1. How to Implement Novell® Cloud Security Services: Nuts and Bolts
Dale Olds, Distinguished Engineer
Ben Fjeldstet, Sr. Engineer
Tom Cecere, Product Strategy
Novell Cloud Security Service
March 24, 2010
2. Key Takeaways
SaaS adoption is projected to increase three-fold to US$14 billion by 2012, according to Gartner.
"SaaS sprawl" is causing an IT administration and security nightmare for enterprises.
Enforcing consistent policies for internal and cloud applications is key to effective governance.
Novell® Cloud Security Service allows organizations to extend their internal policies, roles and workflows and to manage a multi-SaaS environment consistently.
Novell is a leading provider of identity and security solutions and has been for over 20 years.
© Novell, Inc. All rights reserved.
3. Agenda
Why Novell Cloud Security Service (NCSS)?
®
What Is NCSS and How Does It Work?
Architecture
Deployment Options
4. Creating an IT Administration Nightmare
[Diagram: users reaching many apps and systems, each holding its own copy of user data/permissions, alongside the IT department's directory tools]
Enterprise Challenge
• Multiple usernames/passwords
• Multiple identity silos
• Disparate administration tools
• Challenge in timely deprovisioning of accounts of ex-employees
5. And Concerns Over Security
• DuPont: "When a sales person leaves the company, it takes 10 days to de-provision their account in SalesForce.com. Until then, the sales person has access to his account. This is a real problem."
• International Fragrances & Flavors, at an executive briefing, told us: "We cannot use SaaS until it uses our identity management systems."
• "What's keeping us from getting more large enterprise customers? Trust." – David Carroll, Salesforce.com evangelist
6. Agenda: What Is NCSS and How Does It Work?
7. How Does NCSS Work?
[Diagram: the enterprise user store connects through the Secure Bridge to Novell Cloud Security Services (NCS IdP, user store, AuthN service), which federates to the Relying Party Participant (the SaaS application and its resources) over SAML 1, SAML 2 or WS-Fed. Numbered flows: (1) user authentication, (2) federated assertion to the SaaS application, (3) user access to SaaS resources]
NCSS handles both use cases: a user directly logging into a cloud service, or a user logging into their enterprise system first.
8. NCSS Enterprise Connections with LDAP Identity Stores
• Secure Bridge Service
– SSH Tunneling Services for Identity Verification for NCSS
– Audit Reporting
• Secure Bridge Appliance (Post 1.0)
– Identity Federation to NCSS
– SSH Tunneling Services for Audit Reporting
[Diagram: Identity Store(s) and Audit Server(s) sit behind the Enterprise Firewall; the Secure Bridge is the only component that crosses it]
9. NCSS Enterprise Connections with Existing AM Solutions
• Secure Bridge Service
– SSH Tunneling Services for Audit Reporting
• Access Management Solution Integration
– Quick Start Integration for Common Identity Providers
– SAML 2.0 with HTTP-POST binding capabilities required
[Diagram: Identity Store(s) and Audit Server(s) behind the Enterprise Firewall; the existing access management solution handles identity federation itself, and the Secure Bridge carries only audit traffic]
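The relying-party side of the federation on slides 7 and 9 has to check more than the signature before it trusts the NameID. The following is an added example, not Novell's code and not taken from the deck: it decodes a SAML 2.0 Response as delivered by the HTTP-POST binding and applies the assertion-content checks a SaaS application must make: issuer, audience, validity window with clock skew, Recipient, and InResponseTo, which is what distinguishes the SP-initiated flow from the unsolicited IdP-initiated flow ("user logs into their enterprise system first" on slide 7). The entity IDs, URLs, clock values and the sample response are constructed for the example; XML-DSig verification is assumed to have been done by an XML security library before these checks and is not implemented here.

```python
"""Relying-party checks on a SAML 2.0 Response received over HTTP-POST.

Added example, not Novell code. Signature verification (XML-DSig) is
assumed to have already succeeded; this block covers the content checks
that must follow it. All identifiers below are constructed.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical relying-party configuration.
SP_ENTITY_ID = "https://crm.example-saas.test/sp"
SP_ACS_URL = "https://crm.example-saas.test/sp/acs"
TRUSTED_IDP = "https://ncss.example-provider.test/idp/tenant-a"
CLOCK_SKEW = timedelta(minutes=3)

# Constructed clock values used by the demonstration.
DEMO_NOW = datetime(2010, 3, 24, 17, 1, tzinfo=timezone.utc)
DEMO_LATE = DEMO_NOW + timedelta(minutes=10)


def _parse_time(text):
    # SAML xs:dateTime in UTC, e.g. 2010-03-24T17:00:00Z
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(saml_response_b64, outstanding_request_ids, now, allow_idp_initiated=True):
    """Return (name_id, attributes) for an acceptable response, else raise ValueError.

    outstanding_request_ids: AuthnRequest IDs this SP issued and has not yet
    consumed (SP-initiated flow). A response without InResponseTo is the
    IdP-initiated flow and is accepted only when allow_idp_initiated is True.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP reported failure: %s" % status)

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plain assertion present")  # encrypted assertions not handled here
    if assertion.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        raise ValueError("assertion not issued by the configured IdP")

    cond = assertion.find("saml:Conditions", NS)
    if _parse_time(cond.get("NotBefore")) - CLOCK_SKEW > now:
        raise ValueError("assertion not yet valid")
    if now >= _parse_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion addressed to another audience")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != SP_ACS_URL:
        raise ValueError("Recipient is not this ACS URL")
    if now >= _parse_time(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("subject confirmation expired")
    in_response_to = scd.get("InResponseTo")
    if in_response_to is None:
        if not allow_idp_initiated:
            raise ValueError("unsolicited (IdP-initiated) response rejected by policy")
    elif in_response_to not in outstanding_request_ids:
        raise ValueError("InResponseTo does not match an outstanding request")
    else:
        outstanding_request_ids.discard(in_response_to)  # a request ID is consumed once

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def sample_response(in_response_to=None, audience=SP_ENTITY_ID):
    """Constructed, unsigned response as the SP would receive it (base64 form field)."""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2010-03-24T17:00:00Z" Destination="%s">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-03-24T17:00:00Z">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<saml:Subject><saml:NameID>jdoe@example.test</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        '<saml:SubjectConfirmationData Recipient="%s" NotOnOrAfter="2010-03-24T17:05:00Z"%s/>'
        '</saml:SubjectConfirmation></saml:Subject>'
        '<saml:Conditions NotBefore="2010-03-24T16:59:00Z" NotOnOrAfter="2010-03-24T17:05:00Z">'
        '<saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions>'
        '<saml:AttributeStatement><saml:Attribute Name="role">'
        '<saml:AttributeValue>sales</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>'
    ) % (NS["samlp"], NS["saml"], SP_ACS_URL, TRUSTED_IDP, TRUSTED_IDP, SP_ACS_URL, irt, audience)
    return base64.b64encode(xml.encode()).decode()
```

The Recipient and InResponseTo checks stop an assertion captured at one SP from being posted to another, the audience check stops an assertion minted for one tenant's application from being accepted by a different relying party, and consuming the request ID on first use stops a valid SP-initiated response from being replayed inside its validity window. Whether to accept unsolicited responses at all is a per-application policy decision; the IdP-initiated use case on slide 7 requires it.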
10. NCSS Provider Components
• Multi-tenant Director
– Console hosting (Provider Console, Customer Console)
– Audit Collection/Reporting
– Cost Accounting Collection/Reporting
– Multi-tenant Operations Management
• Per-tenant Security Brokers
– Identity Federation
– Event Routing for Security Brokers
[Diagram: the Director (consoles, audit/billing/operations) above one Security Broker each for Tenant A, Tenant B and Tenant C, each broker providing Identity Federation and Event Routing]
11. NCSS SaaS Connections
• Quick Customer On-boarding
• Per-Customer Services
– Identity Federation (SAML 2.0)
– Audit Reporting
• Large Supported Platform Base
– Java Spring
– Apache
– ...
[Diagram: SaaS connections carrying identity and events across the Hoster/MSP firewall]
12. Agenda: Architecture
13. CSS: Identity and Compliance Services System Architecture
[Diagram: Secure Bridge Services (Protocol Mapping, Event Distribution, Workflow Initiation) connect over an SSH Protocol Tunnel to the CSS Director (Administration, Operations Mgmt) and to the Cloud Security Broker (Authentication, Federation, Attribute Aggregation, Event Distribution, High Availability Engine, Limited Workflow). The broker reaches SaaS/PaaS services such as PivotLink, SharePoint and Google Apps through Identity Federation and RESTful API connections]
14. Secure Bridge Services: Protocol Mapping, Event Distribution, Workflow Initiation
Secure Bridge Services Stack (top to bottom):
• LDAP Server Mapping | HTTP Svcs Mapping | Event Receptor | Limited Workflow API
• CSB Connection Manager
• SSH Tunnel
15. CSS Director: Administration, Operations Mgmt
CSS - Director Stack (top to bottom):
• Administration: Provider Consoles, Customer Consoles, CABE
• Operations Management: Operations Director, Security Manager, Processors
• HTML, JavaScript, GWT, REST APIs, Configuration Distributor, Event Receptor
• CSS Core Services: Instance Manager, Event Receptor Communication (REST), Security Session Manager, Broker (Clustering), Data Store Mgmt (Clustering)
• CSS Service Foundation: Apache / Tomcat, Cloud Service Bus; WS*, AXIS, XMLSEC, XALAN, XERCES, JPA (Hibernate), JAX-RS, JMS/CMS, Log4j/cxx
• Infrastructure Service Foundation: IaaS Management APIs (Cloud Vendor), HTTP Stack (Apache), Messaging Stack (ActiveMQ), SQL Database (SQLite), SSH Tunnel
16. CSS Director (detail): Administration, Operations Mgmt
CSS - Director Stack, top layers expanded:
• Administration
– Provider Consoles: Customer Admin, Identity Services, CABE Services, Operations Management, Security Auditor, Billing Auditor, Help Desk
– Customer Consoles
– Identity Services: CSB Registry, Tenant Segregation
– CABE Services: Config Query APIs, Cert/Key Distribution, Report Generation
– Security Auditor: Reports (billing, etc.)
• Operations Management
– Operations Director: Configuration Distribution, SB Query APIs, Backup/Restore, System Monitoring, Service Migration/Upgrade
– Security Manager: Event Correlation/Aggregation, Event Receptor/Storage
– Processors: Billing Processing
Lower layers (HTML/JavaScript/GWT/REST APIs, CSS Core Services, CSS Service Foundation, Infrastructure Service Foundation) as on slide 15.
17. Cloud Security Broker: Authentication, Federation, Attribute Aggregation, Event Distribution, High Availability, Limited Workflow
CSS – Cloud Security Broker Stack (top to bottom):
• Identity: Authentication Methods, Federation Protocols, Session Attribute Management
• Event Distribution: Event Receptor; Event Processors & Services (Audit, Billing, Operations, with Customer & Provider Views)
• High Availability: CSB Monitor/Scale Triggers
• Workflow: Provisioning
• CSS Core Services: Instance Manager, Event Receptor Communication (REST), Security Session Manager, Broker (Clustering), Data Store Mgmt (Clustering)
• CSS Service Foundation: Java / Apache; WS*, AXIS, XMLSEC, XALAN, XERCES, JPA (Hibernate), JAX-RS, JMS/CMS, Log4j/cxx
• Infrastructure Service Foundation: IaaS Management APIs (Cloud Vendor), HTTP Stack (Apache), Messaging Stack (ActiveMQ), SQL Database, SSH Tunnel
18. Cloud Security Broker (detail): Authentication, Federation, Attribute Aggregation, Event Distribution, High Availability, Limited Workflow
CSS – Cloud Security Broker Stack, top layer expanded:
• Identity
– Authentication Methods: CardSpace, LDAP, OAuth, X.509
– Federation Protocols: SAML 1.1, SAML 2, WS-*
– Session Attribute Management: Aggregation
• Event Distribution
– Event Receptor
– Event Processors (Customer view): Audit, Billing, Operations, Security
• High Availability
– CSB Cluster Annexation Director
– CSB Cluster Monitor
– Service Health Monitor
• Workflow
– User Provision
– User De-provision
Lower layers (CSS Core Services, CSS Service Foundation, Infrastructure Service Foundation) as on slide 17.
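Slides 10 and 18 describe one multi-tenant Director feeding per-tenant Security Brokers whose event processors drive audit, billing and the user provision/de-provision workflow. The following is an added example, not Novell's code and not derived from the product: it sketches that split in working form, with the tenant identity stamped by the receptor from the bridge's authenticated session rather than read from the event payload, a segregation check on both sides, and a directory "user disabled" event that blocks federation at once and triggers de-provisioning in every SaaS application of that tenant (the 10-day window from slide 5 is what this is meant to close). The event format, tenant IDs and SaaS names are constructed.

```python
"""Per-tenant event routing with tenant segregation, in the shape of the
Director / Security Broker split on slides 10 and 18. Added example, not
Novell's code: event format, tenant IDs and SaaS names are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    tenant: str            # stamped by the receptor from the bridge's session
    kind: str              # "user.disabled", "user.created", "login.failed", ...
    subject: str
    attrs: dict = field(default_factory=dict)


class SecurityBroker:
    """Per-tenant broker: federation state plus the limited provisioning
    workflow for that tenant's SaaS applications."""

    def __init__(self, tenant, saas_apps):
        self.tenant = tenant
        self.saas_apps = list(saas_apps)
        self.blocked = set()        # subjects that may no longer federate
        self.provisioned = []       # (saas_app, subject), in processing order
        self.deprovisioned = []

    def handle(self, ev):
        # Defence in depth: the Director should never route a foreign event
        # here, but the broker refuses it rather than acting on it.
        if ev.tenant != self.tenant:
            raise PermissionError("event for %s delivered to broker %s" % (ev.tenant, self.tenant))
        if ev.kind == "user.disabled":
            # Federation is refused from now on; SaaS-local accounts are
            # closed by the workflow, so the exposure is minutes, not days.
            self.blocked.add(ev.subject)
            self.deprovisioned.extend((app, ev.subject) for app in self.saas_apps)
        elif ev.kind == "user.created":
            self.blocked.discard(ev.subject)
            self.provisioned.extend((app, ev.subject) for app in self.saas_apps)
        # other kinds (login.failed, ...) are audit-only: nothing to do here

    def can_federate(self, subject):
        return subject not in self.blocked


class Director:
    """Multi-tenant: one event receptor, shared audit and billing collection,
    routing to exactly one broker per tenant."""

    def __init__(self):
        self.brokers = {}
        self.audit = []                   # (tenant, kind, subject) for every event
        self.billing = defaultdict(int)   # tenant -> billable events

    def register(self, broker):
        self.brokers[broker.tenant] = broker

    def receive(self, bridge_tenant, payload):
        """Entry point for a Secure Bridge. bridge_tenant comes from the
        authenticated tunnel/session, never from the payload itself."""
        if payload.get("tenant") not in (None, bridge_tenant):
            # A bridge claiming another tenant is recorded, not honoured.
            self.audit.append((bridge_tenant, "tenant.mismatch", payload.get("subject", "")))
        ev = Event(bridge_tenant, payload["kind"], payload["subject"],
                   {k: v for k, v in payload.items() if k not in ("tenant", "kind", "subject")})
        broker = self.brokers.get(bridge_tenant)
        if broker is None:
            self.audit.append((bridge_tenant, "unknown.tenant", ev.subject))
            return False
        self.audit.append((ev.tenant, ev.kind, ev.subject))
        self.billing[ev.tenant] += 1
        broker.handle(ev)
        return True

    def audit_for(self, tenant):
        """Customer console view: only that tenant's own records."""
        return [rec for rec in self.audit if rec[0] == tenant]
```

The point of stamping the tenant from the session is that the Secure Bridge is the one component that crosses the customer firewall (slide 8), so its credential, not the data it sends, is what decides which tenant's broker and audit trail an event lands in; the customer console then only ever sees its own tenant's rows.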
19. Enterprise and SaaS/PaaS Connection: Identity Federation
[Diagram: on the enterprise side the SB Daemon hosts an Identity Connector (LDAP Mapping) and an Event Connector (AEB Mapping), fronted by the CSB and Secure Data Marshaling, and reads the Enterprise Identity Store; on the SaaS/PaaS side, SB SaaS Services receive the Identity Federation Protocol]
20. Enterprise and SaaS/PaaS Connection: Audit
[Diagram: as on slide 19, with an Enterprise Console on the enterprise side and an Audit Store on the SaaS/PaaS side; the SB Daemon (Identity Connector with LDAP Mapping, Event Connector with AEB Mapping, CSB, Secure Data Marshaling) reaches the Audit Store over a REST API with OAuth]
21. Enterprise and SaaS/PaaS Connection: Identity and Audit
[Diagram: SB SaaS Services with an Audit Store and an Identity Store on the SaaS/PaaS side; the SB Daemon (Identity Connector with LDAP Mapping, Event Connector with AEB Mapping, CSB, Secure Data Marshaling) uses the Identity Federation Protocol for identity and a REST API with OAuth for the audit and identity stores]
22. Enterprise and SaaS/PaaS Connection with Provider Data Store
[Diagram: as on slide 21, plus a Provider Data Store reached through the CSSD over a REST API; the SB Daemon (Identity Connector with LDAP Mapping, Event Connector with AEB Mapping, CSB, Secure Data Marshaling) uses Federation for identity and REST APIs for the Audit Store and Identity Store]
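Slides 20 to 22 put the audit and identity stores behind a "REST API with OAuth". The deck does not say which OAuth; for a 2010 design that means OAuth 1.0a request signing, which is what this added example assumes (it is not Novell's code, and the consumer key, secret, URL and event fields are constructed). It shows both ends: the Secure Bridge signing an audit-event POST with HMAC-SHA1 over the RFC 5849 signature base string, and the audit store recomputing the signature in constant time and rejecting stale timestamps and reused nonces before it records the event.

```python
"""OAuth 1.0a (HMAC-SHA1) signing and verification for a REST audit API.

Added example, not Novell code. The deck only says "REST API with OAuth";
OAuth 1.0a is an assumption, and every identifier here is constructed.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Hypothetical credentials issued to one tenant's Secure Bridge.
CONSUMER_KEY = "secure-bridge-tenant-a"
CONSUMER_SECRET = "8f2c1d0a-bridge-secret"
AUDIT_URL = "https://audit.example-provider.test/v1/tenants/tenant-a/events"


def _pct(value):
    # RFC 5849 section 3.6: percent-encode everything except unreserved characters.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the signature base string for method + url + params.

    params holds every query, form and oauth_* parameter except
    oauth_signature; query parameters embedded in url are merged in.
    """
    parts = urlsplit(url)
    base_url = "%s://%s%s" % (parts.scheme.lower(), parts.netloc.lower(), parts.path)
    merged = dict(parse_qsl(parts.query, keep_blank_values=True))
    merged.update(params)
    pairs = sorted((_pct(k), _pct(v)) for k, v in merged.items())
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    key = ("%s&%s" % (_pct(consumer_secret), _pct(token_secret))).encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, body_params, consumer_key, consumer_secret, nonce, timestamp):
    """Client side (Secure Bridge): return the full parameter set the request carries."""
    params = dict(body_params)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params), consumer_secret)
    return params


class AuditStore:
    """Server side: check signature, freshness and nonce uniqueness before
    accepting an audit event. Secrets are looked up by consumer key."""
    WINDOW = 300  # seconds of clock skew tolerated

    def __init__(self, secrets):
        self.secrets = secrets          # consumer_key -> consumer_secret
        self.seen = set()               # (consumer_key, timestamp, nonce)
        self.accepted = []              # event bodies that passed every check

    def verify(self, method, url, params, now):
        p = dict(params)
        sig = p.pop("oauth_signature", None)
        key = p.get("oauth_consumer_key")
        if sig is None or key not in self.secrets or p.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        try:
            ts = int(p.get("oauth_timestamp", ""))
        except ValueError:
            return False
        if abs(now - ts) > self.WINDOW:
            return False                # stale or future-dated: reject
        replay_key = (key, ts, p.get("oauth_nonce"))
        if replay_key in self.seen:
            return False                # same nonce seen before: replay
        expected = hmac_sha1_signature(signature_base_string(method, url, p), self.secrets[key])
        if not hmac.compare_digest(expected, sig):
            return False                # body, URL or method was altered
        self.seen.add(replay_key)
        self.accepted.append({k: v for k, v in p.items() if not k.startswith("oauth_")})
        return True
```

Because the method and URL are part of the base string, a signed POST cannot be replayed as a GET or against another tenant's path, and the nonce set bounded by the timestamp window is what lets the server forget old nonces without opening a replay gap.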
23. Agenda: Deployment Options
24. NCSS Small Deployment
• 1 Multi-tenant Director
– With configuration backup/restore services
• 1-N Customers/Tenants, each with:
– 1 Secure Bridge and
– 1-2 Security Brokers connecting to 1-20 SaaS applications
[Diagram: the Director (Provider Console, Customer Console, Audit Collection/Reporting, Cost Accounting Collection/Reporting, Multi-tenant Operations) above Security Brokers for Tenant A, Tenant B, ... Tenant C, with customer connections on one side and SaaS connections on the other]
25. NCSS Medium Deployment
• Multi-tenant Director Cluster**
– 1-8 Directors
• 1-N Tenants, each with:
– 1 Secure Bridge
– 1-5 Security Brokers connecting to 1-50 SaaS applications
[Diagram: the Director Cluster (Provider Console, Customer Console, Audit Collection/Reporting, Cost Accounting Collection/Reporting, Multi-tenant Operations) backed by a Database Cluster, above Security Brokers for Tenant A, Tenant B, ... Tenant C, with customer connections on one side and SaaS connections on the other]
** Requires clustered DB server deployment
26. NCSS Large Deployment
• Multi-tenant Director Cluster**
– 1-5 Directors
> Console hosting
> Multi-tenant Operations
– 1-5 Audit Servers
– 1-5 Billing Servers
• 50-N Tenants, each with:
– 1 Secure Bridge
– 1-5 Security Brokers connecting to 1-100 SaaS applications
[Diagram: a Director Cluster, an Audit Cluster and a Cost Accounting Cluster, all backed by a Database Cluster, above Security Brokers for Tenant A, Tenant B, ... Tenant C, with customer connections on one side and SaaS connections on the other]
** Requires clustered DB server deployment
27. Novell Cloud Security Service (NCSS)
[Diagram: a Director Cluster (Provider Console, Customer Console, Audit Collection/Reporting, Cost Accounting Collection/Reporting, Multi-tenant Operations) above per-tenant Security Brokers for Tenant A, Tenant B, ... Tenant C]
Customer-side connection patterns:
• Tenant A: internal LDAP directory only; uses the NCSS Secure Bridge
• Tenant B: internal identity management system with federation (e.g. Novell Identity Manager)
• Tenant C: no user accounts on customer premises
SaaS-side connection patterns:
• Deep connectors to Rackspace internal and App Store apps
• Surface connectors to external SaaS applications, SSO only
30. Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.