Web, Mobility and Cloud Security
Building a Secure Bridge to the Cloud
Ramon Peypoch – Vice President, Network & Cloud Security (Vice President Global Business Development, McAfee)
Andy Thurai – Intel® Application Security & Identity Products Group, CTO & Chief Architect (Chief Architect and CTO, Application Security and Identity Products, Intel)
An Intel Company
1. Application complexity is increasing with the cloud ecosystem
Cloud computing: everything and the kitchen sink (diagram: app server, database, kitchen sink, PC, mobile, code)
Application Complexity is Growing
2. Using context-driven security models to build trust
(Diagram: financial services, telecom, government, enterprise, social media and cloud apps, connected through reputation, trust management, attestation, relationship management and context)
3. Cloud transparency is a BIG challenge (diagram: The Cloud vs. Your Network)
• Application Complexity
• Context-Driven Security
• Cloud Transparency
Cloud Penetrates the Enterprise
84% of enterprises are using it; annual spending: $112B
The Power of Cloud Computing
• Business agility
• Cost efficiencies
• Enhanced innovation
• Improved IT services
However, security remains the roadblock
• Data loss
• Identity
• Information governance
• Data control
(Diagram: Cloud Ecosystem – enterprise users, mobile users and private cloud applications on one side; partners, cloud vendors, applications and customers on the other; traffic channels for web (authentication, access control), email (data loss prevention) and intrusion)
Cloud Security Platform
• Global Threat Intelligence
• Unified Management, Policy and Reporting, ePO Integration
• Modules (SaaS or appliance): Services Gateway, Identity Manager, Email Security, Data Loss Prevention, Web Security
(Diagram: the platform sits between enterprise users, mobile users and private cloud applications and the cloud ecosystem of partners, cloud vendors, applications and customers)
Intel ASIP solution set
• MIM (McAfee Identity Manager)
• MSG (McAfee Service Gateway)
– McAfee Service Gateway
– McAfee CSB (Cloud Service Broker)
– McAfee API Gateway
• McAfee TB (Tokenization Broker)
April 11, 2023
Consistent Security Across Cloud Traffic Channels
Interoperable cloud security modules, or operate stand-alone (App-to-Cloud and User-to-Cloud)
• McAfee ePO – integrated monitoring for cloud apps
• McAfee Web Gateway – to the cloud: web filtering; from the cloud: AV & malware
• McAfee DLP – to/from the cloud: data leak protection
• McAfee Global Threat Intelligence – provides real-time URL and connection reputation
• McAfee Services Gateway – app API & web service security
• McAfee Identity Manager – cloud SSO, strong auth, provisioning
Single Sign-on to the Cloud – McAfee Cloud Identity Manager (diagram: enterprise to cloud)
More Secure Cloud SSO – Federated User Access
Combining Federal Strong Auth with SSO
Columns: Provision, Access, Secure SSO, Compliance
• Provision/de-provision user accounts
• AD integration
• Sync Id profiles
• Rich audit trail of user login showing AuthN level
• De-provision & orphan account reports
• Federate Windows/AD log-in via SAML, OAuth
• Eliminate insecure passwords
• Cloud-ready connectors
Adaptive Strong Auth
• 2nd-factor OTP AuthN
• Variety of AuthN methods: mobile devices, SMS, email
(Diagram: user-to-cloud access, agency AD to the cloud)
• Federated SSO is a pillar for NSTIC, ICAM, and other federal identity initiatives
• Drives strong auth access and cross-agency collaboration
• Supports log-in using private sector identity credentials such as OpenID, PayPal, OAuth
• Supports Trust Framework LOA level of access level 3 with SAML ID support
• GSA listed
Direct from Intel, or from McAfee as Cloud Identity Manager
Only 3-in-1 product to manage user-to-cloud access
Cloud Access Models
Secure & Simplify Consumption of Enterprise/Cloud Apps – McAfee Services Gateway (diagram: enterprise to services/APIs to cloud providers)
Rise of Cloud Service Broker – Widely Recognized as Key Capability for Cloud
NIST – USG Cloud Computing Reference Architecture (diagram):
• Cloud Consumer
• Cloud Auditor: Security Audit, Privacy Impact Audit, Performance Audit
• Cloud Provider: Service Layer (SaaS, PaaS, IaaS); Resource Abstraction and Control Layer; Physical Resource Layer (Hardware, Facility); Cloud Service Management (Business Support, Provisioning/Configuration, Portability/Interoperability); Security; Privacy
• Cloud Broker: Service Intermediation, Service Aggregation, Service Arbitrage
“By 2015, at least 20% of all cloud services will be intermediated via CSBs” – Daryl Plummer, Managing VP, Gartner Fellow
CSB: on-prem CSB or 3rd-party intermediary
• Identity as a Service
• Security as a Service
• Trust as a Service
• Value-added processing
• Packaged API-level policies
• Security, governance, integration
• Solves complexity, overhead
Capabilities available today using Gateway Cloud Service Broker appliance software; IT departments can run it on-prem
APIs are the New Cloud Control Point – 1/3 of enterprise traffic is now API based
(Diagram: enterprise APIs to cloud providers; applications move off premise and leverage third-party services)
APIs are Strategic Control Points for Cloud (diagram: API broker between enterprise and cloud)
Core Apps: CRM, Workflow, Doc Mgt, IAM, ERP/Mainframe
Apps: SaaS CRM, Partner B2B, Social Mashups
API Management Control
• Performance Management
• Integration & Service Lifecycle Management
• Enforce Access & ID Token Translation
• Threat Protect – DoS, Content Threats
• Visibility, Auditing, Usage
Service Gateway Revealed
• FIPS 140-2 Level 3 Crypto (optional)
• Common Criteria EAL4+
• DoD STIG Ready & PKI Certified
• HSM PKI key storage (optional)
• Cavium crypto acceleration
• Form factors: software, virtual, and tamper resistant
• GSA listed
Tech Agnostic
• REST, SOAP, JSON
• XML, Binary, ASCII
• HTTP, FTP, TCP, JMS, MQ, Custom
Performance
• Optimized for Intel chips
• Tie-in to chip roadmap
• Efficient XML parsing at chip level
No Programming / Coding
• Simple visual workflow building tool
Flexible
• Routing
• Transform
• Validation
• Service Call-outs
• Firewall rules
Federal Initiatives
Program: Identity Credential and Access Management (ICAM), BAE, HSPD-12, PIV
Intel / McAfee Solution: Enabling federated access, cloud SSO, account provisioning, strong auth software one-time passwords; authenticating web services, SOAP, REST; exposing secure APIs

Program: NSTIC – provides an “identity ecosystem” for individuals/organizations to utilize secure identity solutions to access online services
Intel / McAfee Solution: Enabling federated access, cloud SSO, account provisioning, strong auth software one-time passwords

Program: DoD Public Key Infrastructure – data integrity, user identification and authentication, user non-repudiation, data confidentiality, encryption and digital signature services
Intel / McAfee Solution: Ability to authenticate and validate certificates against the DoD root authority

Program: NIEM (National Information Exchange Model) – NIEM will be the method by which state, local, and tribal agencies share information with federal agencies
Intel / McAfee Solution: Service gateways provide a fast path to handle the complex XML processing requirements for NIEM

Program: OMB CyberScope – provides federal agencies an automated method for submitting FISMA audit results
Intel / McAfee Solution: McAfee Policy Auditor, a SCAP-validated product that works with the IPS and endpoint products to report audit information; the Vulnerability Manager / CyberScope Data Feed Generator tool helps generate a data feed report that can be submitted to the CyberScope application
Tokenization Broker
• Flexible software appliance form factor
• Secure appliance form factor
• Tokenization
Feature Summary
• Token Vault
• Authentication & Access Control
• High performance, optimized for Intel® Multi-Core
Benefit Summary
• Reduce or remove payment applications and databases from PCI scope
• Own and manage PAN data on-premise with a secure hardware appliance
• Easily choose the tokenization scheme appropriate for your business
• Minimize change to existing applications compared to E2E encryption
• Address more than 200 PCI compliance requirements through gateway tokenization
Internal Tokenization: Use Case (Intel® Expressway Tokenization Broker)
1. Documents containing PAN data arrive at the point of capture application.
2. The TB generates tokens for the PAN data, encrypts and stores the PANs in the Secure Vault, and routes the documents to their destination.
3. Output documents contain tokens in place of PAN data, in print-equivalent or machine-readable XML.
4. The application forwards the document to backend applications.
Downstream applications receive documents with tokens rather than PANs and benefit from reduced or eliminated PCI scope (reduced scope or out of scope). The Tokenization Broker can reverse a token from the Secure Vault.
Token Exchange Benefits:
• Wide range of formats
• Wide range of protocols
• Strong authentication
• Secure channel
• Enterprise IDM
• Format-preserving surrogate tokens
• Single-use or multi-use tokens
• Secure vault
• Strong PAN protection
• Multiple token generation options
• Physical security (appliance SKU only)
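The use-case flow and the token exchange benefits above (format-preserving surrogate tokens, single-use or multi-use tokens, a secure vault that can reverse a token), shown as an added Python sketch that is not Intel's Expressway Tokenization Broker code. The vault key, the sample document and the 4111... test card number are constructed, and the keyed XOR stream stands in for the appliance's HSM-backed encryption.

```python
import hashlib, hmac, re, secrets
PAN_RE = re.compile(r"\b\d{13,19}\b")  # candidate PANs inside a document
SAMPLE_DOC = "<payment><pan>4111111111111111</pan><amount>10.00</amount></payment>"  # constructed

def luhn_ok(digits: str) -> bool:
    """Luhn check: only plausible card numbers are tokenized, other digit runs pass through."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenVault:
    """Toy Secure Vault: token -> encrypted PAN, plus a keyed index for multi-use tokens."""
    def __init__(self, vault_key: bytes, multi_use: bool = True):
        self._key = vault_key          # constructed; the appliance would keep this in its HSM
        self.multi_use = multi_use     # multi-use: same PAN -> same token; single-use: new token per call
        self._by_token = {}            # token -> (nonce, encrypted PAN)
        self._by_pan = {}              # HMAC(PAN) -> token, only populated for multi-use vaults

    def _keystream(self, nonce: bytes) -> bytes:
        # Simplified keyed XOR stream standing in for real authenticated encryption.
        return hmac.new(self._key, nonce, hashlib.sha256).digest()

    def tokenize(self, pan: str) -> str:
        idx = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        if self.multi_use and idx in self._by_pan:
            return self._by_pan[idx]
        # Format-preserving surrogate: same length, BIN and last four kept, random middle digits.
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            if token != pan and token not in self._by_token:
                break
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(pan.encode(), self._keystream(nonce)))
        self._by_token[token] = (nonce, ct)
        if self.multi_use:
            self._by_pan[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Reverse a token from the vault; callers are authenticated by the gateway, not here."""
        nonce, ct = self._by_token[token]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce))).decode()

def tokenize_document(vault: TokenVault, doc: str) -> str:
    """Point-of-capture step: replace every Luhn-valid PAN in the document with a token."""
    return PAN_RE.sub(lambda m: vault.tokenize(m.group()) if luhn_ok(m.group()) else m.group(), doc)
```

Downstream systems only ever see the output of tokenize_document, so they hold no PAN; only the component holding the vault can call detokenize.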
One Trusted Vendor to Address Your Critical Cloud Security Needs
• XML Transformation
• Monitoring & Reporting
• Policy Enforcement
• ID Brokering
• Trust
• Federal PKI/DoD Bridge
• FIPS L3 Crypto
• Multi-Protocol Content Inspection
• Cyber Defense
• Cloud API
• Federal Cloud Security Paper
• Test Drive
• Cloud Access 360 Data Sheet
• Service Gateway Data Sheet
Other Webinars in Info Library:
• NIEM enablement in 60 days
• Portable Security Architecture to Establish Cross Domain
• How to Combat Advanced Persistent Threats
www.intel.com/go/identity
email: [email protected]