A Registered Investment Advisor (RIA) firm designed to provide financial services to high net worth individuals is using IAM technology to remain competitive and provide attractive services to both clients and Wealth Advisors. The firm also needed to establish business relationships with strategic partners delivering a variety of services, including fixed income inventory and strategies, retirement planning, a private trust and banking division, insurance & annuities, and more.

Requirements:

1. Embedding cloud SSO portal into Sharepoint – The firm was already using Sharepoint as their company portal. The cloud IAM SSO portal needed to be integrated into Sharepoint as a webpart.
2. Non-SAML applications – The firm was using more than a dozen on-demand applications that didn’t support federation standards such as SAML. The solution had to support single sign-on (SSO) into such applications as well.
3. Branding and customization – The solution should be re-brandable and customizable to company’s look-n-feel as it gets rolled out to the firm’s clients.

On top of it, being part of regulated industry where they are responsible for handling their client’s financial assets, they needed a solution that was secure from end-to-end. The firm chose Intel Expressway Cloud Access 360 (ECA360), and rolled out the solution for its Wealth Advisors initially with a plan to roll it out to its clients in the future.

How did Intel Cloud Access 360 fill their requirements?

1. Embedding cloud SSO portal into Sharepoint – Cloud Access 360 SSO portal publishing all the applications that can be single signed on, can be fully embedded into Sharepoint as a webpart without requiring any additional authentication.
2. Non-SAML applications –  Cloud Access 360 supported all the desired applications through either native connectors using custom APIs or form based authentication.
3. Branding and customization – The logo and look-n-feel of the end-user facing SSO portal page of Cloud Access 360 can be completely branded and customized using CSS style sheets.

According to the firm’s CIO, “The flexibility, security and other capabilities provided by Intel Expressway Cloud Access 360 will enable it’s firm to leapfrog legacy RIA environments and offer an architecture to harness  the entire financial services Rolodex* in a seamless, connected experience.”

Looking for more of such customer case studies – find them here

Implementing authorization services with standards like XACML empowers the security architect to enforce policy via a Gateway and answer the authorization queries from the source with the freshest and most specific data. Often the information needed to resolve authorization requests is stored beyond the directory and only available in a database or other repository.

The Cloud presents real integration challenges to the enterprise, what Gartner calls Cloudstreams and Cloud Service Brokerages focus on “integration, governance, and security impact points.”

In Part 1, we examined four Anti-Patterns that enterprises should avoid as they move the Cloud. These four Anti-Patterns are at the heart of dealing with the “Complexity Kills” problem that Gartner’s research shows as a recurring theme in Cloud migrations.

In Part 2, we looked at how open standards like SAML, Oauth, and OpenID can be used to mitigate the Anti-Patterns, when it comes to fine grained authorization and Attribute based Access Control that many Cloud applications require, standards like these are necessary but not sufficient for the overall identity architecture.

The old enterprise perimeter was based on network firewalls, but today applications are integrated, distributed via Cloud and consumed via Mobile apps. The network firewall is severely limited in this context. Fine grained authorization and Attribute Based Access Control help close out the gaps in Cloud Security by providing a Dynamic Perimeter that manages access control across these contexts.

Today’s reality is that users, systems and data are distributed. The genie is not going to be put back in the box, but access control policy enforcement can and should be centralized.

Centralizing access control policy enforcement is essential for:

• For Security architects to understand the boundaries in the system,
• For developers to know what and where to code for authorization operations
• For auditors to be able to review
• For testers to be able to identify vulnerabilities

Gateways are ideal for providing the Policy Enforcement Point function, to intercept requests before they reach the resource and ensure the request is authorized.

The trend line  in access control points to more fine grained access control and to have authorization decisions be policy based (rather than hard coded).

The four Anti-Patterns that we discussed show why trends continue in the direction of increased granularity and policy based access control.

Low/no access control – “we’ll see if it works and then turn on security later”

Access control is too important to be left up to developer discretion. Authorization and access control should be configured in policy, not hard coded. Externalizing the application’s authorization gives the enterprise several important advantages, including flexibility to route authorization requests to the system that has the most specific and freshest information.

Replicating user accounts – copying in full or an extract your Enterprise directory to the Cloud provider

XACML separates the Policy Enforcement Point (PEP: which protects the app) from the Policy Decision Point (PDP: which has the information to grant or deny the authorization request). This logical separation enables the enterprise to deploy its PEP on the Cloud Provider side to implement authorization enforcement while routing requests to PDP’s with the freshest and most specific attributes to answer the authorization request.

Separating the PEP and PDP means that the Gateway can intercept the request to the resource, route the request to the system with the freshest and most specific information, and enforce the policy. This pattern allows for a flexible, best of breed authorization architecture with the PEP and PDP tuned to control the authorization workflow. The PEP is responsible to enforce the chain of responsibilities in authorization and the PDP carries out the responsibility via querying data sources to grant or deny access.  Note, the information needed to make the grant or deny access may cross from Cloud Provider to enterprise Cloud.

