CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Posted on 08-Sep-2014

DESCRIPTION

John Tolbert, Fortune 50 Company

An examination of the often complex mix of scalability, interoperability, and security requirements that certain industries face, and what is needed for these types of organizations to be able to fully leverage the benefits of the cloud.

Transcript

Is The Cloud Ready for Enterprise Security Requirements?

John Tolbert

The Cloud

A Huge Success Story
- Rent what you need, rather than buy
- Simplify data center management
- Scalable
- Fast provisioning and de-provisioning

Security Requirements

- Consumer Privacy
- Regulatory compliance: SOX, HIPAA, Export regulations

More Security Requirements

- Intellectual Property: Licensing and Collaboration; Background and Foreground IP; Trade Secret Protection
- High Security / High Assurance: NIST 800-63 Level 3 and 4 authentication; Fine-grained access controls; Need-to-know

Authorization is like fashion

Informal attire is fine for a day at the lake, but admission to certain venues requires formal wear.

Image: http://upload.wikimedia.org/wikipedia/commons/3/39/MITO_Orchestra_Sinfonica_RAI.jpg

[Figure: Access Control, showing one request denied (X) and one permitted (OK)]

Organizations need to collaborate with business partners

- The cloud is a natural place for collaboration
- Easy to set up workspaces as needed
- Identity management can be a combination of federated identities for those with robust IAM infrastructures and cloud-managed identities for business partners without the heavy-duty IAM infrastructures
- Protecting intellectual property in collaborative environments can be a challenge

Enterprise IAM infrastructure in place

[Diagram: Enterprise IAM Infrastructure (LDAP, SAML, SSO, XACML PAP, XACML PEP, XACML PDP, Enterprise Applications) alongside The Cloud (SaaS, IaaS, PaaS, File Repositories, Web Apps, Cloud IAM), with SCIM linking enterprise applications and Cloud IAM]

Evolution of access controls

[Diagram: a timeline from Users and Groups, through RBAC, to ABAC and PBAC, captioned "IAM Solution Complexity Evolves To Meet Scalability and Granularity Requirements"; the union of Attribute and Policy is Policy/Attribute Based Access Control]

Policy/Attribute-based access control

- XACML for consistent attribute-based access control in both the cloud and on-premise infrastructure
- Profiles for privacy, export controls, intellectual property controls, and data loss prevention
- Interoperability at the transport layer
- Can facilitate the migration to a Mandatory Access Control (MAC) model

Fine-grained Authorization

- Subject identity is just one variable in the authorization equation
- Resources have identities too! Resource attributes must also be evaluated in runtime authorization decisions

[Diagram: the four inputs to an authorization decision: Subject, Resource, Environment, Action]

Fine-grained AuthZ

Two major categories of data necessitate two different approaches:
- Unstructured data: standardized metadata tags on data objects
- Structured data: policy-based access controls applied via SQL and web application proxies
- Backend Attribute Exchange: one domain trusts another to provide authoritative attributes for authenticated users

Metadata tagging and AuthZ

[Diagram: a document is created, passes through Document Content Analysis, and has metadata applied (e.g. "Class: Top Secret"). At access time the XACML PEP reads the metadata and passes it to the XACML PDP as Resource Attributes; the PDP combines these with Subject Attributes for the user, obtained from LDAP, to reach a Decision.]

Sample document image: By United States Air Force, 718 Bot at en.wikipedia [Public domain], from Wikimedia Commons, http://upload.wikimedia.org/wikipedia/commons/6/62/1948_Top_Secret_USAF_UFO_extraterrestrial_document.png

Policy-based SQL and application proxies

[Diagram: a Thick Client App reaches its DB through a SQL/XACML PEP, and a Web App reaches its DB through a WAF/XACML PEP. Both PEPs consult the XACML PDP, which takes policies from the XACML PAP and subject attributes from LDAP. Only the row/column results that match policies are returned, and only the application actions that match policies are allowed.]

Backend Attribute Exchange

[Diagram: User authenticates in Domain A (LDAP, SAML, SSO); User requests access to a resource (Web App) in Domain B; Domain B SSO gets attributes from Domain A over SAML; User receives access in Domain B.]

Assumption: Domain B trusts that Domain A is authoritative for specific attributes about users originating from there.

Mandatory Access Control

Gov't Classification    Commercial Analogs
Unclassified            Public Domain
Confidential            Confidential
Secret                  Competition Sensitive / Restricted
Top Secret              Limited Distribution

Bell-LaPadula (confidentiality): No Read Up, No Write Down
Biba (integrity): No Read Down, No Write Up
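As an added example, not part of the deck: a small Python policy decision point in the style the slides describe. Resource attributes are lifted from the metadata tags stamped on a document, combined with subject and environment attributes, and checked against Bell-LaPadula's no-read-up and no-write-down rules on the classification scale above, with commercial labels normalised through the analogs in the table. The attribute names, the project tag used for need-to-know and the partner/corporate-network rule are constructed for this example.

```python
# Added example, not from the deck: a minimal attribute-based PDP. Attribute
# names, the project (need-to-know) tag and the partner rule are constructed.

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
COMMERCIAL_ANALOG = {  # commercial labels normalised to the gov't scale
    "Public Domain": "Unclassified",
    "Competition Sensitive": "Secret",
    "Restricted": "Secret",
    "Limited Distribution": "Top Secret",
}


def level(label):
    """Rank of a classification label, or None if the label is unknown."""
    label = COMMERCIAL_ANALOG.get(label, label)
    return LEVELS.index(label) if label in LEVELS else None


def resource_attributes(metadata):
    """Parse 'Key: Value' tags read off a document into resource attributes."""
    attrs = {}
    for line in metadata.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip().lower()] = value.strip()
    return attrs


def decide(subject, resource, action, environment):
    """Return 'Permit' or 'Deny'; anything not explicitly permitted is denied."""
    subj, res = level(subject.get("clearance")), level(resource.get("class"))
    if subj is None or res is None:  # untagged data is never released
        return "Deny"
    # Environment attribute: business partners only from the corporate network
    if subject.get("affiliation") == "partner" and not environment.get("corp_network"):
        return "Deny"
    need = resource.get("project")  # need-to-know via a project tag
    if need and need not in subject.get("projects", ()):
        return "Deny"
    if action == "read":
        return "Permit" if subj >= res else "Deny"  # no read up
    if action == "write":
        return "Permit" if subj <= res else "Deny"  # no write down
    return "Deny"


# Constructed sample: tags stamped on a document by the metadata-application step
DOC_TAGS = "Class: Top Secret\nProject: blue"
ANALYST = {"clearance": "Secret", "projects": ["blue"], "affiliation": "employee"}
```

Calling `decide(ANALYST, resource_attributes(DOC_TAGS), "read", {"corp_network": True})` returns "Deny" because a Secret-cleared subject may not read up to Top Secret, while the same request with action "write" is permitted.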

Compliance Monitoring and Risk Management

Standardized authentication and authorization mechanisms for consistent enforcement and reporting

Integration with Security Incident and Event Management for real-time alerting

Integration with GRC software

Conclusion

Is the cloud ready for enterprise security?
- Yes, some providers offer solutions in most areas described above.
- Cloud service providers will capture more customers with high security service offerings.
- Resource identities (attributes) are just as important in access control decisions as subject identities.
