Identity access and privacy in the new hybrid enterprise slides

Identity, Access & Privacy in the New Hybrid
Enterprise
 Scott Morrison  Eve Maler
CTO, Layer 7 Technologies Principal Analyst, Forrester Research, Inc.

May 17, 2012

Housekeeping
 Questions
- Chat any questions you have and we’ll answer them at the end of this call

 Twitter facebook.com/layer7

- Today’s event hashtag:
layer7.com/linkedin
- #L7webinar
layer7.com/blogs
- Follow us on Twitter:
- @layer7
- @forrester
- @xmlgrrl
- @kscottmorrison

Identity, Access, And Privacy
In The New Hybrid Enterprise
Eve Maler, Principal Analyst

May 17, 2012

2 © 2011 Forrester Research, Inc. Reproduction Prohibited
2009

“ Sounds awesome – maybe later?
SAML and friends have succeeded in
”
one realm, but the extended enterprise
has strained them to the breaking point.


Agenda

Many enterprises aren’t just extended – they’re over-extended.

IAM challenges favor Zero Trust and emerging technologies.

Plan for the new “Venn” of access control in the API economy.

Learn from your peers: Brandish IT carrots instead of sticks.


Steve Yegge’s rant crystallized the
challenge

[Jeff Bezos] issued a mandate that was so out there, so huge and
eye-bulgingly ponderous, that it made all of his other mandates look
like unsolicited peer bonuses. … “1) All teams will henceforth
expose their data and functionality through service interfaces.” …

Like anything else big and important in life, Accessibility has an evil
twin who, jilted by the unbalanced affection displayed by their parents
in their youth, has grown into an equally powerful Arch-Nemesis (yes,
there's more than one nemesis to accessibility) named Security. And
boy howdy are the two ever at odds.

But I'll argue that Accessibility is actually more important than Security
because dialing Accessibility to zero means you have no product at
all, whereas dialing Security to zero can still get you a reasonably
successful product such as the Playstation Network.


The extended enterprise requires you to think outside
the box (or…get a bigger box)
App sourcing and hosting

SaaS apps

Apps in public clouds

Partner apps

Apps in private clouds

On-premises enterprise apps

Enterprise computers Employees
Contractors
Enterprise-issued devices
Partners
Public computers Members
Personal devices Customers

App access channels User populations


Even social use cases press for better access
control with accessibility and agility


And yet SAML-based identity federation still reaches
mostly large enterprises with deep pockets

Source: October 26, 2011, “OpenID Connect Heralds The ‘Identity Singularity’” Forrester report

And loosely coupled SOA security solutions aren’t
rushing to fill the gap


Source: January 5, 2009 Forrester report “Web Services Security Specifications: WS-Security Achieves Critical Mass Of User Adoption”

Agenda






Introducing Zero Trust Identity

In Zero Trust, all interfaces are untrusted.
Assume every business and IAM function is “equally
far apart,” and treat all traffic among them as
untrusted until it proves itself otherwise.


Source: September 14, 2010, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security” Forrester report

Internal to the
organization
Staff
user store

Organization serves as
an identity server for At external
business functions partners

Consumer
user store
Exposed to
customers

Plan for both
inward and A security token service (STS)
outward identity handles token issuance, translation,
and consumption.

propagation
Staff
user store

Organization serves as
an identity client of Institutional
user stores user store
For functions internal
to the organization

Consumer
user store
Source: March 22, 2012 “Navigate The Future of IAM” Forrester report

Go from IDaaS to “IAM as an API”

The business app’s
own API determines
access control
granularity
Back-end apps, web apps, mobile apps . . . Business apps

API client API client IAM API client IAM API client

Robustly protect all
Internet interfaces, regardless Internet
of their sourcing
model

APIs for authentication,
Web service and app APIs authorization, provisioning . . .