Copying credentials – sometimes Enterprise copy credentials to Cloud based services; and thereby create a new pool of identity risk to manage.

Separating the PEP and PDP eliminates the need to hard code individual credentials to resolve access control challenges. This is because the PEP queries the PDP on behalf of the user to verify user’s attributes against the authorization target including the Resource and Action requested.

“Trusted” proxy – where trust is in name only

Trust, but verify means auditability. When authorization logic is strewn across millions of lines of code, auditing is impossible. Auditable systems must have authorization rules and logic that are clear and straightforward to review. Pulling key authorization policies out of the code and into XACML policies allows the Auditor to assess the target and ensure it meets the system owners’ goals.

Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission critical financial, financial exchanges, healthcare, manufacturer, and federal/Gov systems, as well as emerging start ups. Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, an Associate Editor for Information Security Bulletin, a contributor to the SEI and DHS Build Security In portal on software security, and an in-demand speaker at security conferences. He blogs at http://1raindrop.typepad.com.

I am proud to announce that we’ve developed an Expressway Service Gateway app for Splunk that provides operational intelligence for service gateway instances across any sort of network topology, including including monitoring across geographically separated data-centers. You can grab the plugin here.

Splunk can track and provide visibility for a host of important metrics such as the total number of transactions, policy invocations, requests from an IP address, requests to a back-end IP address (invocation), transactions per hour,  transactions per policy, top failures, CPU usage, as well as  produce PDF reports and searches across the Expressway transaction logs.  This provides a new level of operational intelligence for application level data, especially for Enterprises that expose services outside their Enterprise or use Expressway as a control point deployed on as a service provider, such as Amazon EC2 or Rackspace.

If you are interested in learning more about Intel(R) Expressway service gateway, please visit our website here.

-Blake

Here’s a “birds-eye-view” on our new Analyst Consensus page

-Jeff

Today, we are pleased to announce that Intel® has entered into a relationship with Box, a leader in the on-line file sharing and collaboration market. Now, Box customers can accelerate access to, and better protect, files stored on the Box cloud platform with end-to-end user account lifecycle management, consistent with enterprise security policies.

Box customers can use Intel® Expressway Cloud Access 360 (Intel® ECA 360) to provision and manage accounts on the Box platform, provide single sign-on (SSO) to their customers, and improve security with strong, multi-factor authentication, when needed. The combination of Intel ECA 360 and Box will help drive usage, improve productivity and address regulatory compliance directives. For more, visit the  Secure File Sharing resource page.

To learn more about the new and improved ECA 360 v2, please visit our web site at www.intel.com/go/identity.

Enterprises moving to the Cloud must avoid the Cloud Security Anti-Patterns. Luckily there are a set of open standards to use in this endeavor. Unfortunately, for enterprises there are many standards to choose from and it can be difficult at first to decipher what standards are addressing which problem set.

SAML, OAUTH, OpenId, and XACML are widely regarded by Cloud Security Alliance, Cloud providers, and the tech community as a whole as key building blocks to the Cloud. In each case, these standards have a unique value proposition towards addressing the Cloud Security Anti-Patterns.

Low/no access control – “we’ll see if it works and then turn on security later” This mindset is not limited to Cloud applications, its been around since the dawn of IT, but its at the root of many of thorniest issues in security. When security is not factored into the design at the beginning stages its very, very complicated to add it in later.

Home builders will often run wires and pipes inside walls of the homes they are building, leaving stubs where sinks, appliances and electric outlets can be added later. After all, who wants to rip up their walls just to add a new electric outlet?

Enterprises moving to the Cloud must look for strong access control protocols that enable:

• Tamper proof credentials
• Encrypting sensitive data
• Secure attribute exchange
• End to end authentication

Cloud security standards like SAML, OAUTH, OpenId, and XACML enable enterprises to move their applications and data to the Cloud while still implementing an access control regime that meets policy goals around enterprise control as described above.

Like deciding where the sinks should go while building out your houses’ foundation – with all the choices in identity standard, it can be difficult to know which one enterprises should implement. What’s important is to choose a Identity standards for you applications that are designed for newer Cloud applications because low and now access control leaves too many holes.

Replicating user accounts – copying in full or an extract your Enterprise directory to the Cloud provider. There are several security and compliance nightmares at work here. The Enterprise directory’s purpose in life is for the Enterprise to manage its user accounts, provision, deprovision, and assign group and role membership so that the business runs efficiently. Adding points of administration is a proven way to make this process less efficient and more error prone.

Of course, the problem with Replicating user accounts to the Cloud is immediately clear for most security architects, but the solutions can seem more elusive. The solution in this case requires that the Enterprise Directory stays under Enterprise control and management while still allowing for fine grained access control decisions on the Cloud Provider side. The challenge then is to facilitate the movement of identity information from the Enterprise-controlled User directory and give the Cloud provider applications the attributes they need to make authorization decisions. Oh, and your users would probably like Single Sign On (SSO) as well.

This is where standards like SAML provide a lot of value. Enterprises using SAML designate their Enterprise Directory as the Identity provider and the Cloud Service Provider consumes identity information as needed from the enterprise directory. The key distinction here is that the Cloud provider doesn’t manage the identity information. SAML profiles provide the standard protocols that enable applications to provide Single Sign On user experience and securely exchange attributes. This means the Cloud provider can make access control decisions based on identity information in the Enterprise directory without owning the management (and risk) of that directory.

Copying credentials – sometimes Enterprise copy credentials to Cloud based services; and thereby create a new pool of identity risk to manage. Related to the previous Replicating User Account Anti-Pattern, sometimes Enterprises will seek a temporary work around for Cloud Applications by copying credentials like system accounts and passwords that enable a magical, back door access to certain apps or data. Like all magic, its fun for a kids’ party trick, but not for running a business on.

Enterprises using Cloud application should focus on getting the benefits of the Cloud – scale, distribution, cost savings – but not confuse those benefits with a system that should be trusted with enterprise secrets. Credentials should remain under direct enterprise governance. Copying credentials like passwords to the Cloud Provider simply introduces too much risk where the credentials can be used to effect changes to enterprise accounts and systems.

As with the Replicating User Accounts Anti-Patterns, Enterprises should seek to enforce a separation with Identity Management (owned on the Enterprise side) versus Identity Consumption (owned on the Cloud Provider side) through standards like SAML, OpenID and oauth.

“Trusted” proxy – where trust is in name only As we discussed in Part 1, the first step to dealing with Cloud Security Anti-Patterns is deploying a Policy Enforcement Point to give the Information Security team a place to implement controls that avoid the Anti-Patterns and enable more robust security architecture. There is not a magic “pizza box” that you can simply route your Cloud traffic through to get the kind of security Cloud applications need.

The Proxy or Gateway that you select for mediating the communications to your Cloud provider(s) should be selected based on its support for identity and access standards, monitoring visibility, and ease of integration. The Cloud Security Alliance (https://cloudsecurityalliance.org/) guidelines provide a robust starting point for planning for these capabilities; these should be factored in from the very first Cloud deployment for your enterprise.

Gunnar Peterson is a Managing Principal at Arctec Group. He is focused on distributed systems security for large mission critical financial, financial exchanges, healthcare, manufacturer, and federal/Gov systems, as well as emerging start ups. Mr. Peterson is an internationally recognized software security expert, frequently published, an Associate Editor for IEEE Security & Privacy Journal on Building Security In, an Associate Editor for Information Security Bulletin, a contributor to the SEI and DHS Build Security In portal on software security, and an in-demand speaker at security conferences. He blogs at http://1raindrop.typepad.com.

VanRoekel gave his first major policy speech recently, since taking over for Vivek Kundra in August, signaling how he plans to move the administration’s IT reform ball forward.

In this Federalnewsradio.com post, read about how:

• OMB will promote “Share first” policy –The Office of Management and Budget will begin promoting a “share first” policy. VanRoekel said the idea is to have agencies look to others when buying technology or upgrading systems before going off on their own.
• “I envision a set of principles like XML First, Web Services First, Virtualize First and other firsts that will inform how we develop our Government’s systems.”
• “All of these elements are really grounded in the foundation that is cybersecurity.”

Toward these goals, you can deploy Intel Expressway Service Gateway, a purpose-built cross domain service gateway that enables secure collaboration amongst agencies.

You can address perimeter defense with wire speed XML threat protection, complex security policy enforcement and ready multi-factor integration to identity infrastructure.

And you get the Intel advantage since Intel Expressway Service Gateway has been engineered to take advantage of Intel hardware optimizations to deliver best in class performance and hardened, high-assurance security.

Please reach out to us at  intelsoainfo@intel.com or call 978-948-2585 if you need assistance.

Federal Cloud Security Initiatives Explained – Choosing the Right Standards and Technologies

Mapping the alphabet soup of federal cloud security initiatives is a daunting task. Tim Grance from NIST and federal security expert Gunnar Peterson join forces to decompose the funded programs and standards initiatives to recommend an adoption path for cloud security. Tim begins with a grounding in NIST’s baseline cloud security architectures/guidelines. Gunnar follows with insight into how these practices have been incorporated into programs such as NSTIC, FedRamp, FICAM, Cyberscope, and DOD-PKI.  This will be followed with additional guidance on some of Intel’s solutions from Intel Application Security & Identity Products Chief Architect, Andy Thurai. A group discussion will comment on the adoption timelines, real world use cases, and applicable COTs commercial technologies. Attendees of this webinar will receive a copy of Gunnar Peterson’s Federal Cloud Security white-paper. Sponsored by Intel & McAfee.

Register here:

http://washingtontechnology.com/webcasts/2011/10/intel-mcafee-cloud-security-100611.aspx?tc=page0