CIS14: Identity at Scale: Building from the Ground Up


Anthony Randall, Monsanto

A discussion of the concept of large-scale engineering of millions of customer identities combined with many applications and partners, identity information engineering, and thoughts about how to better mesh the internal IT landscape to improve identity services, user support and user experience.

Published in: Technology

  1. Identity@Scale. An angle on identity data for scaling.
  2. Growth
     • Organizations offering more consumer Web- and mobile-based services
     • 2.4 billion internet users on the planet
     • 1.75 billion smart phones
     • Six-fold growth in mobile e-commerce through 2017
     • IoT: 50 billion devices in 2020
  3. IAM industry is catching up
     • IAM technologies continue to enable
     • Tools and technologies are improving
     • New standards for mobile, cloud + API economy
     • And new ways of doing things
  4. Directories for authentication: store identity (and some authorization). Databases for authorization: also store identity.
     Diagram labels: = Hundreds; = Few; Security; Business IT. Identity data management is lagging behind.
  5. Current state: application/service silos. Disconnected IT roles created for each individual application/service. New database for each application containing identity and application roles.
  6. And we keep hearing about context
     • XACML
     • OpenID Connect
     • UMA
  7. But we have a lot of information about our customers. We don't use it!
     Customer attributes shown: Name, Brand information, Market segment, Billing status, Licensing & certification, Role, Contact information, Account status, Devices, Consent, Location, Organization, Identifiers, Interactions, Agreements, Product subscriptions, Authorized account relationships.
  8. Business context often remains in back-office systems.
     Diagram labels: Front of house (Directory Services: identity, email address, group; often no user context; identity + authorization) versus Back Office (Customer, CRM, Integration Services: identity, user context). Targets receive identity + authorization. Spend lots $$$ doing the same things over.
  9. "Killing IAM in order to save it"
     • Need to better define and describe business relationships and context for online activity
     • Create single user views for multiple services (e.g., parental controls)
  10. Back to the Future
     • Directories store information once for many applications and services to use
     • Business-oriented, object-based systems with security and distribution
     Diagram label: X User Identity / Authorization
  11. Build the namespace according to objects and functions, not hierarchies: OU=Entitlements, OU=Devices, OU=Profiles, OU=Names, OU=Roles, OU=Users, OU=Products, OU=Configuration Mgt, OU=Preferences, OU=Apps, OU=Addr Books. Tie users to objects using GUIDs to create relationships.
  12. Adding it all up: Directory + Business context + Relationships = Scalable + contextual identity data model.
  13. Well-designed information sets provide business efficiency and scale.
     Diagram labels: System scale; Self-managed; CRM / Billing; Directory namespace(s); Updates / Reads reflected in information objects; Single user view; VMs.
  14. Provides a ready-made recipe for cloud: single user view with context; Identity Bridge; portable context.
  15. Better prepared for paradigm shift
     • An API-centric methodology relies on well managed and described information about users
     • Requires closer integration with data architecture
     Diagram labels: Services; Web Services; Updates; Self-service; Self-subscribing; Names, Users, Devices, Products, Profiles, Roles, Addr. Books, Apps, Prefs, Config., Web.
  16. Making progress. We still need to move away from this (DBs = hundreds of identities) towards this (Single Identity; CRM / Billing $$).
  17. Next Steps
     • Get a handle on the number of identities out there
     • Use tools to discover, map and clean up duplicate identities
     • Use tools to understand which applications are using which identity stores (VDS)
     • Create a taxonomy of applications that require authentication/authorization and the conditions for access (e.g., Gold subscriber, all users, certain users) (VDS)
  18. Next Steps ($$)
     • Use the context in the systems you own and build a richer set of user context
     • CRM/Billing systems don't sign in users
     • Build systems that represent the business context of users and what they do
     • Needs to be scalable, distributed and secure
     • Transition authentication to new tools
     • Work with app owners to lifecycle current apps
     • Use new tools to build new apps (VDS)
  19. When you get back to the office
     • Understand vision for customer centricity
     • Start cleaning up the identity silos that cause a disconnected view of the customer
     • Change legacy mindsets and look to better combine identity with data architecture
     • Correlate insufficient technology investments to current problem sets
     • Build the business case and understand dimensions
  20. Questions? Anthony Randall, Security Architect – IAM, anthony.randall@monsanto.com
  21. Back-Up Stuff
  22. There is a lot of valuable context information in billing systems and CRMs that can replace IT security groups.
     Attributes shown: Name, Brand information, Market segment, Billing status, Licensing & certification, Role, Contact information, Account status, Devices, Consent, Location, Organization, Identifiers, Interactions, Agreements, Product subscriptions, Authorized account relationships. Diagram labels: CRM / Billing $$; Application identity silos.
  23. Graph databases offer another way to depict the same core problem. Is it a storage and scale problem… or the method we use to represent information? (VS)
  24. Requirements and Processes
     Business: Vision; Goals and drivers; Legal and regulatory; Use-cases; Product definition.
     User: Simple to use; Fast; Self-service; Self-controlled; Online trust; Customer support; Parental controls; Privacy control; Personalization.
     Solution: Massive scale; Millions of users; Mobile optimized; Cloud-based; Ensure data privacy; Secure; Support social IDs; Integrated; Federated.
     Processes: Account creation/registration; Product management; Provisioning; Context-driven access; Account management; User lifecycle mgt; Configuration mgt; Business/decision support; Customer care.
  25. Model for Scale. Namespace: business objects that provide specific function and context; can be scaled independently according to need.
     Diagram labels: SaaS CRM; 3rd party billing; Administration tools; Self-service tools; Identity Information Service; Provisioning; Self-service administration; Product mgt tool; Data tools; Provisioning synchronization service; Access / Policy Information Point; Audit; Authoritative sources (People, Products, Name mgt, Devices, Servers, SaaS satellite information, SaaS profiles, Role def., eMail, SF.com, Config. mgt., <new>@service.com); Single user view (Addr books, Policies, Registration/account creation, Prefs, MDM); Business context.
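As an added example (not code from the deck or from the presenter's organization), this Python sketch models slide 11's object-typed namespace with GUID links, assembles the single user view of slides 12 and 13 from directory objects plus CRM/billing context, and evaluates one of slide 17's access conditions ("Gold subscriber") on that context instead of on an IT security group. All GUIDs, entries and the product name are constructed.

```python
"""Object-typed namespace with GUID links, joined into a single user view.
Everything below is constructed sample data for illustration."""

# Fixed GUIDs so the example is reproducible; one is deliberately dangling.
USER_GUID = "7c1f0c3a-0000-4000-8000-000000000001"
DEVICE_GUID = "7c1f0c3a-0000-4000-8000-000000000002"
PRODUCT_GUID = "7c1f0c3a-0000-4000-8000-000000000003"
DANGLING_GUID = "7c1f0c3a-0000-4000-8000-0000000000ff"  # referenced, never created

# One OU per object type (not a hierarchy); users point at objects by GUID.
DIRECTORY = {
    "OU=Users": {USER_GUID: {"name": "jdoe", "mail": "jdoe@example.com",
                             "devices": [DEVICE_GUID, DANGLING_GUID],
                             "products": [PRODUCT_GUID]}},
    "OU=Devices": {DEVICE_GUID: {"model": "phone", "registered": True}},
    "OU=Products": {PRODUCT_GUID: {"name": "FieldApp"}},
}
# Back-office (CRM/billing) context keyed by the same user GUID; read, not copied.
CRM_BILLING = {USER_GUID: {"billing_status": "current", "subscription": "Gold",
                           "market_segment": "grower"}}

def resolve(ou, guid):
    """Look up an object by GUID inside one OU; None for a dangling link."""
    return DIRECTORY.get(ou, {}).get(guid)

def single_user_view(user_guid):
    """Join directory objects and business context into one view of the user."""
    user = resolve("OU=Users", user_guid)
    if user is None:
        return None
    view = {"guid": user_guid, "name": user["name"], "mail": user["mail"]}
    # Dangling GUID references are skipped rather than failing the whole view.
    view["devices"] = [d for d in (resolve("OU=Devices", g) for g in user["devices"]) if d]
    view["products"] = [p for p in (resolve("OU=Products", g) for g in user["products"]) if p]
    view.update(CRM_BILLING.get(user_guid, {}))
    return view

def allowed(view, condition):
    """Context-driven access: the condition is evaluated on business context."""
    if view is None or view.get("billing_status") != "current":
        return False  # no user, or billing not current: deny
    if condition == "all users":
        return True
    if condition == "Gold subscriber":
        return view.get("subscription") == "Gold"
    return False  # unknown condition: deny by default

if __name__ == "__main__":
    v = single_user_view(USER_GUID)
    print(v["name"], len(v["devices"]), allowed(v, "Gold subscriber"))
```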