Inside Symantec O3
Sergi Isasi, Senior Manager, Product Management
SR B30 - Inside Symantec O3

Agenda
Cloud: Opportunity And Challenge
- Opportunity: we should embrace the cloud (public and private) to respond to LOB needs, drive business agility and better manage costs.
- Challenge: we lack a comprehensive means to control access, security and compliance across the breadth of cloud services and applications.

Cloud-mobile: Opportunity And Challenge
- Opportunity: we should embrace BYOD, BYOA and the new mobile platform to augment productivity and innovate new business models.
- Challenge: how do we layer common protection across cloud and mobile without undermining the convenience of the mobile experience?
Introducing Symantec O3: A New Cloud Information Protection Platform
- Access control
- Information protection
- Cloud visibility
Diagram: Symantec O3 placed between the enterprise (private cloud) and cloud services, labelled Control, Security, Compliance.
SYMANTEC VISION 2012

A Platform To Meet The Challenge In Three Dimensions
- Control: single control point; context-based; layered security as-a-service
- Convenience: easy access/SSO for cloud and web apps; use the apps you like; any device, including mobile
- Compliance: SIEM and forensics for the cloud; log and audit trail management; policy audit and reporting
Symantec O3 Identity and Access Control Architecture
- Leverages existing IDM infrastructure: any corporate directory or identity store; single ID; SSO
- Strong authentication: VIP OTP; stepped up per application policy; other forms using custom integration
- Authorization: context-based policy engine; who (identity-based); what (device-based)
- Federation/password management: SAML and OpenID; gateway-based keychain and wizard; apps catalog (+ connectors)
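The who/what authorization model above, together with per-application step-up, worked as an added example (this is illustration code, not Symantec O3 code): a small policy engine evaluates group membership (who), device posture (what) and the strength of the current authentication against a per-application policy and answers allow, deny or step-up. The policy fields, the two application policies and the two authentication levels are assumptions made for the example.

```python
"""Context-based access decision with per-application step-up.

Added example: hypothetical policy format and application names, not the
O3 policy language. auth_level 1 = password only, 2 = password + OTP.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """What the gateway knows about the request at decision time."""
    user: str
    groups: frozenset          # "who": identity-based attributes
    device_managed: bool       # "what": device-based attribute
    auth_level: int            # strength of the authentication already done


@dataclass(frozen=True)
class AppPolicy:
    """Per-application policy (assumed format)."""
    name: str
    allowed_groups: frozenset
    require_managed_device: bool = False
    min_auth_level: int = 1    # 2 means the app demands a VIP-style OTP step-up


# Constructed sample policies for two applications.
POLICIES = {
    "crm": AppPolicy("crm", frozenset({"sales", "execs"})),
    "payroll": AppPolicy("payroll", frozenset({"finance"}),
                         require_managed_device=True, min_auth_level=2),
}


def decide(ctx, app, policies=POLICIES):
    """Return 'allow', 'deny' or 'step-up' for this context and application.

    Hard denials are evaluated before step-up so that a user who would be
    refused anyway is never prompted for a second factor; step-up can raise
    auth_level but can never change group membership or device posture.
    """
    policy = policies.get(app)
    if policy is None:
        return "deny"                       # default deny: unknown application
    if not (ctx.groups & policy.allowed_groups):
        return "deny"                       # who-check fails
    if policy.require_managed_device and not ctx.device_managed:
        return "deny"                       # what-check fails
    if ctx.auth_level < policy.min_auth_level:
        return "step-up"                    # identity and device fine, OTP still needed
    return "allow"


if __name__ == "__main__":
    alice = Context("alice", frozenset({"finance"}), device_managed=True, auth_level=1)
    print(decide(alice, "payroll"))         # step-up: password only so far
    print(decide(alice, "crm"))             # deny: not in sales or execs
```

The only transition the engine offers is step-up; after the OTP succeeds the gateway rebuilds the Context with auth_level 2 and calls decide again, which is what "stepped up per application policy" amounts to in practice.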
O3 Services: ID Broker and Authentication Model
End-user SSO login options to O3:
1. At the O3 gateway portal
2. Custom portal in front of the O3 gateway
3. External IdP with redirect (IdP-initiated SAML)
4. SAML-based SP with redirect (SP-initiated SAML)
Diagram components: end user, user devices and client app; O3 Gateway (GW portal with O3 SSO login, custom portal, login ceremony portal, SAML handler, Identity and Access Broker, Information Gateway); O3 Intelligence Center (O3 admin console, policies and configuration); enterprise customer AD/LDAP directory (authentication and attributes); external IdP (IdP portal, SAML assertion); cloud service acting as SP (SAML assertion delivered by HTTP POST); service access.
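Login options 3 and 4 end with a SAML handler (the gateway's, or the cloud service acting as SP) receiving a bearer assertion by HTTP POST. The following added example, which is not O3 code, shows the checks that handler has to make before it trusts the subject: signature, issuer, validity window, audience, recipient, InResponseTo correlation and one-time use. The assertion, URLs, request ID and key are constructed for the example, and an HMAC over the raw bytes stands in for XML-DSig verification so that it runs on the standard library alone; a production handler verifies the XML signature with a SAML library, and must do so before reading any other field.

```python
"""Validation a SAML SP must perform on a bearer assertion (added example).

The HMAC "signature" is a stand-in for XML-DSig; everything else mirrors the
checks a real handler performs on the <saml:Assertion> it receives via POST.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_KEY = b"stand-in-for-idp-signing-key"   # constructed; real IdPs sign with RSA/ECDSA

# Constructed assertion: IdP idp.example.test, SP sp.example.test, request _req42.
ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2012-05-08T10:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example.test/acs"
          NotOnOrAfter="2012-05-08T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-05-08T09:59:00Z" NotOnOrAfter="2012-05-08T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
TAG = hmac.new(IDP_KEY, ASSERTION, hashlib.sha256).hexdigest()   # what the IdP attaches


class SamlError(Exception):
    pass


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def validate(raw, tag, *, issuer, audience, acs_url, pending, seen, now,
             skew=timedelta(minutes=2)):
    """Return the NameID of a valid assertion or raise SamlError."""
    # 1. Integrity first: never read fields from an assertion you have not verified.
    if not hmac.compare_digest(hmac.new(IDP_KEY, raw, hashlib.sha256).hexdigest(), tag):
        raise SamlError("bad signature")
    root = ET.fromstring(raw)
    # 2. Issuer must be the IdP this SP is federated with.
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise SamlError("unexpected issuer")
    # 3. Validity window with bounded clock skew.
    cond = root.find("saml:Conditions", NS)
    if now + skew < _ts(cond.get("NotBefore")) or now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise SamlError("assertion outside validity window")
    # 4. Audience: an assertion minted for another SP must not be accepted here.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise SamlError("audience mismatch")
    # 5. Bearer confirmation: recipient URL and correlation to a request we issued.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise SamlError("recipient mismatch")
    if now - skew >= _ts(scd.get("NotOnOrAfter")):
        raise SamlError("subject confirmation expired")
    req = scd.get("InResponseTo")
    if req is not None:                 # absent in IdP-initiated flows (login option 3)
        if req not in pending:
            raise SamlError("unsolicited or replayed InResponseTo")
        pending.discard(req)
    # 6. Replay: an assertion ID is consumed exactly once within its lifetime.
    aid = root.get("ID")
    if aid in seen:
        raise SamlError("assertion replayed")
    seen.add(aid)
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def verdict(raw=ASSERTION, tag=TAG, now_str="2012-05-08T10:01:00Z",
            audience="https://sp.example.test", pending=None, seen=None):
    """Run validate() against the constructed assertion and report the outcome."""
    pending = {"_req42"} if pending is None else pending
    seen = set() if seen is None else seen
    try:
        return "ok:" + validate(raw, tag, issuer="https://idp.example.test/saml",
                                audience=audience, acs_url="https://sp.example.test/acs",
                                pending=pending, seen=seen, now=_ts(now_str))
    except SamlError as err:
        return "rejected:" + str(err)


if __name__ == "__main__":
    print(verdict())
    print(verdict(raw=ASSERTION.replace(b"alice", b"mallory")))
```

The order matters: the signature check comes before parsing, the window and audience checks before the request correlation, and the ID is recorded only after everything else passed, so a rejected assertion never poisons the replay cache. The seen set has to outlive the assertion's NotOnOrAfter, which is why the skew is bounded rather than open-ended.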
Application Integration
Diagram: end user, user devices and client app; O3 Gateway (Identity and Access Broker with SSO portal, Cloud Services and Information Gateway with credential keychain); IdP via SAML or HTTP-Fed; web-enabled applications.
- SAML: gateway proxies the user store as IdP; redirect or proxy mode option; point-and-click SAML setup (no SAML expertise required)
- HTTP-Federation: HTTP form stuffing; credential stored in the local keychain
- Reverse proxy: trusted headers (internal web apps)
- Gateway Credential Keychain: password vault storing SaaS app credentials; encrypted and stored locally in the GW, one per user; works with any web app (catalog and custom adaptors)
- Keychain Tool: Java tool to pre-populate SaaS app usernames and passwords in the keychain; prevents user login at the SaaS app with a machine-generated username and password; input: spreadsheet of uid/pswd
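The reverse-proxy option above hands the authenticated identity to an internal web app in a trusted header. That only holds if the app cannot be reached except through the gateway, or if the header is bound to the gateway in a way a direct caller cannot forge. The added example below is illustration code rather than O3 code, and the header names, shared secret and TTL are assumptions; it shows both halves: the gateway strips any client-supplied copies of the trusted headers before injecting its own plus a keyed proof, and the app accepts the identity only when the proof verifies and is fresh.

```python
"""Trusted-header handoff between a reverse-proxy gateway and an internal app.

Added example with assumed header names and a constructed shared key; the
binding via HMAC is one way to stop a client that can reach the app directly
from simply sending X-Authenticated-User itself.
"""
import hashlib
import hmac
import time

IDENTITY_HEADER = "X-Authenticated-User"
PROOF_HEADER = "X-Gateway-Proof"
SHARED_KEY = b"constructed-gateway-app-secret"   # provisioned out of band to both sides
PROOF_TTL = 60                                   # seconds a proof stays acceptable


def _proof(user, ts, key=SHARED_KEY):
    """Keyed tag over (user, timestamp); only the gateway and the app hold the key."""
    return hmac.new(key, f"{user}|{ts}".encode(), hashlib.sha256).hexdigest()


def gateway_upstream_headers(client_headers, authenticated_user, now=None):
    """Gateway side: build the headers forwarded upstream after authentication."""
    now = int(time.time()) if now is None else now
    reserved = {IDENTITY_HEADER.lower(), PROOF_HEADER.lower()}
    # Drop anything the client sent under the trusted names, whatever the case;
    # only the gateway may set them.
    forwarded = {k: v for k, v in client_headers.items() if k.lower() not in reserved}
    ts = str(now)
    forwarded[IDENTITY_HEADER] = authenticated_user
    forwarded[PROOF_HEADER] = f"{ts}:{_proof(authenticated_user, ts)}"
    return forwarded


def app_identity(headers, now=None):
    """App side: return the user only if the proof is bound to the key and fresh."""
    now = int(time.time()) if now is None else now
    user = headers.get(IDENTITY_HEADER)
    proof = headers.get(PROOF_HEADER)
    if not user or not proof or ":" not in proof:
        return None                       # identity without proof is untrusted
    ts, mac = proof.split(":", 1)
    if not ts.isdigit() or abs(now - int(ts)) > PROOF_TTL:
        return None                       # stale or malformed timestamp
    if not hmac.compare_digest(mac, _proof(user, ts)):
        return None                       # header altered or not set by the gateway
    return user


if __name__ == "__main__":
    # Constructed inbound request: the client tries to pre-set the identity header.
    inbound = {"Host": "intranet.acme.test", "Cookie": "s=1",
               "x-authenticated-user": "admin"}
    upstream = gateway_upstream_headers(inbound, "alice", now=1000)
    print(app_identity(upstream, now=1010))          # alice
    forged = dict(upstream, **{IDENTITY_HEADER: "admin"})
    print(app_identity(forged, now=1010))            # None
```

The proof binds only the user and a timestamp, so within the TTL a captured proof could be replayed to a different request; pair it with TLS between gateway and app and a network rule that admits only the gateway, and bind the tag to the request path and method, or a per-request nonce, if the app is exposed more widely.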
Demonstration!
https://intelcenter.symanteco3.com
https://ea0-o3-gw1.symanteco3.com
Deployment: Symantec cloud, your cloud, hybrid
Diagram labels: managed devices; unmanaged devices; Acme Inc network (AD, private cloud) hosting a Symantec O3 Gateway (single-tenant); Symantec O3 Secure Infrastructure hosting a Symantec O3 Gateway and the Intelligence Center (multi-tenant policy mgmt., identity security policy, information security policy) with policy sync to the gateways; cloud or partner virtualized infrastructure hosting a Symantec O3 Gateway (single-tenant on IaaS); SaaS (any SaaS); IaaS/PaaS (any public cloud).
Customer-Hosted Deployment Overview
Diagram: customer administrator, customer network (employees, Symantec O3 Gateway, customer AD/LDAP, internal SaaS applications), roaming employees, Symantec network (Symantec O3 Intelligence Center), cloud applications.
A. Customer admin defines employee access policies at the hosted O3 IC
B. Policies published to the on-prem O3 gateway(s)
C. Internal and external employees authenticate to the O3 gateway to gain access to applications
D. O3 gateway delegates authentication to customer AD/LDAP
E. O3 gateway enforces identity-based access and information protection policies
F. Employees gain access to applications upon successful authorization

Symantec-Hosted Deployment Overview
Diagram: customer administrator, customer network (employees, Symantec O3 ID Link, customer AD/LDAP, internal SaaS applications), roaming employees, Symantec network (Symantec O3 Intelligence Center, Symantec O3 Gateway), cloud applications.
A. Customer admin defines employee access policies at the hosted O3 IC
B. Policies published to the Symantec-hosted O3 gateway(s)
C. Internal and external employees authenticate to the O3 gateway to gain access to applications
D. O3 gateway delegates authentication to customer AD/LDAP
E. O3 gateway enforces identity-based access and information protection policies
F. Employees gain access to applications upon successful authorization
Roadmap
Roadmap Disclaimer This information is about pre-release software. Any unreleased update to the product or other planned modification is subject to ongoing evaluation by Symantec and therefore subject to change. This information is provided without warranty of any kind, express or implied. Customers who purchase Symantec products should make their purchase decision based upon features that are currently available. 15
Symantec O3 Information Security Architecture
- DLP for information classification: leverages existing DLP deployment; identity context; any device, any cloud
- Silent file encryption: leverages existing PGP deployment; key management option; other forms using custom portal integration
- iPad secure sandbox app: bring your iPad to work; integrated with the gateway (SSL VPN with 2FA); sandbox data-at-rest encryption
Availability: 2H CY2012

Demonstration!
https://gw.ea7.symanteco3.com/
O3 As The Cloud Information Protection Platform
Cloud access and information protection:
1. End-user SSO session portal
2. Brokered authentication and authorization
3. Policy and configuration synchronization
4. Information protection
5. Audit and access logs
Diagram components:
- User devices / client app: default SSO portal; custom portal; legacy web-enabled applications
- IdP / user-store connectors: Symantec VIP OTP; O3 connectors; AD/LDAP ID-link; AD IWA; external user store (OpenID, SAML, OAuth); enterprise user directory (AD/LDAP, ODBC/JDBC, WS/REST)
- O3 Gateway: authentication delegation; context-based policy enforcement; federation services (SAML, OAuth, OpenID, WS-Federation); cloud SP connectors; gateway web services; reverse proxy services; non-native 2FA; IC sync; ESSO; HTTP-Fed
- External cloud applications
- O3 logs: audit and access logs; system logs
- 2FA: Symantec 2FA (MPKI, FDS); 3rd-party 2FA (RSA, certificates)
- O3 Intelligence Center: multi-tenant policy management; GW configuration and status
- Info protection (ICAP): DLP; PGP / key management; archiving / eDiscovery
- Symantec log management: SSIM; Minimum Security Standards (MSS); log management; Symantec DeepSight, Symantec Global Intelligence Network

Thank you!
Sergi Isasi
Copyright 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.