- The changing security perimeter
- Interoperability and cross-domain trust in heterogeneous hybrid cloud environments
- The role of open standards in hybrid cloud identity management
- How to approach identity in the cloud
Listen to MP3 (0:11:40)
Listen to OGG (0:11:40)
Transcript:
Gordon Haff:
Hi, everyone. This is Gordon Haff, cloud evangelist with Red
Hat, and I'm sitting here with Ellen Newlands, who's the product manager for
our cloud security products. Welcome, Ellen.
Ellen Newlands:
Thank you, Gordon.
Gordon:
Ellen, could you briefly give a little bit of background about yourself
and security?
Ellen:
Sure. I have a pretty extensive background in security, and particularly
in identity and access management, and more recently, in cloud applications for
identity and access.
Gordon:
Great. Well, it's certainly a hot topic in cloud. In fact, I'd like to
start off this conversation with a quote from Chris Perretta, the CIO of State
Street, in a recent interview he had in Forbes. He says, "I think we'll
see the day where our cloud will be accessible to our clients. In fact, it is
today. We're building features here where customers actually load their data,
and we keep data on their behalf."
I don't think I've read anything that says to me quite as strongly that security
is not about the network perimeter any longer. It's about verifying the people
who are inside your systems.
Ellen:
I would agree, Gordon. One of the things increasingly that we are seeing
with the new technology, cloud in particular, is that from a company point of
view, there really is no inside or outside anymore. Knowing who you're doing
business with, and who has the right to access what, has become increasingly
important when you really don't control your perimeter, and frankly, when there
isn't a perimeter anymore.
Gordon:
How do you go about doing this?
Ellen:
One of the things that we have been doing a lot of work on is putting
together centralized identity and access management as a feature set within Red
Hat Enterprise Linux, to make it a lot easier to manage identities in a
centralized context as a foundation for moving into virtualization, and of
course, into open hybrid cloud.
Gordon:
You mentioned that "hybrid" word with cloud, and that's
obviously a hot topic these days; Gartner is talking about hybrid IT. We're
certainly emphasizing open hybrid clouds because it's what our customers are
asking us for. How do you handle identity in that kind of distributed world?
Ellen:
I think part of it is how you look at the environment that you're working
in. When you say "open hybrid cloud," that includes a company's
"private" cloud as well as public clouds, for example, Amazon and
others of that sort. What you're seeing is a balance between use of the cloud on‑premise,
by the enterprise, and the applications and capabilities that we will put into
a public cloud. That's one way of looking at a hybrid cloud. One of the things
that we do in identity and access management in Red Hat Enterprise Linux is we
make it very easy to set up and manage the identities in a Linux environment.
Gordon:
It's really even a little more complicated than you just said, isn't it
though? Because it's not just about having private resources and public
resources. It's also about having heterogeneous private and public resources,
including, for example, Windows systems in many cases.
Ellen:
I think you make a very good point here, Gordon, which is, many large
customers, and even some of the medium sized, will have a heterogeneous
environment. Windows is very, very popular, of course, and what we are seeing
is that the ability to work well in a heterogeneous environment is very
important for identity and access management, and by definition, that really
means the ability to interoperate smoothly with Active Directory.
Gordon:
How do you do that?
Ellen:
One of the things that we just shipped in Red Hat Enterprise Linux, the
most recent release, is what we call a tech preview of something that we give
the name of "Kerberos‑based cross‑domain trust." You might say,
"Well, what does that mean? What is that to me?" Both Active Directory and
our own identity management in Red Hat Linux use the Kerberos standard as
developed by MIT. The Kerberos standard has recently been expanded and updated
to allow the Kerberos tickets to carry not only the authentication, meaning the
identity, but the attributes. This change in Kerberos allows us to set up a
trust between Active Directory and our own identity management.
Gordon:
I think this really points to how important openness is in these hybrid
environments, because we're not just talking about open source, but you've just
described an open standard that's important to get security authentication
across these types of hybrid environments.
