Thursday, January 02, 2014

Podcast: Identity Management and crypto with Red Hat's Ellen Newlands and Matt Smith

Ellen Newlands shares new IdM and cryptography features in Red Hat Enterprise Linux--including the new RHEL 7 beta--while Matt Smith talks about some trends that he's seeing at the customers he speaks with such as the desire to extend enterprise identity into public clouds.

Listen to MP3 (0:11:14)
Listen to OGG (0:11:14)


Gordon Haff:  You're listening to the Cloudy Chat podcast with Gordon Haff.
Hi, everyone. This is Gordon Haff, cloud evangelist with Red Hat, and today I've got two guests here with me. I've got Ellen Newlands, who runs product management for our identity and security products, and I've got Matt Smith, who's a solution architect in the Northeast region with Red Hat. Matt's going to have some great insights about some of the conversations he's having with customers around security and identity.
I'd like to start off first with you, Ellen. What's new?
Ellen Newlands:  Well, I have to say, Gordon, especially with Red Hat Enterprise Linux 7.0 going into beta ‑‑ as you know, we just went into beta with 7.0 at the beginning of this month, December ‑‑ there's a lot that's new in identity management. Many of you may remember that we've included identity management as a feature set in RHEL, which means that it is free with the RHEL subscription. In 7.0, we are bringing out some new functionality that we think is particularly useful.
A lot of customers have Active Directory as what we call their authoritative source for identity in a Windows environment, and yet they'll very often have a very, very large Red Hat Linux deployment, particularly in development or in test. One of their questions is always, "How do I best manage my Linux identities but maintain my capabilities to have Active Directory as the authoritative source for regulatory and compliance purposes?"
Well, in RHEL 7.0, we're shipping something we're calling cross‑realm Kerberos trust. What does that mean? What that actually means is that we have put together a very secure scheme for setting up a trust between Active Directory and what we call the IPA ‑‑ or identity, policy, and audit server, the server piece of identity management in RHEL ‑‑ so that your users in a Windows environment can use their Active Directory credentials and have them passed to an identity server for Linux and then securely and safely reach Linux resources without having to, for example, change one authoritative source for another. In other words, keep your Active Directory, set up a trust with identity management in Linux, and enable your Windows users to access the Linux resources that they would want. We are beginning beta on this now, and we have already had some very good feedback on this functionality.
Now, I did want to mention that, in addition to this, there are customers who do not wish to have any kind of a second domain in Linux, so we have functionality that we call SSSD, which is client functionality that will allow you to connect your individual Linux resources or hosts directly into Active Directory should you prefer. We believe that this gives us a wider reach in today's heterogeneous environment for identity management.
Gordon:  Going to talk a little bit about crypto in a couple minutes, at the risk of having people's heads explode, but for right now, Matt, maybe you can tell us a little bit about what you're seeing out in the field. You spend a lot of time talking to customers, and I'm sure you've got a lot of good insights about what they're seeing out there.
Matt Smith:  Sure, absolutely. Thank you, Gordon.
Really, what we're seeing come forward with the RHEL 7 beta here, with the new features and functionality in IdM, this really addresses some of the calls we're seeing in the field. Customers have a huge investment in Active Directory ‑‑ in the infrastructure they've deployed, in the processes they've developed. As Ellen already described, really being able to bring forward a solution that allows the Linux environments to interact with an Active Directory but have the features and functionality that Red Hat IdM provides, which, beyond just the authentication, also has the management of the access control within that Linux environment, and it gives the Linux admins the ability to interact very, very easily with that IdM environment. Being able to have that integration with an established Active Directory meets a very, very high demand from our customers.
Gordon:  You've been doing this for a while. What are some of the trends that you see out there? What's different today than if I was asking you this question maybe a couple years ago?
Matt:  That's a great question. Really, the newest trend that we're seeing, and really, it's been developing over the past few years ‑‑ how do I extend my enterprise identity into the cloud? As software‑as‑a‑service options are becoming more and more attractive, as platform‑as‑a‑service and infrastructure‑as‑a‑service offerings out in the public cloud become more available, more cost‑effective, and more feasible for many of our customers, they look at that credential set that today might live inside of an Active Directory or inside of a Red Hat IdM, and they question whether they should extend that to those outside public services, whether they should be creating new IDs and passwords out there in that public space, if there's a way that doesn't violate network security principles to tie those systems back into credentials inside their data center.
Of course, here, we are very aware of the other authentication activities in the world, whether this is SAML in the federated authorization space or OpenID and oAuth, and we're developing those strategies around how to leverage those technologies to be able to extend enterprise identity into those cloud services.
Gordon:  Ellen, let's talk a little bit about crypto specifically. I know we've got some new features out there, so maybe if you could explain it without having people's heads explode too much, I think that'd be interesting.
Ellen:  I did want to start by saying I have worked with what we call the crypto geeks for about half of my working life, and I will tell you, you can always spot them in a crowd.
Having said that, all crypto is essentially mathematically based. One of the best protections for any of the cryptographic algorithms that keep your communications and your data safe and locked up is that it takes so long, using computers, to crack the code. As computer power has increased, the algorithms that were in common use are more easily cracked. It takes less time. Cracking an algorithm is all about the compute time it takes to crack it. With the expansion of compute power and the high demand for security, the National Institutes of Standards and Technology ‑‑ known lovingly as NIST ‑‑ recently set out standards and recommendations for what we would call higher‑order cryptographic algorithms, which they call Suite B.
Now, the Red Hat Enterprise Linux 5.10 and 6.5, which just recently went GA, and 7.0, which is in beta now have all included some new cryptography in addition to the original algorithms that they had in Suite B. One of the more interesting pieces of cryptography that has been included is something called elliptic‑curve cryptography. The reason that this is interesting is, for less processing power and less compute power, it offers stronger crypto than had previously been available.
I think the basic point here is that the crypto in Red Hat Enterprise Linux has been updated, which ensures safer communication, safer data at rest and in motion. As the standards change, I just want it on record that RHEL and the feature set in RHEL keep up with the changes and recommendations.
Gordon:  Matt, out in the field, how are you seeing use of crypto out there? Is it increasing? Are people being more aware of the technical details? What are the trends that you see there?
Matt:  Absolutely. Crypto becomes more important every day, but at the same time, the assumption is generally that it is just there. At this point, being able to see that HTTPS in your URL bar in your favorite browser is just an assumed technology ‑‑ "Oh, it's HTTPS, therefore it is secure." Of course, as customers look to move data out, again, into the cloud, or they start expanding where their data lives ‑‑ it's no longer just within the four walls of their existing data center ‑‑ really being able to encrypt that data, in flight or at rest, becomes more and more critical and more and more of an assumption on our customers' part.
Gordon:  Are there changes in the way they're doing key management these days? Encryption is easy. It's the key management that's the hard part.
Matt:  Absolutely. There are a number of vendor products out there for key management, as well as when we look at certificate‑based management, our own certificate management capabilities within Red Hat IdM and within Red Hat Certificate Server. We provide those capabilities, but again, as customers are looking to distribute the geography of their data, this is a challenge in the space that, really, there's still a lot of space left to find proper solutions.
Gordon:  Ellen, maybe we can start to wrap up here. Anything else that you'd like to share?

Ellen:  I would like to say that if customers are interested in any of the new capabilities for identity management in Red Hat Enterprise Linux 7.0, we have instituted a high‑touch beta program specifically for those who are interested in the identity functionality, and customers are still welcome to join that beta program because it runs from now until the middle of March. There's plenty of time to get a look at the new features and, if time permits and resources allow, to give them a test run.

No comments: