7/27/2019 Cloud Buyers
1/20
Cloud Identity Buyers Guide
Identity & Access Management In the Cloud
WHITE PAPER

Paper Focus:
- Outsourcing identity and access management to the cloud
- IAM for SaaS apps: tradeoffs and concerns
- Implementation, integration and operational requirements
- Cloud Service Broker technologies
- Detailed sample RFP template

Abstract
In this Buyers Guide, Intel discusses how your organization can deploy and manage an effective, efficient identity and access management solution for cloud applications.
Cloud Identity Buyers Guide

1: Executive Summary ... 4
2: Problem Statement ... 4
  2.1: Automating IAM for SaaS ... 5
    2.1.1: Internet Single Sign-On (SSO) ... 5
    2.1.2: Strong Authentication ... 5
    2.1.3: Identity Lifecycle Management ... 6
  2.2: Regulatory Requirements ... 7
    2.2.1: Privacy Laws ... 7
    2.2.2: Industry-specific Requirements ... 7
3: Use Cases & Integration Requirements ... 8
  3.1: SSO for Cloud Apps ... 8
  3.2: Strong Authentication for Cloud Apps ... 9
    3.2.1: Context-aware Authentication ... 9
  3.3: Identity Lifecycle Management for Cloud Apps ... 9
    3.3.1: Provisioning Standards ... 10
  3.4: Operational Management ... 10
    3.4.1: Management Portal ... 10
    3.4.2: SSO Portal ... 11
  3.5: On-Premise Deployment ... 11
  3.6: In The Cloud Deployment ... 12
  3.7: Hybrid Deployment ... 12
4: Cloud Service Broker Security Ecosystem ... 13
  4.1 Security Gateway ... 13
5: Intel & McAfee Resources ... 13
  5.1: McAfee Integration ... 14
6: More Info & Other Resources ... 14
7: Appendix I - Sample RFP ... 15
8: Appendix II - Industry Glossary & Acronyms ... 19
1: Executive Summary

The software-as-a-service (SaaS)1 application delivery model is growing rapidly. SaaS is taking over the world. That's the good news. However, customers who adopt the SaaS model struggle to manage the overwhelming number of user accounts they have to create. Their users are constantly forgetting their passwords and calling the help desk. They are unhappy because they have to re-enter their user ID and password every time they log on to an application during the day. Overwhelmed IT administrators take too long to create accounts for new users. When a user leaves the organization, their SaaS accounts remain active, increasing the risk of data exposure.

All this consumes resources, increases enterprise risk, and costs your organization time, money and effort. You need help to reduce the complexity of managing the hundreds or thousands of SaaS accounts your users require: not just employees, but others too, like contractors, partners, distributors and customers.

Enterprises of all sizes are embracing cloud computing because of the many advantages it provides. These include lower costs, greater business agility, reduced IT administrative overhead, access to best-of-breed applications, and more. Industry analyst firm IDC reports the SaaS market reached $16.6 billion in revenue in 2010 and is projected to grow at more than 25% per year between now and 2015.

The cloud contains solutions that address virtually any conceivable business need: sales, marketing, human resources, collaboration and communication, finance, legal, etc. However, this proliferation of solutions has created a daunting operational challenge: how to efficiently manage the profusion of identities that users require, one for each cloud application they access. If you have 1,000 employees, each accessing 10 cloud applications on average, that's 10,000 unique identities to manage.

In the Cloud Computing Technology Roadmap, the National Institute of Standards and Technology (NIST) advises that "the need for trusted identities and secure and efficient management of these identities while users' privacy is protected is a key element for the successful adoption of any cloud solution."2 The best way to address these concerns is to deploy strong identity management processes and technologies to ensure that only authorized users have access to cloud applications.

In this Cloud Identity Buyers Guide, Intel discusses how your organization can design, deploy and manage an effective, efficient identity and access management solution for SaaS applications in two different scenarios:

- To the cloud: IAM for SaaS applications from an on-premise platform
- In the cloud: IAM for SaaS applications from an on-demand platform

Figure 1: Identity to the Cloud (diagram elements: User, Authentication, Attributes, Account Sync, Active Directory, IAM System, SaaS Apps)

1 See Appendix II - Industry Glossary & Acronyms on pg. 18.
2 US Government Cloud Computing Technology Roadmap, Volume I, National Institute of Standards and Technology, Special Publication 500-293, Nov. 2011

2: Problem Statement

This Buyers Guide discusses the issue of identity and access management (IAM) for cloud applications. It outlines the issues that need to be addressed, suggests some approaches to solving those issues, and wraps up with an overview of the products from Intel that are designed to help companies manage their SaaS account identities more effectively and efficiently.
We discuss some of the technologies available to:

- Manage the end-user identity lifecycle from creation to termination.
- Provide users with greater convenience by eliminating the need for them to remember user IDs and passwords for multiple systems.
- Protect sensitive systems with strong multi-factor authentication.
- Empower IT administrators to easily monitor and manage all SaaS access activities and ensure compliance with relevant regulations.

We evaluate various identity management standards, such as Service Provisioning Markup Language (SPML), Security Assertion Markup Language (SAML), OpenID, and OAuth, which help ensure that the ability to access enterprise SaaS solutions will keep pace as the industry matures.

By making these fundamental capabilities an essential part of your overall cloud initiative, you will be able to enjoy the many benefits of the cloud, while simultaneously protecting your vital corporate assets from unauthorized access, improving your users' cloud experience, and controlling costs.

2.1: Automating IAM for SaaS

As you expand your utilization of SaaS and accumulate more and more applications with varying underlying security and architecture models, you may quickly find yourself dealing with a wide variety of user interfaces, application programming interfaces (APIs), security policies, and management tools. Automating IAM for SaaS applications can simplify these problems in a number of ways.

2.1.1: Internet Single Sign-On (SSO)

As more SaaS applications become part of the enterprise portfolio, users desire the convenience of a single entry point into all their applications.

Users are notorious for unsafe password practices:

- They may use the same password for more than one application, increasing the risk to multiple applications if one of them is compromised.
- If they have to remember a large number of user ID/password combinations, they may write them down and post them in a convenient, yet insecure, location, such as under their keyboard.
- They may choose passwords that are easy to remember and, therefore, easy to break.

Implementing single sign-on for SaaS apps relieves end-users of the responsibility of managing their passwords while providing a high level of assurance that they have been properly authenticated. SSO reduces time wasted logging on and logging off work systems. It virtually eliminates password reset calls to your IT administrator or help desk, freeing up those resources to focus on more value-added work. And it eliminates many of the potential security risks associated with weak passwords.

2.1.2: Strong Authentication

One of the leading reasons for not outsourcing identity and access management (IAM) to the cloud is concern for the security of user credentials. In cases where the risk associated with access is high, even the strongest password management practices may be regarded as insufficient to adequately protect user credentials in the cloud.

What organizations are looking for is the ability to invoke strong, multi-factor authentication (MFA) in situations where it is essential to validate a user's identity with more than a user ID and password. Candidates for strong authentication include users who are accessing a particularly sensitive app, who are located outside the firewall, who are contractors or other temporary hires, or who belong to a particular group.

Figure 2: Identity in the Cloud (diagram elements: User, Authentication, Attributes, Account Sync, Active Directory, IAM System, SaaS Apps)
Implementing Internet SSO gives you the ability to provide users with access to hundreds of external sites using a single set of credentials, through a single portal. If those credentials are compromised, then all the target sites are at risk. In this use case, where simply entering a user ID/password may not be sufficient protection, MFA provides an excellent strategy to protect multiple apps by controlling access to the SSO portal. It enables your organization to secure the cloud-based portal, bringing it up to enterprise security standards.

This need has led to the emergence of various strong authentication technologies, as listed in Table 1.

Over the past few years, soft token technology has emerged which leverages something your users probably already have: their cell phone or other mobile device. Soft tokens have a number of advantages over hardware tokens, including the fact that they can be delivered via a variety of out-of-band channels.

Table 1: Multi-factor Authentication Technologies

APPROACH | DESCRIPTION
Biometrics | Relies on physical characteristics (iris, fingerprint, voiceprint, etc.) of the user.
  - High administrative overhead: expensive to deploy, configure and maintain.
  - Limited portability.
  - Inflexible: typically linked to a single application or entry point.
Hardware Token | Uses a dedicated device, such as an RSA* SecurID* token.
  - Proprietary solution: may be complicated to install, configure, distribute and manage.
  - Vendor-held seeds: customers have to replace all their tokens in the event the vendor's seed records are breached (as SecurID customers did after the 2011 RSA breach).
  - Typically configured for a single application, which limits usefulness when you are deploying multiple cloud applications using multiple service providers.
Software Token | Based on something your user (employee, contractor, customer, business partner, etc.) probably already has.
  - Low management overhead: doesn't require you to purchase, distribute and manage multiple single-use hardware devices.
  - Flexible: can be delivered through multiple channels: smartphone app, SMS text message, email, IM, Skype, etc.
  - No vendor-held seed: the service provider doesn't hold seeds that can be compromised. This holds for server-generated codes delivered out of band; an authenticator app generating TOTP codes still shares a seed with the verifier, and SMS or email delivery can itself be intercepted (SIM swapping, malware on the handset), so the channel needs to be chosen to match the risk.

2.1.3: Identity Lifecycle Management

Identity lifecycle management encompasses all the activities that IT administrators and security personnel perform to manage user accounts, from creating a SaaS application account to terminating it when the user leaves the organization. This identity lifecycle is often referred to, loosely, as the CRUD process (create, update, delete; the "read" of the usual acronym is not a lifecycle stage).

Table 2: Identity Lifecycle Stages

STAGE | DESCRIPTION
Create | Provisioning new hires quickly is important, since a delay in provisioning users results in a loss of employee productivity. Other employee lifecycle events, such as open enrollment for healthcare benefits, can also drive the need to create large numbers of identities in a relatively short period of time.
Update | As your users' attributes change (e.g., transfer to another department or relocation to a new office), they should be updated in their identity profile, where appropriate.
Delete | When your employee leaves the organization, you need a mechanism to delete or disable their accounts on the target system(s). Otherwise, your organization risks allowing non-employees to access corporate data through these orphan accounts. Orphan accounts can also cost money in excess license or subscription fees.
Ordinarily, when a new employee comes on board, your IT administrator or application owner must use the SaaS application management interface to create an account for your users containing their user ID, password, and other useful attributes (department, phone number, manager, location, etc.). This process, which is the first step in the CRUD cycle, is typically referred to as provisioning.

Over time, employee attributes change, which often requires updates to their application profiles.

Finally, the employee leaves the organization, which results in the need to block them from being able to access sensitive SaaS apps. The effort and expense required to manage the CRUD process is affected by a number of factors: number of employees, number and variety of target SaaS applications, employee turnover, and seasonal hiring/firing patterns. As companies expand over time, they typically reach a point where the cost and inconvenience required to manage this process becomes high enough that it makes sense to consider automating it.

Other features provided by automation can include a management console which provides provisioning/de-provisioning tools, as well as the ability to monitor user access activities, generate alerts and collect event data logs. Logs can be used for various purposes, such as capacity planning, audit and compliance reporting. The latter are particularly important in certain regulated industries.

2.2: Regulatory Requirements

Automating IAM processes can help your organization comply with various industry requirements and government regulations.

2.2.1: Privacy Laws

Many jurisdictions in the United States and other countries require companies that capture and store private personal information to take specific steps to protect that data from unauthorized access.

2.2.2: Industry-specific Requirements

Certain regulated industries have requirements for protecting private, personal or financial information from unauthorized access. In some instances, these requirements are published by industry organizations, while in others they are mandated by the government. A few examples include:

- PCI DSS: the Payment Card Industry Data Security Standard is an example of non-government industry requirements. PCI DSS is maintained by the PCI Security Standards Council, founded by the major payment card brands (American Express, Discover, JCB, MasterCard and Visa). It specifies controls to protect cardholder data, including access controls and provisioning/de-provisioning of user accounts with access to payment card data.
- HIPAA: the Health Insurance Portability and Accountability Act mandates that healthcare providers implement procedures to protect personal health information from disclosure. These include managing and monitoring access rights and enforcing secure password policies.
- FFIEC: the Federal Financial Institutions Examination Council's guidance on authentication in an Internet banking environment calls for multi-factor authentication (MFA) to protect against the tactics of increasingly sophisticated hackers, particularly on the Internet.
- GLBA: the Gramm-Leach-Bliley Act states that "each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information."
3: Use Cases & Integration Requirements

3.1: SSO for Cloud Apps

Cloud SSO improves end-user convenience and productivity: users log on once to a trusted, secure portal controlled by their enterprise (either on-premise or in the cloud), and access authorized SaaS applications with a single click.

Cloud single sign-on requires a high degree of integration between the IAM/SSO system and the target application(s). The Security Assertion Markup Language (SAML) is the standard of choice for authentication and authorization between domains. SAML has several important attributes:

- SAML is a widely adopted standard which is supported by most major SaaS application vendors.
- SAML is based on a proven federated trust model.
- SAML doesn't require a password at the service provider. A SAML-protected service provider relies on a trusted identity provider to verify a user's identity, and accepts the identity provider's signed assertion in place of a password.

Ideally, the solution should provide out-of-the-box SSO for a wide variety of popular SaaS applications. Buyers should seek out SaaS solutions which support SAML and ensure that their IAM solution also supports it in order to provide the foundation for secure federated SSO. Other standards to consider include OAuth and OpenID. Standards-based SSO is often referred to as federated SSO, since there is a trust relationship between the identity provider that authenticates the user and the service providers that rely on that authentication.

If a SaaS application vendor does not support federated SSO using a standard, such as SAML, OAuth or OpenID, they may provide support for HTTP forms authentication or a proprietary API. When considering an IAM solution for SaaS, make sure the vendor supports the authentication model(s) supported by your SaaS app vendors.

Table 3: SaaS Authentication Models

AUTHENTICATION | DESCRIPTION
SAML | Uses industry-standard assertions (SAML tokens) issued by a trusted identity provider and consumed by the target platform, ensuring future compatibility as technology evolves; reduces risk (since SAML assertions contain no passwords) and addresses cloud identity regulatory compliance concerns. The service provider must check the assertion's signature, issuer, audience and validity window, or a forged or replayed assertion will be accepted.
OpenID | OpenID is used by a resource provider (typically a website) to authenticate a user by redirecting the user's browser to an identity provider, which returns an authentication token used to obtain access. OpenID is designed for use over HTTP, so its use is limited to browsers.
OAuth | OAuth is an authorization delegation framework rather than an authentication protocol: it lets an application obtain a token granting scoped access to a user's resources at another service without holding the user's password. Tokens are requested and returned over HTTP/REST, normally as JSON, and a SAML assertion can be presented as the grant used to obtain one. (Authentication on top of OAuth 2.0 is what OpenID Connect adds.)
HTTP Forms | Thousands of SaaS applications require users to authenticate by entering a user ID/password via a web form. SSO that works with HTTP forms enables the user to enter their user ID and password once. Their credentials are then stored in a secure password vault and transparently replayed whenever the user logs in after that. Unlike SAML, this leaves a password at every target application, so treat it as a stopgap until the vendor supports federation.
Native API | A smaller number of applications support SSO by exposing an API that can be called by the SSO software.

Figure 3: Federated SSO in the Cloud (diagram elements: User, Authentication, SSO Portal, Federated SSO, SaaS Apps)
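The SAML row above says what a service provider must check before trusting an assertion. The following is an added example, not code from this guide or from any Intel or McAfee product, of those service-provider-side checks: it assumes the XML signature has already been verified by an XML-DSig library and only implements what comes after that. The response XML, the entity IDs, the request ID, the timestamps and the function name `validate_assertion` are all constructed for the example.

```python
"""Service-provider-side acceptance checks on a SAML 2.0 Response.

Added example; not code from the Intel paper. Assumes the XML signature over
the Response/Assertion has ALREADY been verified with an XML-DSig library
(e.g. xmlsec): a valid signature only proves who issued the assertion, and
the checks below decide whether it is for us, for now, and for this login.
For untrusted input in production, parse with defusedxml, not the stdlib.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: identifiers, URLs and times are made up for the example.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  InResponseTo="_req42" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example.com/saml/acs"
          NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

SEEN_ASSERTION_IDS = set()   # replay cache; persist it and expire entries in a real SP


def parse_saml_time(stamp):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuer, sp_entity_id, acs_url,
                       expected_request_id, now, skew=timedelta(seconds=60)):
    """Return (accepted, reason, name_id). `now` is injected so the check is testable."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion", None
    for node in (root, assertion):          # both Response and Assertion carry an Issuer
        issuer = node.find("saml:Issuer", NS)
        if issuer is None or issuer.text != trusted_issuer:
            return False, "untrusted issuer", None
    # Bind the response to the AuthnRequest this SP actually sent.
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match our request", None
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no conditions", None
    not_before = cond.get("NotBefore")      # optional in SAML; NotOnOrAfter is not
    if not_before and now < parse_saml_time(not_before) - skew:
        return False, "assertion outside validity window", None
    if now >= parse_saml_time(cond.get("NotOnOrAfter")) + skew:
        return False, "assertion outside validity window", None
    # Audience: an assertion minted for another SP must not log the user in here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "assertion not addressed to this SP", None
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != acs_url
            or scd.get("InResponseTo") != expected_request_id
            or now >= parse_saml_time(scd.get("NotOnOrAfter")) + skew):
        return False, "bearer subject confirmation failed", None
    assertion_id = assertion.get("ID")
    if assertion_id in SEEN_ASSERTION_IDS:  # a bearer assertion is valid exactly once
        return False, "assertion replayed", None
    SEEN_ASSERTION_IDS.add(assertion_id)
    return True, "ok", assertion.find("saml:Subject/saml:NameID", NS).text
```

Every rejection reason here corresponds to a real class of SP bug: skipping the audience check lets an assertion issued for one SaaS tenant log into another, skipping InResponseTo enables unsolicited-response login fixation, and skipping the replay cache lets a captured assertion be reused until its NotOnOrAfter.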
3.2: Strong Authentication for Cloud Apps

Strong authentication in a cloud environment can be performed using hard or soft tokens. Using a soft token for MFA, rather than a hardware token, has a number of advantages:

- There is no need to purchase, distribute, manage or handle break/fix issues with a soft token.
- A self-service portal can be provided where users can register their mobile device or download a smartphone app.
- If a device, such as a phone, is lost or stolen, the user can replace the old phone number with a new one, effectively disabling the missing phone. (The re-registration step must itself be strongly authenticated, or it becomes the easiest way around the MFA.)
- Soft tokens can be configured to work with multiple apps, while hardware tokens are typically associated with a single application.

The most popular method of delivering a soft token is via an out-of-band mobile device, such as a smartphone app or a standard cell phone using SMS text messaging. In this scenario, a user is challenged to enter a one-time password (OTP) as part of the authentication process. The system sends the OTP to the device. Without physical possession of the mobile device, the user (or a hacker) is unable to log on. "Possession" here is only as strong as the delivery channel: an SMS OTP can be diverted by SIM swapping or by malware on the handset, which is why NIST SP 800-63B classes SMS delivery as a restricted authenticator.

Integration requirements include a secure service-based architecture which can prompt the user to enter an OTP, generate the OTP, deliver it to the device for the user to retrieve, and verify it once entered. Secure authentication depends on maintaining the integrity of the data flow across the network, as well as user training on how to protect their cell phone, or other mobile device, from compromise. Buyers should evaluate the complexity of the system, as well as the ease and convenience of the end-user registration process.
3.2.1: Context-aware Authentication

With most vendor solutions, strong authentication is available as an all-or-nothing approach. What some IT administrators desire is the ability to selectively invoke MFA in particular scenarios. For example, it may make sense to invoke MFA for a specific group of users; when a user is in an insecure location or on a public network; or when a user is accessing the SaaS application from a previously unknown device or IP address. Context-aware authentication allows you to define business rules that selectively enforce MFA, based on user identity-related attributes and on the context of the access request.
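The business rules described above, as an added example of a small step-up policy engine; this is not code from this guide or from an Intel or McAfee product. The networks, group names, application names and device IDs are constructed, and a real engine would take the "known device" signal from a device cookie or certificate rather than a self-reported identifier.

```python
"""Rule-driven step-up MFA decision for 3.2.1.

Added example; not code from the Intel paper. Policy data below is
constructed; a real engine loads it from the IAM system and takes the
context from the authenticated session and the HTTP request.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed policy data (assumptions for the example).
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("203.0.113.0/24")]
SENSITIVE_APPS = {"payroll", "hr-records"}
ALWAYS_MFA_GROUPS = {"contractors", "saas-admins"}


@dataclass
class AccessContext:
    user: str
    groups: frozenset
    app: str
    source_ip: str
    device_id: str
    known_devices: frozenset = field(default_factory=frozenset)


def on_corporate_network(ip: str) -> bool:
    """Fail closed: an unparseable or missing address counts as off-network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_NETWORKS)


# Each rule is (reason, predicate). Any rule firing forces MFA; order only
# affects the order of reasons in the audit record.
MFA_RULES = [
    ("sensitive application", lambda c: c.app in SENSITIVE_APPS),
    ("group requires MFA", lambda c: bool(c.groups & ALWAYS_MFA_GROUPS)),
    ("outside corporate network", lambda c: not on_corporate_network(c.source_ip)),
    ("unknown device", lambda c: c.device_id not in c.known_devices),
]


def mfa_reasons(ctx: AccessContext) -> list:
    """Every rule that fires; an empty list means password-only SSO is enough.
    Returning the reasons rather than a bare bool is what makes the decision
    explainable to the user and auditable later."""
    return [reason for reason, rule in MFA_RULES if rule(ctx)]


def requires_mfa(ctx: AccessContext) -> bool:
    return bool(mfa_reasons(ctx))
```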
Figure 4: Strong Authentication with OTP (diagram elements: User, Access Request, OTP Challenge, OTP, IAM System, Access Request, SaaS Apps, Access Granted)

3.3: Identity Lifecycle Management for Cloud Apps

The basic identity lifecycle for SaaS applications consists of provisioning, managing and de-provisioning user accounts in the cloud. Provisioning requires tools and processes to create user accounts on target SaaS platforms. The SaaS application administrator should have the ability to create multiple target accounts in as few steps as possible. Similarly, when the user leaves the organization, you should determine if the system supports an automated process for disabling or deleting their SaaS application accounts.

There are two basic provisioning models for SaaS applications: to the cloud and in the cloud. Provisioning to the cloud from an internal site requires the ability to establish a connection between the provisioning engine and the target application(s). This connection will be responsible for creating the user account on the target system and maintaining that account over time.

Provisioning in the cloud means delivering the provisioning engine as a cloud-based service offering. This is commonly referred to as identity and access management-as-a-service (IAMaaS). In this scenario, the system administrator uses the cloud service to create and maintain SaaS application accounts. Depending on business requirements, the IAMaaS service may require establishing a connection to an internal identity repository.

Many enterprises have an authoritative enterprise identity repository. Integration with this repository is useful to keep user identities in the repository synchronized with the various identities managed in target applications. The repository typically contains information such as the user's identifier (user ID), password (stored as a salted hash or otherwise protected, never as recoverable plaintext), name, location, phone, department, logical groups, and other user-specific attributes. In most organizations, this data is held in Active Directory (AD) from Microsoft*, an enterprise LDAP directory, or in a database managed by a human resources (HR) system, such as PeopleSoft* or SAP*.
There may be instances where the identity attributes of different categories of users are stored in different repositories. An organization may keep the identities of regular employees in an HR system of record, contractor identities in a relational database, and customer identities in a customer relationship management system, such as Salesforce*. It's also not unusual for a single user's identity attributes to be stored in multiple locations: for example, an employee's name, ID number, manager, location and phone number in the HR system of record, while their network user ID, network password and email address are stored in AD. When evaluating your integration requirements, it may be necessary to examine multiple systems to determine where relevant user identity attributes are stored.

Integration with internal repositories addresses multiple purposes: provisioning, profile synchronization, and authentication. For example, when provisioning a SaaS account for a user, the attributes in the various repositories may be passed along to the target system, and kept in sync with the target system as they change over time (e.g., a user transfers between departments or moves to a new location). Centralized user authentication relies on the user being authenticated once when they log on to their PC or a network. Once the user is reliably authenticated, that can provide the basis for enabling secure SSO to various target SaaS applications.

Regardless of which scenario (IAM in the cloud or on-premise) is used, the basic lifecycle is the same: an administrator uses the system to establish one or more SaaS application accounts on behalf of users, manages those accounts over time, and deletes or disables the accounts when the user leaves the organization. You should evaluate the ability of each vendor to support both provisioning AND de-provisioning for key SaaS applications.
3.3.1: Provisioning Standards

The Service Provisioning Markup Language (SPML) standard was established to facilitate a vendor-neutral process for provisioning and managing accounts on target applications. Unfortunately, it is not widely supported by application vendors. As a result, IAM solution vendors have needed to create customized provisioning interfaces for each target application. Recently the Simple Cloud Identity Management (SCIM) provisioning protocol has emerged. This new protocol is expected to be supported by influential SaaS providers, including Salesforce and Google. (SCIM has since been standardized by the IETF as the System for Cross-domain Identity Management, SCIM 2.0, in RFC 7643 and RFC 7644, and is now the provisioning interface most SaaS vendors expose.)

Given the uncertain state of provisioning standards, you should carefully evaluate what provisioning capabilities are exposed by your SaaS vendors and whether the IAM solution you are considering supports those capabilities. Otherwise, you will need to work with your IAM vendor to create and maintain customized provisioning connectors.
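The lifecycle of 2.1.3/Table 2 and the "provisioning AND de-provisioning" test of 3.3 come together in one connector job: compare the authoritative repository with what the SaaS application holds, then create what is missing and disable the orphans. The following is an added example of that reconciliation expressed as SCIM 2.0 requests; it is not code from this guide or from an Intel or McAfee product. The HR roster and SaaS account list are constructed; the `/Users` path, the `PatchOp` shape and the schema URNs are from RFC 7643/7644, while the attribute mapping and the use of `externalId` as the correlation key are assumptions about how a connector would be configured.

```python
"""Reconciling an authoritative repository against SaaS accounts, then
expressing the differences as SCIM 2.0 (RFC 7643/7644) requests.

Added example; not code from the Intel paper. HR_ROSTER and SAAS_ACCOUNTS
are constructed. The schema URNs and the /Users resource are from the RFCs;
field names and the externalId correlation are the example's assumptions.
"""
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed: HR system of record (authoritative), keyed by employee ID.
HR_ROSTER = {
    "e100": {"userName": "alice@example.com", "given": "Alice", "family": "Ng",   "active": True},
    "e101": {"userName": "bob@example.com",   "given": "Bob",   "family": "Lee",  "active": False},  # left
    "e102": {"userName": "carol@example.com", "given": "Carol", "family": "Diaz", "active": True},   # new hire
}

# Constructed: what the SaaS app holds, as a SCIM /Users listing would report it.
SAAS_ACCOUNTS = {
    "e100": {"id": "u-1", "userName": "alice@example.com", "active": True},
    "e101": {"id": "u-2", "userName": "bob@example.com",   "active": True},   # still on: orphan
    "e999": {"id": "u-3", "userName": "dave@example.com",  "active": True},   # no HR record: orphan
}


def reconcile(roster, saas):
    """Return (to_create, to_disable) as lists of external IDs.
    Anything active in the SaaS app without an active HR record is an orphan."""
    to_create = [eid for eid, rec in roster.items() if rec["active"] and eid not in saas]
    to_disable = [eid for eid, acct in saas.items()
                  if acct["active"] and not roster.get(eid, {}).get("active", False)]
    return to_create, to_disable


def scim_create_user(external_id, rec):
    """Body for POST /Users. externalId carries our key so later runs can correlate."""
    return {
        "schemas": [SCIM_USER],
        "externalId": external_id,
        "userName": rec["userName"],
        "name": {"givenName": rec["given"], "familyName": rec["family"]},
        "emails": [{"value": rec["userName"], "primary": True}],
        "active": True,
    }


def scim_deactivate():
    """Body for PATCH /Users/{id}: disable rather than DELETE, so audit history
    and owned records survive and the step is reversible on a false positive."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def plan_requests(roster, saas):
    """Turn the reconciliation into the (method, path, body) requests a connector sends."""
    to_create, to_disable = reconcile(roster, saas)
    plan = [("POST", "/Users", scim_create_user(eid, roster[eid])) for eid in to_create]
    plan += [("PATCH", f"/Users/{saas[eid]['id']}", scim_deactivate()) for eid in to_disable]
    return plan


if __name__ == "__main__":
    for method, path, body in plan_requests(HR_ROSTER, SAAS_ACCOUNTS):
        print(method, path, json.dumps(body))
```

Run on a schedule, this is also the orphan-account report Table 2 warns about: the `to_disable` list is exactly the set of accounts still able to log in without an owner in the system of record.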
Figure 5: Management Console

3.4: Operational Management

3.4.1: Management Portal

The system should provide a management console that enables administrators to manage the identity lifecycle and monitor all identity-related events.

The console should deliver real-time utilization data, indicating recent successful and unsuccessful access attempts, as well as historical data that can be analyzed and that provides a basis for utilization and compliance reporting, if your organization is subject to industry regulations.
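What "monitor all identity-related events" should produce from the access log is more concrete in code. The following is an added example, not code from this guide or from an Intel or McAfee console, of two detections and one utilization summary run over constructed SSO audit lines: the log format (`timestamp user source_ip result app`) is made up, and the failure threshold and window are assumptions to tune per environment.

```python
"""Turning SSO access events into the alerts and reports a management console
should provide (3.4.1).

Added example; not code from the Intel paper. SAMPLE_LOG is constructed in a
made-up format. The two rules (repeated failures from one user/IP pair, then a
success from that same pair) are standard brute-force detections; the
threshold and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp user source_ip result app
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice 10.1.2.3 SUCCESS crm
2024-05-01T09:00:05Z bob 198.51.100.7 FAIL payroll
2024-05-01T09:00:09Z bob 198.51.100.7 FAIL payroll
2024-05-01T09:00:12Z bob 198.51.100.7 FAIL payroll
2024-05-01T09:00:15Z bob 198.51.100.7 FAIL payroll
2024-05-01T09:00:19Z bob 198.51.100.7 FAIL payroll
2024-05-01T09:00:25Z bob 198.51.100.7 SUCCESS payroll
2024-05-01T09:03:00Z carol 10.1.2.9 FAIL hr
2024-05-01T09:30:00Z carol 10.1.2.9 SUCCESS hr
"""


def parse(lines):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    events = []
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, ip, result, app = parts
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "result": result, "app": app})
    return events


def detect(events, fail_threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (rule, user, ip, timestamp) tuples.
    brute_force: >= fail_threshold failures from one (user, ip) inside `window`.
    success_after_brute_force: that same pair then logs in, i.e. guessing worked."""
    alerts = []
    recent_fails = defaultdict(list)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        if ev["result"] == "FAIL":
            in_window = [t for t in recent_fails[key] if ev["ts"] - t <= window] + [ev["ts"]]
            recent_fails[key] = in_window
            if len(in_window) >= fail_threshold and key not in flagged:
                alerts.append(("brute_force", ev["user"], ev["ip"], ev["ts"]))
                flagged.add(key)
        elif ev["result"] == "SUCCESS" and key in flagged:
            alerts.append(("success_after_brute_force", ev["user"], ev["ip"], ev["ts"]))
    return alerts


def summarize(events):
    """Per-app success/failure counts for the utilization report."""
    summary = {}
    for ev in events:
        counts = summary.setdefault(ev["app"], {"SUCCESS": 0, "FAIL": 0})
        counts[ev["result"]] += 1
    return summary
```

The second rule is the one worth paging on: five failures followed by a success from the same source is a compromised password until proven otherwise, and in a federated SSO deployment that one password opens every connected application.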
3.4.2: SSO Portal

Many organizations provide employees with access to an enterprise portal used to provide convenient access to various applications. Common examples include IBM WebSphere*, Oracle WebLogic* and Microsoft SharePoint*. In many instances, the portal is responsible for authentication of a user's identity, or it may rely on another authentication system, such as Windows.

When selecting an on-premise IAM system, you should ensure that it will be compatible with your existing or planned enterprise portals. Implementing an IAM system that supports your enterprise portal enables you to create personalized portal pages, where authenticated users can have secure access to the various SaaS applications they are authorized to use. One advantage of using a personalized SSO portal approach is that users can be blocked from access to apps they are not authorized to use. (Hiding a link in the portal is not the same as denying access: the authorization must also be enforced by the IAM system or the application, or a user can reach the app directly by URL.)

The same approach can be taken to an on-demand SSO portal by providing users with a personalized landing page in the cloud. Once the user authenticates to the page, they will see all the SaaS applications they are authorized to access and click on the icon to log on.

In today's cloud access environment, it has become standard to provide users with access to dozens or hundreds of pre-configured cloud apps. During the evaluation process, determine whether or not your vendor can provide this capability, since without it, your IT team will have to design and implement web links and other features of the portal.

Figure 6: End-user SSO Portal

3.5: On-Premise Deployment

An on-premise solution is the traditional approach to implementing IAM. The major advantage on-premise systems have is their ability to integrate with various internal systems behind the firewall, such as an authoritative identity repository.

Some organizations consider user credentials to be the "keys to the kingdom" and feel more secure knowing that they are held internally and are relatively safe from external attack. However, this advantage may not be as strong as it might have once been. More than one organization has been broken into by a skilled hacker and had user identities and passwords stolen, exposing the enterprise to further attacks.

Like most other on-premise systems, an on-premise IAM solution typically involves acquiring dedicated hardware, a perpetual software license, and paying ongoing annual maintenance fees. These up-front costs can be ameliorated by using virtualization technology to enable greater utilization of existing systems, and by obtaining an annual subscription license rather than a perpetual software license. In addition, if extensive customization or configuration is required, you may wind up paying the vendor or a system integrator for deployment, integration and other professional services. Finally, operational expenses tend to be higher, since dedicated IT personnel with specialized skills or training are typically required to manage and maintain the system, including backup/recovery, patching, configuration management, updates, etc.
7/27/2019 Cloud Buyers
12/20
Asthecloudhasbecomemorepopularoverthepastseveralyears,morecompaniesareconsideringtheadvantagesofoutsourcingtheirIAMsoftwaretoa
cloud-basedservicesprovider:
Off-premisecomputingservicesconvertfixedcoststovariablecoststhecustomerbuysservicesastheyareutilized,notforthefixedcapacityavailableforusethatmustbeamortized
overtheusefullifeoftheasset.
Mostserviceprovidersutilizeamulti-tenantarchitecture,whichenablesthemtocutcostsandpassthosesavingsontocustomers.
Servicedeliveryiselasticandresponsivetodynamicallychangingbusinesscircumstancescustomerscanexpandservicevolumewithoutworryingaboutaddingmoreinternalhardwarecapacity.
Operationalcomplexityiseliminatedtheserviceproviderisresponsibleforoperationaldetails,suchasbackup/recovery,updates,patches,etc.SLAsareavailabletomeetdemandingavailabilityandreliabilityrequirements.
Shiftingfromownedassetsto
contractedservicesmayimprovethecompanysbalancesheetbyincreasingbothreturnonassetsandfinancialleverageraisingthecompanysreturnonequity.
Somecompanieschoosetodeployahybridsolution.Thereareavarietyof
availablescenarios,suchasmovingtheidentityandaccessmanagementfunctiontothecloud,butmaintainingalinktoaninternalrepositoryforautomatedidentityprovisioningandsynchronization.Another
istouseaninternalsolutionformanagingtheidentitiesofemployees,whileusinganIAMaaSsolutiontomanageidentitiesofexternalusers.
Implementationisrelativelyquick.On-demand customers can start small
withatrialandexpandasneeded.Fulldeploymentcanoccurinlessthan30
daysforfast,visibleROI.
ThereareseveralcommonlyseenadoptionscenariosforIAMaaS.
In one scenario, a large enterprise might start using IAMaaS to manage external workers (such as contractors, temps or business partners), or in support of a merger or acquisition. IAMaaS in this scenario may be a good way for an enterprise to test the waters and validate the usefulness of IAMaaS. Some companies, such as small to medium (SMB) organizations, have adopted a Cloud First model and are comfortable with building their infrastructure in the cloud. These companies are likely to have a relatively unsophisticated on-premise identity infrastructure, consisting primarily of an enterprise directory, such as Microsoft AD. By adopting an IAMaaS approach, they get the ability to leverage best-of-breed features provided by leading edge IAM vendors in the cloud.

There are two major issues that companies should consider when moving their user identities to the cloud.

The first is security. Evaluation of a vendor's service offering must include a rigorous security review to ensure the vendor's infrastructure and operational procedures deliver the highest level of asset protection, commensurate with the cost.

The other is the risk associated with the vendor's business model. Companies considering moving IAM functions to the cloud should consider more than the features/functions offered by competing vendors. In particular, the vendor's strength and viability on a number of dimensions (financial, engineering, support services, etc.) should be evaluated. Placing critical business functions, like identity, into the hands of a fast-growing startup requires explicit consideration of their ongoing viability. When negotiating with a vendor, be sure you understand what will happen to your assets in the event the vendor is acquired, encounters cash flow or other growth-related problems, or goes out of business.

Regardless of the model you select, you also need to consider the vendor's support for enterprise-class features, such as:

Security: the system should protect all networked transactions with strong encryption using SSL.
High availability: the system should support clustering and other technologies that ensure continued operations in the event of a component failure.
Performance: the system should be able to scale up to support thousands of transactions per second without noticeable degradation of end-user response time.

3.6: In the Cloud Deployment
3.7: Hybrid Deployment
4: Cloud Service Broker Security Ecosystem

One element that's important for organizations moving their identity and other IT assets to the cloud to consider is the emerging role of the cloud service broker (CSB). A CSB shields the internal enterprise from the complexity of consuming 1-n cloud services from multiple providers. As an enterprise adopts cloud services, billing, SLAs, integration, web service governance, and identity functions become too complex to manage internally at scale. Just as EDI evolved from expensive internal integration groups to third party operating exchanges to aggregate and simplify consumption, the cloud and SaaS services are following a similar pattern. CSBs can be third parties that aggregate, integrate, and customize service offerings from multiple cloud providers or, in large enterprises, these can be IT departments that set up CSB infrastructure to service 1-n internal departments.

CSBs are relatively new, but the technology platforms that CSBs utilize are based on mature technologies such as federation gateways, IAMaaS operators, monitoring/billing applications, and e-catalogs. Security Gateways are the most important CSB technology in that they can expose, govern, and secure cloud application APIs. Today almost 1/3 of all enterprise traffic to the cloud is API based. Features that manage cloud APIs provide a new means to meter, throttle, and audit how services are consumed. A cloud service broker can provide the backbone for a cloud provider or an enterprise to create an API monetization program that bills back departments or charges other entities for API usage.

4.1: Security Gateway

There are several areas where a security gateway adds value to cloud identity models:

Security Token Services: As web services are used to transact data from the enterprise to the cloud or to partner applications, they are crossing different security domains. Each domain relies on a particular identity token format for authentication. A Security Token Service (STS) validates enterprise security tokens, like Kerberos tickets from Active Directory, and can exchange one identity token format for another so that a transaction can be authenticated to process. In many cases this is called identity brokering or identity mapping.

Cloud API Management: The mantra of reusing existing application assets as services has become established as part of the common language associated with cloud-based infrastructure sharing. The key to exposing application functionality is through APIs and this is well understood by developers. Cloud-based API management presents a new discipline with added security, visibility, integration, and scale requirements. As applications are shared outside the protective firewall to/from the cloud and among cloud providers, traditional firewalls do not provide the mediation or XML threat protection required to expose these applications safely.

5: Intel & McAfee Resources

Intel and McAfee, together, have produced a range of products and systems designed to enable organizations to manage user identities and access rights to SaaS applications.
PRODUCT | DESCRIPTION
Intel Cloud SSO | Intel's on-demand solution providing identity and access management as a service. Includes identity lifecycle management features (such as provisioning), single sign-on, 2 factor authentication and a cloud-based secure SSO portal.
Intel Expressway Cloud Access 360 | Intel's on-premise solution for managing SaaS identities and access. Along with the features associated with Intel Cloud SSO, this solution adds on-premise identity repository integration and synchronization, and an internal SSO portal integrated with Windows authentication.
Table 4: Intel & McAfee Resources
5.1: McAfee Integration

As organizations transition to a comprehensive cloud access model where user authentication, data, and application service security are brokered by IT or 3rd party providers, both Intel's IAM solutions for SaaS applications are aligned with the McAfee Cloud Security Platform, providing enterprise-class security policy enforcement, threat protection, and collaboration across all cloud traffic channels.

Intel's position as a world-class platform provider delivers insight into emerging security technologies that can be used to build a trusted client-to-cloud connection. Intel is unique in that, unlike any other vendor, it offers integrated preemptive protection that crosses all security layers.

More information is also available from McAfee at http://www.mcafee.com/us/solutions/cloud-security/cloud-security.aspx.

6: More Info & Other Resources

Intel and McAfee provide a wide variety of online assets for you to investigate your cloud identity and access management options. These are available at www.intel.com/go/identity. They include:

Analyst research: research reports published by firms like Gartner, Forrester, IDC, The 451 Group and others.
Whiteboard videos: short clips with subject matter experts describing topics like SSO and strong authentication.
Product briefs: downloadable descriptions of specific products, such as Intel Cloud SSO and Intel ECA 360.
White papers: white papers on a variety of topics, such as this Buyers Guide.
Customer case studies & videos: assets with detailed descriptions of how Intel customers have met the challenges of cloud identity and asset management.
7: Appendix I - Sample RFP

Section I. Company Background Information

1. How long has your SaaS IAM solution been on the market?
a. What is the current release version of your IAM product?
b. List how many prior versions of your product have been released to the market.
c. Please include any relevant awards or analyst coverage your solution has received.
2. Please provide 3 customer references. Ideally, these clients should be organizations with a size and scope similar to our environment. For each reference, include:
Company Name
Name/contact information
Number of users under management on the system.
General description of their deployment (number of users, systems they are provisioning, type of workflows, etc.)
Date they went into full production with your system
Business results that have come from the deployment of your solution
3. Did your organization develop your SaaS identity management solution in house or was it acquired from other vendors? If acquired, please answer the following:
a. What different products or vendors were acquired to build out your solution?
b. How do the products work with one another?
c. How will you ensure seamless interoperability of the products moving forward?
4. Provide a brief history of your solution, highlighting milestones and unique features your company has introduced to the market.
5. Provide a product roadmap highlighting future plans for your IAM solution.
6. Are you willing to complete a free trial? Provide an overview of your trial process.
7. Describe the various software modules that come packaged with your IAM solution (i.e. provisioning, password management, strong authentication, reporting, etc.)
8. What industry standards (e.g., SAML, XACML, OAuth, OpenID, etc.) does your product support?
9. Describe your product's support for high availability and scalability.

Section II. User Provisioning Capabilities

10. Describe your solution's provisioning capabilities. For each requirement below, indicate whether this is out of the box functionality, requires customization, requires a third party product, or is not available.
a. How will the administrator initiate the provisioning workflow? Please include screenshots.
b. Does your product provide the capability to delegate provisioning?
c. What are the various types of provisioning actions your solution offers (i.e. create, change, disable, delete, etc.)?
d. Can your SaaS application provisioning system integrate with existing on-premise identity and access management systems?
e. What are the various types of provisioning workflows your solution offers (i.e. requestor/approver, self-service, bulk, etc.)
f. What is the process to create or change a provisioning workflow? What type of skill set does this process require (i.e. coding or development)? Please include screenshots.
11. Describe how your provisioning solution will integrate with our target SaaS applications to automatically provision user accounts. For each requirement below, indicate whether this is out of the box functionality, requires customization, requires a third party product, or is not available.
a. Please list all SaaS applications that your solution can provision out of the box.
b. What is the level of detail your provisioning connectors provide?
c. What options do we have for creating provisioning connectors for systems not currently supported by your product? Who would build these connectors (i.e. your company or ours)?
d. Does your provisioning solution support integration with our on-premise identity repository? Can your solution automatically provision/de-provision user SaaS accounts if the user profile in the identity repository changes (add, change, delete)?

Section III. Single Sign-on (SSO) Capabilities

12. Describe your SSO capabilities. For each requirement below, indicate whether this is out of the box functionality, requires customization, requires a third party product, or is not available.
a. Identify whether or not you support SSO for the following SaaS authentication models: SAML, HTTP POST forms, OAuth, proprietary API.
b. Do you have a mechanism for users to view SaaS applications they are authorized to access? How do you restrict their view to only authorized applications?
c. How do you handle password errors, expiration or reset notices from the target SaaS application?
d. Does your solution support SSO based on Windows authentication?
e. What happens if a user changes their password natively in Active Directory? Will the passwords get out of synch?
f. Can we choose to establish an end-user SSO portal on our intranet or in the cloud?
g. What tools are available for the system administrator to deal with password issues?
h. Describe your support for native target platform password policy requirements (length, strength, dictionary use, password reuse, password expiration, etc.)

Section IV. Strong Authentication Capabilities

13. Describe your strong authentication capabilities. For each requirement below, indicate whether this is out of the box functionality, requires customization, requires a third party product, or is not available.
a. Describe how your solution supports strong authentication.
b. What out-of-band channels are supported for strong authentication via one-time password (OTP) soft token?
c. Can your solution selectively invoke strong authentication, based on user attributes defined by the system administrator (e.g., user group, user ID, network IP address, etc.)?

Section V. Architecture Overview

14. Please provide a general overview of your IAM architecture.
a. Will your IAM solution require us to implement or maintain any proprietary infrastructure?
b. Will we need to consolidate our information into one directory to deploy your IAM product?
c. Can your product simultaneously work with multiple directories or data sources?
d. If we integrate your product with Active Directory, will it require (and would you recommend) that we modify our AD schema?
e. How is your product architected to deliver enterprise-class reliability, availability and performance? Does it have support for a distributed IT infrastructure?
15. Connectors
a. Describe the breadth of your portfolio of connectors to SaaS platforms.
b. How many connectors are available?
c. Are connectors bundled with your suite or sold separately?
d. How many connectors work out of the box?
e. How many will require customization to work in our environment?
f. Describe the process of maintaining connectors as our environment changes.
g. Describe the process of making new, custom connectors available for our systems.

Section VI. Deployment & Management

16. Describe the implementation process for your solution.
17. Can your solution be integrated into our corporate portal using our look-and-feel?
18. Does your solution provide the flexibility to be deployed either on-premise or as a service?
19. How does your solution capture corporate security policies and incorporate them into the system?
20. Describe your suite's audit and reporting functionality.
a. What type of reports come standard with your solution?
b. Does your suite support standard reporting tools?
c. Does your solution have the capability to create a secure, full audit trail for any identity-related operation?

Section VII. Implementation Services

21. Describe what professional services will be required to deploy your solution. Will professional services be provided by your organization, a sub-contractor, or a 3rd party?
22. What resources will your firm assign to our implementation? Describe their roles and responsibilities during the implementation.
23. How long do you anticipate it will take an organization of our size and scope to deploy your solution?
24. Describe your standard implementation methodology.
a. What are your best practices for minimizing project risk, while demonstrating incremental value and quick wins throughout the project lifecycle?
b. How will you assist us in collecting and analyzing data to demonstrate the ROI of your solution?
25. What is the pricing model for professional services: fixed-fee or time-and-material?

Section VIII. Post-deployment

26. Describe the post-deployment support services available from your company.
a. Can we get support 24x7?
b. What service level agreements are available to us as a customer?
c. Describe how you track and manage customer issues to ensure high priority problems are addressed in a timely fashion to minimize disruption to our business.
Section IX. Licensing & Pricing

27. Describe your licensing and pricing model.
a. Software licensing: provide software pricing for the relevant software modules provided by your company that would satisfy the requirements in this RFI.
b. Does your software licensing include unlimited application connectors, or is there a charge for each additional SaaS application?
c. Does your licensing model provide the flexibility for either an on-premise or on-demand service deployment for the same price point?
d. Maintenance and support: provide pricing for your maintenance and support options. Is 24x7 support provided as part of the base license, or will it cost extra?
e. Provide a description of what is included with your maintenance and support options. Provide maintenance costs for year 1 and future years as well.
f. Professional services: provide pricing for the installation services your company will deliver during the installation. List what type of resources would be assigned to this project and their hourly billing rate. List pricing for any additional post-deployment services.
g. Administrative or end-user training: provide course descriptions and fees of the various administrator or end-user training options your company provides. Indicate whether these training courses are held at your company or if they can be onsite at our facilities.
8: Appendix II - Industry Glossary & Acronyms

ACRONYM | MEANING | ADDITIONAL INFO
CRUD | CReate, Update, Delete | Refers to the major lifecycle operations applied to a user's identity.
IaaS | Infrastructure-as-a-Service | Delivers relatively raw hardware, operating systems, storage and network capacity as a service via the Internet.
IAM | Identity and access management | A technical business process which encompasses the CRUD lifecycle of a user's identity, regardless of delivery model.
IAMaaS | Identity and Access Management-as-a-Service | IAM functions outsourced to an external service provider.
IDaaS* | Identity-as-a-service | Similar to IAMaaS, but may provide certain limited aspects of IAM, such as authentication or authorization.
OAuth | Open Authorization | An open standard for authorization. (Wikipedia)
OOB | Out-of-band | An alternate channel used to deliver an OTP, which is separate from a primary authentication channel.
OpenID | Open ID | An open standard used by web identity providers (Facebook, Google, etc.) to share credentials with other entities. (OpenID.net)
OTP | One-time password | A technique of challenging a user to enter a one-time password delivered via an OOB channel, such as a cell phone. The user authenticates by demonstrating possession of a device or token.
PaaS | Platform-as-a-Service | Delivers higher level IT services (e.g., security, management, middleware, etc.) layered on top of IaaS. IAMaaS is a form of PaaS.
SaaS | Software-as-a-service | The delivery of an application by an external service provider without the need to acquire, deploy or manage hardware or software internally, other than an Internet browser.
SAML | Security Assertion Markup Language | The leading industry standard for managing federated SSO between applications. (OASIS)
SCIM | Simple Cloud Identity Management | An emerging standard for managing provisioning and de-provisioning SaaS accounts. (SCIM)
SPML | Service Provisioning Markup Language | An XML-based framework for exchanging provisioning information between cooperating organizations. Has not been widely adopted due to implementation complexity, hence the emergence of SCIM. (Wikipedia)
XACML | eXtensible Access Control Markup Language | An open XML-based access control framework designed to abstract and separate the authorization process from an application. (Wikipedia)
Table 5: Industry Glossary & Acronyms
McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied.
Copyright 2012 McAfee, Inc.

More Information
Intel Cloud SSO: intelcloudsso.com
McAfee: www.mcafee.com/cim
Phone: +1-651-628-5352 email: [email protected]