Scale-out IAM
infrastructure infrastructure

Applying the pattern
API façade pattern to IAM functions

Source: March 22, 2012 “Navigate The Future of IAM” Forrester report

New identity solutions disrupt…but attract.
Or, The good thing about reinventing the wheel is that
you can get a round one.*
*Douglas Crockford, inventor of JavaScript Object Notation (JSON)


Source: tom-margie | CC BY-SA 2.0 | flickr.com

Emerging standards for IAM interfaces have an edge
over traditional ones for Zero Trust

Provisioning, Authentication, Authorization,
IAM session management, consent,
proofing,
functionality SSO, federation access control
self service
Established
SOA-friendly
standards
Emerging
web-friendly
standards
SCIM Connect


Why are these technologies attractive?
Security pros’ control diminishes with distance


Agenda






OAuth magic: let a person delegate constrained
access from one app to another


OpenID Connect magic: turn SSO into a robust
OAuth-protected identity API

OAuth delegated
SAML and OpenID SSO OpenID Connect
authorization
standardize… standardizes…
standardizes…

Initiating user’s login
session
X Initiating user’s login
session
Initiating user’s login
session

X
Collecting user’s Collecting user’s Collecting user’s
consent to share consent to share consent to share
attributes attributes attributes

X
High-security identity
High-security identity High-security identity
tokens (using JSON
tokens (SAML only) tokens
Web Tokens)

X Distributed and
aggregated claims
Distributed and
aggregated claims

X Session timeout
Session timeout (on
the docket)

An OpenID Connect killer app:
“Street Identity”
1. Service provider (SP) needs
trusted data
2. Attribute provider (AP) has it

3. Identity provider (IdP) can
broker your permission to
provide it
4. AP can demand a fee from SP
for it
5. Lather, rinse, and repeat for:
– Credit scores
– Verified email addresses
– Proofed identities backed by
strong authentication…


OpenID Connect will dramatically lower the price and
complexity bar for all identity federation

Already exposing customer identities using a draft
OpenID Connect-style API

Working to expose workforce identities through
OpenID Connect

LOB apps and smaller partners can get into the federation game more
easily; complex SAML-based solutions will see price pressure over time


UMA magic: turn sharing of online access with others
into OAuth-derived “privacy by design” solution

 Alice-to-Alice, Alice-to-Bob,
Alice-to-org…and org-to-org
 Claims-based and policy-
based authorization
– Not just consent

 User can impose terms and
conditions on requesters
– Not just accept terms

 Centralizable authorization
function
– Not just point-to-point


Killer apps for UMA

 UMAnized Street Identity:
– Centralized management
and policy-driven sharing of
addresses etc. with anyone

 APIified access
management: IdP
AP
– Direct control and auditing
of all employee SaaS
access PEP
RS PDP
AS
 Zero Trust B2B2C privacy:
– Telco allows location
sharing today – and health
record sharing tomorrow RP

client
requester

Agenda






One research organization’s experience with
emerging IAM technologies for “Enterprise 2.0”
Objectives: Approach:
 Unified authentication and  IdP proxy from internal SAML
authorization flows for all SSO systems
protected resources
 Leverage OpenID (and soon
 Serve internal and external users OpenID Connect)
alike, using internal and external
 “Graylist” approach: users take
apps
responsibility for dynamic external
 Remove friction and risk in getting service provider choices
all new internal apps to federate – Organization is in charge of
whitelists and blacklists
 Enable brokered distributed
attribute provisioning  Devs partnered with IT from the
beginning
 Enable use by people with pre-
proofed high-quality credentials – Rationale that worked: “Ad hoc
login creation is worse”

Its architecture

External OP Database
DMZ
Corporate Firewall
Intranet
User Data
Two-Factor Signon
Internal OP

Corporate SSO


Its results

New internal apps federate “by default” even if
they’re in the long tail

IT gets a level of comfort by operating production-
quality servers itself

Dynamic associations with external apps are
auditable

While they prefer OAuth-based tech,
OpenID 2.0 has become legacy already!

Not enough external SaaS providers are
enabling standardized inbound SSO


Drawing lessons from this experience

 Low-usage internal apps aren’t necessarily low-
sensitivity apps; protect them by reducing friction
 For extranet apps and APIs, think light weight,
particularly for partners with unsophisticated IT

 Expect protocol discussions to reflect partner power
relationships

 Bet on “reach” vs. “rich” – in distributed computing,
it always wins in the end


Scott Morrison
 CTO, Layer 7 Technologies

The Old Enterprise
Line of
Formal and structured security & connectivity business
 VPNs & prop. Protocols for thick clients servers

 HTTP(s) for browsers
 SOAP+WS-* for B2B

Firewall

VPN
Enterprise
Road Network
Warriors with
VPN

SSL WS-S

Browser Formal
Clients Trading
Partners

The New Hybrid Enterprise
Line of
Highly agile security & connectivity business
 REST, OAuth, OpenID Connect, UMA servers

