
February 2014

IBM Security Services

Securing the Cloud: Identity and Access Management for / from Cloud
Neeraj Kurulkar – Global Offering Manager - IAM, IBM Security Services

Source*: “IDM2011 London IAM Cloud Nov11.ppt” published by Robin Cohan – Senior Product Manager
© 2014 IBM Corporation
Identity and Access Management For / From The Cloud

Agenda

• IAM - an ever-growing technology
• Cloud Computing Market Overview
  – Cloud trends, usage scenarios
  – “Secure by Design” – security is fundamental for the cloud
  – Customer concerns, goals – what is required?
• Approaches to Cloud Security – what kinds of solutions are available?
• Use case examples – how cloud-based solutions are being deployed


Key takeaways

• Security is a key concern for cloud environments
  – It can be an inhibitor to cloud adoption
  – But it can be addressed: cloud environments can be just as secure as traditional environments
• Today’s Identity and Access Management security solutions help address cloud security needs
• While adjusted approaches may be needed for cloud deployments, existing enterprise security solutions can work equally well in both cloud and traditional environments
• Our “real world” examples show how customers secure their cloud environments


IAM – an Ever Growing Technology


Identity and Access Management (IAM) Solution Overview


Cloud, mobile, social media, and information trends impact the future design and use of identity and access management, changing methods of delivery and enhancing business relevance

Cloud Computing: Users require secure and manageable access to Cloud/SaaS services. Managing identities in a hybrid enterprise/cloud world will be complex.

Mobile Computing: Securing connectivity to corporate applications is top of mind as organizations broaden support for mobility, challenging IAM architecture and integration capabilities.

Social Media: A hybrid enterprise/social identity can enable additional user access options and quicker delivery of service. At the same time it challenges IAM policy and privacy.

Information: Leveraging identity and access activity data for business intelligence demands changes in the IAM organization to leverage skills in analytics and advanced data management.


IAM secures user access to data and applications across the enterprise as well as to cloud and mobile environments

[Diagram: IAM at the centre, connecting Partners and Channels (Business Partners, Suppliers, Vendors), Social Sites and Identities, SaaS, Enterprise Applications (Active Directory, Lotus Notes, SAP) and Mobile Devices, Apps, and Identities]

Identity Mgt: Account Provisioning; User Lifecycle Mgmt; Password Self-Service; Access Certification
Access Mgt: Authentication; Authorization; B2B/B2C Single Sign On; SaaS Single Sign On


Changing user behaviors and rapid business transformations are driving the need for more effective Identity & Access Management

Audit Failures and Regulatory Compliance: Whether there is an actual audit failure or a need to pre-empt one and respond, auditors are requiring IT and LOB owners to demonstrate that appropriate user access controls are in place.

Advanced Threat: B2B and B2C users and their on-line or mobile access present a weak link into the enterprise. Without strong identity controls, once breached, hackers can gain unfettered access to sensitive resources.

Data Center Consolidations / Private Clouds: Data center consolidation and private cloud projects result in a high concentration of virtual and physical servers, accessible ubiquitously to a large number of users and system administrators. It is critical to control access of those users using a scalable policy-based approach.

Public Cloud & Social Access: With public clouds and social access, your data is only as secure as its access - it is important that strong controls be put on the exposed resources to ensure only authorized individuals can access this data.


What is Cloud Computing?


An Example - Cloud

Source* : IBM Press Release: http://www-03.ibm.com/press/ie/en/pressrelease/37897.wss#release



Cloud is a shift in the consumption and delivery of IT with the goal of simplifying to manage complexity more effectively.

• Cloud is:
  – A new consumption and delivery model
• Clouds come in various forms:
  – Multiple deployment models:
    • public, private, hybrid
  – Multiple delivery models:
    • Infrastructure as a Service (IaaS),
    • Platform as a Service (PaaS),
    • Software as a Service (SaaS) and
    • Business Process as a Service


Deployment Models

• Public Clouds
  – Hosted, operated and managed by a third-party vendor
  – Security and day-to-day management by the vendor

• Private Clouds
  – Networks, infrastructures, data centers owned by the organization

• Hybrid Clouds
  – Sensitive applications in a private cloud and non-sensitive applications in a public cloud


Cloud Services Delivery Model

SaaS
– Rents software on a subscription basis
– Service includes software, hardware and support
– Users access the service through an authorized device
– Suitable for a company that wants to outsource hosting of apps

PaaS
– Vendor offers a development environment to application developers
– Provides development toolkits, building blocks, payment hooks

IaaS
– Processing power and storage service
– The hypervisor is at this level


IAM For / From The Cloud


Identity & Access Management – Cloud Perspectives

• To the Cloud (today’s focus): managing identity and access for enterprise applications/infrastructure hosted in a cloud environment
  – Simplify security controls for both on- and off-premise services with centralized identity management

• In the Cloud: help cloud service providers manage their cloud identity and access infrastructure for their clients

• From the Cloud: IAM services provided as a cloud-based offering, rather than on premise (IAM as a service - IAMaaS)


Approach: align security plans with each phase of a cloud project or initiative

Design – Establish a cloud strategy and implementation plan to get there.
  IBM Cloud Security Approach: Secure by Design – focus on building security into the fabric of the cloud.
  Example security capabilities: Cloud security roadmap; Secure development; Network threat protection; Server security; Database security

Deploy – Build cloud services, in the enterprise and/or as a cloud services provider.
  IBM Cloud Security Approach: Workload Driven – secure cloud resources with innovative features and products.
  Example security capabilities: Application security; Virtualization security; Endpoint protection; Configuration and patch management

Consume – Manage and optimize consumption of cloud services.
  IBM Cloud Security Approach: Service Enabled – govern the cloud through ongoing security operations and workflow.
  Example security capabilities: Identity and access management; Secure cloud communications; Managed security services


Entry points to get started with security solutions for cloud

AREA | Top concern | Solution
GRC | Understand the concerns of your unique cloud initiative | IBM Cloud Security Roadmap Service
Identity | Enable single sign on across multiple cloud services | IBM Tivoli Federated Identity Manager Business GW
Data | Protect and monitor access to shared databases | IBM InfoSphere Guardium
Intrusion | Defend users and apps from network attacks | IBM Security Network Intrusion Prevention System
Virtualization | Protect VMs and hypervisor from advanced threats | IBM Virtual Server Protection for VMware
Patch Management | Provide patch and config management of VMs | IBM Tivoli Endpoint Manager for Security and Compliance

(The original chart also marks each solution against the Design / Deploy / Consume phases it applies to.)

Cloud Security On Ramps


Getting Started On Ramp for the Cloud: Federated Access/Identity Management

• Identity Federation enables web single sign on across applications
  • Access controls on cloud applications
  • Provide users with the ability to single sign on to multiple Web-based cloud applications with disparate user IDs/passwords
  • Self service identity registration, validation and processing of user credentials

Know who can access the cloud
Single access method for users into the workload aware Cloud


Beyond the basics: Next steps in IAM for Cloud Security

• Add full Identity and Access Assurance solutions
  – Build on Access and Authorization Control
  – Full life-cycle user/identity management
  – Role-Based Identity and Access Management
  – Privileged Identity Management
  – Security Information and Event Management

Add Identity and Access Assurance to manage Identities, Entitlements, Access Control and Auditing

Summary: Improved visibility and securely connect users to the workload aware cloud – enforce auditable access & enable secure collaboration. Know who can access the cloud; single access method for users into the workload aware Cloud.

Cloud Use Case: Federated SSO to SaaS/cloud; self service identity provisioning, validation and processing of user credentials.

Deployment Scenario: Hosted, managed FIM deployed as a Cloud Service Provider

[Diagram: Service Requestor and 3rd Party Cloud connecting through IAA to Service Management, Systems Management, Image Management and the Computing Infrastructure (Systems, Storage, Network)]


Customer Cloud Use Cases

Customer use case example: Large French Energy producer
Enterprise expansion - Securing public cloud access

Requirements
• Extend on-premise IAM infrastructure to support new cloud applications
• Secure employee access to SaaS applications (Google Apps, Salesforce) deployed at worldwide level
• Provide a worldwide common infrastructure and approach to manage identity and federated SSO
  – Internal/traditional applications and new external SaaS ones
• Provision and de-provision users in the SaaS partner’s registry

Solution:
• Use a common identity management solution architecture across all domains for user provisioning and password management
  – Provision and de-provision users based on enterprise role
  – User and manager initiated entitlement requests
  – Administrators of each business unit can manage their users’ rights
• Federate access, exchanging the identities through SAML tokens. A strong authentication solution can be added later to enhance security
  – Enable enterprise users to seamlessly access SaaS resources based on authenticating to the enterprise directory
  – Allow users to land in the SaaS application in context, based on web launch points
  – Limit Federated SSO access based on role
[Diagram: Identity Provider side – Company Portal, Federated Access Manager, Enterprise Directory (eg MS AD) and Identity Manager fed by an HR Feed, serving Enterprise Users; Service Provider side – Salesforce.com and Google Apps, reached over the Internet]
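The SAML federation in this use case, and the federated SSO on-ramp of slide 18, both rest on the service provider checking the token it receives from the enterprise identity provider before letting the user land in the application. The following is an added example, not code from the IBM deck or from any IBM product: the service-provider-side acceptance checks on one SAML assertion, including the "limit Federated SSO access based on role" rule. It assumes the SAML library has already verified the XML signature, and the issuer, audience, subject and role values are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; issuer, audience, subject and role are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.energy.example/fim</saml:Issuer>
  <saml:Subject><saml:NameID>alice@energy.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-02-10T09:00:00Z" NotOnOrAfter="2014-02-10T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://crm.saas.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>sales</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

TRUSTED_ISSUER = "https://idp.energy.example/fim"   # the enterprise identity provider (assumed)
MY_AUDIENCE = "https://crm.saas.example/sp"         # this service provider's entity ID (assumed)
ALLOWED_ROLES = {"sales", "sales-manager"}           # roles entitled to SSO into this SaaS app


def _ts(value):
    """Parse the UTC timestamps used in SAML Conditions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_assertion(xml_text, now_iso):
    """Return (accepted, reason, subject). XML-DSig verification is assumed to have run before this."""
    root = ET.fromstring(xml_text)
    now = _ts(now_iso)
    if root.findtext("saml:Issuer", default="", namespaces=NS) != TRUSTED_ISSUER:
        return False, "untrusted issuer", None
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "missing conditions or outside validity window", None
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if MY_AUDIENCE not in audiences:
        return False, "audience mismatch", None   # token was minted for a different SP
    roles = {v.text for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS)}
    if not roles & ALLOWED_ROLES:
        return False, "role not entitled", None   # limit federated SSO access based on role
    return True, "ok", root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)


if __name__ == "__main__":
    print(evaluate_assertion(SAMPLE_ASSERTION, "2014-02-10T09:02:00Z"))
```

Each rejection reason is a distinct audit event; logging it with the subject and issuer gives the "auditable access" the next-steps slide asks for.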

Customer use case example: Partner SSO

Large Banking Financial Group - Canada
A Commercial Banking line of business (LOB) within a major Canadian Banking Financial Group provides Treasury Management services for commercial and institutional clients

GOALS:
Improve customer experience:
• provide SSO to partner products offered in each of the treasury applications.
Expand business opportunities:
• ease the process of enrollment and access to premium services.
Address competitive banking pressures:
• maintain leadership in offerings; competitors are starting to offer Federated SSO.

SOLUTION: Federated Single Sign On


Summary

• Security is a major concern for cloud deployments, but by building security controls in from the start (“Secure by Design”), cloud environments can be just as secure as traditional deployments
• Identity and access management solutions can help secure the wide variety of cloud deployment types and use cases
  – Different models (e.g. IaaS vs SaaS, public vs. private), different use cases (G2C, B2B, etc.)
  – While adjusted approaches may be needed for cloud deployments, existing enterprise security solutions can be extended to work equally well in both cloud and traditional environments
• Customers today are using enterprise IAM solutions to secure both their cloud and traditional IT environments


IAM-as-a-Service (IAMaaS) is growing at a CAGR of ~30% with client demand increasing

Segment Opportunity
[Chart: Identity and Access Segment Size ($000 USD), 2011 to 2015, series IAM and IAMaaS (Source: IDC, Gartner)]

“Demand remains high from buyers looking to cloud-based security services to address a lack of staff or skills, reduce costs, or comply with security regulations quickly; those without such capabilities need to act quickly to adapt to this competitive threat.”
- Gartner, April 2013

By year-end 2015, IAMaaS will account for 25% of all new IAM sales, compared with less than 5% in 2012 (May 2013).
• Growth to date mostly driven by SMB accessing SaaS applications, but enterprise clients beginning to adopt
• Vendors with deeper functionality for mixture of cloud and on-premise applications also saw significant increase in clients.


The market offers two primary models for IAMaaS delivery to consider: full enterprise-class “IAM in the Cloud” and Web-centric IDaaS

1. Enterprise, Mid market, IAM outsourcing
IAM infrastructure as a (hosted) Service
• User on boarding & provisioning
• Access management & approvals
• Process integration

2. LOBs, SMBs, Application Developers
SSO as a Service; Authentication as a Service; User On/Off-Boarding; Identity Analytics; Access Certification; Application/API Integration

Vendor positions shown on the chart: (IBM), (MSFT centric), (Oracle)
