Interagency Advisory Board Meeting Agenda, Wednesday, September 26, 2012
1. Opening Remarks
2. Enabling the Mobile Government Workforce with PIV Credentials in a BYOD Future (Neville Pattinson, Gemalto)
3. Enabling PIV and Federated Access and Privileges within Cloud Services (Ken Ammon, CSO, Xceedium)
4. Demonstration of Means to Provision PIV to Various Relying Party Systems (Joe Broghamer, DHS)
5. Identity Management Reassembled (Jeff Nigriny, Certipath)
6. Closing Remarks
Enabling PIV and Federated Access and Privileges within Cloud Services
PIV in the New Enterprise
• Legacy computing and network resources
  • Includes mainframe
• Private cloud implementation
  • Implemented in support of FDCCI
• Public cloud integration
  • Driven by FDCCI and budget
• Results in “New Enterprise” PIV requirement with significant implications for privileged access
Cloud and Hybrid Cloud
• Hybrid IaaS and PaaS cloud implementation may utilize private platform and public cloud utility
  • VMware
  • OpenStack
  • Eucalyptus
  • Amazon Web Services
  • and more on the way…
• Focus of presentation is Amazon Web Services (AWS) integrated into legacy enterprise
Challenges of Privileged Access in the Hybrid Cloud
• Virtualization AND cloud credential and management complexity
• Configuration of multiple platform-specific IAM engines
• Lack of detailed and centralized privileged audit
• Distributed policy management
• Automated API and CLI access
• Redundant two-factor administration credentials
• PIV integration
• Administrative single sign-on
• Federating privileged identity
PIV and Federated Access and Privilege Management for AWS
AWS IAM Credentials
• Credentials consist of a Master Account Key, Secret Access Key, and a corresponding Access Key ID
• Permissions are encapsulated within an encrypted, time-limited token
• Basic credentials are necessary for:
  • Command Line Interface (CLI)
  • Application Programming Interface (API)
  • Console Access (Web)
• S3 (Storage Bucket) credentials are different from AWS EC2 credentials
AWS IAM Permissions
AWS-to-Customer IAM Architecture
[Diagram: AWS-to-Customer IAM architecture. On the left, the customer enterprise network with a privileged user on the corporate enterprise. On the right, the customer AWS cloud: the AWS Console and EC2 carrying role, permissions and policy; the Secure Token Service issuing an AccessKeyID, SecretAccessKey and Token derived from the Master Account Key; the API / AWS Programmatic Interface; an Amazon Machine Image (AMI) launching instances (Linux, Windows, Oracle, etc.) that hold a machine credential used by privileged scripts or applications. An audit requirement spans all of these flows.]
PIV Enabled Privileged Identity and Access Management for Legacy Enterprise
[Diagram: PIV-enabled privileged identity and access management for the legacy enterprise. A privileged user on a client authenticates with a PIV smartcard. Inside the customer enterprise network, an AD/LDAP server and a PIV/CAC revocation server support the logon; the access gateway applies policy and permission, records audit, and holds the end-point credentials (password, SSH key, etc.) used to reach applications, network devices and servers over Web Portal, RDP, SSH, FTP, Telnet, VNC, etc.]
Federated with On Premise AD Authentication – Single VPC and On Premise Xsuite
[Diagram: Single VPC with Xsuite deployed on premise. In the customer enterprise network, a privileged user on a client authenticates with a smartcard against an AD/LDAP server and a smartcard revocation server, then reaches corporate applications, network devices and servers. From the same on-premise broker, federated access flows into AWS Availability Zone 1: the AWS Console with role, permissions and policy, the Secure Token Service, the API / AWS Programmatic Interface, and Amazon Machine Image (AMI) instances (Linux, Windows, Oracle, etc.) with their machine credentials.]
Federated with On Premise AD Authentication – Single VPC and Virtual Xsuite
[Diagram: Single VPC with Xsuite running as a virtualized appliance inside AWS Availability Zone 1. In the customer enterprise network, a privileged user on a client authenticates with a smartcard against an AD/LDAP server and a smartcard revocation server, and still reaches corporate applications, network devices and servers on premise. The virtual appliance, launched from an Amazon Machine Image (AMI), brokers access to the AWS Console with role, permissions and policy, the Secure Token Service and the API / AWS Programmatic Interface.]
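The federation pattern in these two slides (PIV logon on premise, AD/LDAP group membership deciding which AWS role a user may assume, temporary credentials from the Secure Token Service instead of the master account key, and a central audit of the decision) can be sketched as a small policy broker. The Python below is an added example for this page, not Xceedium's Xsuite code: the group names, account number and role ARNs are constructed placeholders, and the revocation result is assumed to have been computed already by the PIV/CAC revocation server in the diagram. It produces the STS AssumeRole request parameters, carries the PIV identity into the RoleSessionName so later API activity is attributable to a person rather than to a shared role, and emits an audit record for allowed and denied requests alike.

```python
"""Brokering PIV-authenticated privileged users onto AWS roles (added example)."""
import re
from dataclasses import dataclass, field

# AWS constraint on RoleSessionName: 2 to 64 characters from [\w+=,.@-].
ROLE_SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")

# Constructed mapping from directory groups to roles: (role ARN, max session seconds).
# The account number and role names are placeholders.
GROUP_TO_ROLE = {
    "AWS-EC2-Admins": ("arn:aws:iam::123456789012:role/EC2Admin", 3600),
    "AWS-S3-ReadOnly": ("arn:aws:iam::123456789012:role/S3ReadOnly", 900),
}


class AccessDenied(Exception):
    pass


@dataclass
class PivSession:
    """What the broker knows after PIV logon and the AD/LDAP lookup."""
    upn: str                    # principal name from the PIV Authentication certificate
    cert_serial: str            # card certificate serial, kept for the audit trail
    revocation_ok: bool         # PIV/CAC revocation check (CRL/OCSP) passed
    groups: list = field(default_factory=list)


def session_name(upn: str) -> str:
    """Derive a valid RoleSessionName that still identifies the PIV holder."""
    name = re.sub(r"[^\w+=,.@-]", "_", upn)[:64]
    if not ROLE_SESSION_NAME_RE.match(name):
        raise ValueError(f"cannot derive a valid RoleSessionName from {upn!r}")
    return name


def assume_role_params(session: PivSession, group: str) -> dict:
    """Build the STS AssumeRole parameters for a privileged session, or refuse."""
    if not session.revocation_ok:
        raise AccessDenied("PIV credential failed revocation check")
    if group not in session.groups:
        raise AccessDenied(f"{session.upn} is not a member of {group}")
    if group not in GROUP_TO_ROLE:
        raise AccessDenied(f"no AWS role is mapped to {group}")
    role_arn, max_seconds = GROUP_TO_ROLE[group]
    return {
        "Action": "AssumeRole",
        "RoleArn": role_arn,
        "RoleSessionName": session_name(session.upn),
        # Short-lived temporary credentials; the master account key is never handed out.
        "DurationSeconds": max_seconds,
    }


def broker(session: PivSession, group: str) -> tuple:
    """Return (params or None, audit record) so every decision is logged centrally."""
    record = {"upn": session.upn, "cert_serial": session.cert_serial, "group": group}
    try:
        params = assume_role_params(session, group)
    except AccessDenied as exc:
        record.update(outcome="denied", reason=str(exc))
        return None, record
    record.update(outcome="allowed", role_arn=params["RoleArn"],
                  session=params["RoleSessionName"])
    return params, record


if __name__ == "__main__":
    # Constructed users: one valid card holder, one whose card has been revoked.
    jane = PivSession("jane.doe@example.gov", "0A1B2C", True, ["AWS-EC2-Admins"])
    lost_card = PivSession("jane.doe@example.gov", "0A1B2C", False, ["AWS-EC2-Admins"])
    for who, grp in ((jane, "AWS-EC2-Admins"), (lost_card, "AWS-EC2-Admins"),
                     (jane, "AWS-S3-ReadOnly")):
        params, audit = broker(who, grp)
        print(audit)
```

The parameters returned here are what the broker would send to STS on the user's behalf; the user only ever receives the resulting short-lived AccessKeyId, SecretAccessKey and SessionToken, which is what lets a single PIV logon stand in for a separate AWS two-factor credential.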
Market Outlook
• PIV enabled legacy enterprise
  • Servers, network, mainframe
  • Industrial control systems
• FDCCI drives cloud adoption
  • Virtualization and IaaS introduce new IAM vectors
  • PIV integration eliminates expense of redundant two-factor identification system
• Cloud brings new challenges
  • Additional management plane and privileged automation: machines building machines
  • Must federate identity and abstract policy to avoid cloud vendor lock-in
• Pace of cloud technology evolution
  • Admins and engineers require ramp-up time while cloud engineering resource demand is rapidly increasing
• PIV identity and federated access for privileged access is available today
  • Today: Legacy IT, Virtual Machine, AWS
  • Roadmap: OpenStack, AWS FIPS 140-2 Level 3, Metadata plane integration
Contact Us
2214 Rock Hill Road, Suite 100, Herndon, VA 20170 Phone: 866-636-5803
Email: [email protected]
Twitter: @Xceedium Facebook: www.facebook.com/xceedium