Architecting a cloud-scale identity fabric
Posted on 08-Jun-2015
Execution Environments for Distributed Computing
Architecting a Cloud-Scale Identity Fabric
EEDC
34
33
0
Master in Computer Architecture, Networks and Systems - CANS
Homework number: 5
Group number: EEDC-4
Group members: Josep Subirats, Arinto Murdopo, Juan Luis Pérez
2
Introduction
Cloud => EVERYWHERE
But not for critical workloads
Concerns about security
3
Introduction
Identity management in the Cloud is difficult:
– Its cross-cutting nature.
– Its impact across architectural and organizational domains.
– Many companies not equipped to manage identities.
New approach:
Identity Fabric
4
Not only performance scalability
Management scalability
– Speed at which an organization can deploy, integrate and administer a system over time.
[Figure: scalability of infrastructure vs. identity management]
5
Identity management
Before: identities stored in directories and databases
6
Identity management
Today: identity as a fabric
[Figure: Cloud Apps / Enterprise Apps]
7
Cloud-scale identity fabric
Access control and authorization.
Authentication, federation and SSO.
User account management and provisioning.
Auditing and compliance.
Cloud platform architectural requirements.
8
Access control and authorization
Users outside the private network
– Authorization: a distributed model to support users outside the firewall.
Rising number of users
– ACLs are no longer practical
– Authorization can be scaled by using a distributed, federated model
Authorization decisions must happen quickly and support high volumes of traffic
9
Authentication, federation and SSO
Federation concept based on a trust model between entities.
Modern federations base this trust model on an XML-based open standard, SAML.
– But SAML has only 10% adoption => excessive costs
Solution: focus on the core HTTP authentication standard.
10
User account management and provisioning
Managing data about users is a challenge in the Cloud.
– App-specific user management
– User management APIs are neither consistent nor standardized.
– The absence of universal user schemas for directories makes building general-purpose management tools difficult
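The provisioning problem on this slide, as an added worked example that is not part of the homework: a small adapter layer hides two constructed applications with incompatible user APIs (one keyed by e-mail with no notion of groups, one keyed by login that wants a single role string) behind a common user record, so that onboarding, offboarding and an orphan-account audit each become one call. The applications, adapters, group-to-role mapping and sample users are all constructed for the illustration.

```python
"""Provisioning across apps whose user APIs and schemas differ: one adapter
per app maps a common user record onto that app's own API.  Added
illustration, not code from the EEDC homework; both applications and the
sample data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """The common record the management tool works with."""
    user_id: str
    email: str
    display_name: str
    groups: tuple


class CrmApp:
    """Constructed app: keys contacts by e-mail, deactivates rather than deletes,
    has no notion of groups."""

    def __init__(self):
        self.contacts = {}

    def create_contact(self, email, full_name):
        self.contacts[email] = {"fullName": full_name, "active": True}

    def deactivate_contact(self, email):
        self.contacts[email]["active"] = False

    def list_active(self):
        return [e for e, c in self.contacts.items() if c["active"]]


class WikiApp:
    """Constructed app: keys users by login, wants one role string, deletes hard."""

    def __init__(self):
        self.users = {}

    def add_user(self, login, name, role):
        self.users[login] = {"name": name, "role": role}

    def remove_user(self, login):
        self.users.pop(login, None)

    def list_logins(self):
        return list(self.users)


class CrmAdapter:
    """Maps the common record onto the CRM's e-mail-keyed API."""
    name = "crm"

    def __init__(self, app: CrmApp):
        self.app = app

    def provision(self, u: User):
        self.app.create_contact(u.email, u.display_name)

    def deprovision(self, u: User):
        if u.email in self.app.contacts:
            self.app.deactivate_contact(u.email)

    def key_for(self, u: User):
        return u.email

    def account_keys(self):
        return set(self.app.list_active())


class WikiAdapter:
    """Maps the common record onto the wiki's login-keyed API; the group list
    collapses to the one role string the wiki understands (constructed rule)."""
    name = "wiki"

    def __init__(self, app: WikiApp):
        self.app = app

    def provision(self, u: User):
        role = "admin" if "wiki-admins" in u.groups else "editor"
        self.app.add_user(u.user_id, u.display_name, role)

    def deprovision(self, u: User):
        self.app.remove_user(u.user_id)

    def key_for(self, u: User):
        return u.user_id

    def account_keys(self):
        return set(self.app.list_logins())


class Provisioner:
    """The general-purpose tool the slide says is hard to build without a
    common schema; here the adapters supply that schema."""

    def __init__(self, adapters):
        self.adapters = list(adapters)

    def onboard(self, u: User):
        for a in self.adapters:
            a.provision(u)

    def offboard(self, u: User):
        for a in self.adapters:
            a.deprovision(u)

    def orphaned_accounts(self, directory):
        """Accounts alive in an app for nobody in the directory: the usual
        leftover of manual, per-app offboarding."""
        orphans = {}
        for a in self.adapters:
            extra = a.account_keys() - {a.key_for(u) for u in directory}
            if extra:
                orphans[a.name] = sorted(extra)
        return orphans
```

The audit method is the part worth keeping: once every app is reachable through an adapter, comparing each app's live accounts against the directory is a cheap, repeatable check that offboarding actually reached every system.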
11
Auditing and compliance
Users of external apps cannot be monitored.
Laws are complex and often contradictory depending on the jurisdiction.
The industry needs a framework to meet global jurisdictional challenges.
12
Cloud platform architectural requirements
IaaS providers offer storage and databases as a service
… but what about identity and access management?
Virtual platforms cannot handle the access management overhead.
Solution: a proxy-based approach that doesn't overload the Web/Application servers.
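Slides 8, 9 and 12 together describe a relying party that accepts users from outside the firewall, trusts an external identity provider, decides authorization quickly from a policy it holds itself, and keeps all of that work off the application servers. The following added example (not code from the homework or from any vendor) sketches that as an identity-aware proxy in Python: the identity provider issues an HMAC-signed assertion carried in the plain HTTP Authorization header (standing in for SAML's signed XML), the proxy checks it against a trust store of issuer keys, evaluates a locally held group policy, and forwards the request to the application with identity headers after stripping any the client supplied itself. Issuer names, keys, policy rules, paths and the echo backend are constructed assumptions.

```python
"""Identity-aware proxy: federated authentication over the HTTP
Authorization header, a locally evaluated group policy, and identity
headers injected for the backend.  Added illustration, not code from the
EEDC homework or any vendor; the HMAC-signed assertion stands in for
SAML's signed XML, and all issuers, keys, rules and requests are constructed."""
import base64
import hashlib
import hmac
import json


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Issues a compact signed assertion: <base64url claims>.<base64url HMAC>."""

    def __init__(self, issuer: str, key: bytes):
        self.issuer, self.key = issuer, key

    def issue(self, subject: str, groups: list, audience: str, now: int, ttl: int = 300) -> str:
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "groups": groups, "exp": now + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return body + "." + sig


class IdentityProxy:
    """Sits in front of the application servers, which never see raw credentials."""

    def __init__(self, audience: str, trusted_issuers: dict, rules: set, backend):
        self.audience = audience
        self.trusted = trusted_issuers   # issuer -> shared key: the federation trust model
        self.rules = rules               # (group, path, method), replicated to every proxy
        self.backend = backend           # callable(path, method, headers) -> response dict

    def verify(self, token: str, now: int) -> dict:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
        groups = claims.get("groups") if isinstance(claims, dict) else None
        if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
            raise ValueError("malformed claims")
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            raise PermissionError("untrusted issuer")
        expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("bad signature")
        if claims.get("aud") != self.audience:
            raise PermissionError("assertion was issued for another audience")
        if claims.get("exp", 0) <= now:
            raise PermissionError("expired")
        return claims

    def authorize(self, claims: dict, path: str, method: str) -> bool:
        # Deny by default; decided in memory with no call back to a central ACL.
        return any((g, path, method) in self.rules for g in claims["groups"])

    def handle(self, path: str, method: str, headers: dict, now: int) -> dict:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return {"status": 401, "headers": {"WWW-Authenticate": 'Bearer realm="apps"'}}
        try:
            claims = self.verify(auth[len("Bearer "):], now)
        except (PermissionError, ValueError, TypeError):
            return {"status": 401, "headers": {"WWW-Authenticate": 'Bearer error="invalid_token"'}}
        if not self.authorize(claims, path, method):
            return {"status": 403, "headers": {}}
        # Drop the credential and any X-Auth-* header the client set itself: the
        # backend must only ever see identity values written by this proxy.
        forwarded = {k: v for k, v in headers.items()
                     if k != "Authorization" and not k.lower().startswith("x-auth-")}
        forwarded["X-Auth-User"] = str(claims.get("sub", ""))
        forwarded["X-Auth-Groups"] = ",".join(claims["groups"])
        return self.backend(path, method, forwarded)


def echo_backend(path: str, method: str, headers: dict) -> dict:
    """Constructed stand-in for an application server behind the proxy."""
    return {"status": 200, "headers": headers}
```

Two details carry the security of this pattern. The issuer's key is looked up before the signature is checked, but the signature covers the claims that name the issuer, so a forged issuer name either points at no key (rejected) or at a key the forger does not hold (rejected). And the proxy overwrites the X-Auth-* headers on every request; that only helps if the application servers are reachable exclusively through the proxy, since an application that also accepts those headers on a direct path would trust whatever a client wrote there.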
13
Identity must integrate, extend and abstract
Without integration (each app keeps its own credentials):
10.000 users x 15 apps = 150.000 credentials; x $30 management cost = $4.5 million in management.
$50.000 cost per connection x 15 apps = $750.000 integration expense.
With integration:
10.000 users, 15 apps = 10.000 credentials (93% reduction); $50.000 integration expense.
14
Identity must integrate, extend and abstract
Identity network effect
– The benefit of a new identity deployment extends to other network members by being connected.
Abstraction
– App developers build identity into the app itself
– Externalizing identity:
• Developers focus on improving their apps
• Enterprises can manage identity across multiple apps more efficiently
15
Identity infrastructure as a service
Identity management for the cloud must evolve to:
– Be standardized.
– Be accessible to multiple applications and users.
Companies need to think less about identity technology and focus instead on
– Service-level agreements
– Service management
16
Identity infrastructure as a service
Image obtained from http://www.symplified.com/us/products/symplified/features.html
17
Conclusions
The new Cloud environment requires a new approach to identity management.
Identity fabric in a federation.
Identity infrastructure as a service.