Optimizing IAM with Single Sign-On From the Cloud to On-Premise
• Why SSO?
• A Challenge for the Enterprise
• Deployment models
• Hybrid IAM
• Q & A
Copyright ©2013 Mycroft Inc. All rights reserved
INTRODUCTIONS
Moderator: Shanley Stern, Sr. Director Marketing, Mycroft Inc.
Presenter: Lester Rivera, Sr. Business Solutions Architect, Mycroft Inc.
Presenter: Herb Mehlhorn, Product Manager, CA Technologies
Why Single Sign-On?
SSO – SIMPLY STATED
Copyright ©2013 CA. All rights reserved
[Diagram labels. Client Side: Mobile Employee or Customer, Partner User, Internal Employee. App/Resource: Enterprise or Partner Apps; Cloud Apps/Platforms & Web Services; SaaS. Also labelled: Data, Identities.]
A Challenge for the Enterprise
WHAT TO LOOK FOR IN SSO PRODUCTS – CLIENT SIDE
[Diagram labels: User, Administrator, Resources]
• Supported Devices: Desktop/Laptop, Tablet, Smart Phone
• Supported User Interfaces: Browser, Mobile Application, Terminal Emulator
WHAT TO LOOK FOR IN SSO PRODUCTS – RESOURCE SIDE
Apps/Resources
• Location of App: On Premise, Partner Site, Partner App, PaaS Site, SaaS App
• Access Path: REST API via Gateway, HTTP over corp. network, HTTP over Internet, Web Services
WHAT TO LOOK FOR IN SSO PRODUCTS – FROM CLIENT TO RESOURCE
• Authentication: Password, SmartCard + X.509, ArcotID®, OpenID, OAuth
• User Experience: Single Sign-On, Personalized Experience, Single Logoff
• Enforcement: Web Agent, Proxy, Gateway, Native to the App
• Context of the authentication
WHAT TO LOOK FOR IN SSO PRODUCTS – ADMINISTRATION
• Managing SSO
  - Ability to manage the authentication and access via a UI or programmatic interface
• …with efficiency
  - for all resource types via a single UI
  - for all access paths via a single UI
  - for all authentication policies via a single UI
• …with confidence
  - provide ability to flexibly segregate and delegate administration
  - generating necessary log and audit data for governance and compliance purposes
DON’T FORGET THESE OTHER KEY REQUIREMENTS
SSO also requires:
• Identity life cycle management
• Effective monitoring
• Efficient delivery if using physical authentication methods
WHAT’S AVAILABLE IN THE MARKET
Timeline (TIME axis):
• Thick Client SSO
• Web/Html Client SSO
• Web/Html Client SSO via Federation
• Web/SOAP Client SSO via WS-*
• Web & Mobile native SSO via REST & API
• Similarities across each of these developments:
  - SSO experience for the end user
  - Needed security characteristics of the solution
• Differences
  - Location of the resource
  - Access path to the resource
Deployment Models
CHOOSE YOUR DEPLOYMENT MODEL
On-Demand
• Deployed in third-party datacenter
• Subscription pricing model, no hardware required
• Federated SSO everywhere
• No VPN, no Firewall changes
• Fully managed
On-Premise
• Deployed at enterprise datacenter
• Allows for customization
• Requires professional services, longer deployment times
Hosted
• Deployed in third-party datacenter (private cloud)
• Connected to enterprise thru VPN
• Available as Managed Service
CHOOSE YOUR DEPLOYMENT MODEL
On-Demand
Important to me:
• Tactical solution
• Very quick to market
• OpEx rather than CapEx
• Standardized & out-of-the-box (OOB)
• Local market
• No hardware hassle
• Very small TCO
On-Premise
Important to me:
• Strategic solution
• Innovation
• Individuality
• Differentiate also by services
• Tend to prefer CapEx
• International market
• Ownership
Hosted
Important to me:
• Quick time to market
• Some individuality
• Some innovation
• Tend to prefer OpEx
• Sense of ownership
• TCO
• Differentiate from competition by assortment & price
HOW DO THEY COMPARE?
Not only about CAPEX vs. OPEX
• About optimizing 3 Es
  - Effectiveness
  - Economy
  - Efficiency
Models compared: On-Premise, Hosted, On-Demand
Ratings shown: Most effective, economical & efficient; More effective, economical & efficient; Effective, economical & efficient
Benefits of Hosted
• Infrastructure: Hardware acquisition not required
• Implementation: SMEs readily available
• Operation: 24x7 SOC, no internal management needed
• Security: Top tier
THINGS TO CONSIDER
SSO… is even MORE important
• Federate, Federate, Federate, Federate, Federate, Federate, Federate, F.E.D.E.R.A.T.E.
• Request for access needs to be simple, powerful, pervasive… not just about user accounts!
• SAML, OAuth, OpenID, WS-FED (Office365)
Provisioning goes Just-In-Time
• More SaaS applications support it
• BUT, no real automated de-provisioning
Identity Governance continues to be important
• Governance, risk, & compliance (GRC)
• Ignores the enterprise “fence”; data and users are mobile
Think APIs… Everything is an API
• Keep simple & authorize well
• BUT not every API requires user accounts; sometimes you authorize device, source, etc.
• AND sometimes the point is really to identify the source
Security is Policy-based
• Security takes place outside of the app
• Programmatic vs. declarative
Hybrid IAM
MYCROFT XSPECTRA ON-DEMAND SERVICE ARCHITECTURE
[Architecture diagram labels. Users: Customers, Partners, Employees. Services: Federated SSO, Advanced Authentication, Access Management, Identity Management, Identity Governance, Privileged Identity Mgt. Connectivity: On-Premise Connector. Targets: On-Premise Enterprise Apps, Enterprise Datacenter, Cloud Platforms, SaaS.]
MYCROFT XSPECTRA ON-DEMAND SERVICE
A single log-on, launch any SaaS application available to you
IN A NUTSHELL
SSO… is critical
• Simple, powerful access to applications with a single log-on, whether on-premise, in the cloud or hosted
• Increased user productivity & overall company efficiency
• Essential for security
Deployment Models
• Your organization has options
• Cloud vs on-premise vs on-demand. Examine the pros and cons as they relate to your environment, as well as the overall efficiency, effectiveness & economy of each option
Hybrid IAM
• It doesn’t matter where your application is, behind the firewall or in the cloud
• Scalable: seamless end-user experience between on-premise & cloud-based applications
Security is Policy-based
• Security takes place outside of the app
• Programmatic vs. declarative