Ellen:
Absolutely right, because both Microsoft and Red Hat support the MIT
Kerberos standard. We now make it very easy for an end‑user on a Windows client
with identity registered in Active Directory to gain access through a trust
from Active Directory to identity management in RHEL, to many of the Linux
services, within what we call an enterprise single sign‑on. This makes
transactions very smooth for the user, and much, much easier to manage for both
sets of administrators. It enhances both security and, to some degree,
compliance.
Gordon:
One of the challenges in a hybrid environment is that all this stuff is,
well, supposed to work together, and I think as any of our listeners, and as
you know, that doesn't just auto‑magically happen.
Ellen:
No, but the good news is with a cross‑domain trust, you need very, very
few changes in either one of these, I'm going to call them, domains. The Active
Directory and the identity management for Linux need very, very few changes
to just refer to one another. To pass the credentials from one to the other
makes it much, much simpler. There's no syncing, there's no being out of sync,
and you need much less installation or management hassle than you might have had in the past.
One of the advantages too is, in this way, when using identity management in Red
Hat Enterprise Linux, since it's designed for native Linux, it allows you to do
some very native Linux type things, like sudo rules, etc.
Gordon:
What type of testing do we do that helps ensure this stuff really does work
together?
Ellen:
Of course, we do interoperability testing of this functionality to make
sure that the Windows client, Windows end‑user, is able to access the Linux
services requested through this cross‑domain trust.
Gordon:
If I can maybe take this up a little bit to a higher level, as people are
moving to clouds, to open hybrid clouds, what are some of the things they
should be thinking, and some of the things they really need to be careful,
about as they're setting up their authentication systems?
Ellen:
I think people want to be assured that whoever is accessing services has
the right to access those services, and accesses only those services that they
have the rightful privileges to access. I think that is, fundamentally, the
right people get access to the right information at the right time. I think
that thinking about how to manage that is very important. Partly for that
reason, we do a lot of work on interoperability with the Red Hat products that
really function in open hybrid cloud, so back‑ending, for example, CloudForms
or OpenShift, working with the OpenStack committee is very important, again, to
ensure that the right people have access to the right capabilities at the right
time.
Gordon:
What is some of the stuff going on in the identity cloud-related spaces
that you think is really interesting right now, that people ought to be keeping
their eyes on?
Ellen:
The thing that I think is very interesting now is a lot of the work in
the past has been what I call point‑to‑point. It's required a lot of
interoperability, setup, it's required a lot of, perhaps, contractual work,
etc. Increasingly, you're seeing through some of the newer standards, and I
will reference things like OpenID and OAuth, that it becomes easier and easier
to interact from one service and one area in the cloud to another with a
recognized standard. The standards in the back‑end, the standards for
enterprise, identity, are being merged and used as back‑ends for some of the
newer cloud areas.
The other thing that I think is very interesting is that the Federal Government has
taken a very active role in outlining the kinds of security, and identity and access
management, that make for a good, secure cloud computing. I think you see this
with the OMB, with FedRAMP, with the new standards from NIST.
Gordon:
Of course, Cloud Security Alliance has also done a lot of work in
outlining some of the specific things and security and compliance areas that
people need to pay attention to.
Ellen:
Yes. As you know, Red Hat is a member of the Cloud Security Alliance, and
I do think for people who are looking to set up a cloud, open hybrid cloud, any
kind of cloud, you can get very, very good guidance in what to look at across
the whole spectrum of cloud security from the outlines and tips that the Cloud
Security Alliance provides.
Gordon:
One thing that, for me, I think is a little bit encouraging is that we
seem to be, for the most part, moving beyond "the cloud is secure, the
cloud is insecure," sort of discussions, to really much more specific
conversations around, say, specific aspects of compliance.
Ellen:
I think that's absolutely true. The cloud is not a monolith, and in some
ways, I would submit that the cloud doesn't really exist. There are so many use
cases, and one of the things that you learn early in security is to design the
security level that you need for the value of the information and where you're
placing it. I think that gives people a range of options of what they would put
in a public cloud, what they might keep on premise, and how much or how little
protection that information may need. Certainly not everything is Fort Knox.
Gordon:
Thank you, Ellen. I've been speaking with Ellen Newlands, the product
manager for cloud security at Red Hat.