Tuesday, January 15, 2013

Podcast: Cloud identity management with Ellen Newlands

In this podcast, Red Hat cloud security product manager Ellen Newlands discusses:
  • The changing security perimeter
  • Interoperability and cross-donain trust in heterogeneous hybrid cloud environments
  • The role of open standards in hybrid cloud identity management
  • How to approach identity in the cloud

  • Listen to MP3 (0:11:40)
    Listen to OGG (0:11:40)

Gordon Haff:  Hi, everyone. This is Gordon Haff, cloud evangelist with Red Hat, and I'm sitting here with Ellen Newlands, who's the product manager for our cloud security products. Welcome, Ellen.
Ellen Newlands:  Thank you, Gordon.
Gordon:  Ellen, could you briefly give a little bit of background about yourself and security?
Ellen:  Sure. I have a pretty extensive background in security, and particularly in identity and access management, and more recently, in cloud applications for identity and access.
Gordon:  Great. Well, it's certainly a hot topic in cloud. In fact, I'd like to start off this conversation with a quote from Chris Perretta, the CIO of State Street, in a recent interview he had in Forbes. He says, "I think we'll see the day where our cloud will be accessible to our clients. In fact, it is today. We're building features here where customers actually load their data, and we keep data on their behalf."
I don't think I've read anything that says to me quite as strongly that security is not about the network perimeter any longer. It's about verifying the people who are inside your systems.
Ellen:  I would agree, Gordon. One of the things increasingly that we are seeing with the new technology, cloud in particular, is that from a company point of view, there really is no inside or outside anymore. Knowing who you're doing business with, and who has the right to access what, has become increasingly important when you really don't control your perimeter, and frankly, when there isn't a perimeter anymore.
Gordon:  How do you go about doing this?
Ellen:  One of the things that we have been doing a lot of work on is putting together centralized identity and access management as a feature set within Red Hat Enterprise Linux, to make it a lot easier to manage identities in a centralized context as a foundation for moving into virtualization, and of course, into open hybrid cloud.
Gordon:  You mentioned that "hybrid" word with cloud, and that's obviously a hot topic these days; Gartner is talking about hybrid IT. We're certainly emphasizing open hybrid clouds because it's what our customers are asking us for. How do you handle identity in that kind of distributed world?
Ellen:  I think part of it is how you look at the environment that you're working in. When you say "open hybrid cloud," that includes a company's "private" cloud as well as public clouds, for example, Amazon and others of that sort. What you're seeing is balance between use of the cloud on‑premise, by the enterprise, and the applications and capabilities that will we put into a public cloud. That's one way of looking at a hybrid cloud. One of the things that we do in identity and access management in Red Hat Enterprise Linux is we make it very easy to set up and manage the identities in a Linux environment.
Gordon:  It's really even a little more complicated than you just said, isn't it though? Because it's not just about having private resources and public resources. It's also about having heterogeneous private and public resources, including, for example, Windows systems in many cases.
Ellen:  I think you make a very good point here, Gordon, which is, many large customers, and even some of the medium sized, will have a heterogeneous environment. Windows is very, very popular, of course, and what we are seeing is that the ability to work well in a heterogeneous environment is very important for identity and access management, and by definition, that really means the ability to interoperate smoothly with Active Directory.
Gordon:  How do you do that?
Ellen:  One of the things that we just shipped in Red Hat Enterprise Linux, the most recent release, is what we call a tech preview of something that we give the name of "Kerberos‑based cross‑domain trust." You might say, "Well, what does that mean? What is that to me?” Both Active Directory and our own identity management in Red Hat Linux use the Kerberos standard as developed by MIT. The Kerberos standard has recently been expanded and updated to allow the Kerberos tickets to carry not only the authentication, meaning the identity, but the attributes. This change in Kerberos allows us to set up a trust between Active Directory and our own identity management.
Gordon:  I think this really points to how important openness is in these hybrid environments, because we're not just talking about open source, but you've just described an open standard that's important to get security authentication across these types of hybrid environments.
