Pre-Con Ed: Multiple Implementation and Access Models for CA Single Sign-On (CA SSO)
TRANSCRIPT
CA World '16
SCX09E
SECURITY
© 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
For Informational Purposes Only: Terms of this Presentation
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
Today's organizations need to do more than just secure the on-premise applications running in their data centers. Modern organizations also have applications running in platform-as-a-service (PaaS) data centers, such as Azure or Amazon, and on mobile platforms, and have a growing number of SaaS applications (such as WebEx). Additionally, applications continue to be moved around across these different implementation and access models, changing locations (on-premise to AWS, for example) and changing the acceptable methods of user authentication. Mix in the dynamic of a user gaining access via different devices (laptop, tablet, BYOD) and you can see how complicated life gets for a user and an IT security professional. In this session, we'll discuss various PaaS, managed and SaaS implementation models and how to secure applications of all varieties.
Aaron Berman
Herb Mehlhorn
Kathy Hickey
CA Technologies
Agenda
1. The IT Challenge
2. Evolving Deployment Architectures
3. Methods of Application Integration
4. Overlaying Access Methods with Deployment Architectures
The Challenge of Today's IT Environment
§ EVERYTHING is in motion
– Users
– Devices
– Applications
– Data Centers
Applications and Security in the Data Center
Diagram: On Premise Data Center, showing End Users, Apps and Security.
The Deployment Architecture at the Start of the Journey
Diagram (two builds): End Users, Data Center 1, Data Center 2, and then Third Party Apps.
Evolving Deployment Architectures
Diagram (four builds): End Users, Data Center 1, Data Center 2 and Third Party Apps, with PaaS, then Managed and Hosted Services, then SaaS added in turn.
Key PaaS Consideration – Exposed to Public?
Diagram (three builds): End Users, Data Center 1, Data Center 2 and PaaS, with the PaaS segment either exposed to the public or reachable only through a VPN for Private Access Only.
Key Considerations for PaaS Deployment
Consideration | Private Segment | Public Segment
– Location of user repository (PII data at rest)
– Backup and Recovery
– HA and failover
– Network Address Translation
– Encryption of Data
– Monitoring Performance
– Log collection
– VPN Gateway at front end of PaaS
– Load balancer exposed to Internet
– Bastion Server
– Front end firewall & threat prevention
Potential PaaS Component Deployment
Diagram components: Corporate Location, External Users, VPN, External Load Balancer, Threat/Bastion, and Load Balancers, SSO Policy Servers and SSO Agents/Access Gateway across Location #1, Location #2 and Location #3.
Flexible Solution to Meet Many Needs in a Single Deployment
CA Single Sign-On:
§ Open Standards
§ SOAP and REST APIs
§ Policy Enforcement Gateway (Access Gateway)
§ Open Format Token
§ Policy Enforcement Connectors (Agents)
Application Integration Methods can be Used by Themselves or Together
§ Access Gateway + Agent = different ways to secure an app based on access
§ Gateway (or Agent) + Federation = URL-level filtering with low integration costs for apps that already speak SAML
§ Open format cookie + API = agentless SSO and externalized authorization controls for apps outside the data center
§ Federation + API = standards-based SSO for internal applications with the ability to do authorization calls
§ Agent + API = secure session management and authorization with less communication between app and policy server
Potential PaaS Component Deployment: No VPN Connecting PaaS and Internal Data Center
Diagram (two builds): the PaaS Data Center runs Load Balancers, Applications, SSO Policy Servers and SSO Agents/Access Gateway; the Corporate Location runs Load Balancers, SSO Policy Servers, SSO Agents/Access Gateway and CA Directory or Other User Store. The two sides form a Disparate SSO, with the connections labelled Open Format Cookie and SAML.
Potential PaaS Component Deployment: VPN Connecting PaaS and Internal Data Center
Diagram (two builds): the PaaS Data Center runs Load Balancers, SSO Policy Servers and SSO Agents/Access Gateway; the Corporate Location runs Load Balancers, SSO Policy Servers, SSO Agents/Access Gateway and CA Directory or Other User Store, with a VPN between the two. The connections are labelled Agent Communication and REST API Communication in the first build, and Agent Communication with Disparate SSO in the second.
Note: 12.52 SP1 CR4 introduced the ability to disable IsAuthorized calls from Agents.
Cybersecurity for the Hybrid Enterprise: Providing Inherent Security Controls in a Transparent and Seamless Way
Hybrid Enterprise: Traditional Data Center, Private Cloud, Public Cloud (IaaS), SaaS Applications
§ Centralize Authentication
§ Federate Identities
§ Single Sign-on
§ Session Replay Protection
§ Single Logout
§ Identity Mapping across the enterprise
§ User Activity monitoring and auditing
§ Inspection of every request
Using Security to Solve Today's Business Requirements: Authentication, Authorization & Access Management, Single Sign-On, Session Security
CA Supports a Wide Variety of Deployment Options
Traditional On Premise Deployed and Managed: Software installed in local data centers – managed by employees
Managed On Premise: Software installed in local data centers – managed by CA or CA Partner
Traditionally Managed – Cloud Deployed: Software installed in Cloud data centers – managed by employees
Managed off Premise: Software installed in Hosted environments/data centers – managed by CA or Partners
SaaS: Software as a service – managed by employees
Two Approaches to Single Sign On
TIGHTLY COUPLED
§ User can be centrally authenticated or locally authenticated
§ All communication between browser and web server is intercepted and inspected
§ Each request can be examined for validity, tampering, and authorization
§ A single shared session spans all applications
§ Identity information is placed into the request so the application can read the identity
§ User directly accesses the web site to launch (top level and deep linked bookmarks)
LOOSELY FEDERATED
§ User is centrally authenticated
§ A token containing identity and security attributes is created and then passed to the application
§ Application reads the token and creates an application-specific session
§ Application is responsible for authorization, session security and honoring security claims
§ Token may be one time use or may be presented on each request
§ Launched by accessing a launchpad or by accessing a customized URL
Most 3rd party SaaS applications (Salesforce, Concur) only support the Loosely Federated model
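As an added example (not code from the slides or from CA SSO), the Python sketch below contrasts the two approaches on this slide, and also illustrates the agent-style versus open-format-token-style integrations from the earlier "Application Integration Methods" slide. A toy HMAC-signed token stands in for the product's session cookie or federation token. The tightly coupled half is a gateway-style interceptor that validates and authorizes every request against a shared session and a central policy, then injects identity headers for the application; the loosely federated half is an application that consumes a one-time token, checks it was issued for this application, rejects replays, mints its own session and decides authorization itself. The secret, policy table, header names, claim names and permission map are all constructed for the demonstration.

```python
"""Tightly coupled vs loosely federated SSO, illustrated with a constructed
HMAC-signed token. Added example; not CA SSO code. Every secret, policy,
header and claim name here is made up for the demonstration."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple

# Constructed shared secret between the central authentication authority and
# the gateway/applications that trust its tokens.
SECRET = b"constructed-demo-secret-do-not-use"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Central authority: sign identity + security attributes into a token."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: float) -> Optional[dict]:
    """Tamper (signature) and expiry check; returns the claims or None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


# --- Tightly coupled: every request is intercepted before the app sees it ---
# Constructed central policy: URL prefix -> roles allowed to reach it.
POLICY: Dict[str, Set[str]] = {"/hr/": {"hr"}, "/finance/": {"finance"}, "/": {"employee"}}


def gateway_inspect(path: str, session_cookie: str, now: float) -> Tuple[int, Dict[str, str]]:
    """Return (HTTP status, headers to inject). One shared session spans all apps;
    the app only ever receives requests that passed validity and authorization."""
    claims = verify_token(session_cookie, now)
    if claims is None:
        return 401, {}
    # longest matching prefix wins, so /hr/... is governed by the hr rule, not "/"
    prefix = max((p for p in POLICY if path.startswith(p)), key=len)
    roles = set(claims.get("roles", []))
    if not POLICY[prefix] & roles:
        return 403, {}
    # identity is placed into the request so the application can read it
    return 200, {"X-SSO-User": claims["sub"], "X-SSO-Roles": ",".join(sorted(roles))}


# --- Loosely federated: the application consumes a token and owns its session ---
SEEN_JTI: Set[str] = set()            # one-time-use tokens: remember ids, reject replays
APP_SESSIONS: Dict[str, dict] = {}    # application-specific sessions keyed by session id
# Constructed per-application permission map; the app, not the SSO layer, enforces it.
APP_PERMISSIONS = {"view_payslip": {"employee"}, "run_payroll": {"finance"}}


def app_consume_token(token: str, now: float, audience: str = "payroll-app") -> Optional[str]:
    """Validate a one-time token issued for this app, then create a local session."""
    claims = verify_token(token, now)
    if claims is None or claims.get("aud") != audience:
        return None
    jti = claims.get("jti")
    if not jti or jti in SEEN_JTI:
        return None                   # replayed or unidentifiable token
    SEEN_JTI.add(jti)
    session_id = secrets.token_urlsafe(16)
    APP_SESSIONS[session_id] = {"sub": claims["sub"], "roles": set(claims.get("roles", []))}
    return session_id


def app_can(session_id: str, permission: str) -> bool:
    """Authorization is decided by the application against its own session."""
    session = APP_SESSIONS.get(session_id)
    if session is None or permission not in APP_PERMISSIONS:
        return False
    return bool(session["roles"] & APP_PERMISSIONS[permission])
```

The split in responsibilities is the point: in the tightly coupled path the application never sees an unauthorized or tampered request and can simply trust the injected headers, whereas in the loosely federated path the application itself must check audience, expiry and replay and keep its own authorization table, which is exactly the burden the slide assigns to it.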
Deployment Option Capabilities
Deployment options: Traditional On Premise Deployed and Managed; SaaS; Managed On Premise; Managed off Premise; Traditionally Managed – Cloud Deployed
Four of the options support both Tightly and Loosely Coupled; one supports Loosely Coupled Only.
A New Hybrid Deployment Model: CA SSO and CA Identity Service
Diagram components: CA Identity Service; CA Single Sign-On; Authentication (SaaS-first model); Authentication (Hybrid model); Single Sign-on; User provisioning & deprovisioning; Rogue and orphan account detection and remediation; On-premises apps; SaaS Apps; People source (optional).
A New Hybrid Deployment Model: CA SSO and CA Identity Service
CA Identity Service
The Launchpad is dynamically populated at time of login based upon what the end user has access to.
Access to on-prem CA SSO protected applications is available – true hybrid support.
A New Hybrid Deployment Model: Simplified Workforce Experience
§ Predefined integration with CA Single Sign-On
§ Few clicks to import existing CA SSO protected resources
§ Existing CA SSO policies dynamically evaluated to determine who gets access
§ Option to enable CA SSO as the identity provider
A Hybrid Deployment Architecture with CA Identity Service
Diagram: End Users, Data Center 1, Data Center 2, Third Party Apps, CA Identity Service and a SaaS Application.
Questions?
Recommended Sessions
SESSION #  TITLE  DATE/TIME
SCX16E  Pre-Con Ed: Who's minding the SSO store  11/15/2016 at 1:00 pm
SCT44T  Tech Talk: Web Access Management and Federation – Two Great Tastes that Taste Good Together  11/16/2016 at 11:30 am
SCX20S  CA Roadmap: Authentication, Single Sign-On, Directory  11/17/2016 at 1:45 pm
SCT43T  Hybrid App Launchpad  11/17/2016 at 3:45 pm
Don't Miss Our INTERACTIVE Security Demo Experience!
SNEAK PEEK!
THANK YOU
Stay connected at communities.ca.com