pre-con ed: multiple implementation and access models for ca sso

World®’16

Pre-ConEd:MultipleImplementationandAccessModelsforCASingleSign-On(CASSO)

SCX09E

SECURITY

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.

Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.

ForInformationalPurposesOnlyTermsofthisPresentation


Abstract

Today’sorganizationsneedtodomorethanjustsecuretheon-premise applicationsrunningintheirdatacenters.Modernorganizationsalsohaveapplicationsrunninginplatform-as-a-service(PaaS)datacenters,suchasAzureorAmazonandonmobileplatforms,andhaveagrowingnumberofSaaSapplications(suchasWebEx).Additionally,applicationscontinuetobemovedaroundacrossthesedifferentimplementationandaccessmodels,changinglocations(on-premise toAWS,forexample)andchangingtheacceptablemethodsofuserauthentication.Mixinthedynamicofausergainingaccessviadifferentdevices(laptop,tablet,BYOD)andyoucanseehowcomplicatedlifegetsforauserandanITsecurityprofessional.Inthissession,we’lldiscussvariousPaaS,managedandSaaSimplementationmodelsandhowtosecureapplicationsofallvarieties.

AaronBerman

HerbMehlhorn

KathyHickeyCATechnologies


Agenda

THEITCHALLENGE

EVOLVINGDEPLOYMENTARCHITECTURES

METHODSOFAPPLICATIONINTEGRATION

OVERLAYINGACCESSMETHODSWITHDEPLOYMENTARCHITECTURES

1

2

3

4

5 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD5 ©2016CA.AllRIGHTSRESERVED.

TheChallengeofToday’sITEnvironment

§ EVERYTHING isinmotion– Users– Devices– Applications– DataCenters


EndUser Apps Security

ApplicationsandSecurityintheDataCenter

OnPremiseDataCenter


ApplicationsandSecurityintheDataCenter

EndUsers Apps Security

OnPremiseDataCenter


TheDeploymentArchitectureattheStartoftheJourney

DataCenter1

DataCenter2

EndUsers


TheDeploymentArchitectureattheStartoftheJourney

EndUsers

DataCenter1

DataCenter2

ThirdPartyApps


EvolvingDeploymentArchitectures

PAASEndUsers

DataCenter1

DataCenter2

ThirdPartyApps



EndUsersThirdPartyApps

DataCenter1

DataCenter2

PAAS



PAAS

ManagedandHostedServices

EndUsers

DataCenter1

DataCenter2

ThirdPartyApps



PAASSAASEndUsers

ManagedandHostedServices

DataCenter1

DataCenter2

ThirdPartyApps


KeyPaaSConsideration– ExposedtoPublic?

PAASEndUsers

DataCenter1

DataCenter2



PAAS

VPNforPrivateAccessOnly

EndUsers

DataCenter1

DataCenter2



EndUsers

DataCenter1

DataCenter2

PAAS

VPNforPrivateAccessOnly


KeyConsiderationsforPaaSDeploymentConsideration PrivateSegment Public Segment

Locationofuserrepository (PIIdataatrest)

BackupandRecovery

HAandfailover

Network AddressTranslation

Encryption ofData

Monitoring Performance

Log collection

VPNGateway atfrontendofPaaS

Load balancerexposedtoInternet

BastionServer

Front endfirewall&threatprevention


PotentialPaaSComponentDeployment

LoadBalancer

ExternalLoadBalancer

LoadBalancer

Location#1

SSOPolicyServers

SSOAgents/AccessGtwy

Location#2 Location#3

Threat/Bastion

CorporateLocation

ExternalUsers

VPN


FlexibleSolutiontoMeetManyNeedsinaSingleDeployment

CASingleSign-On

OpenStandards

SOAPandRESTAPIs

PolicyEnforcementGateway(AccessGateway)

OpenFormatToken

PolicyEnforcementConnectors

(Agents)


ApplicationIntegrationMethodscanbeUsedbyThemselvesorTogether§ AccessGateway+Agent=differentwaystosecureanappbasedonaccess

§ Gateway(orAgent)+Federation=URLlevelfilteringwithlowintegrationcostsforappsthatalreadyspeakSAML

§ Openformatcookie+API=agentlessSSOandexternalizedauthorizationcontrolsforappsoutsidethedatacenter

§ Federation+API=StandardsbasedSSOforinternalapplicationswiththeabilitytodoauthorizationcalls

§ Agent+API=securesessionmanagementandauthorizationwithlesscommunicationbetweenappandpolicyserver


PotentialPaaSComponentDeploymentNoVPNConnectingPaaSandInternalDataCenter

LoadBalancer

PaaSDataCenter

Applications

CorporateLocation

LoadBalancer

LoadBalancer

SSOPolicyServers


OpenFormatCookie


PotentialPaaSComponentDeploymentNoVPNConnectingPaaSandInternalDataCenter

LoadBalancer

LoadBalancer

PaaSDataCenter

SSOPolicyServers


CorporateLocation

LoadBalancer

LoadBalancer

SSOPolicyServers


CADirectoryorOtherUserStore

DisparateSSO

OpenFormatCookie

SAML


PotentialPaaSComponentDeploymentVPNConnectingPaaSandInternalDataCenter

LoadBalancer

PaaSDataCenter

SSOPolicyServers


CorporateLocation

VPN

LoadBalancer

LoadBalancer

SSOPolicyServers



AgentCommunication

RestAPICommunication

12.52SP1CR4introducedtheabilitytodisableIsAuthorized

callsfromAgents


PotentialPaaSComponentDeploymentVPNConnectingPaaSandInternalDataCenter

LoadBalancer

LoadBalancer

PaaSDataCenter

SSOPolicyServers


CorporateLocation

VPN

LoadBalancer

LoadBalancer

SSOPolicyServers



AgentCommunication

DisparateSSO


CybersecurityfortheHybridEnterpriseProvidingInherentSecurityControlsinaTransparentandSeamlessWay

