Cloud Buyers
Date post: 02-Apr-2018
Upload: kent-white

7/27/2019 Cloud Buyers

Cloud Identity Buyers Guide
Identity & Access Management in the Cloud

WHITE PAPER

Paper Focus:

- Outsourcing identity and access management to the cloud
- IAM for SaaS apps: tradeoffs and concerns
- Implementation, integration and operational requirements
- Cloud Service Broker technologies
- Detailed sample RFP template

Abstract

In this Buyers Guide, Intel discusses how your organization can deploy and manage an effective, efficient identity and access management solution for cloud applications.

Cloud Identity Buyers Guide

1: Executive Summary
2: Problem Statement
  2.1: Automating IAM for SaaS
    2.1.1: Internet Single Sign-On (SSO)
    2.1.2: Strong Authentication
    2.1.3: Identity Lifecycle Management
  2.2: Regulatory Requirements
    2.2.1: Privacy Laws
    2.2.2: Industry-specific Requirements
3: Use Cases & Integration Requirements
  3.1: SSO for Cloud Apps
  3.2: Strong Authentication for Cloud Apps
    3.2.1: Context-aware Authentication
  3.3: Identity Lifecycle Management for Cloud Apps
    3.3.1: Provisioning Standards
  3.4: Operational Management
    3.4.1: Management Portal
    3.4.2: SSO Portal
  3.5: On-Premise Deployment
  3.6: In The Cloud Deployment
  3.7: Hybrid Deployment
4: Cloud Service Broker Security Ecosystem
  4.1: Security Gateway
5: Intel & McAfee Resources
  5.1: McAfee Integration
6: More Info & Other Resources
7: Appendix I - Sample RFP
8: Appendix II - Industry Glossary & Acronyms

1: Executive Summary

The software-as-a-service (SaaS)[1] application delivery model is growing rapidly. SaaS is taking over the world. That's the good news. However, customers who adopt the SaaS model struggle to manage the overwhelming number of user accounts they have to create. Their users are constantly forgetting their passwords and calling the help desk. They are unhappy because they have to re-enter their user ID and password every time they log on to an application during the day. Overwhelmed IT administrators take too long to create accounts for new users. When a user leaves the organization, their SaaS accounts remain active, increasing the risk of data exposure.

All this consumes resources, increases enterprise risk, and costs your organization time, money and effort. You need help to reduce the complexity of managing the hundreds or thousands of SaaS accounts your users require: not just employees, but others too, like contractors, partners, distributors and customers.

Enterprises of all sizes are embracing cloud computing because of the many advantages it provides. These include lower costs, greater business agility, reduced IT administrative overhead, access to best-of-breed applications, and more. Industry analyst firm IDC reports the SaaS market reached $16.6 billion in revenue in 2010 and is projected to grow at more than 25% per year between now and 2015.

The cloud contains solutions that address virtually any conceivable business need: sales, marketing, human resources, collaboration and communication, finance, legal, etc. However, this proliferating profusion of solutions has created a daunting operational challenge: how to efficiently manage the profusion of identities that users require, one for each cloud application they access. If you have 1,000 employees, each accessing 10 cloud applications on average, that's 10,000 unique identities to manage.

In the Cloud Computing Technology Roadmap, the National Institute of Standards and Technology (NIST) advises, "the need for trusted identities and secure and efficient management of these identities while users' privacy is protected is a key element for the successful adoption of any cloud solution."[2] The best way to address these concerns is to deploy strong identity management processes and technologies to ensure that only authorized users have access to cloud applications.

In this Cloud Identity Buyers Guide, Intel discusses how your organization can design, deploy and manage an effective, efficient identity and access management solution for SaaS applications in two different scenarios:

- To the cloud: IAM for SaaS applications from an on-premise platform
- In the cloud: IAM for SaaS applications from an on-demand platform

2: Problem Statement

This Buyers Guide discusses the issue of identity and access management (IAM) for cloud applications. It outlines the issues that need to be addressed, suggests some approaches to solving those issues and wraps up with an overview of the products from Intel that are designed to help companies manage their SaaS account identities more effectively and efficiently.

[Figure 1: Identity to the Cloud. Components shown: User, Authentication, Attributes, Account Sync, Active Directory, IAM System, SaaS Apps]

[1] See Appendix II - Industry Glossary & Acronyms on pg. 18.
[2] US Government Cloud Computing Technology Roadmap, Volume I, National Institute of Standards and Technology, Special Publication 500-293, Nov. 2011

We discuss some of the technologies available to:

- Manage the end-user identity lifecycle from creation to termination.
- Provide users with greater convenience by eliminating the need for them to remember user IDs and passwords for multiple systems.
- Protect sensitive systems with strong multi-factor authentication.
- Empower IT administrators to easily monitor and manage all SaaS access activities and ensure compliance with relevant regulations.

We evaluate various identity management standards, such as Service Provisioning Markup Language (SPML), Security Assertion Markup Language (SAML), OpenID, and OAuth, which help ensure that the ability to access enterprise SaaS solutions will keep pace as the industry matures.

By making these fundamental capabilities an essential part of your overall cloud initiative, you will be able to enjoy the many benefits of the cloud, while simultaneously protecting your vital corporate assets from unauthorized access, improving your users' cloud experience, and controlling costs.

2.1: Automating IAM for SaaS

As you expand your utilization of SaaS and accumulate more and more applications with varying underlying security and architecture models, you may quickly find yourself dealing with a wide variety of user interfaces, application programming interfaces (API), security policies, and management tools.

Automating IAM for SaaS applications can simplify these problems in a number of ways.

2.1.1: Internet Single Sign-On (SSO)

As more SaaS applications become part of the enterprise portfolio, users desire the convenience of a single entry point into all their applications.

Users are notorious for unsafe password practices:

- They may use the same password for more than one application, increasing the risk to multiple applications if one of them is compromised.
- If they have to remember a large number of user ID/password combinations, they may write them down and post them in a convenient, yet insecure, location, such as under their keyboard.
- They may choose passwords that are easy to remember and, therefore, easy to break.

Implementing single sign-on for SaaS apps relieves end-users of the responsibility of managing their passwords while providing a high level of assurance that they have been properly authenticated. SSO reduces time wasted logging on and logging off work systems. It virtually eliminates password reset calls to your IT administrator or help desk, freeing up those resources to focus on more value-added work. And, it eliminates many of the potential security risks associated with weak passwords.

2.1.2: Strong Authentication

One of the leading reasons for not outsourcing identity and access management (IAM) to the cloud is concern for the security of user credentials. In cases where the risk associated with access is high, even the strongest password management practices may be regarded as insufficient to adequately protect user credentials in the cloud.

What organizations are looking for is the ability to invoke strong, multi-factor authentication (MFA) in situations where it is essential to validate a user's identity with more than a user ID and password. Candidates for strong authentication include users who are accessing a particularly sensitive app, who are located outside the firewall, who are contractors or other temporary hires, or who belong to a particular group.

[Figure 2: Identity in the Cloud. Components shown: User, Authentication, Attributes, Account Sync, Active Directory, IAM System, SaaS Apps]

Implementing Internet SSO gives you the ability to provide users with access to hundreds of external sites using a single set of credentials, through a single portal. If those credentials are compromised, then all the target sites are at risk. In this use case, where simply entering a user ID/password may not be sufficient protection, MFA provides an excellent strategy to protect multiple apps by controlling access to the SSO portal. It enables your organization to secure the cloud-based portal, bringing it up to enterprise security standards.

This need has led to the emergence of various strong authentication technologies, as listed in Table 1.

Over the past few years, soft token technology has emerged which leverages something your users probably already have: their cell phone or other mobile device. Soft tokens have a number of advantages over hardware tokens, including the fact that they can be delivered via a variety of out-of-band channels.

2.1.3: Identity Lifecycle Management

Identity lifecycle management encompasses all the activities that IT administrators and security personnel perform to manage the user accounts, from creating a SaaS application account to terminating it when the user leaves the organization. This identity lifecycle is often referred to as the CReate-Update-Delete (CRUD) process.

Table 1: Multi-factor Authentication Technologies

APPROACH: Biometrics
DESCRIPTION: Relies on physical characteristics (iris, fingerprint, voiceprint, etc.) of the user.
- High administrative overhead: expensive to deploy, configure and maintain.
- Limited portability.
- Inflexible: typically linked to a single application or entry point.

APPROACH: Hardware Token
DESCRIPTION: Uses a dedicated device, such as an RSA* SecurID* token.
- Proprietary solution: may be complicated to install, configure, distribute and manage.
- Insecure: customers have to replace all their tokens in the event the vendor sustains a breach.
- Typically configured for a single application, which limits usefulness when you are deploying multiple cloud applications using multiple service providers.

APPROACH: Software Token
DESCRIPTION: Based on something your user (employee, contractor, customer, business partner, etc.) probably already has.
- Low management overhead: doesn't require you to purchase, distribute and manage multiple single-use hardware devices.
- Flexible: can be delivered through multiple channels: smartphone app, SMS text message, email, IM, Skype, etc.
- Secure: service provider doesn't hold seeds that can be compromised.

Table 2: Identity Lifecycle Stages

STAGE: Create
DESCRIPTION: Provisioning new hires quickly is important, since a delay in provisioning users results in a loss of employee productivity. Other employee lifecycle events, such as open enrollment for healthcare benefits, can also drive the need to create large numbers of identities in a relatively short period of time.

STAGE: Update
DESCRIPTION: As your users' attributes change (e.g., transfer to another department or relocation to a new office), they should be updated in their identity profile, where appropriate.

STAGE: Delete
DESCRIPTION: When your employee leaves the organization, you need a mechanism to delete or disable their accounts on the target system(s). Otherwise, your organization risks allowing non-employees to access corporate data through these orphan accounts. Orphan accounts can also cost money in excess license or subscription fees.
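The three stages in Table 2 come together in a reconciliation pass that compares the authoritative repository with what a target application reports back. The sketch below is an added example written for this guide, not code from the paper or from any vendor product; it derives create, update and delete actions and flags the orphan accounts the Delete row warns about. The `Person` and `SaasAccount` record shapes and the sample HR and CRM data are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Person:
    """Record from the authoritative repository (HR system or directory)."""
    user_id: str
    department: str
    location: str
    active: bool          # False once HR marks the person as departed


@dataclass(frozen=True)
class SaasAccount:
    """Account as reported back by a target SaaS application."""
    user_id: str
    department: str
    location: str
    enabled: bool


@dataclass(frozen=True)
class Action:
    stage: str            # "create", "update" or "delete" (the CRUD stages)
    app: str
    user_id: str
    detail: str


def reconcile(app: str, people: Iterable[Person],
              accounts: Iterable[SaasAccount]) -> List[Action]:
    """Compare the repository with one target app and derive lifecycle actions."""
    by_person = {p.user_id: p for p in people}
    by_account = {a.user_id: a for a in accounts}
    actions: List[Action] = []

    # Create: active people who have no account on the target yet.
    for uid, p in by_person.items():
        if p.active and uid not in by_account:
            actions.append(Action("create", app, uid,
                                  f"provision {p.department}/{p.location}"))

    for uid, acct in by_account.items():
        p = by_person.get(uid)
        if p is None or not p.active:
            # Delete: an orphan account. Either HR has never heard of the owner
            # or the owner has left; either way it must not stay enabled.
            if acct.enabled:
                reason = "no matching HR record" if p is None else "user departed"
                actions.append(Action("delete", app, uid, f"disable: {reason}"))
            continue
        # Update: attribute drift between the repository and the target.
        drift = []
        if acct.department != p.department:
            drift.append(f"department {acct.department}->{p.department}")
        if acct.location != p.location:
            drift.append(f"location {acct.location}->{p.location}")
        if drift:
            actions.append(Action("update", app, uid, "; ".join(drift)))

    return sorted(actions, key=lambda a: (a.stage, a.user_id))


# Constructed sample data: an HR extract and the account list of one CRM app.
HR_RECORDS = [
    Person("alice", "Sales", "Austin", True),
    Person("bob", "Finance", "Boston", True),         # moved from Accounting
    Person("carol", "Engineering", "Denver", False),  # left the company
    Person("erin", "Support", "Austin", True),        # new hire, not provisioned yet
]
CRM_ACCOUNTS = [
    SaasAccount("alice", "Sales", "Austin", True),
    SaasAccount("bob", "Accounting", "Boston", True),
    SaasAccount("carol", "Engineering", "Denver", True),  # orphan, still enabled
    SaasAccount("dave", "Marketing", "Austin", True),     # unknown to HR
]


def demo() -> List[Action]:
    """Run the reconciliation over the constructed data."""
    return reconcile("crm", HR_RECORDS, CRM_ACCOUNTS)


if __name__ == "__main__":
    for a in demo():
        print(f"{a.stage:6} {a.app} {a.user_id:6} {a.detail}")
```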


Ordinarily, when a new employee comes on board, your IT administrator or application owner must use the SaaS application management interface to create an account for your users containing their user ID, password, and other useful attributes (department, phone number, manager, location, etc.). This process, which is the first step in the CRUD cycle, is typically referred to as provisioning.

Over time, employee attributes change, which often requires updates to their application profiles.

Finally, the employee leaves the organization, which results in the need to block them from being able to access sensitive SaaS apps. The effort and expense required to manage the CRUD process is affected by a number of factors: number of employees, number and variety of target SaaS applications, employee turnover, and seasonal hiring/firing patterns. As companies expand over time, they typically reach a point where the cost and inconvenience required to manage this process becomes high enough that it makes sense to consider automating it.

Other features provided by automation can include a management console which provides provisioning/de-provisioning tools, as well as the ability to monitor user access activities, generate alerts and collect event data logs.

Logs can be used for various purposes, such as capacity planning, audit and compliance reporting. The latter are particularly important in certain regulated industries.

2.2: Regulatory Requirements

Automating IAM processes can help your organization comply with various industry requirements and government regulations.

2.2.1: Privacy Laws

Many jurisdictions in the United States and other countries require companies that capture and store private personal information to take specific steps to protect that data from unauthorized access.

2.2.2: Industry-specific Requirements

Certain regulated industries have requirements for protecting private, personal or financial information from unauthorized access. In some instances, these requirements are published by industry organizations, while in others they are mandated by the government. A few examples include:

- PCI DSS: the Payment Card Industry Data Security Standard is an example of non-government industry requirements. PCI DSS was developed by a consortium of payment card vendors (American Express, Discover, Visa, Mastercard, etc.). It specifies processes to protect personal information on credit cards or debit cards, including access controls and provisioning/de-provisioning of user accounts with access to payment card data.
- HIPAA: the Health Insurance Portability and Accountability Act mandates that healthcare providers implement procedures to protect personal health information data from disclosure. These include managing and monitoring access rights and enforcing secure password policies.
- FFIEC: the Federal Financial Institutions Examination Council standards require multifactor authentication (MFA) to protect against the tactics of increasingly sophisticated hackers, particularly on the Internet.
- GLBA: the Gramm-Leach-Bliley Act states that "each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information."

3: Use Case and Integration Requirements

3.1: SSO for Cloud Apps

Cloud SSO improves end-user convenience and productivity: users log on once to a trusted, secure portal controlled by their enterprise (either on-premise or in the cloud), and access authorized SaaS applications with a single click.

Cloud single sign-on requires a high degree of integration between the IAM/SSO system and the target application(s). The Security Assertion Markup Language (SAML) is the standard of choice for authentication and authorization between domains. SAML has several important attributes:

- SAML is a widely adopted standard which is supported by most major SaaS application vendors.
- SAML is based on a proven federated trust model.
- SAML doesn't require a password. A SAML-protected service provider relies on the ability of a trusted identity provider to verify a user's identity.

Ideally, the solution should provide out-of-the-box SSO for a wide variety of popular SaaS applications. Buyers should seek out SaaS solutions which support SAML and ensure that their IAM solution also supports it in order to provide the foundation for secure federated SSO. Other authentication standards to consider include OAuth and OpenID. Most standards-based SSO is sometimes referred to as federated SSO, since there is a trusted relationship between the user and the various systems responsible for authentication.

If a SaaS application vendor does not support federated SSO using a standard, such as SAML, OAuth or OpenID, they may provide support for HTTP forms authentication or a proprietary API. When considering an IAM solution for SaaS, make sure the vendor supports the authentication model(s) supported by your SaaS app vendors.

Table 3: SaaS Authentication Models

AUTHENTICATION: SAML
DESCRIPTION: Uses industry-standard assertions (SAML token) provided by trusted target platforms, ensuring future compatibility as technology evolves; reduces risk (since SAML assertions contain no passwords) and addresses cloud identity regulatory compliance concerns.

AUTHENTICATION: OpenID
DESCRIPTION: OpenID is used by a resource provider (typically a website) to authenticate a user by redirecting the user's browser to an identity provider, which provides an authentication token used to obtain access. OpenID is designed for use over HTTP, so its use is limited to browsers.

AUTHENTICATION: OAuth
DESCRIPTION: Unlike OpenID, OAuth is designed to be protocol-independent. Applications using OAuth can theoretically request/receive authentication tokens through a REST API using various protocols, including SAML, JSON (JavaScript Object Notation) or proprietary APIs.

AUTHENTICATION: HTTP Forms
DESCRIPTION: Thousands of SaaS applications require users to authenticate by entering a user ID/password via a web form. SSO that works with HTTP forms enables the user to enter their user ID and password once. Their credentials are then stored in a secure password vault and transparently replayed whenever the user logs in after that.

AUTHENTICATION: Native API
DESCRIPTION: A smaller number of applications support SSO by exposing an API that can be called by the SSO software.

[Figure 3: Federated SSO in the Cloud. Components shown: User, Authentication, SSO Portal, Federated SSO, SaaS Apps]

3.2: Strong Authentication for Cloud Apps

Strong authentication in a cloud environment can be performed using hard or soft tokens. Using a soft token for MFA, rather than a hardware token, has a number of advantages:

- There is no need to purchase, distribute, manage or handle break/fix issues with a soft token.
- A self-service portal can be provided where users can register their mobile device or download a smartphone app.
- If a device, such as a phone, is lost or stolen, the user can replace the old phone number with a new one, effectively disabling the missing phone.
- Soft tokens can be configured to work with multiple apps, while hardware tokens are typically associated with a single application.

The most popular method of delivering a soft token is via an out-of-band mobile device, such as a smartphone app or a standard cell phone using SMS text messaging. In this scenario, a user is challenged to enter a one-time password (OTP) as part of the authentication process. The system sends the OTP to the device. Without physical possession of the mobile device, the user (or a hacker) is unable to log on.

Integration requirements include a secure service-based architecture which can prompt the user to enter an OTP, generate the OTP, deliver it to the device for the user to retrieve, and verify it once entered. Secure authentication depends on maintaining the integrity of the data flow across the network, as well as user training on how to protect their cell phone, or other mobile device, from compromise. Buyers should evaluate the complexity of the system, as well as the ease and convenience of the end-user registration process.
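The generate, deliver and verify steps just listed, as an added example written for this guide rather than code from the paper or from Intel's products: the IAM-side service issues an OTP, hands it to an out-of-band channel, and accepts it exactly once within its lifetime, so a code that is intercepted, replayed or guessed does not open the door. The `RecordingSmsGateway` stub standing in for the SMS channel, the `clock` parameter and the sample user are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120     # a challenge is only valid for two minutes
MAX_ATTEMPTS = 3          # after three wrong codes the challenge is void


@dataclass
class Challenge:
    user_id: str
    code: str
    issued_at: float
    attempts: int = 0


class RecordingSmsGateway:
    """Stand-in for the out-of-band channel (constructed for this example)."""

    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def deliver(self, phone_number: str, message: str) -> None:
        self.sent.append((phone_number, message))   # a real one calls an SMS/push API


class OtpService:
    """IAM-side half of the OTP challenge/response exchange in Figure 4."""

    def __init__(self, deliver: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self._deliver = deliver
        self._clock = clock
        self._challenges: Dict[str, Challenge] = {}

    def issue_challenge(self, user_id: str, phone_number: str) -> None:
        """Generate a fresh OTP and send it to the registered device only."""
        # secrets.randbelow draws from the OS CSPRNG; zero-padding keeps the
        # code OTP_DIGITS wide so leading zeros are not lost.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Issuing again replaces any earlier outstanding challenge.
        self._challenges[user_id] = Challenge(user_id, code, self._clock())
        self._deliver(phone_number, f"Your one-time passcode is {code}")

    def verify(self, user_id: str, submitted: str) -> bool:
        """True exactly once for the correct code within its lifetime."""
        ch = self._challenges.get(user_id)
        if ch is None:
            return False                   # nothing outstanding, or already used
        if self._clock() - ch.issued_at > OTP_TTL_SECONDS:
            del self._challenges[user_id]  # expired: the user must request a new one
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._challenges[user_id]  # too many guesses: void the challenge
            return False
        # Constant-time compare: a wrong guess must not leak how many digits matched.
        if not hmac.compare_digest(ch.code.encode(), submitted.encode()):
            return False
        del self._challenges[user_id]      # single use: consumed on success
        return True


def demo() -> Dict[str, object]:
    """Walk the flow under a controllable clock and return each outcome."""
    now = [1_700_000_000.0]
    gateway = RecordingSmsGateway()
    svc = OtpService(gateway.deliver, clock=lambda: now[0])
    user, phone = "alice", "+1-555-0100"   # constructed sample user and number

    def read_phone() -> str:               # the code as the user sees it on the device
        return gateway.sent[-1][1].split()[-1]

    svc.issue_challenge(user, phone)
    code = read_phone()
    wrong = "000000" if code != "000000" else "111111"
    outcomes = {"wrong_code": svc.verify(user, wrong),
                "right_code": svc.verify(user, code),
                "replay": svc.verify(user, code)}      # must fail: already consumed

    svc.issue_challenge(user, phone)
    code = read_phone()
    now[0] += OTP_TTL_SECONDS + 1
    outcomes["expired"] = svc.verify(user, code)

    svc.issue_challenge(user, phone)
    code = read_phone()
    wrong = "000000" if code != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        svc.verify(user, wrong)
    outcomes["after_lockout"] = svc.verify(user, code)  # must fail: challenge voided
    outcomes["messages_sent"] = len(gateway.sent)
    return outcomes
```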

3.2.1: Context-aware Authentication

With most vendor solutions, strong authentication is available as an all-or-nothing approach. What some IT administrators desire is the ability to selectively invoke MFA in particular scenarios. For example, it may make sense to invoke MFA for a specific group of users; when a user is in an insecure location or on a public network; or is accessing the SaaS application from a previously unknown device or IP address. Context-aware authentication allows you to define business rules that selectively enforce MFA, based on user identity-related attributes.
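The business rules this section describes (group membership, off-network access, sensitive application, unknown device) as a small policy engine; this is an added example written for this guide, not code from the paper or from any vendor's product. The rule names, the corporate address ranges, the app names and the sample requests are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class AccessContext:
    """What the IAM system knows about one access request."""
    user_id: str
    groups: Set[str]
    source_ip: str
    device_id: str
    app: str


@dataclass(frozen=True)
class Rule:
    name: str
    applies: Callable[[AccessContext, "PolicyEngine"], bool]


class PolicyEngine:
    """Decides whether MFA is required for a request; any matching rule is enough."""

    def __init__(self, corporate_networks: Iterable[str], sensitive_apps: Iterable[str],
                 mfa_groups: Iterable[str], known_devices: Dict[str, Set[str]]) -> None:
        self.corporate_networks = [ipaddress.ip_network(n) for n in corporate_networks]
        self.sensitive_apps = set(sensitive_apps)
        self.mfa_groups = set(mfa_groups)
        # user_id -> device identifiers seen after a previous successful MFA
        self.known_devices = {u: set(d) for u, d in known_devices.items()}
        self.rules: List[Rule] = [
            Rule("group-requires-mfa",
                 lambda c, e: bool(c.groups & e.mfa_groups)),
            Rule("sensitive-app",
                 lambda c, e: c.app in e.sensitive_apps),
            Rule("off-corporate-network",
                 lambda c, e: not e.is_corporate_ip(c.source_ip)),
            Rule("unknown-device",
                 lambda c, e: c.device_id not in e.known_devices.get(c.user_id, set())),
        ]

    def is_corporate_ip(self, ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False            # unparseable source address: treat as untrusted
        return any(addr in net for net in self.corporate_networks)

    def evaluate(self, ctx: AccessContext) -> Tuple[bool, List[str]]:
        """Return (mfa_required, names of the rules that fired)."""
        fired = [r.name for r in self.rules if r.applies(ctx, self)]
        return bool(fired), fired

    def enrol_device(self, user_id: str, device_id: str) -> None:
        """Call after the user passes MFA so the device is known next time."""
        self.known_devices.setdefault(user_id, set()).add(device_id)


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the sample policy over constructed requests and return each decision."""
    engine = PolicyEngine(
        corporate_networks=["10.0.0.0/8", "192.0.2.0/24"],   # constructed ranges
        sensitive_apps=["payroll"],
        mfa_groups=["contractors"],
        known_devices={"alice": {"laptop-a1"}},
    )
    requests = {
        "alice-office-known-device": AccessContext("alice", {"staff"}, "10.1.2.3", "laptop-a1", "crm"),
        "alice-public-network":      AccessContext("alice", {"staff"}, "203.0.113.7", "laptop-a1", "crm"),
        "alice-office-new-phone":    AccessContext("alice", {"staff"}, "10.1.2.3", "phone-z9", "crm"),
        "alice-office-payroll":      AccessContext("alice", {"staff"}, "10.1.2.3", "laptop-a1", "payroll"),
        "carol-contractor-office":   AccessContext("carol", {"contractors"}, "10.5.5.5", "vm-c2", "crm"),
    }
    decisions = {name: engine.evaluate(ctx) for name, ctx in requests.items()}
    # Once Alice has passed MFA on the new phone it is enrolled and stops firing.
    engine.enrol_device("alice", "phone-z9")
    decisions["alice-office-new-phone-after-mfa"] = engine.evaluate(requests["alice-office-new-phone"])
    return decisions
```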

3.3: Identity Lifecycle Management for Cloud Apps

The basic identity lifecycle for SaaS applications consists of provisioning, managing and de-provisioning user accounts in the cloud. Provisioning requires tools and processes to create user accounts on target SaaS platforms. The SaaS application administrator should have the ability to create multiple target accounts in as few steps as possible. Similarly, when the user leaves the organization, you should determine if the system supports an automated process for disabling or deleting their SaaS application accounts.

There are two basic provisioning models for SaaS applications: to the cloud and in the cloud. Provisioning to the cloud from an internal site requires the ability to establish a connection between the provisioning engine and the target application(s). This connection will be responsible for creating the user account on the target system and maintaining that account over time.

Provisioning in the cloud means delivering the provisioning engine as a cloud-based service offering. This is commonly referred to as identity and access management-as-a-service (IAMaaS). In this scenario, the system administrator uses the cloud service to create and maintain SaaS application accounts. Depending on business requirements, the IAMaaS service may require establishing a connection to an internal identity repository.

Many enterprises have an authoritative enterprise identity repository. Integration with this repository is useful to keep user identities in the repository synchronized with the various identities managed in target applications. The repository typically contains information such as the user's identifier (user ID), password (in encrypted format), name, location, phone, department, logical groups, and other user-specific attributes. In most organizations, this data is held in Active Directory (AD) from Microsoft*, an enterprise LDAP directory, or in a database managed by a human resources (HR) system, such as PeopleSoft* or SAP*.

[Figure 4: Strong Authentication with OTP. Elements shown: User, IAM System, SaaS Apps; messages: Access Request, OTP Challenge, OTP, Access Request, Access Granted]

There may be instances where the identity attributes of different categories of users are stored in different repositories. An organization may keep the identities of regular employees in an HR system of record, contractor identities in a relational database, and customer identities in a customer relationship management system, such as Salesforce*. It's also not unusual for a single user's identity attributes to be stored in multiple locations, such as an employee name, ID#, manager, location and phone number in the HR system of record, while their network user ID, network password and email address are stored in AD.

When evaluating your integration requirements, it may be necessary to examine multiple systems to determine where relevant user identity attributes are stored.

Integration with internal repositories addresses multiple purposes: provisioning, profile synchronization, and authentication. For example, when provisioning a SaaS account for a user, the attributes in the various repositories may be passed along to the target system, and kept in synch with the target system as they change over time (e.g., a user transfers between departments or moves to a new location). Centralized user authentication relies on the user being authenticated once when they log on to their PC or a network. Once the user is reliably authenticated, that can provide the basis for enabling secure SSO to various target SaaS applications.

Regardless of which scenario (IAM in the cloud or on-premise) is used, the basic lifecycle is the same: an administrator uses the system to establish one or more SaaS application accounts on behalf of users, manages those accounts over time, and deletes or disables the accounts when the user leaves the organization. You should evaluate the ability of each vendor to support both provisioning AND de-provisioning for key SaaS applications.

3.3.1: Provisioning Standards

The Service Provisioning Markup Language (SPML) standard was established to facilitate a vendor-neutral process for provisioning and managing accounts on target applications. Unfortunately, it is not widely supported by application vendors. As a result, IAM solution vendors have needed to create customized provisioning interfaces for each target application. Recently the Simple Cloud Identity Management (SCIM) provisioning protocol has emerged. This new protocol is expected to be supported by influential SaaS providers, including Salesforce and Google.

Given the uncertain state of provisioning standards, you should carefully evaluate what provisioning capabilities are exposed by your SaaS vendors and whether the IAM solution you are considering supports those capabilities. Otherwise, you will need to work with your IAM vendor to create and maintain customized provisioning connectors.

3.4: Operational Management

3.4.1: Management Portal

The system should provide a management console that enables administrators to manage the identity lifecycle and monitor all identity-related events.

The console should deliver real-time utilization data, indicating recent successful and unsuccessful access attempts, as well as historical data that can be analyzed and provides a basis for utilization and compliance reporting, if your organization is subject to industry regulations.

[Figure 5: Management Console]

3.4.2: SSO Portal

Many organizations provide employees with access to an enterprise portal used to provide convenient access to various applications. Common examples include IBM WebSphere*, Oracle WebLogic* and Microsoft SharePoint*. In many instances, the portal is responsible for authentication of a user's identity, or it may rely on another authentication system, such as Windows.

When selecting an on-premise IAM system, you should ensure that it will be compatible with your existing or planned enterprise portals. Implementing an IAM system that supports your enterprise portal enables you to create personalized portal pages, where authenticated users can have secure access to the various SaaS applications they are authorized to use. One advantage of using a personalized SSO portal approach is that users can be blocked from access to apps they are not authorized to use.

The same approach can be taken to an on-demand SSO portal by providing users with a personalized landing page in the cloud. Once the user authenticates to the page, they will see all the SaaS applications they are authorized to access and click on the icon to log on.

In today's cloud access environment, it has become standard to provide users with access to dozens or hundreds of pre-configured cloud apps. During the evaluation process, determine whether or not your vendor can provide this capability, since without it, your IT team will have to design and implement web links and other features of the portal.

[Figure 6: End-user SSO Portal]

3.5: On-Premise Deployment

An on-premise solution is the traditional approach to implementing IAM. The major advantage on-premise systems have is their ability to integrate with various internal systems behind the firewall, such as an authoritative identity repository.

Some organizations consider user credentials to be the "keys to the kingdom" and feel more secure knowing that they are held internally and are relatively safe from external attack. However, this advantage may not be as strong as it might have once been. More than one organization has been broken into by a skilled hacker and user identities and passwords stolen, exposing the enterprise to further attacks.

Like most other on-premise systems, an on-premise IAM solution typically involves acquiring dedicated hardware, a perpetual software license and paying for ongoing annual maintenance fees. These up-front costs can be ameliorated by using virtualization technology to enable greater utilization of existing systems, and obtaining an annual subscription license rather than a perpetual software license. In addition, if extensive customization or configuration is required, you may wind up paying the vendor or a system integrator for deployment, integration and other professional services. Finally, operational expenses tend to be higher, since dedicated IT personnel with specialized skills or training are typically required to manage and maintain the system, including backup/recovery, patching, configuration management, updates, etc.

  • 7/27/2019 Cloud Buyers

    12/20

3.6: In the Cloud Deployment

As the cloud has become more popular over the past several years, more companies are considering the advantages of outsourcing their IAM software to a cloud-based services provider:

• Off-premise computing services convert fixed costs to variable costs: the customer buys services as they are utilized, not for the fixed capacity available for use that must be amortized over the useful life of the asset.

• Most service providers utilize a multi-tenant architecture, which enables them to cut costs and pass those savings on to customers.

• Service delivery is elastic and responsive to dynamically changing business circumstances: customers can expand service volume without worrying about adding more internal hardware capacity.

• Operational complexity is eliminated: the service provider is responsible for operational details, such as backup/recovery, updates, patches, etc. SLAs are available to meet demanding availability and reliability requirements.

• Shifting from owned assets to contracted services may improve the company's balance sheet by increasing both return on assets and financial leverage, raising the company's return on equity.

• Implementation is relatively quick. On-demand customers can start small with a trial and expand as needed. Full deployment can occur in less than 30 days for fast, visible ROI.

There are several commonly seen adoption scenarios for IAMaaS. In one scenario, a large enterprise might start using IAMaaS to manage external workers (such as contractors, temps or business partners), or in support of a merger or acquisition. IAMaaS in this scenario may be a good way for an enterprise to test the waters and validate the usefulness of IAMaaS. Some companies, such as small to medium (SMB) organizations, have adopted a "Cloud First" model and are comfortable with building their infrastructure in the cloud. These companies are likely to have a relatively unsophisticated on-premise identity infrastructure, consisting primarily of an enterprise directory, such as Microsoft AD. By adopting an IAMaaS approach, they get the ability to leverage best-of-breed features provided by leading-edge IAM vendors in the cloud.

There are two major issues that companies should consider when moving their user identities to the cloud.

The first is security. Evaluation of a vendor's service offering must include a rigorous security review to ensure the vendor's infrastructure and operational procedures deliver the highest level of asset protection, commensurate with the cost.

The other is the risk associated with the vendor's business model. Companies considering moving IAM functions to the cloud should consider more than the features/functions offered by competing vendors. In particular, the vendor's strength and viability on a number of dimensions (financial, engineering, support services, etc.) should be evaluated. Placing critical business functions, like identity, into the hands of a fast-growing startup requires explicit consideration of their ongoing viability. When negotiating with a vendor, be sure you understand what will happen to your assets in the event the vendor is acquired, encounters cash flow or other growth-related problems, or goes out of business.

3.7: Hybrid Deployment

Some companies choose to deploy a hybrid solution. There are a variety of available scenarios, such as moving the identity and access management function to the cloud, but maintaining a link to an internal repository for automated identity provisioning and synchronization. Another is to use an internal solution for managing the identities of employees, while using an IAMaaS solution to manage identities of external users.

Regardless of the model you select, you also need to consider the vendor's support for enterprise-class features, such as:

• Security: the system should protect all networked transactions with strong encryption using SSL/TLS.

• High availability: the system should support clustering and other technologies that ensure continued operations in the event of a component failure.

• Performance: the system should be able to scale up to support thousands of transactions per second without noticeable degradation of end-user response time.


4: Cloud Service Broker Security Ecosystem

One element that's important for organizations moving their identity and other IT assets to the cloud to consider is the emerging role of the cloud service broker (CSB). A CSB shields the internal enterprise from the complexity of consuming 1-n cloud services from multiple providers. As an enterprise adopts cloud services, billing, SLAs, integration, web service governance, and identity functions become too complex to manage internally at scale. Just as EDI evolved from expensive internal integration groups to third-party operating exchanges to aggregate and simplify consumption, the cloud and SaaS services are following a similar pattern. CSBs can be third parties that aggregate, integrate, and customize service offerings from multiple cloud providers, or in large enterprises these can be IT departments that set up CSB infrastructure to service 1-n internal departments.

CSBs are relatively new, but the technology platforms that CSBs utilize are based on mature technologies such as federation gateways, IAMaaS operators, monitoring and billing applications, and e-catalogs. Security gateways are the most important CSB technology in that they can expose, govern, and secure cloud application APIs. Today almost 1/3 of all enterprise traffic to the cloud is API based.

4.1: Security Gateway

There are several areas where a security gateway adds value to cloud identity models:

• Security Token Services: As web services are used to transact data from the enterprise to the cloud or to partner applications, they are crossing different security domains. Each domain relies on a particular identity token format for authentication. A Security Token Service (STS) validates enterprise security tokens, like Kerberos tickets from Active Directory, and can exchange one identity token format for another so that a transaction can be authenticated to process. In many cases this is called identity brokering or identity mapping.

• Cloud API Management: The mantra of reusing existing application assets as services has become established as part of the common language associated with cloud-based infrastructure sharing. The key to exposing application functionality is through APIs, and this is well understood by developers. Cloud-based API management presents a new discipline with added security, visibility, integration, and scale requirements. As applications are shared outside the protective firewall to/from the cloud and among cloud providers, traditional firewalls do not provide the mediation or XML threat protection required to expose these applications safely. Features that manage cloud APIs provide a new means to meter, throttle, and audit how services are consumed. A cloud service broker can provide the backbone for a cloud provider or an enterprise to create an API monetization program that bills back departments or charges other entities for API usage.
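The two gateway functions described above, STS identity brokering and API metering/throttling/audit, as one added example. This is not Intel, McAfee or any CSB product's code. It assumes: the inbound enterprise token is a constructed HMAC-SHA256 stand-in for a Kerberos ticket (validating a real ticket needs a KDC and keytab, which are not available offline); the outbound token is an HS256 JWT, a format the page does not name but which is what REST APIs typically consume; the keys, principal names, the `IDENTITY_MAP`, the `/contacts` API and the `ApiGateway` rate limit are all hypothetical.

```python
"""Security gateway model: STS token exchange plus API metering (added example).

Not vendor code. Assumptions: the enterprise token is a constructed HMAC stand-in
for a Kerberos ticket; the cloud token is an HS256 JWT (RFC 7519 layout); keys,
principals, the identity map and the rate limit are made up.
"""
import base64
import hashlib
import hmac
import json
from collections import defaultdict

ENTERPRISE_KEY = b"enterprise-domain-secret"   # assumed: shared with the AD-side issuer
CLOUD_KEY = b"cloud-domain-secret"             # assumed: shared with the SaaS audience
IDENTITY_MAP = {"jdoe@CORP.EXAMPLE": "jdoe@saas.example"}   # constructed mapping


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Inbound: enterprise-domain token (stand-in for a Kerberos ticket) -------
def issue_enterprise_token(principal: str, expires_at: int) -> str:
    """payload.tag, where tag = HMAC-SHA256(ENTERPRISE_KEY, payload)."""
    payload = _b64(json.dumps({"princ": principal, "exp": expires_at}).encode())
    tag = hmac.new(ENTERPRISE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def validate_enterprise_token(token: str, now: int) -> dict:
    """Reject a forged or expired token before any identity mapping happens."""
    payload, tag = token.split(".")
    expected = hmac.new(ENTERPRISE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("enterprise token: bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:
        raise ValueError("enterprise token: expired")
    return claims


# --- Outbound: cloud-domain token (HS256 JWT) --------------------------------
def issue_cloud_token(subject: str, audience: str, now: int, ttl: int = 300) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": subject, "aud": audience,
                            "iat": now, "exp": now + ttl}).encode())
    sig = _b64(hmac.new(CLOUD_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest())
    return f"{header}.{body}.{sig}"


def verify_cloud_token(token: str, now: int) -> dict:
    header, body, sig = token.split(".")
    expected = _b64(hmac.new(CLOUD_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("cloud token: bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise ValueError("cloud token: expired")
    return claims


# --- STS: validate one token format, map the identity, issue the other -------
def exchange_token(enterprise_token: str, audience: str, now: int) -> str:
    claims = validate_enterprise_token(enterprise_token, now)
    subject = IDENTITY_MAP.get(claims["princ"])
    if subject is None:                              # unmapped principals get nothing
        raise PermissionError(f"no cloud identity mapped for {claims['princ']}")
    return issue_cloud_token(subject, audience, now)


# --- API management: meter, throttle and audit every call ---------------------
class ApiGateway:
    def __init__(self, limit_per_window: int, window_seconds: int):
        self.limit, self.window = limit_per_window, window_seconds
        self.calls = defaultdict(list)   # subject -> call timestamps (metering)
        self.audit = []                  # one record per decision, allowed or not

    def call(self, cloud_token: str, api: str, now: int) -> bool:
        try:
            subject = verify_cloud_token(cloud_token, now)["sub"]
        except ValueError as err:
            self.audit.append({"t": now, "api": api, "sub": None,
                               "allowed": False, "reason": str(err)})
            return False
        recent = [t for t in self.calls[subject] if t > now - self.window]
        allowed = len(recent) < self.limit           # sliding-window throttle
        if allowed:
            recent.append(now)
        self.calls[subject] = recent
        self.audit.append({"t": now, "api": api, "sub": subject,
                           "allowed": allowed, "reason": "ok" if allowed else "throttled"})
        return allowed


def demo(now: int = 1_700_000_000):
    """End to end: AD-style ticket -> STS -> cloud JWT -> five metered API calls."""
    ticket = issue_enterprise_token("jdoe@CORP.EXAMPLE", now + 3600)
    jwt = exchange_token(ticket, "crm.saas.example", now)
    gateway = ApiGateway(limit_per_window=3, window_seconds=60)
    outcomes = [gateway.call(jwt, "/contacts", now + i) for i in range(5)]
    return jwt, outcomes, gateway.audit
```

The point to notice is the order of operations in `exchange_token`: the inbound token's signature and expiry are checked before the principal is even looked up, an unmapped principal is refused rather than passed through, and the issued cloud token carries its own short expiry and audience so the SaaS side cannot be replayed against a different API. `ApiGateway` records a decision for refused tokens as well as throttled calls, which is what makes the audit trail useful in an incident.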

5: Intel & McAfee Resources

Intel and McAfee, together, have produced a range of products and systems designed to enable organizations to manage user identities and access rights to SaaS applications.

PRODUCT | DESCRIPTION

Intel Cloud SSO | Intel's on-demand solution providing identity and access management as a service. Includes identity lifecycle management features (such as provisioning), single sign-on, 2-factor authentication and a cloud-based secure SSO portal.

Intel Expressway Cloud Access 360 | Intel's on-premise solution for managing SaaS identities and access. Along with the features associated with Intel Cloud SSO, this solution adds on-premise identity repository integration and synchronization, and an internal SSO portal integrated with Windows authentication.

Table 4: Intel & McAfee Resources


5.1: McAfee Integration

As organizations transition to a comprehensive cloud access model where user authentication, data, and application service security are brokered by IT or 3rd-party providers, both of Intel's IAM solutions for SaaS applications are aligned with the McAfee Cloud Security Platform, providing enterprise-class security policy enforcement, threat protection, and collaboration across all cloud traffic channels.

Intel's position as a world-class platform provider delivers insight into emerging security technologies that can be used to build a trusted client-to-cloud connection. Intel is unique in that, unlike any other vendor, it offers integrated preemptive protection that crosses all security layers.

6: More Info & Other Resources

Intel and McAfee provide a wide variety of online assets for you to investigate your cloud identity and access management options. These are available at www.intel.com/go/identity. They include:

• Analyst research: research reports published by firms like Gartner, Forrester, IDC, The 451 Group and others.

• Whiteboard videos: short clips with subject matter experts describing topics like SSO and strong authentication.

• Product briefs: downloadable descriptions of specific products, such as Intel Cloud SSO and Intel ECA 360.

• White papers: white papers on a variety of topics, such as this Buyers Guide.

• Customer case studies & videos: assets with detailed descriptions of how Intel customers have met the challenges of cloud identity and access management.

More information is also available from McAfee at http://www.mcafee.com/us/solutions/cloud-security/cloud-security.aspx.


7: Appendix I - Sample RFP

Section I. Company Background Information

1. How long has your SaaS IAM solution been on the market?

a. What is the current release version of your IAM product?

b. List how many prior versions of your product have been released to the market.

c. Please include any relevant awards or analyst coverage your solution has received.

2. Please provide 3 customer references. Ideally, these clients should be organizations with a size and scope similar to our environment. For each reference, provide:

Company name

Name/contact information

Number of users under management on the system

General description of their deployment (number of users, systems they are provisioning, type of workflows, etc.)

Date they went into full production with your system

Business results that have come from the deployment of your solution

3. Did your organization develop your SaaS identity management solution in house or was it acquired from other vendors? If acquired, please answer the following:

a. What different products or vendors were acquired to build out your solution?

b. How do the products work with one another?

c. How will you ensure seamless interoperability of the products moving forward?

4. Provide a brief history of your solution, highlighting milestones and unique features your company has introduced to the market.

5. Provide a product roadmap highlighting future plans for your IAM solution.

6. Are you willing to complete a free trial? Provide an overview of your trial process.

7. Describe the various software modules that come packaged with your IAM solution (e.g., provisioning, password management, strong authentication, reporting, etc.).

8. What industry standards (e.g., SAML, XACML, OAuth, OpenID, etc.) does your product support?

9. Describe your product's support for high availability and scalability.

Section II. User Provisioning Capabilities

10. Describe your solution's provisioning capabilities. For each requirement below, indicate whether this is out-of-the-box functionality, requires customization, requires a third-party product, or is not available.

a. How will the administrator initiate the provisioning workflow? Please include screenshots.

b. Does your product provide the capability to delegate provisioning?

c. What are the various types of provisioning actions your solution offers (e.g., create, change, disable, delete, etc.)?

d. Can your SaaS application provisioning system integrate with existing on-premise identity and access management systems?

e. What are the various types of provisioning workflows your solution offers (e.g., requestor/approver, self-service, bulk, etc.)?

f. What is the process to create or change a provisioning workflow? What type of skill set does this process require (e.g., coding or development)? Please include screenshots.


11. Describe how your provisioning solution will integrate with our target SaaS applications to automatically provision user accounts. For each requirement below, indicate whether this is out-of-the-box functionality, requires customization, requires a third-party product, or is not available.

a. Please list all SaaS applications that your solution can provision out of the box.

b. What is the level of detail your provisioning connectors provide?

c. What options do we have for creating provisioning connectors for systems not currently supported by your product? Who would build these connectors (i.e., your company or ours)?

d. Does your provisioning solution support integration with our on-premise identity repository? Can your solution automatically provision/de-provision user SaaS accounts if the user profile in the identity repository changes (add, change, delete)?
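One way to implement the directory-driven provision/de-provision behaviour that 11.d asks about, as an added example rather than any vendor's connector code. It assumes the target SaaS application exposes a SCIM 2.0 endpoint (RFC 7643/7644; the glossary in Appendix II lists SCIM as the emerging provisioning standard); the directory snapshot, the SaaS account list, the `/Users` paths and the `u-N` resource IDs are constructed, and no HTTP is sent: `reconcile` returns the requests an orchestrator would issue. Deprovisioning is modelled as `active=false` rather than a DELETE, so the account's history survives for audit.

```python
"""Directory-to-SaaS provisioning reconciliation with SCIM 2.0 payloads.

Added example, not vendor code. Assumptions: the directory snapshot and the SaaS
account list below are constructed; the SaaS side speaks SCIM 2.0; the functions
return the requests to send rather than sending them.
"""
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed directory snapshot (the attributes an AD/LDAP sync would read).
DIRECTORY = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@corp.example", "givenName": "Jane",
     "sn": "Doe", "enabled": True, "memberOf": ["sales"]},
    {"sAMAccountName": "asmith", "mail": "asmith@corp.example", "givenName": "Al",
     "sn": "Smith", "enabled": True, "memberOf": ["eng"]},
    {"sAMAccountName": "bold", "mail": "bold@corp.example", "givenName": "Bo",
     "sn": "Old", "enabled": False, "memberOf": []},
]

# Constructed SaaS tenant state, keyed by SCIM userName.
SAAS_ACCOUNTS = {
    "jdoe@corp.example": {"id": "u-1", "userName": "jdoe@corp.example",
                          "name": {"givenName": "Jane", "familyName": "Smith"}, "active": True},
    "bold@corp.example": {"id": "u-2", "userName": "bold@corp.example",
                          "name": {"givenName": "Bo", "familyName": "Old"}, "active": True},
    "orphan@corp.example": {"id": "u-3", "userName": "orphan@corp.example",
                            "name": {"givenName": "Ex", "familyName": "Staff"}, "active": True},
}


def to_scim_user(entry: dict) -> dict:
    """Map a directory entry to a SCIM 2.0 User resource (create payload)."""
    return {
        "schemas": [SCIM_USER],
        "userName": entry["mail"],
        "externalId": entry["sAMAccountName"],   # ties the SaaS account back to the directory
        "name": {"givenName": entry["givenName"], "familyName": entry["sn"]},
        "active": entry["enabled"],
    }


def patch(ops: list) -> dict:
    return {"schemas": [SCIM_PATCH], "Operations": ops}


def reconcile(directory: list, saas_accounts: dict) -> list:
    """Return (method, path, body) requests that bring SaaS in line with the directory.

    add    -> POST /Users            (only for enabled directory users)
    change -> PATCH /Users/{id}      (name and/or active replaced)
    delete -> PATCH active=false     (SaaS account with no directory entry)
    """
    plan = []
    seen = set()
    for entry in directory:
        desired = to_scim_user(entry)
        key = desired["userName"]
        seen.add(key)
        current = saas_accounts.get(key)
        if current is None:
            if desired["active"]:            # never create an account for a disabled user
                plan.append(("POST", "/Users", desired))
            continue
        ops = []
        if current["name"] != desired["name"]:
            ops.append({"op": "replace", "path": "name", "value": desired["name"]})
        if current["active"] != desired["active"]:
            ops.append({"op": "replace", "path": "active", "value": desired["active"]})
        if ops:
            plan.append(("PATCH", f"/Users/{current['id']}", patch(ops)))
    # Accounts that exist in SaaS but not in the directory: deactivate, do not delete.
    for key, acct in saas_accounts.items():
        if key not in seen and acct["active"]:
            plan.append(("PATCH", f"/Users/{acct['id']}",
                         patch([{"op": "replace", "path": "active", "value": False}])))
    return plan
```

On the constructed data this yields four requests: a name correction for jdoe, a create for asmith, and two deactivations (bold, disabled in the directory, and the orphaned account that has no directory entry at all). The orphan case is the one to check in a vendor demo: an account the directory never created must still be caught by the reconciliation, otherwise a leaver's SaaS access outlives their employment.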

Section III. Single Sign-on (SSO) Capabilities

12. Describe your SSO capabilities. For each requirement below, indicate whether this is out-of-the-box functionality, requires customization, requires a third-party product, or is not available.

a. Identify whether or not you support SSO for the following SaaS authentication models: SAML, HTTP POST forms, OAuth, proprietary API.

b. Do you have a mechanism for users to view SaaS applications they are authorized to access? How do you restrict their view to only authorized applications?

c. How do you handle password errors, expiration or reset notices from the target SaaS application?

d. Does your solution support SSO based on Windows authentication?

e. What happens if a user changes their password natively in Active Directory? Will the passwords get out of sync?

f. Can we choose to establish an end-user SSO portal on our intranet or in the cloud?

g. What tools are available for the system administrator to deal with password issues?

h. Describe your support for native target platform password policy requirements (length, strength, dictionary use, password reuse, password expiration, etc.).

Section IV. Strong Authentication Capabilities

13. Describe your strong authentication capabilities. For each requirement below, indicate whether this is out-of-the-box functionality, requires customization, requires a third-party product, or is not available.

a. Describe how your solution supports strong authentication.

b. What out-of-band channels are supported for strong authentication via one-time password (OTP) soft token?

c. Can your solution selectively invoke strong authentication, based on user attributes defined by the system administrator (e.g., user group, user ID, network IP address, etc.)?

Section V. Architecture Overview

14. Please provide a general overview of your IAM architecture.

a. Will your IAM solution require us to implement or maintain any proprietary infrastructure?

b. Will we need to consolidate our information into one directory to deploy your IAM product?

c. Can your product simultaneously work with multiple directories or data sources?

d. If we integrate your product with Active Directory, will it require (and would you recommend) that we modify our AD schema?

e. How is your product architected to deliver enterprise-class reliability, availability and performance? Does it have support for a distributed IT infrastructure?


15. Connectors

a. Describe the breadth of your portfolio of connectors to SaaS platforms.

b. How many connectors are available?

c. Are connectors bundled with your suite or sold separately?

d. How many connectors work out of the box?

e. How many will require customization to work in our environment?

f. Describe the process of maintaining connectors as our environment changes.

g. Describe the process of making new, custom connectors available for our systems.

Section VI. Deployment & Management

16. Describe the implementation process for your solution.

17. Can your solution be integrated into our corporate portal using our look-and-feel?

18. Does your solution provide the flexibility to be deployed either on-premise or as a service?

19. How does your solution capture corporate security policies and incorporate them into the system?

20. Describe your suite's audit and reporting functionality.

a. What type of reports come standard with your solution?

b. Does your suite support standard reporting tools?

c. Does your solution have the capability to create a secure, full audit trail for any identity-related operation?

Section VII. Implementation Services

21. Describe what professional services will be required to deploy your solution. Will professional services be provided by your organization, a sub-contractor, or a 3rd party?

22. What resources will your firm assign to our implementation? Describe their roles and responsibilities during the implementation.

23. How long do you anticipate it will take an organization of our size and scope to deploy your solution?

24. Describe your standard implementation methodology.

a. What are your best practices for minimizing project risk, while demonstrating incremental value and quick wins throughout the project lifecycle?

b. How will you assist us in collecting and analyzing data to demonstrate the ROI of your solution?

25. What is the pricing model for professional services: fixed-fee or time-and-materials?

Section VIII. Post-deployment

26. Describe the post-deployment support services available from your company.

a. Can we get support 24x7?

b. What service level agreements are available to us as a customer?

c. Describe how you track and manage customer issues to ensure high-priority problems are addressed in a timely fashion to minimize disruption to our business.


Section IX. Licensing & Pricing

27. Describe your licensing and pricing model.

a. Software licensing: provide software pricing for the relevant software modules provided by your company that would satisfy the requirements in this RFP.

b. Does your software licensing include unlimited application connectors, or is there a charge for each additional SaaS application?

c. Does your licensing model provide the flexibility for either an on-premise or on-demand service deployment for the same price point?

d. Maintenance and support: provide pricing for your maintenance and support options. Is 24x7 support provided as part of the base license, or will it cost extra?

e. Provide a description of what is included with your maintenance and support options. Provide maintenance costs for year 1 and future years as well.

f. Professional services: provide pricing for the installation services your company will deliver during the installation. List what type of resources would be assigned to this project and their hourly billing rate. List pricing for any additional post-deployment services.

g. Administrative or end-user training: provide course descriptions and fees for the various administrator or end-user training options your company provides. Indicate whether these training courses are held at your company or if they can be on site at our facilities.


8: Appendix II - Industry Glossary & Acronyms

ACRONYM | MEANING | ADDITIONAL INFO

CRUD | Create, Read, Update, Delete | Refers to the major lifecycle operations applied to a user's identity.

IaaS | Infrastructure-as-a-Service | Delivers relatively raw hardware, operating systems, storage and network capacity as a service via the Internet.

IAM | Identity and access management | A technical business process which encompasses the CRUD lifecycle of a user's identity, regardless of delivery model.

IAMaaS | Identity and Access Management-as-a-Service | IAM functions outsourced to an external service provider.

IDaaS* | Identity-as-a-Service | Similar to IAMaaS, but may provide certain limited aspects of IAM, such as authentication or authorization.

OAuth | Open Authorization | An open standard for authorization. (Wikipedia)

OOB | Out-of-band | An alternate channel used to deliver an OTP, which is separate from the primary authentication channel.

OpenID | Open ID | An open standard used by web identity providers (Facebook, Google, etc.) to authenticate users to other sites (relying parties) without sharing the user's credentials with those sites. (OpenID.net)

OTP | One-time password | A technique of challenging a user to enter a one-time password delivered via an OOB channel, such as a cell phone. The user authenticates by demonstrating possession of a device or token.

PaaS | Platform-as-a-Service | Delivers higher-level IT services (e.g., security, management, middleware, etc.) layered on top of IaaS. IAMaaS is a form of PaaS.

SaaS | Software-as-a-Service | The delivery of an application by an external service provider without the need to acquire, deploy or manage hardware or software internally, other than an Internet browser.

SAML | Security Assertion Markup Language | The leading industry standard for managing federated SSO between applications. (OASIS)

SCIM | Simple Cloud Identity Management | An emerging standard for managing provisioning and de-provisioning of SaaS accounts. (SCIM)

SPML | Service Provisioning Markup Language | An XML-based framework for exchanging provisioning information between cooperating organizations. Has not been widely adopted due to implementation complexity, hence the emergence of SCIM. (Wikipedia)

XACML | eXtensible Access Control Markup Language | An open XML-based access control framework designed to abstract and separate the authorization process from an application. (Wikipedia)

Table 5: Industry Glossary & Acronyms


McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied.

Copyright 2012 McAfee, Inc.

More Information

Phone: +1-651-628-5352  email: [email protected]

Intel Cloud SSO: intelcloudsso.com  McAfee: www.mcafee.com/cim

