Nishant Kaushik, Chief Architect, Identropy
Stress and nervous tension are now serious social problems in all parts of the Galaxy, and it is in order that this situation should not be in any way exacerbated that I will reveal in advance that the answer is No. But Identity is the New Perimeter and the Great Enabler of Next. Establishing that big bold idea, this session will lay out what we mean by Identity, and how attributes, relationships, identifiers, entitlements and the notion of Context fit into the ever-expanding branches of identity management like lifecycle management, provisioning, verification, compliance and federation.
CIS13: Is Identity the Answer to the Great Question of Life, the Universe, and Everything?
1. Is Identity the Answer to the Great Question of Life, the Universe, and Everything?
Nishant Kaushik / Chief Architect, @NishantK
3. In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move.
4. In the beginning the Internet was created without an Identity layer. This has made a lot of people very angry and has been widely regarded as a bad move.
6. Identity = Context
Trust, Transparency, Convenience, Security, Privacy, Community
7. Interactive Subjectivity Frameworks
“Just as Einstein observed that space was not an absolute but depended on the observer’s movement in space, and that time was not an absolute, but depended on the observer’s movement in time, so it is now realized that numbers are not absolute, but depend on the observer’s movement in restaurants.”
13. Context In Action: Hiring Amy, Part 1
Diagram components: Recruiting App, Social Login, Authentication Service, Identity Verification Service, Identity Store Service
14. Context In Action: Hiring Amy, Part 2
Diagram components: Recruiting App, Social Login, Authentication Service, Attribute Exchange Service, Identity Store Service, Authorize Data Release, Attribute Authority
15. Context in Action: A Day in the Life of Amy
Diagram components: Company Portal, Social Login, Authentication Service, Identity Store Service, Launch box.net, Passive Step-up Authentication, JIT Provisioning & Federated AuthN, Attribute Exchange Service
16. Context in Action: A Day in the Life of Amy (Alt.)
Diagram components: Identity Store Service, Identity Hub Service, Authentication Service
Flow: logs in with personal account, then requests access to company site; step-up authentication via Identity Verification; register for Identity Event Notifications via Graph API
17. Context in Action: Amy Unleashed
Diagram components: Recommendation Service, Various Authoritative Sources, Identity Oracle Service
Flow: walks into retail store and uses their Recommendation Service; directs service to the Identity Oracle using her mobile; requests access to personalization data, user policy enforced via UMA; log out & dispose
19. (De)Constructing Identity
Attribute: a property of a subject that may have zero or more values.
Hair Color: Blond
Age: 31
Name: Janet Munroe
Title: VP, Engineering
Location: 40.783147, -73.971277
Mobile: 212-555-2962
Roles: Github Admin, SOX12, Developer, …
23. (De)Constructing Identity
Identifier: a representation mapped to a subject entity that uniquely refers to it.
589-25-6029, 465-05-6873, 034-39-7383, 945-27-4834, 437-52-0358, 576-23-2957, 085-72-2068
25. So, What’s a Magrathean to do?
For Applications, it’s been a DIY world, baby!
26. So, What’s a Magrathean to do?
For Applications, it’s been a DIY world, baby!
Diagram components: User Tables, Roles & Policies, Registration Processes, User Administration, Profile Management, Security Enforcement
30. Enter Identity & Access Management
“The History of every major Galactic Civilization tends to pass through three distinct and recognizable phases, those of Survival, Inquiry and Sophistication, otherwise known as the How, Why and Where phases.”
31. Enter Identity & Access Management
The Goal
• Reduce security risks while empowering users
• Ensure compliance with corporate policies and regulatory requirements
• Dramatically reduce the cost of providing and managing access to valuable corporate resources
• Increase productivity and operational efficiency
• Enable IT to be more responsive to evolving business requirements
37. The Typical Employee On-Boarding
Diagram components: ID Store, Identity Provider, Trust, HR Application, Attribute Authority
38. The Typical Contractor On-Boarding
Diagram components: ID Store, Identity Provider, Trust, Contractor Database/Spreadsheet, Attribute Authority
39. Adding Automation
Diagram components: HR Application, Trust, Attribute Authorities, Contractor DB, ID Store, Identity Provider, Provisioning System
40. Transitioning to an Online World
Diagram components: System(s) of Record, ID Store, Identity Provider, Trust, Attribute Authorities, Provisioning System, Recruiting/Registration App, Self-Asserted Claims
41. Identity Proofing
Diagram components: System of Record, ID Store, Provisioning System, Recruiting/Registration App, Identity Proofing Service, Attribute Authorities, Self-Asserted Claims
42. Identity Proofing
Diagram components: ID Store, User Registration Portal, Identity Proofing Service, Attribute Authorities, Self-Asserted Claims
43. Social Identity Proofing
Diagram components: ID Store, User Registration Portal, Identity Proofing Service, Risk Score
44. Access Provisioning & De-Provisioning
“To summarize the summary of the summary: people are a problem.”
45. Access Provisioning is…
…the creation, maintenance and deactivation of user objects and user attributes, as they exist in one or more systems, directories or applications, in response to automated or interactive business processes.
Source: http://en.wikipedia.org/wiki/Provisioning#User_provisioning
46. Access Provisioning is…
This Covers
• Creating and Deleting User Accounts
• Updating their Attributes
• Assigning and Removing Privileges
• Password Management (Change, Reset, Sync, Recovery)
Source: http://en.wikipedia.org/wiki/Provisioning#User_provisioning
47. The Basic Manual Approach
Diagram components: Employee/Contractor, HR, Manager, Application Admins/Helpdesk, Ops Team, APPROVED Access Request Form, Internal Applications, User Stores (SSO, IdP, Fed)
48. Marvin the Paranoid Android Says…
We’re talking about lost productivity and error-prone processes. Your IT staff is burdened with tasks well below their levels. Don’t even begin to ask me about handling updates and moves, what with the lack of tracking and clarity on policies or processes. And if someone leaves? I could tell you all the access you need to cancel or delete, since you clearly won’t know. But why bother? What’s the point, really?
49. Traditional Provisioning Architecture
Diagram components: Employee/Contractor, IT Admins/Developers, Consultants, Provisioning System, Internal Applications, User Stores (SSO, IdP, Fed)
50. Marvin the Paranoid Android Says…
The first ten million enhancements are the worst, and the second ten million enhancements, they were the worst too. The third ten million I didn’t enjoy at all. After that I went into a bit of a decline. It’s the armies of developers and consultants you need to hire in this job that really get you down.
51. The Compliance Problem
Diagram components: Employee/Contractor, IT Admins/Developers, Consultants, Provisioning System, Internal Applications, User Stores (SSO, IdP, Fed), Auditors, Application Recertification
52. Marvin the Paranoid Android Says…
My capacity for happiness at the prospect of… …gathering all that data from different applications, running after and nagging all my application administrators and business owners to get them to help me, then trying to put it into spreadsheets that my managers can actually use without rubber-stamping them or wanting to throw their computers down an elevator shaft… …you could fit into a matchbox without taking out the matches first.
53. The Birth of a New Solution Category
Diagram components: Employee/Contractor, IT Admins/Developers, Consultants, Provisioning System, Internal Applications, User Stores (SSO, IdP, Fed), Auditors, Application Recertification (shown twice)
54. Marvin the Paranoid Android Says…
I suppose you want me to configure, manage and maintain two of these beasts? I’m not going to enjoy this.
55. The Cloud Problem Cometh
Diagram components: Employee/Contractor, Provisioning System, Internal Applications, User Stores (SSO, IdP, Fed), Auditors, Application Recertification, Admins/Helpdesk, Business Users, Manual Fulfillment
56. Marvin the Paranoid Android Says…
You think you’ve got problems? What are you supposed to do if you are a manically depressed robot?
57. When SaaS Attacks (the Enterprise Market)
Diagram components: Employee/Contractor, Provisioning System, Internal Applications, User Stores (SSO, IdP, Fed), AD, Directory Synchronization
58. Marvin the Paranoid Android Says…
You may not see the folly of opening up all those connections to your internal IT environment, but then your logic circuits don’t compare to mine. And to try and model all those SaaS apps’ privileges into your AD environment so that you can continue to give users a single management and request portal? Not even the Googleplex Star Thinker, which can calculate the trajectory of every single dust particle throughout a five-week Dangrabad Beta sand blizzard, can do that!
59. We Could Try Some Extensions…
Diagram components: Employee/Contractor, Provisioning System, Internal Applications, User Stores (SSO, IdP, Fed), Auditors, Application Recertification
61. SCIM? Whither the Standardized Solution?
Diagram components: Employee/Contractor, Provisioning System, Internal Applications, User Stores (SSO, IdP, Fed), Auditors, Application Recertification
62. Marvin the Paranoid Android Says…
I suppose I could hang around and wait for another five hundred and seventy-six thousand million, three thousand five hundred and seventy-nine years.
63. The Requisite Cloud-Based Solution
Diagram components: Employee/Contractor, Provisioning System, Internal Applications, User Stores (SSO, IdP, Fed), Cloud-based Identity Bridge
64. Marvin the Paranoid Android Says…
Here I am, brain the size of a planet, and they ask me to build a bridge. Call that job satisfaction? ‘Cos I don’t.
65. IDaaS Solutions – The First Wave
Diagram components: Employee/Contractor, Provisioning System, Internal Applications, User Stores (SSO, IdP, Fed), AD, Directory Synchronization, Cloud-based SSO, SAML / OAuth / Form Filling
66. Marvin the Paranoid Android Says…
I could tell you that it ignores everything that is deployed on-premises, and assumes that you have something else to manage the identity store. I suppose it might be relevant that de-provisioning is a problem area, and that there is a lack of governance controls. And all the problems of directory synchronization will show up here… …but I don’t suppose you’ll be very interested in knowing that.
67. IDaaS Solutions – The Next Wave
Diagram components: Employee/Contractor, On-Prem Identity Bridge, Internal Applications, User Stores (SSO, IdP, Fed), Cloud-based Provisioning System
68. Marvin the Paranoid Android Says…
Good idea, if you ask me. It’s brilliant. But they’re not.
71. Adding Automation
Diagram components: System of Record, ID Store, Internal Applications, User Stores, Provisioning System
72. Adding Automation
• Account Retention Period
• Retirees
• Rehires
• Scheduled Termination with Warning and Extensions
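The provisioning definition on slide 46 (create, update, deactivate, delete user objects) and the lifecycle cases listed on slide 72 (account retention period, retirees, rehires, scheduled termination with warnings and extensions) can be made concrete as a small joiner/mover/leaver scheduler. The following Python is an added example written for this transcript, not code from the presentation or from Identropy; the warning window, retention periods, extension budget, and the sample users and dates are all constructed assumptions.

```python
"""Joiner/mover/leaver scheduling for a provisioning system.

Constructed example: the warning window, retention periods and extension
budget below are assumed policies, not the presentation's.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

WARNING_DAYS = 14          # warn this many days before a scheduled termination
MAX_EXTENSIONS = 2         # how many times a termination may be pushed out
RETENTION_DAYS = {         # days a disabled account is kept before deletion
    "leaver": 30,
    "retiree": 365,        # retirees often keep a benefits/alumni relationship
}


@dataclass
class Account:
    user_id: str
    status: str = "active"                 # active | disabled | deleted
    reason: str = "leaver"
    termination_date: Optional[date] = None
    disabled_on: Optional[date] = None
    extensions: int = 0
    events: List[str] = field(default_factory=list)   # audit trail


def schedule_termination(acct: Account, when: date, reason: str = "leaver") -> None:
    if acct.status != "active":
        raise ValueError(f"{acct.user_id} is not active")
    if reason not in RETENTION_DAYS:
        raise ValueError(f"unknown termination reason {reason}")
    acct.termination_date, acct.reason = when, reason
    acct.events.append(f"termination scheduled for {when} ({reason})")


def extend_termination(acct: Account, days: int) -> bool:
    """Push the date out; refuse once the extension budget is spent."""
    if acct.termination_date is None or acct.extensions >= MAX_EXTENSIONS:
        return False
    acct.termination_date += timedelta(days=days)
    acct.extensions += 1
    acct.events.append(f"termination extended to {acct.termination_date}")
    return True


def pending_warnings(accounts: List[Account], today: date) -> List[str]:
    """Active accounts whose termination falls inside the warning window."""
    return sorted(a.user_id for a in accounts
                  if a.status == "active" and a.termination_date is not None
                  and 0 <= (a.termination_date - today).days <= WARNING_DAYS)


def run_daily(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Disable accounts whose date has arrived; delete disabled ones past retention."""
    disabled, deleted = [], []
    for a in accounts:
        if a.status == "active" and a.termination_date and a.termination_date <= today:
            a.status, a.disabled_on = "disabled", today
            a.events.append(f"disabled on {today}")
            disabled.append(a.user_id)
        elif a.status == "disabled" and (today - a.disabled_on).days > RETENTION_DAYS[a.reason]:
            a.status = "deleted"
            a.events.append(f"deleted on {today}")
            deleted.append(a.user_id)
    return {"disabled": sorted(disabled), "deleted": sorted(deleted)}


def rehire(acct: Account, today: date) -> str:
    """Reactivate a disabled account still inside retention (keeps the identifier
    and audit trail); a deleted account cannot be revived."""
    if acct.status == "disabled":
        acct.status, acct.termination_date, acct.disabled_on, acct.extensions = "active", None, None, 0
        acct.events.append(f"rehired on {today}, account reactivated")
        return "reactivated"
    if acct.status == "deleted":
        acct.events.append(f"rehired on {today}, new account required")
        return "new-account"
    return "already-active"


def demo() -> dict:
    """Walk two constructed users through the lifecycle and return the outcomes."""
    amy, bob = Account("amy"), Account("bob")
    schedule_termination(amy, date(2013, 7, 10))
    schedule_termination(bob, date(2013, 7, 31), reason="retiree")
    out = {"warnings": pending_warnings([amy, bob], date(2013, 7, 1))}
    extend_termination(amy, 30)                       # -> 2013-08-09
    extend_termination(amy, 10)                       # -> 2013-08-19
    out["third_extension"] = extend_termination(amy, 5)   # budget spent
    out["first_run"] = run_daily([amy, bob], date(2013, 8, 19))
    out["second_run"] = run_daily([amy, bob], date(2013, 9, 19))
    out["rehire_bob"] = rehire(bob, date(2013, 10, 1))
    out["rehire_amy"] = rehire(amy, date(2013, 10, 1))
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the two-stage disable-then-delete is the retention period: a disabled account cannot be logged into, but a rehire inside the window gets the same identifier back, so entitlement history and audit records stay attached to one subject.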
73. The Myth of SSO-Based De-Provisioning
Diagram components: System of Record, ID Store, Internal Applications (SSO), User Stores, SSO System
74. Marvin the Paranoid Android Says…
They’ve spent the last five years building it. They think they’ve got it right but they haven’t. First off, the meter on those accounts is still running. And they’re active, which means they can be logged into. And they can be exploited in ways that circumvent SSO. And did no one stop to consider mobile access? There’s nothing I can do. It’s on an independent circuit from the others.
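Slides 73 and 74 argue that switching a user off at the SSO system does not de-provision the application accounts behind it: those accounts stay active, still count against licences, and can be used through local passwords or tokens that never pass through SSO, mobile clients being the usual case. One defensive control is a reconciliation job that compares the identity provider's view of users with each application's own account list and reports active accounts whose owner is disabled at, or unknown to, the IdP. The following Python is an added example for this transcript, not code from the presentation or from Identropy; the two CSV exports and their column names are constructed samples, not any product's real format.

```python
"""Reconcile an SSO identity provider's view of users with an application's
own account list, to find accounts that SSO de-provisioning never touched.

Constructed example: both exports are made-up CSV samples and the column
names are assumptions, not any particular product's format.
"""
import csv
import io
from typing import Dict, List

IDP_EXPORT = """user_id,status
amy,disabled
bob,active
carol,disabled
dave,active
"""

APP_EXPORT = """username,active,local_password_set,api_tokens,last_login
amy,true,true,1,2013-07-20
bob,true,false,0,2013-07-21
carol,true,false,2,2013-06-30
dave,false,false,0,2013-05-01
erin,true,true,0,2013-07-19
"""


def load_idp(text: str) -> Dict[str, str]:
    """Map user_id -> status as the identity provider sees it."""
    return {row["user_id"]: row["status"] for row in csv.DictReader(io.StringIO(text))}


def load_app(text: str) -> List[dict]:
    """Parse the application's account export, normalising booleans and counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"],
            "active": row["active"].lower() == "true",
            "local_password_set": row["local_password_set"].lower() == "true",
            "api_tokens": int(row["api_tokens"]),
            "last_login": row["last_login"],
        })
    return rows


def find_orphans(idp: Dict[str, str], app: List[dict]) -> List[dict]:
    """Active application accounts whose owner is disabled at, or unknown to, the IdP.

    Each finding lists the credentials that would let the account be used
    without ever touching SSO: a local password, or API tokens of the kind
    mobile and integration clients hold."""
    findings = []
    for acct in app:
        if not acct["active"]:
            continue                      # already switched off in the app itself
        status = idp.get(acct["username"])
        if status is None:
            issue = "no matching IdP identity"
        elif status == "disabled":
            issue = "disabled at IdP but still active in app"
        else:
            continue                      # active at both; nothing to report
        bypass = []
        if acct["local_password_set"]:
            bypass.append("local password")
        if acct["api_tokens"] > 0:
            bypass.append("api tokens")
        findings.append({
            "username": acct["username"],
            "issue": issue,
            "bypass": bypass,
            "last_login": acct["last_login"],
        })
    return sorted(findings, key=lambda f: f["username"])


if __name__ == "__main__":
    for f in find_orphans(load_idp(IDP_EXPORT), load_app(APP_EXPORT)):
        print(f"{f['username']:6} {f['issue']:42} bypass={f['bypass']} last_login={f['last_login']}")
```

Run on a schedule, the report gives the provisioning team a worklist (disable the app account, revoke its tokens, clear the local password) and gives auditors the recertification evidence that slides 51 and 53 are about; the `last_login` column separates accounts that are merely billable from ones that are actually in use after the owner left.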