Intelligent Workload Security
Dynamic Control, Portability and Flexibility with WorkloadIQ—Secure
Written by Ken Baker
In your physical and virtual environments when a user logs into a server and accesses certain files, you have the ability to view that activity within your log files. However, when you move your workloads to the cloud, its services and operating system might not be in your control. The workload might be hosted on a service provider’s machine with layers of firewalls and proxies that prevent you from establishing the peer-to-peer, or point-to-point connections you need to make sure that the right people can access the workload services for the right reasons. The “secure” component of WorkloadIQ solves that problem by allowing you to inject intelligence inside of those workloads with the security and identity and access management layers you need.
As part of its unique approach to enabling intelligent workload management, WorkloadIQ focuses on enabling IT organizations to better manage and optimize their computing resources in a policy-driven, secure and compliant manner across physical, virtual and cloud environments. It gives you a simple way to securely manage workloads across physical, virtual and cloud environments by leveraging the Novell ability to integrate identity and security into everything you do. Using a broad portfolio of WorkloadIQ products, solutions and partners, you can take advantage of those aspects of its intelligent workload management that make the most sense for your organization. While four critical functions make up WorkloadIQ—build, secure, manage and measure—this article deals with the “secure” component of WorkloadIQ.
Embedded Security Intelligence
Security and compliance are among the major concerns for any enterprise. You have to ensure that you have the right levels of data protection and access control to protect your intellectual property, control access and comply with government and industry regulations. That becomes increasingly difficult in a workload management scenario that needs to leverage physical, virtual and cloud environments. Your identity services need to be able to grow as dynamically as your cloud and virtual environments. You need to be able to flexibly manage security within the individual workloads themselves, including user activity monitoring across all of your different environments, independent of where the workload actually resides. This type of balanced flexibility and control requires intelligence embedded inside your workloads.
WorkloadIQ delivers that ability by letting you inject or embed an intelligent identity footprint into your workloads. By leveraging Novell Identity Manager 4, as soon as one of your intelligent workloads comes online, Novell Identity Manager can recognize it as a unique, identifiable entity that can be dynamically provisioned by policy with the appropriate security, user access controls, monitoring and reporting. That built-in intelligence can allow Novell Identity Manager to recognize the purpose or context of that workload, talk to it, and act upon it in an appropriate and dynamic manner.
For example, you can use the user application in Novell Identity Manager 4 to trigger provisioning workflows, including leveraging its Role Mapping Administrator to provision the workload with user access authorizations and permissions based on their business roles in your organization. You could have it kick off a workflow process that notifies business managers about the availability of the workload’s services. It could ask them if they want to turn on its access and security, and if so what type of security they want to turn on. Such options might be to leverage policy to automatically provision the workload with Novell Sentinel, Novell Privileged User Manager, Novell Access Manager, or any or all of the components that make up the Novell Compliance Management Platform.
Also, by using standard REST APIs to interact with the workload via the REST interface in Novell Identity Manager, you could have other services interact with the workload to secure and provision it. The key is that it provides dynamic, flexible and intelligent access based on the purpose or context of the workload. You can determine what you want to happen when that certain type of workload comes online. As a result, you can create very lightweight, highly portable workloads that, once injected with this intelligent footprint, can be dynamically acted upon, expanded and secured as needed within a matter of hours, rather than the weeks and months that would be required to manually provision and secure other vendors’ workload management solutions. Furthermore, at any time you have the ability to change or apply new policies that automatically and dynamically update how the workload is provisioned, secured and managed.
Dynamic, Portable Workloads
With the secure component of WorkloadIQ you also have the ability to easily and dynamically administer your workloads’ access management services from anywhere. This ability ties back to the intelligent identity footprints embedded into your workloads, as well as to the content package manager in Novell Identity Manager.
The content package manager in Novell Identity Manager allows you to easily create, distribute, consume and control your workload policies through modular packages that act as the building blocks for all your policies. This lets you create lightweight workloads with a baseline set of standard policies, and then as needed apply custom policies on top of them in a dynamic manner without having to do any hard-coded point-to-point scripting. So, instead of having to bring in a team of consultants or engineers to write policy code every time you deploy new workloads, with a few simple clicks you can dynamically apply the needed policy packages. In fact, you can even use a smart phone to add, modify, or remove policies from any of your workloads, regardless of whether those workloads are physical, virtual or in the cloud. The content package manager also automatically notifies you of any conflicts or dependencies between policies and then helps resolve them.
Modular, Headless Workloads
One of the main advantages of injecting intelligence into a workload is that it makes the workload headless. In other words, that intelligence allows you to easily and dynamically tie additional external services to those workloads. That means at build time you don’t have to embed every service that you might need into that workload. So, instead of having large, heavy-duty pre-built workloads with large memory footprints that lack flexibility and portability and are hard to maintain, you can build lightweight, highly flexible, portable and manageable workloads that simply grab the extra services they need when they come online.
For example, you could create a security appliance running the Compliance Management Platform products that listens for new workloads to come online. When a new WorkloadIQ workload comes online, it would send out a heartbeat letting your security appliance know that it’s alive. The security appliance could look at the workload’s identity footprint to determine what type of workload it is, and then according to policy it could decide that this workload needs services from Novell Sentinel and its complete reporting framework. It might determine the workload needs Novell Privileged User Manager, Novell Access Manager or Novell Access Governance Suite. The ability to dynamically tie new services and policies to that workload becomes virtually endless.
Additionally, as policy changes, new services can be added, while existing services can be modified, replaced or removed seamlessly. This type of headlessness eliminates inter-dependencies and gives you the flexibility to move workloads from one environment to another, while giving you the ability to dynamically instrument them with the security and controls you need.
Dynamic Workload Role Management
As mentioned before, the intelligence injected into these workloads allows you to easily provision them with the appropriate user access and entitlements by leveraging the Role Mapping Administrator in Novell Identity Manager. (See Figure 1.) Instead of having to write low-level scripts (that have to be manually maintained and updated) for each of your workloads, as is required by other vendors’ solutions, you can create pre-defined baseline policies for users’ entitlements based on their roles in the organization. These roles can apply to any of the workload services that you might bring online, or you might have a different set of roles defined for different types of workloads. You do this by creating role associations with the Role Mapping Administrator.
For example, using the Role Mapping Administrator’s click-and-drag interface you could specify that a set of profiles on salesforce.com or SAS are equal to certain groups in Active Directory. Once these associations are made they can be automatically applied to certain workloads that come online. If those roles’ entitlements or associations need to be expanded or modified some time in the future, those additions and changes can automatically flow to all of your workloads that use those roles. That ensures consistent access control and compliance across all your workloads, while eliminating the need to manually update each workload whenever changes occur.
Intelligent Event and User Monitoring
The embedded workload intelligence provided by WorkloadIQ augments your ability to monitor and correlate events that occur within your workloads. (See Figure 2.) For example, in your virtual environment you might already have the ability to monitor the status of your different virtual machines in terms of memory usage, CPU usage and other similar metrics. Using the identity activity and correlation capabilities provided by Novell Sentinel you can get correlated details on events occurring within those virtual machines as well. So, instead of just knowing that two or three virtual workloads on a host are struggling because the CPU is being over-used, it can help you determine the cause of that overutilization by correlating the events happening within individual workloads, such as revealing that one of them is performing a significant amount of file copies or other activity that exceeds the norm. That kind of actionable information can trigger remediation efforts that allow you to proactively address potential problems.
That same capability in Novell Sentinel allows you to monitor user activity within your cloud, virtual and physical workloads, correlating or tying that activity together based on identity to give you a single unified picture of what users are really doing throughout your different environments. It can correlate user activity across all your workloads by identity to alert you to suspicious activity. For example, it could correlate a string of events showing that, even though logs in your SAP workload indicate that Bill Smith logged in and accessed SAP records from your San Francisco office on a certain date at a certain time, other system event logs show that Bill Smith never logged into the San Francisco network or even entered the building on that day. Instead, the other logs might indicate that Bill Smith was actually in New York that entire day.
With the strong integration between identity management and security management inherent to WorkloadIQ, it doesn’t matter whether activity is occurring in your physical, virtual, or cloud environments, you can still track what’s going on and tie that activity back to specific user roles and identities. That type of correlated user activity monitoring not only saves you time, but it enables you to easily identify potential security issues that would otherwise go unnoticed.
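The Bill Smith scenario above comes down to grouping events from unrelated log sources by identity and checking whether the physical-presence and network evidence agrees with the location an application claims. The following is an added example of that correlation logic, not Novell Sentinel code or any real Sentinel rule format; the event fields, source names (sap, badge, vpn), user IDs and timestamps are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three log sources, already normalized to a
# common schema (field names are an assumption, not a real product format).
EVENTS = [
    {"source": "sap",   "user": "bsmith", "ts": "2010-10-12T09:14:00", "site": "San Francisco", "action": "login"},
    {"source": "sap",   "user": "bsmith", "ts": "2010-10-12T09:20:00", "site": "San Francisco", "action": "read_record"},
    {"source": "badge", "user": "bsmith", "ts": "2010-10-12T08:02:00", "site": "New York",      "action": "entry"},
    {"source": "vpn",   "user": "bsmith", "ts": "2010-10-12T08:30:00", "site": "New York",      "action": "login"},
    {"source": "badge", "user": "jdoe",   "ts": "2010-10-12T08:45:00", "site": "San Francisco", "action": "entry"},
    {"source": "sap",   "user": "jdoe",   "ts": "2010-10-12T09:05:00", "site": "San Francisco", "action": "login"},
    {"source": "sap",   "user": "rlee",   "ts": "2010-10-12T10:00:00", "site": "San Francisco", "action": "login"},
]

# Sources that place a user somewhere physically or on a known network.
PRESENCE_SOURCES = ("badge", "vpn")


def parse_ts(event):
    return datetime.fromisoformat(event["ts"])


def by_identity(events):
    """Group events from every source by user and sort each group by time."""
    groups = defaultdict(list)
    for event in events:
        groups[event["user"]].append(event)
    for group in groups.values():
        group.sort(key=parse_ts)
    return groups


def location_conflicts(events, app_source="sap", window=timedelta(hours=12)):
    """Flag application events whose claimed site disagrees with all
    presence evidence for the same user inside the time window.

    A user with no badge or VPN evidence in the window is not flagged:
    absence of corroboration is a gap in coverage, not a conflict.
    """
    alerts = []
    for user, group in by_identity(events).items():
        evidence = [e for e in group if e["source"] in PRESENCE_SOURCES]
        for event in group:
            if event["source"] != app_source:
                continue
            t = parse_ts(event)
            nearby = [e for e in evidence if abs(parse_ts(e) - t) <= window]
            if not nearby:
                continue
            if not any(e["site"] == event["site"] for e in nearby):
                alerts.append({
                    "user": user,
                    "claimed_site": event["site"],
                    "action": event["action"],
                    "ts": event["ts"],
                    "observed_sites": sorted({e["site"] for e in nearby}),
                })
    return alerts


if __name__ == "__main__":
    for alert in location_conflicts(EVENTS):
        print(f"{alert['user']}: {alert['action']} claims {alert['claimed_site']} "
              f"at {alert['ts']} but presence data shows {alert['observed_sites']}")
```

Run as-is, the script flags both of bsmith's SAP events (claimed San Francisco, observed only New York), leaves jdoe alone because the badge entry corroborates the SAP site, and says nothing about rlee, for whom there is no presence data at all. The window and the list of presence sources are the tuning knobs: a window that is too wide will pull in yesterday's badge swipe, and a source that is unreliable (a VPN that reports the concentrator's city rather than the user's) will generate noise rather than signal.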
Dynamic, Flexible Control
Your security and identity services need to be able to grow and evolve in as dynamic a fashion as the virtual and cloud environments where they run. You also need to be able to control, monitor and secure what’s going on inside those workloads in a dynamic manner. You can do all that by leveraging the intelligent identity footprints that WorkloadIQ lets you embed within your workloads.
Whether in physical, virtual or cloud environments, WorkloadIQ gives you the dynamic flexibility and control over your workloads to keep them secure and your organization safe. To find out more about WorkloadIQ, read the other articles in this issue of Novell Connection and learn what WorkloadIQ can do to help you build, manage and measure your intelligent workloads.