Topsummit安全既服務(wù)案例分析–WindowsAzureAD身份云的架構(gòu)和設(shè)計(jì)-微軟李雨航

安全既服務(wù)案例分析–WindowsAzureAD身份云的架構(gòu)和設(shè)計(jì)李雨航Y(jié)aleLi微軟全球首席安全架構(gòu)師云安全聯(lián)盟全球總戰(zhàn)略顧問摘要1）傳統(tǒng)IT安全軟件的問題和不足

2）安全既服務(wù)的產(chǎn)生和要解決的問題3）WindowsAzureAD身份云的架構(gòu)和設(shè)計(jì)4）開發(fā)人員使用場(chǎng)景5）打造身份云吸取的經(jīng)驗(yàn)教訓(xùn)傳統(tǒng)IT安全軟件的問題和不足不適應(yīng)多租戶的云服務(wù)用戶擴(kuò)展性的局限無法跟上快速開發(fā)部署的步伐SecuritySoftwareExamples:Ad-AwareFreeAntivirus+Protectyourpersonalcomputeragainstvirusandspywareattacks.ComodoInternetSecurityProtectPCfromviruses,Trojans,worms,bufferoverflows,zero-dayattacks,spywareandhackers.ComodoFirewallGuardyourWindowsPCfrommalwareandInternetbasedattacks.SuperAntiSpywareFreeEditionDetectandremovespyware,malware,rootkits,trojans,hijackers,andothermaliciousthreats.ComodoAntivirusDetectanddestroymalwareandviruses.USBDiskSecurityProvideprotectionagainstanymaliciousprogramstryingtoattackviaUSBdrive.HitmanPro3(32-bit)Rescueyourcomputerfromvirusesandmalware.TrendMicroHijackThisScanyourRegistryandharddriveforspyware.MicrosoftSecurityEssentials(64-bit)ProtectyourcomputerwithMicrosoft'slatestsecuritysoftware.SuperAdBlockerBlockallformsofadvertising,includingpop-ups,Flashads,andbannerads.安全既服務(wù)的產(chǎn)生和要解決的問題

云計(jì)算的安全問題安全既服務(wù)帶來的機(jī)會(huì)云安全聯(lián)盟的十大SECaaS身份云要解決的問題描述云計(jì)算的安全問題

DataBreachesDataLossAccountHijackingInsecureAPIsDenialofServiceMaliciousInsidersAbuseofCloudServicesInsufficientDueDiligenceSharedTechnologyIssues安全既服務(wù)帶來的機(jī)會(huì)

盾牌式戰(zhàn)略思維：把注意力放在使用舊安全工具來保護(hù)云中數(shù)據(jù)和系統(tǒng)利劍式戰(zhàn)略思維：為什么不能用云的力量創(chuàng)造出新一代安全工具這就是安全既服務(wù)（SecurityasaServiceorSECaaS)：Provisioningelastic,scalablesecuritysolutionsandservicestobothcloudbasedandtraditionalonpremisessystemsinpurecloudorhybridmodels.云安全聯(lián)盟的十大SECaaS分類

IdentityandAccessManagement(IAM)–身份云DataLossPrevention(DLP)WebSecurityEmailSecuritySecurityAssessmentsIntrusionManagement,Detection,andPrevention(IDS/IDP)SecurityInformationandEventManagement(SIEM)EncryptionBusinessContinuityandDisasterRecovery(BCDR)NetworkSecurity身份云要解決的問題云用戶賬號(hào)身份生命周期的管理支持所以云應(yīng)用的登錄統(tǒng)一技術(shù)標(biāo)準(zhǔn)的線上線下身份認(rèn)證手段組織機(jī)構(gòu)的內(nèi)外部共享所有員工和個(gè)人等減少企業(yè)卡，工作證，校園卡，組織機(jī)構(gòu)代碼證等的分別發(fā)放線上線下使用同一身份認(rèn)證介質(zhì)、資源管理和服務(wù)分享手段實(shí)名上網(wǎng)和統(tǒng)一數(shù)據(jù)跟蹤、行為跟蹤能力建立大數(shù)據(jù)和大數(shù)據(jù)溯源監(jiān)控的能力使用的方便和簡(jiǎn)潔直接決定用戶體驗(yàn)，新時(shí)代的特點(diǎn)WindowsAzureAD身份云的架構(gòu)和設(shè)計(jì)WindowsAzureAD身份云設(shè)計(jì)原則WindowsAzureAD身份云工作原理WindowsAzureAD身份云聯(lián)邦身份（Federation）WindowsAzureAD身份云一鍵登錄(SingleSignOn)WindowsAzureAD身份云多因驗(yàn)證(PhoneFactor)WindowsAzureAD身份云設(shè)計(jì)原則