Firewall

Enterprise
Mobile Network
Devices

Clouds

Informal,
API-driven
integrations

The Hybrid Enterprise Made Possible By APIs

API
Server

Mobile App

An API is a
RESTful service
Web Client

Web App

5
5

For Example:

GET http://services.layer7.com/staff/Scott

6

http://services.layer7.com/staff/Scott
For Example:

{
"firstName": ”Scott ",
"lastName" : ”Morrison",
”title" : “CTO”,
"address" :
{
"streetAddress": ”405-1100 Melville",
"city" : ”Vancouver",
”prov" : ”BC",
"postalCode" : ”V6E 4A6"
},
"phoneNumber":
[
{
"type" : ”office",
"number": ”605 681-9377"
},
{
"type" : ”home",
"number": ”604 555-4567"
}
]
}

7

Why Zero Trust?

Source: http://www.yurock.net/santa-getting-
arrested/

A Sensible Response

Source:
http://skreened.com/impossiblethings6/keep-calm-trust-no-one

Or Better Yet:

AND USE
OAUTH,
OPENID
CONNECT
& UMA

What Do These Do?

OAuth To get access to an API.
OpenID To share information about users.
Connect
UMA To give a user the power to control
how their attributes are shared.

Priority #1: OAuth

 Make it easy
 Make it scale

How to Make OAuth Easy
Simple, drop-in virtual or hardware Protected
gateway SecureSpan
Resource

 Acts as both Authorization Server (AS) and Gateway
Protecting RS
Resource Server (RS)
 Advanced security on all APIs
Directory
 Threat detection, audit, QoS mgmt, etc Firewall

Enterprise
Network
SecureSpan
Mobile Gateway as
Devices AS

All Authorization Grants
➠ Authorization code
Clouds,
Webapps, etc ➠ Implicit

Informal, ➠ Resource owner password
API-driven credentials
integrations
➠ Client credentials

How to Make OAuth Web Scale

SecureSpan Secure Zone Protected
Gateway Resource
Firewall 2
cluster RS
DMZ
Firewall 1 Directory

SecureSpan
Gateway as
Secure Token
Store

SecureSpan
Gateway
cluster as AS

How to Make OAuth Scale – Architecture
Resource provider
Internal (secure) network DMZ Internet
• Who is asking
• Which API?
• What scope?
• Is token valid?
Resource • etc…
Accessed when Server
API Proxy
client requests
resources
Server • Prove who you are
• Authorize entitlement
• etc…
OVP

Accessed when Authorization client
Client
client requests Server
user authorization Store
and tokens
Token Token
Store Server
• Create
• Check
IDMS • Expire
• Revoke
• etc…

Accessible through an LDAP query
Endpoints accessible through an API
Endpoints accessible through OAuth protocol API

Priority #2: Introduce OpenID Connect
Resource provider
Internal (secure) network DMZ Internet

Core
• Provide IDtoken
• Validate and return claims
Resource CheckID
Server
UserInfo • Provide access token
• Get attributes (eg:
family_name, picture,
gender, birthdate, etc)
OVP Optional
SessionMgmt
client
Client
Store Optional
1. Refresh endpoint
DynamicReg 2. End session endpoint
Token
Store
Discovery
IDMS

Accessible through an LDAP query
Endpoints accessible through an API
Endpoints accessible to outside clients

Summary
 Implement OAuth now!
- Don’t roll your own
- Plan for failure
- Plan for scale
 Plan for OpenID Connect
- Understand what you need to share
- Look to integration with existing identity providers
 Keep a very close eye on UMA
- This is the missing piece in the puzzle
- Maturing very fast

Questions?

Scott Morrison Eve Maler
CTO Principal Analyst
Layer 7 Technologies Forrester Research, Inc.

smorrison@layer7.com emaler@forrester.com

Identity access and privacy in the new hybrid enterprise slides

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (19)

Andere mochten auch

Andere mochten auch (6)

Ähnlich wie Identity access and privacy in the new hybrid enterprise slides

Ähnlich wie Identity access and privacy in the new hybrid enterprise slides (20)

Mehr von CA API Management

Mehr von CA API Management (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Identity access and privacy in the new hybrid enterprise slides