforce, O365, Taleo, Concur, ADP, OracleCRM, Workday
  • Web resources: SharePoint, ASP.NET, WebLogic, Oracle ERP, IBM, J2EE, Drupal
  • Existing WAM resources: CA SiteMinder, Oracle Access Manager, Tivoli Access Manager, F5 APM, etc.
  • Existing portals
  • Other partner sites
IMPLEMENT A SECURE CLOUD DEPLOYMENT (IDP/ SP)
7. Log the Event
• Syslog or other event logging
Questions:
• How are you going to log the cloud event?
  • To your internal/external SIEM?
• Does the vendor have a mechanism?
  • Probably not?
• So…
  • The IdP/SP model solves this
  • All authentications brought back to the enterprise
    • For logging and…
    • Accounting
      • Can bill by group, department, organization
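The logging and accounting points above, as an added example that is not part of the original deck and not SecureAuth's code: the IdP emits one JSON event line per authentication decision (shippable to syslog or a SIEM), and the enterprise bills successful logins by department and SP and flags repeated failures that a SaaS vendor alone would never report. The sample log lines are constructed, and the field and function names are assumptions.

```python
import json
from collections import Counter, defaultdict

# Constructed example, not SecureAuth code: because every cloud login passes
# through the enterprise IdP, the IdP can emit one structured event per
# authentication and the enterprise can both bill by department and spot
# failures the SaaS vendor would not report. Names are assumptions.

def auth_event(ts, user, dept, sp, method, outcome):
    """One JSON line per authentication decision made by the IdP."""
    return json.dumps({"event": "idp-auth", "ts": ts, "user": user, "dept": dept,
                       "sp": sp, "method": method, "outcome": outcome}, sort_keys=True)

def idp_events(lines):
    """Yield only well-formed IdP events; other log lines are skipped, not fatal."""
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if isinstance(rec, dict) and rec.get("event") == "idp-auth":
            yield rec

def chargeback(lines):
    """Successful logins per (department, SP): the basis for billing by group."""
    return Counter((r["dept"], r["sp"]) for r in idp_events(lines)
                   if r.get("outcome") == "success")

def repeated_failures(lines, threshold=3):
    """Users whose failed IdP logins reach the threshold, with the SPs they tried."""
    counts, targets = Counter(), defaultdict(set)
    for r in idp_events(lines):
        if r.get("outcome") == "failure":
            counts[r["user"]] += 1
            targets[r["user"]].add(r["sp"])
    return {u: sorted(targets[u]) for u, n in counts.items() if n >= threshold}

SAMPLE_LOG = [  # constructed sample lines, including two that are not IdP events
    auth_event("2013-06-01T09:00:00Z", "alice", "sales", "crm.example", "sms", "success"),
    auth_event("2013-06-01T09:02:00Z", "bob", "sales", "crm.example", "password", "success"),
    auth_event("2013-06-01T09:05:00Z", "alice", "sales", "hr.example", "x509", "success"),
    auth_event("2013-06-01T09:06:00Z", "carol", "finance", "erp.example", "password", "failure"),
    auth_event("2013-06-01T09:06:30Z", "carol", "finance", "erp.example", "password", "failure"),
    auth_event("2013-06-01T09:07:00Z", "carol", "finance", "crm.example", "password", "failure"),
    "Jun  1 09:08:00 fw01 kernel: unrelated syslog line",
    "{not json",
]
```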
IMPLEMENT A SECURE CLOUD DEPLOYMENT (IDP/ SP)
Hands-on Tutorial
Thank you!
SecureAuth Contacts
Garret Grajek, CTO/COO, [email protected], +1.949.777.6970
Jim Wangler, Director of Sales, Midwest, +1.312.546.9956
Tim Arvanites, Sr. Sales Engineer, Midwest, +1.312.985.1997
http://www.SecureAuth.com