Being competitive today means building an enterprise that is capable of taking full advantage of the “5 forces”: Cloud, Mobile, Social, Analytics and the Internet of Things. Harnessing these five forces requires a holistic view of the business side, of technology, of the risks involved, and of different cultures.
In this track, we will jointly create an action plan for working through the almost incomprehensible mountains of systems, platforms, processes and roles towards a light and agile architecture for the digital enterprise.
After attending this session block, you will be able to:
- List the top Cloud security and privacy concerns and the measures to reduce those risks.
- Discuss the developing field of Mobile Identity, the risks posed and the solutions needed.
- Describe the benefits of Customer Managed Encryption Keys (CMK).
- List the risks in the software development lifecycle and the solutions that mitigate risk.
Customer-Managed Encryption Keys: Controlling Your Data’s Privacy in the Cloud
Businesses put a lot of trust in the cloud, believing that, as paying customers, they will enjoy total protection from hackers and law enforcement agencies trying to access their private data.
But the majority of cloud providers who encrypt data have full control over the encryption keys and could – if required to – access and share the data. This is a risk many businesses are unaware of. It also means CISOs in industries handling very sensitive data cannot take advantage of the benefits of cloud technology, as their enterprise policies and regulatory compliance requirements prohibit implementations in which providers have full access to their data. Customer-managed encryption keys (CMKs) offer a solution to this problem, putting the data owner in full control of the encryption used within the cloud service, regardless of where the data is stored.
This combined panel and presentation session will explore how implementing CMKs gives customers back control of their data and promotes cloud adoption. You will become familiar with the cryptography systems available today that use CMKs to protect data held by cloud vendors: how they work, when implementing them is necessary, and how they can enable highly regulated industries to operate securely beyond the firewall.
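The key-custody split the session describes, as an added example that is not part of the session or of any vendor's product: envelope encryption in Go using the standard library's AES-GCM. A customer-held key-encryption key (KEK) wraps a fresh per-object data-encryption key (DEK); the provider stores only the wrapped DEK and the ciphertext, so without the customer's KEK it cannot decrypt. The function names, the KEK bytes and the sample record are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm builds AES-256-GCM from a 32-byte key (all keys in this example are 32 bytes).
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length is a programming error here
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// seal returns nonce||ciphertext||tag with a fresh random nonce.
func seal(g cipher.AEAD, pt []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; the GCM tag check rejects a wrong key instead of returning garbage.
func open(g cipher.AEAD, blob []byte) ([]byte, error) {
	n := g.NonceSize()
	if len(blob) < n {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, blob[:n], blob[n:], nil)
}

// Encrypt is the customer-side step: a fresh DEK protects the object and is itself
// sealed under the customer-held KEK. Only wrappedDEK and ct are handed to the provider.
func Encrypt(kek, pt []byte) (wrappedDEK, ct []byte) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	return seal(gcm(kek), dek), seal(gcm(dek), pt)
}

// Decrypt needs the KEK; a provider holding only wrappedDEK and ct cannot run it.
func Decrypt(kek, wrappedDEK, ct []byte) ([]byte, error) {
	dek, err := open(gcm(kek), wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(gcm(dek), ct)
}
```

Everything the provider stores (wrappedDEK and ct) is useless without the KEK, which is the control the session argues CMKs give back to the data owner.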
Best Practice: From Zero to Secure in 1 Minute
Cloud instance lifecycles are accelerating fast. Cloud providers compete by switching from hourly to by-the-minute server billing, which means that servers are installed, launched, do their processing and terminate all within a range of minutes. This accelerated lifecycle makes traditional security processes such as periodic patching, vulnerability scanning, hardening and forensics impossible: there are no maintenance windows for patches and no time to mitigate a vulnerability, so the security infrastructure must adapt to a new way of thinking. That new thinking calls for new methods of server security configuration, evaluation and termination. Servers must be patched before they boot, security configuration and hardening procedures must be integrated with server installation, vulnerability scanning and mitigation must be automatic, and operating systems should not even allow users to log in directly. In this presentation we announce a new open source tool named “Cloudefigo” and explain the techniques that enable this accelerated security lifecycle. We demonstrate how to automatically launch pre-configured, already patched instances into an encrypted storage environment while evaluating their security and mitigating automatically if a vulnerability is found. In the live demo we leverage Amazon Web Services EC2 Cloud-Init scripts and object storage to provision automated security configuration and integrate encryption, including secure encryption key repositories for secure server communication. The result of these techniques is cloud servers that are resilient, automatically configured and secure, without any attack surface left for a hacker to explore.
Best Practice: A Hybrid Enterprise in a Cloud First World
You’ll laugh, you’ll cry, and you might even pick up a useful nugget or two listening to a real-world enterprise IT architect share his experiences of the past year supporting his business’s migration to cloud services, and the lessons learned from trying to integrate two hybrid enterprises into a single, streamlined company. You’ll hear where the cloud came through for us, and how we often had to fall back on on-prem services such as FIM, Ping Federate, and ADFS to make the glue that binds it all together.
- Migrating to the cloud can be hard; mergers and acquisitions of companies are hard; M&A of hybrid, cloud-enabled companies is very hard.
- How to manage the cloud vendor relationships through integrations
- Identity and Security planning to make integrations successful in a cloud world
Identity-as-a-Service Securing PostNL’s 100% Cloud Strategy
PostNL deals in letters, parcels and everything related to letters and parcels. With 60,000 employees and 3.4 billion in revenue, PostNL is the market leader in the Netherlands and also operates in Belgium, Luxembourg, the United Kingdom, Germany and Italy. Volumes in the letters business are declining, and therefore cost cutting and cost flexibility, both in the business and in IT, are key targets for PostNL. For this reason, PostNL announced a 100% go-to-Cloud strategy, to be executed by the end of 2015 by migrating all on-premise hosted applications to the Cloud: “from on-premise/customized to cloud-based/standardized IT”.
Identity and Access Management is an essential part of the security domain within the PostNL Cloud Orchestration Kernel, facilitating the 100% Cloud Strategy and complying with security standards and certifications for ‘securing the cloud’. Through the IAM project, Identity and Access Management is implemented for PostNL employees using the services of the IDaaS provider iWelcome – itself a cloud service. This full IDaaS service includes, among others: availability of all employee identities, a login page with (two-factor) user authentication, a portal (launch pad) for cloud applications, user provisioning and authentication to relying parties, single sign-on/log-off and self-service.
Generally speaking, there are five main areas in Identity Management: (1) Identity Governance (business processes around so-called authoritative sources like SAP HR); (2) Identity Provisioning; (3) Identity Authentication and Access Management; and (4) Application Authorization (business logic in the destination applications).
Theo Punter will share with the audience his experiences of implementing IDaaS for the enterprise.
- Current IAM solutions could not keep pace with developments in the cloud, mobile apps and federations;
- With IDaaS, PostNL is able to lower TCO significantly, thus improving PostNL’s market position
- Suppliers should preferably be too big to fail … but partnership and flexibility are key values as well
- Stick to standards and enforce them
- Define I&AM policies upfront for CSPs (as part of the contract)
- Over 90% use SAML 2.0 for authentication, but SCIM as a standard for provisioning is not there yet
- Don’t mix cloud with on-premise unless you design on-premise on cloud principles.
- Release and transition management becomes even more important
- Don’t base critical IT plans on suppliers’ product roadmaps.
The Future of Directory Services: Data Models – Performance – Security
While there hasn’t been much news around directory services in the last decade, we see new momentum in this area, driven by two challenges, both related to the “hyperconnected” enterprise that has to manage the identities of consumers, things, devices, etc. and their relationships.
One challenge is performance. Managing a few thousand employees, or even tens or a few hundred thousand, is quite different from managing tens of millions of customers, billions of things, or all the related devices. There have been some large deployments, particularly in the consumer space, but right now this is moving from a specialized use case in a few industries towards a standard requirement of virtually any industry. Vendors propose various answers to that challenge: HDAP (Hadoop + LDAP), Cloud Directory Services, or just larger deployments of their COTS products. But what is really needed?
The other challenge is data models. LDAP, being derived from X.500 DAP, has its roots in phone directories and has a rather inflexible data model. Looking at the broad variety of identities to manage beyond humans, and their complex relationships, the question arises whether the LDAP data model is good enough for the future. Some vendors have already decided against LDAP as the core of their directory data model. But what is really needed?
In this panel, both the challenge of performance and of data models will be discussed in depth. Is LDAP still the future or do we need something different? Will there be new REST-based standards or will we end up with proprietary approaches?
Business Critical Application Security
Most transactions take place on business-critical applications and infrastructure, producing data and information of the highest possible value to attackers. Protecting these applications and infrastructure is a fundamental part of every corporate security strategy. In this session we will talk about the real security challenges facing your business-critical infrastructure, i.e. your SAP system, how to mitigate the risks involved and how to defend against threats.