Ellen:  Absolutely right, because both Microsoft and Red Hat support the MIT Kerberos standard. We now make it very easy for an end‑user on a Windows client with identity registered in Active Directory to gain access through a trust from Active Directory to identity management in RHEL, to many of the Linux services, within what we call an enterprise single sign‑on. This makes transactions very smooth for the user, and much, much easier to manage for both sets of administrators. It enhances both security and, to some degree, compliance.
Gordon:  One of the challenges in a hybrid environment is that all this stuff is, well, supposed to work together, and I think as any of our listeners, and as you know, that doesn't just auto‑magically happen.
Ellen:  No, but the good news is with a cross‑domain trust, you need very, very few changes in either one of these, I'm going to call them, domains. The Active Directory and the identity management for Linux, I need very, very few changes to just refer to one another. To pass the credentials from one to the other makes it much, much simpler. There's no syncing, there's no being out of sync, need much less installation or management hassle than you might've in the past.
One of the advantages too is, in this way, when using identity management in Red Hat Enterprise Linux, since it's designed for native Linux, it allows you to do some very native Linux type things, like sudo rules, etc.
Gordon:  What type of testing do we do that helps ensure this stuff really does work together?
Ellen:  Of course, we do interoperability testing of this functionality to make sure that the Windows client, Windows end‑user, is able to access the Linux services requested through this cross‑domain trust.
Gordon:  If I can maybe take this up a little bit to a higher level, as people are moving to clouds, to open hybrid clouds, what are some of the things they should be thinking, and some of the things they really need to be careful, about as they're setting up their authentication systems?
Ellen:  I think people want to be assured that whoever is accessing services has the right to access those services, and accesses only those services that they have the rightful privileges to access. I think that is fundamentally, the right people get access to the right information at the right time. I think that thinking about how to manage that is very important. Partly for that reason, we do a lot of work on interoperability with the Red Hat products that really function in open hybrid cloud, so back‑ending, for example, CloudForms or OpenShift, working with the OpenStack committee is very important, again, to ensure that the right people have access to the right capabilities at the right time.
Gordon:  What is some of the stuff going on in the identity cloud-related spaces that you think is really interesting right now, that people ought to be keeping their eyes on?
Ellen:  The thing that I think is very interesting now is a lot of the work in the past has been what I call point‑to‑point. It's required a lot of interoperability, setup, it's required a lot of, perhaps, contractual work, etc. Increasingly, you're seeing through some of the newer standards, and I will reference things like OpenID and OAuth, that it becomes easier and easier to interact from one service and one area in the cloud to another with a recognized standard. The standards in the back‑end, the standards for enterprise, identity, are being merged and used as back‑ends for some of the newer cloud areas.
The other thing that I think is very interesting is that the Federal Government has taken a very active in outlining the kinds of security, and identity and access management, that makes for a good, secure cloud computing. I think you see this with the OMB, with FedRAMP, with the new standards from NIST.
Gordon:  Of course, Cloud Security Alliance has also done a lot of work in outlining some of the specific things and security and compliance areas that people need to pay attention to.
Ellen:  Yes. As you know, Red Hat is a member of the Cloud Security Alliance, and I do think for people who are looking to set up a cloud, open hybrid cloud, any kind of cloud, you can get very, very good guidance in what to look at across the whole spectrum of cloud security from the outlines and tips that the cloud security alliance provides.
Gordon:  One thing that, for me, I think is a little bit encouraging is that we seem to be, for the most part, moving beyond "the cloud is secure, the cloud is insecure," sort of discussions, to really much more specific conversations around, say, specific aspects of compliance.
Ellen:  I think that's absolutely true. The cloud is not a monolith, and in some ways, I would submit that the cloud doesn't really exist. There are so many use cases, and one of the things that you learn early in security is to design the security level that you need for the value of the information and where you're placing it. I think that gives people a range of options of what they would put in a public cloud, what they might keep on premise, and how much or how little protection that information may need. Certainly not everything is Fort Knox.
Gordon:  Thank you, Ellen. I've been speaking with Ellen Newlands, the product manager for cloud security at Red Hat.

No comments: