Push, Pull, or Punt?!
Identity tug-of-war: then, now & beyond

Ian Glazer
Research Director, Gartner
ian.glazer@gartner.com
@iglazer
What are we doing today

    Push in the Enterprise
Catalog entitlements
Entitlements


• The highest-order assignable object in
  a security model
• Cataloging is more than just names
 • Descriptions and meanings
 • Owners, risk, sensitivity
Group them
Bundles of entitlements


• Technical roles
 • But that name is losing cachet
• What has to be assigned to make
  business function X go?
Build business roles
Roles

• Multiple attempts to build role
  models
• Regular, semi-homogenous orgs work
  best
 • Don’t try this with development shops
• No silver bullets have ever or will
  ever exist
Build (provisioning)
      policies
1. Membership
2. Attributes & Entitlements
Membership Clause

• Governs eligibility
• Can be static
 • Membership in business role
• Can be dynamic
 • (orgUnitId in (102,103,53,142))
• Or combinations of both
Attributes & Entitlements

• Describes what needs to be set in
  target systems
• Could be pointers to bundles of
  entitlements
• More likely pointers + some
  attributes that also need to be set
Build approval
  processes
Build and/or reuse
fulfillment mechanisms
Fulfill this!
• Need to set attributes and assign
  entitlements in the target systems
• How that is done is less and less
  important
 • User provisioning
 • Help Desk ticket
 • Email
 • Directory sync
Push bits into
managed resources
Review as needed
Access Certification


• Increasingly important in enterprise
 • SP 800-53 AC-2
• Rise of Identity and Access Governance
 • Separates operations from management
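The enterprise push sequence above (catalog entitlements, bundle them, write a membership clause and an attributes-and-entitlements clause, fulfil, then review) as an added Python example; this is not code from the deck or from Gartner. The bundle catalog, the target-system names ("erp", "ad"), the business-role names and the cost-center attribute are constructed; the dynamic membership clause reuses the deck's orgUnitId list. `fulfillment_plan` computes what has to be pushed into each target regardless of how it is pushed (connector, ticket, email, directory sync), and `certification_findings` is the "review as needed" step: entitlements observed on a target that no policy justifies.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set

# Entitlement catalog grouped into bundles ("technical roles"). Each bundle
# names, per target system, the entitlements that make one business function
# go. Constructed sample data; system and entitlement names are placeholders.
BUNDLES: Dict[str, Dict[str, Set[str]]] = {
    "ap-clerk":    {"erp": {"AP_ENTRY", "AP_VIEW"}, "ad": {"grp-finance-ro"}},
    "ap-approver": {"erp": {"AP_APPROVE"},          "ad": {"grp-finance-approvers"}},
}


@dataclass(frozen=True)
class User:
    uid: str
    business_roles: FrozenSet[str]
    org_unit_id: int


@dataclass
class ProvisioningPolicy:
    """Clause 1 is membership (static business roles and/or a dynamic predicate);
    clause 2 is the bundles to assign plus extra attributes to set."""
    name: str
    static_roles: FrozenSet[str] = frozenset()
    dynamic_rule: Callable[[User], bool] = lambda user: False
    bundles: List[str] = field(default_factory=list)
    attributes: Dict[str, Dict[str, str]] = field(default_factory=dict)  # target -> attr -> value

    def is_member(self, user: User) -> bool:
        # Static membership (business role) OR dynamic membership (attribute predicate).
        return bool(self.static_roles & user.business_roles) or self.dynamic_rule(user)


# Constructed sample policies. The orgUnitId list mirrors the deck's example
# of a dynamic membership clause: (orgUnitId in (102,103,53,142)).
POLICIES: List[ProvisioningPolicy] = [
    ProvisioningPolicy(
        name="accounts-payable clerks",
        static_roles=frozenset({"ap-clerk-role"}),
        dynamic_rule=lambda user: user.org_unit_id in (102, 103, 53, 142),
        bundles=["ap-clerk"],
        attributes={"erp": {"costCenter": "FIN-100"}},
    ),
    ProvisioningPolicy(
        name="accounts-payable approvers",
        static_roles=frozenset({"ap-manager-role"}),
        bundles=["ap-approver"],
    ),
]

Plan = Dict[str, Dict[str, object]]  # target -> {"entitlements": set, "attributes": dict}


def fulfillment_plan(user: User, policies: List[ProvisioningPolicy] = POLICIES) -> Plan:
    """What must be pushed into each target system for this user.
    How it gets there (connector, ticket, email, directory sync) is out of scope."""
    plan: Plan = {}

    def slot(target: str) -> Dict[str, object]:
        return plan.setdefault(target, {"entitlements": set(), "attributes": {}})

    for policy in policies:
        if not policy.is_member(user):
            continue
        for bundle in policy.bundles:
            if bundle not in BUNDLES:
                raise KeyError(f"policy {policy.name!r} references uncatalogued bundle {bundle!r}")
            for target, entitlements in BUNDLES[bundle].items():
                slot(target)["entitlements"] |= entitlements
        for target, attrs in policy.attributes.items():
            slot(target)["attributes"].update(attrs)
    return plan


def certification_findings(plan: Plan, observed: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Access review: entitlements held in a target that no policy justifies.
    These are the items a reviewer must confirm or revoke."""
    findings: Dict[str, Set[str]] = {}
    for target, held in observed.items():
        justified = plan.get(target, {}).get("entitlements", set())
        surplus = held - justified
        if surplus:
            findings[target] = surplus
    return findings


if __name__ == "__main__":
    alice = User("alice", frozenset(), org_unit_id=103)
    print(fulfillment_plan(alice))
    print(certification_findings(fulfillment_plan(alice), {"erp": {"AP_ENTRY", "AP_VIEW", "AP_APPROVE"}}))
```

The review step is where push architectures show their weakness: the plan is what the policy says today, while `observed` is whatever was sprayed into the target earlier, so the difference is the stale or orphaned access that certification exists to catch.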
Spray old data
 everywhere
Managed systems
 never built to be
remotely managed
Manage systems never
  built to externalize
authorization decisions
What are we doing today

    Push in a Federation
Sign business
 agreement
Determine RPs needs
• Attributes
• Entitlements
Start building SAML
      metadata
Hub and Spoke
Network of peers
Map local attributes
to RPs entitlements
   and attributes
Perform telekinesis?
Action at a distance
Telekinesis

• Want to effect the authorizations in a remote system
• Provisioning local objects to effect remote authorization state
• But this is a hoax
 • Provision remote objects too
Spray old data everywhere

• But now with less visibility
 • RPs don’t know the quality of the data
 • RPs don’t know the data’s “Sell By” date
 • Information sources don’t always know where the data went
Federated provisioning

• SPML = push
• SAML = push & pull
• Proprietary APIs = push / pull
• LDAP = pull
No one best approach
Emerging architecture
of identity management
         Pull
Catalog capabilities
Determine authorization
       policies
1. Membership
2. Attributes & Entitlements
3. Context
Context


• Time of day
• Authenticator type
• Geolocation
• Transaction “value”
Identify authoritative
       sources
Codify access policies
Authorize & enforce
But my apps don’t
know how to do that!
Push policies to
 XACMLoids
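The pull sequence above (authorization policy with membership, attributes-and-entitlements and context clauses; authoritative sources behind a federated virtual directory; a decision point that the application defers to) as an added Python example, not code from the deck or from any vendor named in it. The two "authoritative sources", the subject data, the "erp" resource and the approver policy are all constructed. The FVD hands back only the attributes the policy asked for, which is the data-minimization point the federation section makes, and the PDP is default-deny with first-applicable policy semantics.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Attrs = Dict[str, object]

# Constructed sample authoritative sources. In the pull model the endpoint
# never copies these; it asks for what a policy needs at decision time.
HR_SYSTEM: Dict[str, Attrs] = {
    "alice": {"department": "finance", "orgUnitId": 103},
    "bob":   {"department": "finance", "orgUnitId": 900},
}
ERP_SYSTEM: Dict[str, Attrs] = {
    "alice": {"entitlements": {"AP_ENTRY", "AP_VIEW"}},
    "bob":   {"entitlements": {"AP_APPROVE"}},
}


class FederatedVirtualDirectory:
    """Routes each attribute to its single authoritative source and returns
    only the attributes that were asked for (data minimization)."""

    def __init__(self) -> None:
        self.authority: Dict[str, Dict[str, Attrs]] = {
            "department": HR_SYSTEM,
            "orgUnitId": HR_SYSTEM,
            "entitlements": ERP_SYSTEM,
        }

    def lookup(self, subject: str, wanted: Set[str]) -> Attrs:
        found: Attrs = {}
        for name in wanted:
            source = self.authority.get(name)
            if source is not None and name in source.get(subject, {}):
                found[name] = source[subject][name]
        return found


@dataclass(frozen=True)
class Context:
    hour: int               # time of day, 0-23
    authenticator: str      # e.g. "password", "otp", "smartcard"
    country: str            # geolocation
    transaction_value: float


@dataclass
class AccessPolicy:
    resource: str
    action: str
    needs: Set[str]                         # attributes the PDP pulls from the FVD
    membership: Callable[[Attrs], bool]     # clause 1: membership
    entitlement: Callable[[Attrs], bool]    # clause 2: attributes & entitlements
    context: Callable[[Context], bool]      # clause 3: context


def approver_context(ctx: Context) -> bool:
    """Business hours, approved geography, and step-up authentication above 10,000."""
    business_hours = 8 <= ctx.hour < 18
    in_region = ctx.country in {"US", "CA"}
    strong_auth = ctx.authenticator in {"otp", "smartcard"}
    return business_hours and in_region and (ctx.transaction_value <= 10_000 or strong_auth)


# Constructed sample policy: approving an invoice in the ERP.
POLICIES: List[AccessPolicy] = [
    AccessPolicy(
        resource="erp", action="approve_invoice",
        needs={"department", "entitlements"},
        membership=lambda a: a.get("department") == "finance",
        entitlement=lambda a: "AP_APPROVE" in a.get("entitlements", set()),
        context=approver_context,
    ),
]


def decide(subject: str, resource: str, action: str, ctx: Context,
           fvd: Optional[FederatedVirtualDirectory] = None,
           policies: List[AccessPolicy] = POLICIES) -> Tuple[str, str]:
    """PDP: default deny; Permit only when every clause of the first applicable policy holds."""
    fvd = fvd or FederatedVirtualDirectory()
    applicable = [p for p in policies if p.resource == resource and p.action == action]
    if not applicable:
        return "Deny", "no applicable policy"
    policy = applicable[0]
    attrs = fvd.lookup(subject, policy.needs)      # the pull happens here, per decision
    missing = policy.needs - set(attrs)
    if missing:
        return "Deny", f"no authoritative data for {sorted(missing)}"
    if not policy.membership(attrs):
        return "Deny", "membership clause failed"
    if not policy.entitlement(attrs):
        return "Deny", "entitlement clause failed"
    if not policy.context(ctx):
        return "Deny", "context clause failed"
    return "Permit", f"{policy.resource}/{policy.action} satisfied for {subject}"


if __name__ == "__main__":
    print(decide("bob", "erp", "approve_invoice", Context(10, "otp", "US", 50_000)))
    print(decide("bob", "erp", "approve_invoice", Context(10, "password", "US", 50_000)))
```

An application that cannot make this call itself is where the "XACMLoid" fits: it sits in front of the endpoint, runs `decide`, and presents only the go/no-go result, so the endpoint never needs to understand the FVD or the policy language.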
Where is the market?
Pull-centric identity
 architecture is just
beginning to emerge
Last year was a quiet
year for finer-grained
    authorization
External authZ is
 gaining vendor
     traction
• Oracle Entitlement Server
• Microsoft Active Directory
  Federation Services v2
• Axiomatics
But it doesn’t have a
lot of momentum yet
Use cases we see are:
Internal, non-federation
Bespoke systems
where EA has had a
   strong voice
ADFS v2, Geneva, &
 SharePoint 2010
But as a design
   pattern
external authorization
doesn’t have
widespread mindshare
Amusement Park Parable
     This tall to ride
Goal:
Authorize people to ride
Condition:
No existing agreement
[Diagram: the height sign acts as the PDP; decision: Not authorized]
You carry claims
Do not treat height as
token for relationship
Do not use height as
  an entitlement
Don’t confuse attributes
   for relationships
Don’t mistake attributes
   for entitlements
You must be as tall as the Speedzone logo to drive this car
Auditing challenges
Problems
validating policy
But I wanna go on the ride...

• I’m tall enough
• But Mom doesn’t want me to ride the ride
• How does her “policy” get represented?
• How is it acted upon?
Inappropriate
authorizations
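The amusement park parable as an added Python example, not code from the deck. Height is an attribute and only a precondition; the ticket is the entitlement, is tied to a named holder (the relationship with the park), and carries its own sell-by date, which is the same "Sell By" problem the federation section raises for sprayed data; Mom's wish is a separate policy author, represented explicitly and combined deny-overrides rather than smuggled into the height check. The rider data, the 120 cm threshold, the reference date and the guardian table are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

MIN_HEIGHT_CM = 120              # the "this tall to ride" sign: a safety attribute check
TODAY = date(2010, 6, 1)         # constructed reference date for the examples below


@dataclass(frozen=True)
class Ticket:
    """The entitlement: proof of a relationship with the park, with its own sell-by date."""
    holder: str
    valid_on: date


@dataclass(frozen=True)
class Rider:
    name: str
    height_cm: int               # an attribute; it says nothing about any relationship
    ticket: Optional[Ticket]
    guardian: Optional[str] = None


# Constructed: a guardian's own policy, kept separate from the park's policy.
GUARDIAN_DENIES: Dict[str, Set[str]] = {"mom": {"charlie"}}


def park_policy(rider: Rider, today: date = TODAY) -> List[str]:
    """Deny reasons from the park's point of view (empty list means permit)."""
    reasons: List[str] = []
    if rider.height_cm < MIN_HEIGHT_CM:
        reasons.append("below minimum height")            # attribute check: a precondition only
    if rider.ticket is None:
        reasons.append("no ticket: height is not an entitlement")
    else:
        if rider.ticket.holder != rider.name:
            reasons.append("ticket belongs to someone else: not this rider's relationship")
        if rider.ticket.valid_on != today:
            reasons.append("ticket past its sell-by date")
    return reasons


def guardian_policy(rider: Rider) -> List[str]:
    """A second policy author, represented explicitly instead of folded into height."""
    if rider.guardian and rider.name in GUARDIAN_DENIES.get(rider.guardian, set()):
        return [f"guardian {rider.guardian} does not permit this rider"]
    return []


def authorize(rider: Rider, today: date = TODAY) -> Tuple[str, List[str]]:
    """Deny-overrides: a deny from any policy author wins; otherwise Permit.
    Every reason is collected so the decision can be audited afterwards."""
    reasons = park_policy(rider, today) + guardian_policy(rider)
    return ("Deny" if reasons else "Permit"), reasons


if __name__ == "__main__":
    print(authorize(Rider("ann", 130, Ticket("ann", TODAY))))
    print(authorize(Rider("charlie", 130, Ticket("charlie", TODAY), guardian="mom")))
```

Because each clause reports its own reason, an audit can later tell "denied for height" from "denied because the ticket expired", which is exactly what a policy written as "as tall as the Speedzone logo" makes impossible.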
Push, Pull, Punt

 A way forward
The business of
identity providers
Federated virtual
   directory
Rise of the XACMLoids
Cache and Stash
Apps aren’t built
    for this
Audit patterns
Regardless whether
       you
push, pull, or punt
IdM is changing
under your feet
Reference
• Gartner ITP / Burton Group Research
 • The Emergent Architecture for Identity
   Management - Bob Blakley
 • Provisioning’s Role in the Next-Generation IdM
   Architecture - Lori Rowland
 • Characteristics of an Effective Identity
   Management Governance Program - Kevin
   Kampman
 • Market Profile: Identity and Access Governance
   2010 - Ian Glazer & Mark Diodati
Images courtesy of

• croweb
• nickso
• Graham Ballantyne
• sundazed
• andy castro
• tkksummers
• spacesuitcatalyst
Editor's notes

  1. The problems with push Image courtesy of croweb - http://www.flickr.com/photos/croweb/2904702979
  2. Think about a typical COTS application. Users and their privileges are managed within the app and often there is very little in terms of remote user management capabilities. This has led to some of the complexities in user provisioning systems.
  3. Traditional applications of federation technology follow two deployment patterns. The first is hub and spoke, in which a heavyweight company is the center of the federation and its trading partners federate on the hub’s terms. Image courtesy of nickso - http://www.flickr.com/photos/nickso/3045996440/
  4. The second federation deployment pattern is the network of peers. With no heavyweight at the center, the federation is composed of peers who federate amongst each other. Image courtesy of Graham Ballantyne - http://www.flickr.com/photos/grahamb/2355477036/in/pool-324690@N20
  5. Provisioning locally is (barely) tolerable. Provisioning locally and remotely is wasted effort.
  6. Provisioning locally is (barely) tolerable. Provisioning locally and remotely is wasted effort.
  7. Provisioning locally is (barely) tolerable. Provisioning locally and remotely is wasted effort.
  8. Provisioning locally is (barely) tolerable. Provisioning locally and remotely is wasted effort.
  9. The problems with push in a federated environment: federated provisioning Image courtesy of croweb - http://www.flickr.com/photos/croweb/2904702979
  10. A variety of approaches have been taken to try and solve the challenge of federated provisioning.
  11. One approach was to use SPML. First, not all service providers have an SPML interface. Second, not every enterprise has a provisioning process that can generate SPML messages.
  12. Another approach is to use SAML. There have been two approaches to this. One is to establish an agreement that requires more than is needed to perform authentication. This extra data is used by a backend provisioning process. The problem with this approach is that this data is always sent, which can violate the privacy principle of data minimization, among other things. The second approach is to use Metadata-Exchange to facilitate attribute exchange on an as-needed basis.
  13. Cloud providers have been building their own provisioning interfaces using neither the SAML nor the SPML standard.
  14. A few service providers have offered LDAP as a means of provisioning. In some cases, a provider can issue LDAP queries to the enterprise.
  15. Needless to say, there is no one best approach. Or at least, there is no one agreed upon approach.
  16. Same basic idea as cataloging entitlements.
  17. These policies seem similar to provisioning policies but they have an extra clause - Context.
  18. These policies seem similar to provisioning policies but they have an extra clause - Context.
  19. These policies seem similar to provisioning policies but they have an extra clause - Context.
  20. The above are examples of contextual items that can be considered during an authorization event.
  21. No single provider has close relationships with all the individuals a modern enterprise needs to deal with. So no organization can be a sole-source, low-cost, high-quality provider of all the identities an enterprise needs.
  22. This is what a pull-based authorization system looks like. A user initiates an action in a system; that system asks the federated virtual directory (FVD) for all of the data needed to make the authorization decision. The FVD returns that data to the endpoint, which makes a go/no-go authorization decision.
  23. We’ll add another step to accommodate applications that don’t know how to ask for external information to make authorization decisions.
  24. The XACMLoids know how to ask the FVD for information and then can present the go/no-go decision to the endpoint.
  25. We expect SharePoint2010 as the “infection vector” by which claims-aware computing becomes popular in the enterprise.
  26. To authorize people, the amusement park installs a sign at a given height. Image courtesy of sundazed - http://www.flickr.com/photos/sundazed/555071016/
  27. To authorize people, the amusement park installs a sign at a given height. Image courtesy of sundazed - http://www.flickr.com/photos/sundazed/555071016/
  28. That’s what a ticket is for. Image courtesy of andycastro - http://www.flickr.com/photos/andycastro/2615845976/
  29. That’s what the date on the ticket is for. Image courtesy of andycastro - http://www.flickr.com/photos/andycastro/2615845976/
  30. This is a great policy but it is awfully hard to audit. Image courtesy of tkksummers - http://www.flickr.com/photos/tkksummers/2888454076/
  31. This is a great policy but it is awfully hard to audit. Image courtesy of tkksummers - http://www.flickr.com/photos/tkksummers/2888454076/
  32. This is a great policy but it is awfully hard to audit. Image courtesy of tkksummers - http://www.flickr.com/photos/tkksummers/2888454076/
  33. This is a great policy but it is awfully hard to audit. Image courtesy of tkksummers - http://www.flickr.com/photos/tkksummers/2888454076/
  34. Consider you build the policy above. Image courtesy of spacesuitcatalyst - http://www.flickr.com/photos/spacesuitcatalyst/438010405/
  35. Someone arrives with a claim that looks like the above. Image courtesy of spacesuitcatalyst - http://www.flickr.com/photos/spacesuitcatalyst/438010405/
  36. This is the policy you meant to write. Image courtesy of spacesuitcatalyst - http://www.flickr.com/photos/spacesuitcatalyst/438010405/
  37. No single provider has close relationships with all the individuals a modern enterprise needs to deal with. So no organization can be a sole-source, low-cost, high-quality provider of all the identities an enterprise needs.
  38. No single provider has close relationships with all the individuals a modern enterprise needs to deal with. So no organization can be a sole-source, low-cost, high-quality provider of all the identities an enterprise needs.
  39. Data-intensive applications will require information to be “closer.” In these situations, the FVD and the endpoint can work with a cache or stash. Of course by adding a cache/stash, the chance that an authorization decision is made on “bad” or out-of-date data goes up.
  40. The reality is that we will have push-only applications for long time. The hybrid approach of having both push and pull in the enterprise is the more likely future.
  41. The Emerging Architecture of Identity Management - http://www.burtongroup.com/Client/Research/Document.aspx?cid=1895 Market Profile: Identity and Access Governance 2010 - http://www.burtongroup.com/Client/Research/Document.aspx?cid=1858 Characteristics of an Effective Identity Management Governance Program - http://www.burtongroup.com/Client/Research/Document.aspx?cid=1731 Provisioning’s Role in the Next-Generation IdM Architecture - http://www.burtongroup.com/Client/Research/Document.aspx?cid=1993
  42. All images, unless otherwise sourced, were found on Flickr.