In IT environments, identity is the key to governance and security. In this session, we discuss the challenges with identity in hybrid environments and some of the solutions. Topics include identity lifecycle management, single sign-on, multi-factor authentication, and dealing with multiple identity providers from different parties. We also cover the security requirements of a hybrid cloud environment: maintaining visbility, encryption, secure remote access, and compliance and auditing requirements.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Hybrid Identity Management and
Security for Large Enterprises
Eric Moore
Chief Technologist, AWS
Integrated Practice
DXC Technology
E N T - 3 0 7
Tom Laszewski
Enterprise Technologist
Amazon Web Services

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
AWS and Hybrid / Multi Cloud
Identity across environments
Visibility, encryption, and access
Audit and compliance
Q&A / Discussion

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Session repeats
Thursday, Month Day
Session Title
1:15 – 2:15 | Aria
Wednesday, Month Day
Session Title
1:45 – 2:45 | Venetian

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Hybrid and Multi Cloud
Hybrid Cloud refers to a combination of public cloud and on-premises systems, which in turn
could be a private cloud.
Hybrid Cloud as a complement to on-premises
Complements on-prem with functionality, scalability, global presence, and more.
Core data synchronized / replicated / joined between the two.
Hybrid Cloud as an extension of on-premises
Apps roughly the same between the two.
All data synchronized / replicated / joined between the two.
Multi Cloud
Refers to the use of multiple public clouds
Becoming the default stance for many large enterprises

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Hybrid Cloud on AWS
Security
(Network, Data, Compute, Identity & Access)
Capabilities: Transport encryption, key/cert
management/control/rotation, high performance,
strong protocols, robust perimeter, DDoS mitigation
tools, mature RBAC, Secret management, intrusion
detection and protection, RBAC, Transport encryption,
encryption at rest, Secret management, directory
integration, roles, permission, logging and monitoring,
penetration testing
AWS Services: Security Groups and NACLs, AWS
Certificate Manager, AWS Shield, AWS Firewall
Manager, AWS WAF, AWS Certificate Manager, AWS
Secrets Manager, AWS Key Management Service, AWS
CloudHSM, Amazon Macie, Amazon GuardDuty, AWS
Organizations, AWS IAM, AWS Directory Service,
Amazon Cloud Directory, Amazon CloudWatch, AWS
CloudTrail
Operations, Management and Monitoring
Data Integration

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Minimize your identity complexity
• Privileged access is the answer to sensitive access
• Temporarily grant additional access to an identity based on approved change or need
• Beware identity sprawl
• It may be appropriate to have a separate identity domain and provider for infrastructure /
production access, but THAT IS IT
• Where you manage identities (authentication) is different than where
you might manage what people can do (authorization)
• Tracking the location of where authorization may be granted is critical to ensuring
compliance with standards. Ideally, all authorization would be based on some form of
membership (RBAC) or metadata (ABAC) stored in the identity provider, but in reality this
rarely happens consistently, and can hurt your agility if updating the provider is overly
onerous

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identity lifecycle management is the biggest gap in
many enterprises cloud identity model
• Learning from the past
• Despite the fact that most legacy identity systems had some form of identity lifecycle
integration, many modern implementations seem to be missing this
• User changed roles? Moved on? Review the authorizations!
• This is where the rubber meets the road on lifecycle. When a user changes roles, you need to
be comfortable your team knows how to review and update all the places that user might
have been granted access
• More than just hired, moved, or left
• People will find issues with permissions in all sorts of context, working an incident,
performing an update or deployment, no matter where or by whom an issue with a
permission set is discovered, it needs to be populated to a central identity team to evaluate
impact to any other users with permissions in the affected system.

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi-Federated Master Identity Model
• Problem: provide a master identity that privileged users have to access
to cloud resources, both web (AWS Management Console, CLI) and
instances (Windows and Linux VMs) that is cloud-based but cloud-
agnostic.
• Solution: use tried-and-true technologies. Microsoft Active Directory /
AD FS hosted in multiple clouds selective cross-forest domain trusts to
resource domains for instance access.
• Use resource domains that contain the computer objects. This domain
then has trusts to multiple domains that provide the user objects and
groups granting permissions. This allows two (or more) user object
stores that can be managed by different organizations (e.g. MSP vs
Client) to provide authentication and authorization from multiple
sources to a single instance.

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi-
Federated
Identity
Model with
Microsoft
Active
Directory

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Visibility, Encryption, and Access
• Visibility is the key to security
• Encryption is essential, but can conflict with visibility, so needs to be
managed appropriately (Centrally managed encryption keys integrated
with appropriate security appliances that support SSL inspection)
• Access across environments requires a mature network model, avoid
many VPNs (MPLS (or rather why to avoid MPLS), and alternatives)
• Challenge is not dissimilar from balancing the agility provided by cloud
(or easy access) and the governance required to have a secure
performant service

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Multi-Cloud Networking and Multi-Cloud Key
Management
• Keeping track of CIDR allocations per cloud and environment allows for
central tools to access resources in different environments
(CMDB/IPAM)
• Key management across clouds is a requirement to maintain
encryption for data crossing environmental boundaries and for traffic
inspection via technologies like transit VPCs
• Set of master keys per cloud backed up outside of said cloud for use
with data at rest is one good approach. TLS/SSL private keys also
backed up outside of the cloud depending on risk approach. Has
implications for traffic inspection.

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Audit and Compliance
• Visibility leads to Audit, trust but verify
• Compliance means setting meaningful standards, and providing the
right tools to make compliance transparent without sacrificing agility
• Standards allow everyone to speak the same language, and have a
common starting point for discussion
• Security wants control for good reason, product owners and developers
want agility for good reason, must find middle ground – clear
consistent standards that are more easily followed and provide
benefits when followed make everyone a lot happier 

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

19. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Eric Moore
emoore@dxc.com
Tom Laszewski
tomlasz@amazon.com

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.