1 SaaS - Implications for your Infrastructure
- Jürgen Pfeifer, Architect, Microsoft EMEA HQ, http://blogs.msdn.com/juergenp
- Kevin Sangwell, Architect, Microsoft EMEA HQ, http://blogs.technet.com/sanger

2 Infrastructure Architecture Principles
- I.T. should be seamless to users and the business
- Diagram layers: Infrastructure, Applications, Access, Helpdesk, Physical Location

3 SaaS: Replacing Challenges
- Diagram columns: SaaS Provider / You
- Integration, Identity Management, Data, Operations, Security
- Contract Management: SLAs, Compliance
- Service Delivery: Service Level Management, Capacity Management, Availability Management, IT Continuity Management, Financial Management
- Service Support: Helpdesk, Training

4 Why care? Some people may be after your head
- Sales Team: "Another username & password! Where is the training? I can't access the CRM application!"
- Helpdesk: "Um, what CRM application?"
- Lawyers 'R Us: "Are we still in compliance with regulations?"
- CSO: "What about our privacy policies: customer and partner data?"

5 Why care?
- Integration
  - Users: another username, training?
  - Helpdesk: another app, where is 2nd line, what about password resets?
- Contractual
  - Lawyers: regulatory compliance
  - Security: privacy - customer data?

6 Integration
- Infrastructure Integration: Identity Management, Data, Operations, Security

7 Integration
- Infrastructure Integration: Identity Management, Data, Operations, Compliance
- Identity Management: Federated Identity and Access Management, Role based access control

8 Federated Identity and Access Management
- Industry definition: standards-based technology & IT processes … distributed identification, authentication & authorization … across boundaries (security, departmental, organizational or platform boundaries) …
- Without federation:
  - Another username & password for users
  - Manual definition of roles and rights in the SaaS app
  - User admin in the SaaS app = high overhead for you / your business to maintain
  - Provisioning/de-provisioning overhead

9 Active Directory Federation Services
- Diagram: SaaS Provider (Tenant Namespace(s)) and You (Private Namespace), each with a Federation Server
- Projects AD identities to other security realms
- Federation Servers manage:
  - Trust -- keys
  - Security -- claims required
  - Privacy -- claims allowed
  - Audit -- identities, authorities

10 Security Tokens & Claims
- Distributed authentication/authorization
- Proof of possession: secret key, password
- Security tokens assert claims
- Claims: statements authorities make about security principals (name, identity, key, group, privilege, capability, etc.)
- Signed token formats: X.509, Kerberos, XrML, SAML

11 Security Token Service
- Diagram label: Key Distribution Center
- A security token service issues security tokens
- STSs can "swap" tokens as a request crosses security domain boundaries

12 ADFS: How it works
- Diagram: Federation Trust

13 ADFS Architecture
- Active Directory: authenticates users; manages attributes used to populate claims
- Federation Service (FS) STS: issues security tokens; manages federation trust policy
- FS Proxy (FS-P): client proxy for token requests; provides UI for browser clients
- Web Server SSO Agent: enforces user authentication; creates user authorization context
- Protocols shown: HTTPS, LPC/Web Methods, Windows Authentication/LDAP
- Note: ADFS supports both W2K & W2K3 forests
- FS & FS-P co-located by default, can be separate boxes
- FS, FS-P & SSO agent require IIS v6 on W2K03 R2
- Browser clients only for ADFS v1 (W2K03 R2 release)

14 ADFS Requirements
- Internet Information Server (IIS) 6.0
- ASP.NET
- Microsoft .NET Framework 2.0
- Transport Layer Security and Secure Sockets Layer (TLS/SSL) X.509 certificate (Federation Service only)
- ADFS requires Active Directory or ADAM
- Domain controllers must be Windows Server 2003 Service Pack 1 (SP1), Windows Server 2003 R2, or Windows 2000 with Service Pack 4 (SP4)

15 Integration
- Infrastructure Integration: Identity Management, Data, Operations, Compliance
- Identity Management: Federated Identity and Access Management, Role based access control

16 Role Based Access Control (RBAC)
- Michal, Sales Dept, holds the Sales Role:
  - Portal: Author on Account Activity pages
  - Document Mgmt: Owner for Sales Order Processing documents
  - CRM: Manager for Eastern Europe sales teams

17 Role Based Access Control (RBAC)
- Sales Role maps to:
  - Portal: Author on Account Activity pages
  - Document Mgmt: Owner for Sales Order Processing documents
  - CRM: Manager for Eastern Europe sales teams

18 Role Based Access Control (RBAC)
- Sales Role maps to:
  - Portal: Author on Account Activity pages
  - Document Mgmt: Owner for Sales Order Processing documents
  - CRM: Manager for Eastern Europe sales teams
  - SaaS: Reader on Sales Order Processing pipeline

19 Role Based Access Control (RBAC)
- RBAC + Federation approach: configure Federation to transform group claims to the SaaS Application
- Diagram: Group Member: Managers -> Cookie: Group: Managers -> SaaS Application -> Authorisation
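The flow behind slides 10, 11 and 19 (a signed token asserting claims, an STS swapping that token at the security-domain boundary, and federation transforming a group claim into an application role before the SaaS app authorises) as an added, simplified example. It is not part of the presentation and is not ADFS or SAML code: an HMAC-signed JSON blob stands in for a signed SAML token, and the issuer names, keys, the group-to-role map, the permissions table and the user "michal" are all constructed.

```python
"""Simplified claims-based federation (added example, not ADFS code).

Two security token services take part: the corporate Federation Service
issues a signed token carrying AD group claims; the SaaS-side Federation
Service trusts the corporate signing key, verifies that token, transforms
the group claim into a role claim and re-issues a token scoped to the SaaS
application, which authorises from the role claim alone.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

CORP_FS = "https://fs.corp.example"   # constructed issuer/audience names
SAAS_FS = "https://fs.saas.example"
SAAS_APP = "https://crm.saas.example"

# SaaS-side federation policy: incoming group claim -> application role.
# Groups not listed are dropped (constructed mapping).
GROUP_TO_ROLE = {"Managers": "Reader", "SalesOps": "Owner"}

# Application-side RBAC: permissions per role (constructed).
ROLE_PERMISSIONS = {
    "Reader": {"view_pipeline"},
    "Owner": {"view_pipeline", "edit_order"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, issuer: str, audience: str, claims: dict,
                ttl: int = 300, now: Optional[float] = None) -> str:
    """Token = base64(JSON body) '.' hex(HMAC-SHA256 over that payload)."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "aud": audience, "exp": int(now) + ttl, "claims": claims}
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(key: bytes, token: str, issuer: str, audience: str,
                 now: Optional[float] = None) -> dict:
    """Check signature, issuer, audience and expiry before trusting any claim.

    The audience check is what stops a token meant for the SaaS federation
    endpoint being presented directly to the application.
    """
    now = time.time() if now is None else now
    payload, sig = token.split(".", 1)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature does not verify")
    body = json.loads(_unb64(payload))
    if body.get("iss") != issuer:
        raise ValueError("untrusted issuer")
    if body.get("aud") != audience:
        raise ValueError("token not intended for this audience")
    if body.get("exp", 0) < now:
        raise ValueError("token expired")
    return body["claims"]


def transform_claims(incoming: dict) -> dict:
    """Group claims in, role claims out; only the claims the app needs are
    forwarded (the 'privacy -- claims allowed' point on slide 9)."""
    roles = sorted({GROUP_TO_ROLE[g] for g in incoming.get("groups", [])
                    if g in GROUP_TO_ROLE})
    return {"upn": incoming["upn"], "roles": roles}


def saas_authorise(app_claims: dict, action: str) -> bool:
    """Application decision made purely from the role claim."""
    permitted = set()
    for role in app_claims.get("roles", []):
        permitted |= ROLE_PERMISSIONS.get(role, set())
    return action in permitted


def federated_access(corp_key: bytes, saas_key: bytes, user_claims: dict,
                     action: str, now: Optional[float] = None) -> Tuple[bool, dict]:
    """Corporate token -> swapped SaaS token -> application decision."""
    # 1. Corporate FS (user already authenticated against AD) issues a token
    #    addressed to the SaaS federation endpoint.
    corp_token = issue_token(corp_key, CORP_FS, SAAS_FS, user_claims, now=now)
    # 2. SaaS FS verifies it with the trusted corporate key (the federation
    #    trust), transforms the claims and re-issues a token for the app.
    incoming = verify_token(corp_key, corp_token, CORP_FS, SAAS_FS, now=now)
    app_token = issue_token(saas_key, SAAS_FS, SAAS_APP, transform_claims(incoming), now=now)
    # 3. The application trusts only its own STS's key and audience.
    app_claims = verify_token(saas_key, app_token, SAAS_FS, SAAS_APP, now=now)
    return saas_authorise(app_claims, action), app_claims


if __name__ == "__main__":
    michal = {"upn": "michal@corp.example", "groups": ["Managers", "Staff"],
              "email": "michal@corp.example"}  # constructed user
    print(federated_access(b"corp-signing-key", b"saas-signing-key", michal, "view_pipeline"))
```

The application never sees the corporate token or the user's e-mail: the SaaS-side STS is the only component that holds the corporate trust, and it forwards just the role claim the application needs, which is the point of doing the group-to-role transformation in federation rather than re-administering users inside the SaaS app.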

20 NOT Role Based Access Control
- Implemented only in the SaaS Application
- Another (external) application in which you need to perform admin
- Does the business get delegated admin of users inside the SaaS app?
- How do they include enterprise users in the SaaS app, as Federation won't necessarily reveal users to the SaaS app?

21 Integration
- Infrastructure Integration: Identity Management, Data, Operations, Security

22 Data Integration
- LoB apps are typically islands, but need to share data
- EAI
  - Do you have another application which needs this data? (CRM & Accounting)
  - Is the data used in a workflow?
- ETL
  - Do you want to do data mining in house? (CRM)
  - How do you get the data into the "Universal Business Management Tool" (Excel)?

23 Integration
- Infrastructure Integration: Identity Management, Data, Operations, Security

24 Operations
- How are helpdesk going to treat the SaaS App?
  - Not involved at all? Then how do you measure quality?
  - Ideally add the SaaS Vendor as a 2nd line in the Trouble Ticketing system
- Integrate with the enterprise monitoring
  - Helpdesk know of a problem before your users
  - Trending/metrics for decision support: is user training needed?
  - Bugs/poor performance or availability: challenge the SaaS provider
  - Helps with SLA measurement
- Replace text w/drawings

25 Integration
- Infrastructure Integration: Identity Management, Data, Operations, Security

26 Security / Compliance
- Are you subject to regulations? These extend to the SaaS Provider
  - Industry regulations: SoX, ECB, BASEL II, EMV
  - Data Protection: EU & USA incompatible
- Common Criteria to at least EAL 3 on all layers of the SaaS stack: network, OS, application, DB etc.

27 Infrastructure Architecture
- Visio/stack diagram showing top level integration: TBC, to be added in v2

28 SaaS Infrastructure Integration Checklist (SiiC)
- Define and implement an Identity Management strategy
- Obtain skills in Federation technology and products
- Create an architecture for operations and data integration which supports SaaS Applications
- Doing it one by one = quick path to chaos

29 Why care?
- Integration
  - Users: another username, training?
  - Helpdesk: another app, where is 2nd line, what about password resets?
- Contractual
  - Lawyers: regulatory compliance
  - Security: privacy - customer data?

30 Why care?
- Contractual
  - Operations, operations, operations
  - Data ownership & Compliance
  - Cross-provider integration?

31 Operations, operations, operations
- Does the provider follow formal operations frameworks?
- Security accreditations?
- User training?
- Ability to turn on/off functionality?
- Can you define when upgrades occur?

32 Operations, operations, operations
- Impact on business continuity
- Can you make brick-level restores? Is there a charge for this?
- What Disaster Recovery or Business Continuity level do they offer?

33 Data ownership & Compliance
- What is "data"?
- Proving you are still in compliance: what reporting is available from the SaaS app?
- Do you have any internal policies about customer data?
- Microsoft policy for Personally Identifiable Information (PII) = no vendor has access to PII without adopting our policy (legal agreement)

34 Cross-Provider Integration
- The obvious stuff: SOA & WS
- Does the SaaS provider have public APIs?
- What security technology do they use to allow programmatic access to your data/the app?

35 SaaS "Keep My Job" Checklist
- Identity Integration, RBAC
- Operations Integration
- Security Accreditations
- Contractual: SLAs, Data Ownership
- WS Data Access
- Table columns: LoB Application / Tactical Application; Data Ownership

36 Summary
- SaaS = Integration: Infrastructure, Operations
- SaaS is similar to outsourcing: Contracts, SLAs
- Multiple SaaS applications introduce a new set of complexities we need to address