Theclouddesignpointdemandscapabilitiesthatarenotpartofcurrent-dayWindowsServerActiveDirectoryMaximizedevice&platformreachhttp/web/RESTbasedprotocolsMulti-tenancyCustomerownsdirectory,notMicrosoftOptimizeforavailability,consistentperformance,andscaleKeepitsimpleLeverageon-premisesinvestments,providecloudadditionsWindowsAzureAD身份云工作原理WindowsAzureAD身份云的架構(gòu)和設(shè)計(jì)MSODSFederationsUsersPwdsTenantsSubscriptions,SKUsUsersandGroupsServiceprincipalsSyncTenantsIdentityProvidersServiceprincipalsADOn-premEnterpriseOrgIDACSAADCreate

Service

principalsADFSDirsyncusers,groupsIdentity

FederationMetadataNametoID

lookupAADDirectoryMgmtPortalGraphAPIPScmdsDirectorymanagementNativeClientAuthNlibLocateusers

Identity

providerRichclaims

intokenFederationsFederationsWindowsAzureAD身份云一鍵登錄(SingleSignOn)

Singleidentityandsign-onforon-premisesandcloudservicesIdentitiesmasteredon-premises,singlepointofmanagementSecureTokenbasedauthenticationClientaccesscontrolbasedonIPaddresswithADFSandOffice365servicesStrongfactorauthenticationoptionsforadditionalsecurityWindowsAzureAD身份云

多因驗(yàn)證(PhoneFactor)

WhymultifactorYourdataandapplicationsareunderattackPasswordsareeasilycompromisedConsumerizationofIThasonlyincreasedthescopeofvulnerabilityStrengtheningregulatoryrequirementscallforstronglyauthenticatingaccessProvenAuthenticationPlatformPoweredbymarket-leadingPhoneFactorplatformTrustedbythousandsofenterprisecustomersacrossawiderangeofindustries,includinghealthcare,financialservices,manufacturing,andgovernmentAuthenticatingmillionsofloginsandtransactionseachmonthUserExperience(afterusername/passwordauthentication)MobileApp:

Theusertaps“Verify”intheapptoauthenticate.PhoneCall:Placesanautomatedvoicecalltotheuser.Theuseranswersthecallandpresses#inthephonekeypadtoauthenticate.TextMessage:Sendsatextpasscodetotheuser.Theusereitherrepliestothetextmessagewiththepasscodeorentersthepasscodeintothesign-ininterface.開發(fā)人員使用場(chǎng)景

AdeveloperofanestablishedcloudapplicationenablessignupofcustomerswhohaveAzureAD(開發(fā)企業(yè)自有身份云的云應(yīng)用)Singlesignoninsteadofseparateusername/passwordforappQueryDirectoryGraphforuserinformation,provisioningAdeveloperofanewcloudapplicationusesAzureADasoff-the-shelfidentitysystemfortheirapp(開發(fā)基于身份云的云應(yīng)用)UsesAzureADasthelocalaccountstoreEnablesignupofcustomersusingpopularwebIDsEnablesignupofcustomerswhohaveAzureADCheckout/en-us/manage/services/identity/(details)/en-us/library/hh974459.aspx(samples)GraphicAPI例子Request://Users('Ed@'){“d”: {"Manager":{"uri":"http://Users('..')/Manager"},"MemberOf":{"uri":"http://Users('..')/MemberOf"},"ObjectId":"90ef7131-9d01-4177-b5c6-fa2eb873ef19","ObjectReference":"User_90ef7131-