HYBRIDENTERPRISETraditionalDataCenter PrivateCloud PublicCloud- IaaS SaaSApplications

§ CentralizeAuthentication§ FederateIdentities§ SingleSign-on§ SessionReplayProtection

§ SingleLogout§ IdentityMappingacrosstheenterprise§ UserActivitymonitoringandauditing§ Inspectionofeveryrequest

UsingSecuritytoSolveToday’sBusinessRequirements

AuthenticationAuthorization

&AccessManagement

SingleSign-On SessionSecurity


CASupportsaWideVarietyofDeploymentOptions

TraditionalOnPremiseDeployedandManaged

SaaS

ManagedOnPremise

ManagedoffPremise

TraditionallyManaged–CloudDeployed

Softwareinstalledinlocaldatacenters– managedbyemployees

Softwareinstalledinlocaldatacenters– managedbyCAorCAPartner

SoftwareinstalledinClouddatacenters– managedbyemployees

SoftwareinstalledinHostedenvironmentsdatacenters–managedbyCAorPartners

Softwareasaservice– managedbyemployees


TwoApproachestoSingleSignOn

§ Usercanbecentrallyauthenticatedorlocallyauthenticated

§ AllCommunicationbetweenbrowserandwebserverisinterceptedandinspected

§ Eachrequestcanbeexaminedforvalidity,tampering,andauthorization

§ Asinglesharedsessionspansallapplications

§ Identityinformationisplacedintorequestsoapplicationcanreadtheidentity

§ Userdirectlyaccesswebsitetolaunch(toplevelanddeeplinkedbookmarks)

TIGHTLYCOUPLED§ UseriscentrallyAuthenticated

§ Atokencontainingidentityandsecurityattributesiscreatedandthenpassedtotheapplication

§ Applicationreadstokencreatesapplicationspecificsession

§ Applicationisresponsibleforauthorization,sessionsecurityandhonoringsecurityclaims

§ Tokenmaybeonetimeuseormaybepresentedoneachrequest

§ Launchedbyaccessinglaunchpad orbyaccessingacustomizedURL

LOOSELYFEDERATED

Most3rd PartySaaSapplications(Salesforce,Concur)onlysupportLooselyFederatedModel


DeploymentOptionCapabilities

TraditionalOnPremiseDeployedandManaged

SaaS

ManagedOnPremise

ManagedoffPremise

TraditionallyManaged–CloudDeployed

TightlyandLooselyCoupled

TightlyandLooselycoupled


LooselyCoupledOnly



SingleSign-on

Authentication(SaaS-firstmodel) CAIdentity

Service

Userprovisioning&deprovisioning

SingleSign-onRogueandorphanaccountdetectionandremediation

CASingleSign-On

On-premisesapps

SaaSApps

Peoplesource(optional)

Authentication(Hybridmodel)

SingleSign-on

ANewHybridDeploymentModelCASSOandCAIdentityService


TheLaunchpadisdynamicallypopulatedattimeofloginbaseduponwhattheenduserhas

accessto

Accesstoonprem CASSOprotectedapplicationsisavailable– truehybrid

support

ANewHybridDeploymentModelCASSOandCAIdentityService

CAIdentityService


§ PredefinedintegrationwithCASingleSign-On

§ FewclickstoimportexistingCASSOprotectedresources

§ ExistingCASSOpoliciesdynamicallyevaluatedtodeterminewhogetsaccess

§ OptiontoenableCASSOastheidentityprovider

ANewHybridDeploymentModelSimplifiedWorkforceExperience


EndUsers

DataCenter1

DataCenter2

ThirdPartyApps CAIdentityService

SaaSApplication

AHybridDeploymentArchitecturewithCAIdentityService


CybersecurityfortheHybridEnterpriseProvidingInherentSecurityControlsinaTransparentandSeamlessWay

HYBRIDENTERPRISETraditionalDataCenter PrivateCloud PublicCloud- IaaS SaaSApplications

§ CentralizeAuthentication§ FederateIdentities§ SingleSign-on§ SessionReplayProtection

§ SingleLogout§ IdentityMappingacrosstheenterprise§ UserActivitymonitoringandauditing§ Inspectionofeveryrequest

UsingSecuritytoSolveToday’sBusinessRequirements

AuthenticationAuthorization

&AccessManagement

SingleSign-On SessionSecurity


Questions?


RecommendedSessions

SESSION# TITLE DATE/TIME

SCX16E Pre-ConEd:Who’smindingtheSSOstore 11/15/2016at1:00pm

SCT44TTechTalk:WebAccessManagementandFederation–TwoGreatTastesthatTasteGoodTogether 11/16/2016at11:30am

SCX20S CARoadmap:Authentication,SingleSign-On,Directory 11/17/2016 at1:45pm

SCT43T HybridAppLauchpad 11/17/2016at3:45pm


Don’tMissOurINTERACTIVESecurityDemoExperience!

SNEAKPEEK!



THANKYOU

Stayconnectedatcommunities.ca.com

pre-con ed: multiple implementation and access models for ca sso

Technology