A NEW APPROACH TO SECURING THE ENTERPRISE
IDENTITY DEFINED SECURITY
Patrick Harding
Chief Technology Officer
@patrickharding
Agenda
1. Changing Trends in Identity Architecture
2. Top 4 Security Design Rules
3. Apple Watch Demo
4. What Can be Accomplished Today
5. Recommendations
Copyright © 2015 Ping Identity Corp. All rights reserved.
3
CHANGING TRENDS IN IDENTITY ARCHITECTURE
Spoiler: It’s Cloud! And Mobile!
MAJOR TRENDS SHAPING THE MARKET
• 5.2B global mobile users
• 11.5B mobile-ready devices
• 4.6B smartphones
• 738 cloud services used by an average enterprise
• 82% of enterprises have a hybrid cloud strategy
• 26B connected devices in 2020, a 30X increase within the decade
BREACH, BREACH, BREACH …
Web App Attacks
• “Phish customer → get credentials → abuse web application → empty bank/bitcoin account.”
• “Over 95% of these incidents involve harvesting credentials from customer devices, then logging into web applications with them.”
Source: 2015 Verizon Data Breach Investigations R
The Golden Years of Leveraged AuthN
[Diagram labels: You (LDAP, Provisioning, WAM, Federation), “Internal” Web Apps, Your Partners, Partner Domain Web Apps, SAML]
• Users in Directories
  – Security Policies: Expiry, Lockout, History
• Applications in Web Browser
  – Level 1: common repository
  – Level 2: Internal apps secured via WAM
  – Level 3: External apps secured via SAML
What Those Architectures Do Well
• Common Authentication Ceremony
  – User manages one password, uses it in a trusted place
• Secure introduction of users between domains
• Security for “Passive” web contexts
  – Where the user manipulates a browser
• Central policy definition/enforcement
What Those Architectures Do Poorly
• Address security risk of “active” software at run-time
  – Clients collecting & storing passwords for replay
  – Passwords transmitted on every API fetch
  – Every API validating passwords
• Address pain for developers
  – API keys & certificates poorly protected in scripts
  – Adding XML parsers & signature validation in mobile apps is problematic
• Scale to millions of partners
One Trend to Bind them All
• Cloud pushed the industry towards externalized interfaces for everything, not just identity, and REST beat out SOAP
• Mobile forced us to accept asymmetrical trust relationships, because instead of BIG software on websites we now also have small software on devices
• Standards evolved to deliver: OAuth 2.0. Not user identity, but software (client) identity
TOP 4 SECURITY DESIGN RULES
Bonus! 6 Architectural Principles
ARCHITECTURAL PRINCIPLES
• INTERNET SCALE
• FEDERATED ARCHITECTURE
• ALL IDENTITIES
• BUILT ON STANDARDS
• WEB, MOBILE & API
• FLEXIBLE DEPLOYMENT
6 PRINCIPLES THAT MEET MODERN SECURITY COMPLEXITIES AND SCALE TO ADDRESS FU
Top 4 Security Rules
• Attackers will compromise access. Identity tools to combat this include:
  1. Compartmentalization
  2. Ephemerality
  3. Automation
  4. Accountability
• Things happen fast, change often, are always watched, and the identity of every actor is explicitly part of every interaction. If theft does occur, the bad guys get as little as possible for no time at all, and the path of compromise can be traced.
Security Rules drive the Architecture
[Diagram labels: Identity Platform, Dynamic Access Control, User, Context, Automation, Resources, Bounded Credentials, Client, Primary Credentials]
The Identity Platform
• Abstracts Authentication Services from resources
• Automates & controls clients
• Issues and authorizes tokens
• Recognizes context
• Coordinates ecosystem
Modern “Honeycomb” Identity Architecture
[Diagram cells: Identity Platform, Your Data, Your Identity Infrastructure, Your Apps, Your Mobile & API, Other Web, Mobile & API, Other Data, Other Identity Infrastructure, Other Authentication Service, All Kinds of B2B Clients, All Kinds of Users]
Honeycomb Architecture
• Pick the cells that fit your business use case
  – Mobile, IoT
  – Consumer/Enterprise SSO
  – Enterprise Service Bus
• Cells may exist in separate internet contexts
• Interaction between cells is standardized
Automation & Accountability
[Diagram labels: Identity Platform, Dynamic Access Control, User, Context, Automation, Resources, Bounded Credentials, Client, Primary Credentials]
Standards at Work
• OAuth 2.0 (RFC 6749/50)
  – Authorization framework for software clients
  – Enables clients to present scoped authorization tokens to REST APIs
• OpenID Connect (built on OAuth 2.0)
  – Clients and Identity Platform request & assert identifiers, attributes with integrity & confidentiality
• SAML
  – Gold standard for Web SSO
  – SOAP-based
• SCIM
  – Standardized REST API for creation, synchronization of user accounts/attributes
• FIDO
  – Standardization of authenticators
  – Password-less and 2nd factor
• Account Chooser
  – User discovery specification
  – Migration from IdP discovery to user discovery
Primary Credentials
• Supply enough primary credentials, and the assumption is that the real “subject” is present.
  – Impersonation through compromise of primary credentials is the greatest risk in the industry today. See: Credential Farming
• Goal: protect primary credentials in every way possible
• Examples: passwords, API keys, MFA authenticator interactions, certificates, FIDO
Bounded Credentials
• Ephemeral tokens representing not just the “subject” but subject and context.
  – Access Tokens: access to a limited scope, on behalf of a subject, executed by a specific client, valid for a limited time
  – JWTs: introduction of a subject to a specific audience, valid for a short period of time
  – ID Tokens: introduction of a subject to a specific audience from a known issuer, based on a specific authentication interaction
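To make the bounded-credentials idea (and the OAuth 2.0 scoped-token point from the Standards at Work slide) concrete, here is an added Python example that is not part of the deck and not Ping Identity code. It mints an HS256-signed JWT that binds a subject to a specific client, audience, scope and short expiry, then validates it the way a resource server would, rejecting the same token at a different API, after expiry, with an insufficient scope, and with a rewritten scope claim. The signing key, issuer, audience URLs and client id are constructed sample values; a real identity platform would sign with an asymmetric key that resources verify against its published keys.

```python
"""Bounded credentials: mint and validate a short-lived, scoped, audience-bound token.

Added illustration; not code from the presentation or from Ping Identity.
HS256 with a shared secret keeps the example dependency-free; the issuer,
audiences, client id and key below are constructed sample values.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-example-secret"          # assumption: shared with the resource
ISSUER = "https://idp.example.com"                   # assumption: the identity platform
ORDERS_API = "https://api.example.com/orders"        # assumption: one audience (resource)
PAYMENTS_API = "https://api.example.com/payments"    # assumption: a different audience


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(subject, client_id, audience, scope, lifetime_s=300, now=None):
    """Bind subject + client + audience + scope to a short expiry and sign it."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": subject,           # who the token speaks for
        "aud": audience,          # which resource may accept it
        "client_id": client_id,   # which piece of software acts for the subject
        "scope": scope,           # what it may do (space-separated)
        "iat": now,
        "exp": now + lifetime_s,  # ephemerality: minutes, not months
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_access_token(token, expected_audience, required_scope, now=None):
    """Resource-server checks, in order: shape, alg, signature, issuer, audience, expiry, scope.

    Returns (accepted, reason, claims); claims stay None until the signature is verified.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        given_sig = _b64url_decode(sig_b64)
        if not isinstance(header, dict):
            raise ValueError("header is not an object")
    except ValueError:  # covers unpacking, base64 and JSON errors
        return False, "malformed", None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return False, "unexpected alg", None
    expected_sig = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, given_sig):
        return False, "bad signature", None
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        return False, "unknown issuer", claims
    if claims.get("aud") != expected_audience:  # a token for one API is not valid at another
        return False, "wrong audience", claims
    if now >= int(claims.get("exp", 0)):
        return False, "expired", claims
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient scope", claims
    return True, "ok", claims


def demo(now=1_000_000):
    """Exercise the checks with a fixed clock; returns the reason for each case."""
    token = mint_access_token("alice", "watch-app", ORDERS_API, "orders:read",
                              lifetime_s=300, now=now)
    # Tampering case: rewrite the scope claim but keep the original signature.
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["scope"] = "orders:read orders:write"
    forged = (header_b64 + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode())
              + "." + sig_b64)
    return {
        "valid": validate_access_token(token, ORDERS_API, "orders:read", now=now + 60)[1],
        "other_api": validate_access_token(token, PAYMENTS_API, "orders:read", now=now + 60)[1],
        "after_expiry": validate_access_token(token, ORDERS_API, "orders:read", now=now + 300)[1],
        "wrong_scope": validate_access_token(token, ORDERS_API, "orders:write", now=now + 60)[1],
        "forged_scope": validate_access_token(forged, ORDERS_API, "orders:write", now=now + 60)[1],
    }


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:13s} -> {reason}")
```

The order of checks matters: the signature is verified before any claim is trusted, the audience check is what keeps a token for one cell of the honeycomb from being replayed at another, and the short `exp` is what limits what a thief gets if a bounded credential does leak, in contrast to a replayed primary credential.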
APPLE WATCH DEMO
Identity architecture demos are boring… unless they are cunningly disguised as Apple Watch Demos.
What you just saw
• Single trusted authentication ceremony
• Low friction 2nd factor authentication
• Transformation of primary credentials into bounded credentials
• Protection of both web and native resources
WHAT CAN BE ACCOMPLISHED TODAY
World Peace! Ok well let’s not go crazy…
Federated Access Management
[Diagram labels: Contextual Authentication, Federated Sign-on, Access Security]
• Contextual Authentication
  – Active and passive challenges and contexts, designed to mitigate risks
• Federated Sign-on
  – Distribution of tokens and assertions that represent users in a compartmentalized, ephemeral, automated, accountable way
  – Application of policy at time of access request
• Access Security
  – Validation of tokens and assertions
  – Enforcement of policy & intelligence beyond token validity at time of resource use
Identity Defined Security
[Diagram labels: User Administration, Orchestration, Federated Provisioning, Federated Identity Management (FIM), Federated Access Management (FAM), Contextual Authentication, Federated Sign-on, Access Security, Governance, Intelligence (risk/fraud/analytics), Continuous Authentication™]
RECOMMENDATIONS
Call your mother…
Create a Long Term Plan
• New identity architectures must handle all identities, all channels, all interaction methods – at scale
  – OAuth 2.0 delivers scoped authorization as the foundation for identity – both client and user identity are tracked
  – The Identity Platform becomes a central element of a set of honeycomb cells that interoperate with each other via standards
• Limitation/mitigation of exposure starts with compartmentalization of primary credentials, bounded credentials are
• Interaction between authentication services, identity platform, and access security at the resources will become more intelligent in the future
Address Immediate Risk
• Credential Farming
  – If an employee reuses the same email and password at http://iloveipa.com and for your corporate VPN, and an attacker compromises http://iloveipa.com, can they walk right in your front door?
  – Now is the time to explore second factor auth. Be creative. Don’t expect the first thing to work. But at all costs, disrupt those password reuse attacks.
Read the Verizon Data Breach Report
• 95% of breaches start with a compromised credential
  – http://www.verizonenterprise.com/DBIR/
• If you can’t detect them coming in, then detect them going out; egress monitoring can be your friend.
• Long term planning is for analytics to find trends of sessions, usage patterns, anomalies
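Picking up the point that you should at least detect them coming in, here is an added Python example, not from the deck and not Ping Identity code, of one trace that a credential-farming replay (harvested email/password pairs tried against your front door) leaves in ordinary authentication logs: a single source trying many distinct usernames, mostly failing, within a short window, with any success from such a source being the first account to review. The log format, IP addresses, usernames and thresholds are constructed for the example.

```python
"""Flagging password-reuse (credential farming) replays in authentication logs.

Added example; not from the presentation or Ping Identity. The log format,
addresses, usernames and thresholds are constructed for illustration.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <OK|FAIL> user=<name> ip=<address>".
# 203.0.113.7 walks a list of harvested credentials; the other lines are ordinary traffic.
SAMPLE_LOG = """\
2015-07-20T09:00:01 FAIL user=alice ip=203.0.113.7
2015-07-20T09:00:02 FAIL user=bob ip=203.0.113.7
2015-07-20T09:00:03 FAIL user=carol ip=203.0.113.7
2015-07-20T09:00:04 OK   user=dave ip=203.0.113.7
2015-07-20T09:00:05 FAIL user=erin ip=203.0.113.7
2015-07-20T09:00:06 FAIL user=frank ip=203.0.113.7
2015-07-20T09:00:07 FAIL user=grace ip=203.0.113.7
2015-07-20T09:01:10 FAIL user=alice ip=198.51.100.5
2015-07-20T09:01:20 OK   user=alice ip=198.51.100.5
2015-07-20T09:02:00 OK   user=bob ip=198.51.100.9
"""


def parse_log(text):
    """Turn log lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].startswith("user=") or not parts[3].startswith("ip="):
            continue
        events.append({
            "ts": datetime.fromisoformat(parts[0]),
            "ok": parts[1] == "OK",
            "user": parts[2][len("user="):],
            "ip": parts[3][len("ip="):],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Sliding window per source IP: many distinct usernames and mostly failures.

    A legitimate user mistyping a password is one username; a replayed credential
    list is many. Returns {ip: stats at the last window that crossed the thresholds}.
    """
    recent = {}
    flagged = {}
    for e in events:
        q = recent.setdefault(e["ip"], deque())
        q.append(e)
        while e["ts"] - q[0]["ts"] > window:  # drop attempts older than the window
            q.popleft()
        users = {x["user"] for x in q}
        failures = sum(1 for x in q if not x["ok"])
        if len(users) >= min_users and failures / len(q) >= min_fail_ratio:
            flagged[e["ip"]] = {"distinct_users": len(users), "attempts": len(q),
                                "failures": failures}
    return flagged


def takeover_candidates(events, flagged):
    """Successful logins from a flagged source: the accounts to review and re-secure first."""
    return [(e["user"], e["ip"], e["ts"].isoformat())
            for e in events if e["ok"] and e["ip"] in flagged]


def run_detection(text=SAMPLE_LOG):
    events = parse_log(text)
    flagged = find_stuffing_sources(events)
    return {"flagged_ips": flagged,
            "takeover_candidates": takeover_candidates(events, flagged)}


if __name__ == "__main__":
    result = run_detection()
    for ip, stats in result["flagged_ips"].items():
        print(f"credential replay from {ip}: {stats}")
    for user, ip, ts in result["takeover_candidates"]:
        print(f"review account {user}: accepted login from {ip} at {ts}")
```

The thresholds are deliberately simple and would be tuned per environment (shared NAT egress addresses raise the distinct-user baseline, for instance); the point is that the replay of a harvested list looks nothing like one user fumbling a password, and the successes inside such a burst are exactly the sessions that a second factor would have stopped. The egress monitoring the slide mentions is a separate, complementary control over traffic leaving the network, which this ingress check does not cover.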
Intelligence is the Future
• Think about what your inputs could be into an intelligence engine
• Think about what your social contract is with your users, and how you can signal that you are watching, but also how they can signal that they want privacy
Thank You!

Catalyst 2015: Patrick Harding

  • 1.
  • 2. A NEW APPROACH TO SECURING THE ENTERPRISE IDENTITY DEFINED SECURITY Patrick Harding Chief Technology Officer @patrickharding
  • 3. Agenda 1. Changing Trends in Identity Architecture 2. Top 3 4 Security Design Rules 3. Apple Watch Demo 4. What Can be Accomplished Today 5. Recommendations Copyright © 2015 Ping Identity Corp. All rights reserved. 3
  • 4. CHANGING TRENDS IN IDENTITY ARCHITECTURE Spoiler: It’s Cloud! And Mobile! Copyright © 2015 Ping Identity Corp. All rights reserved. 4
  • 5. MAJOR TRENDS SHAPING THE MARKET 5.2B Global mobile users 11.5B Mobile-ready devices 4.6B Smartphones
  • 6. MAJOR TRENDS SHAPING THE MARKET 5.2B Global mobile users 11.5B Mobile-ready devices 4.6B Smartphones 738 # of cloud services used by an average enterprise` 82% of enterprises have a hybrid cloud strategy
  • 7. MAJOR TRENDS SHAPING THE MARKET 5.2B Global mobile users 11.5B Mobile-ready devices 4.6B Smartphones 738 # of cloud services used by an average enterprise` 82% of enterprises have a hybrid cloud strategy 30XIncrease within the decade Connected devices in 2020 26B
  • 8. MAJOR TRENDS SHAPING THE MARKET 5.2B Global mobile users 11.5B Mobile-ready devices 4.6B Smartphones 738 # of cloud services used by an average enterprise` 82% of enterprises have a hybrid cloud strategy 30XIncrease within the decade Connected devices in 2020 26B
  • 9. BREACH, BREACH, BREACH … Web App Attacks • Phish customer ≥ get credentials ≥ abuse web application ≥ empty bank/bitcoin account.” • Over 95% of these incidents involve harvesting credentials from customer devices, then logging into web applications with them” Source: 2015 Verizon Data Breach Investigations R
  • 10. Provisioning WAM You Federation LDAP Your Partners “Internal” Web Apps Partner Domain Web Apps SAML The Golden Years of Leveraged AuthN Copyright © 2015 Ping Identity Corp. All rights reserved. 10 • Users in Directories – Security Policies: • Expiry, Lockout, History • Applications in Web Browser – Level 1: common repository – Level 2: Internal apps secured via WAM – Level 3: External apps secured via SAML
  • 11. What Those Architectures Do Well
    Confidential — do not distribute
    • Common Authentication Ceremony
      – User manages one password, uses it in a trusted place
    • Secure introduction of users between domains
    • Security for “Passive” web contexts
      – Where the user manipulates a browser
    • Central policy definition/enforcement
  • 12. What Those Architectures Do Poorly
    • Address security risk of “active” software at run-time
      – Clients collecting & storing passwords for replay
      – Passwords transmitted on every API fetch
      – Every API validating passwords
    • Address pain for developers
      – API keys & certificates poorly protected in scripts
      – Adding XML parsers & signature validation in mobile apps is problematic
    • Scale to millions of partners
  • 13. One Trend to Bind them All
    • Cloud pushed the industry towards externalized interfaces for everything, not just identity, and REST beat out SOAP
    • Mobile forced us to accept asymmetrical trust relationships, because instead of BIG software on websites we now also have small software on devices
    • Standards evolved to deliver: OAuth 2.0. Not user identity, but software (client) identity
  • 14. TOP 4 SECURITY DESIGN RULES. Bonus! 6 Architectural Principles
  • 15. ARCHITECTURAL PRINCIPLES: INTERNET SCALE; FEDERATED ARCHITECTURE; ALL IDENTITIES; BUILT ON STANDARDS; WEB, MOBILE & API; FLEXIBLE DEPLOYMENT. 6 PRINCIPLES THAT MEET MODERN SECURITY COMPLEXITIES AND SCALE TO ADDRESS FU
  • 16. Top 4 Security Rules
    • Attackers will compromise access. Identity tools to combat this include:
      1. Compartmentalization
      2. Ephemerality
      3. Automation
      4. Accountability
    • Things happen fast, change often, are always watched, and the identity of all actors is explicitly part of all interactions. If theft does occur, bad guys get as little as possible for no time at all, and the path of compromise can be traced
  • 17. Security Rules drive the Architecture
    (diagram labels: Identity Platform, Dynamic Access Control, User Context, Automation, Resources, Bounded Credentials, Client, Primary Credentials)
  • 18. The Identity Platform
    • Abstracts Authentication Services from resources
    • Automates & controls clients
    • Issues and authorizes tokens
    • Recognizes context
    • Coordinates ecosystem
  • 19. Modern “Honeycomb” Identity Architecture
    (diagram cells: Your Data, Your Identity Infrastructure, Other Web, Mobile & API, Other Data, Your Mobile & API, Other Identity Infrastructure, All Kinds of B2B Clients, All Kinds of Users, Other Authentication Service, Your Apps)
  • 20. Honeycomb Architecture
    • Pick the cells that fit your business use case
      – Mobile, IoT
      – Consumer/Enterprise SSO
      – Enterprise Service Bus
    • Cells may exist in separate internet contexts
    • Interaction between cells is standardized
  • 21. Automation & Accountability
    (same diagram as slide 17: Identity Platform, Dynamic Access Control, User Context, Automation, Resources, Bounded Credentials, Client, Primary Credentials)
  • 22. Standards at Work
    • OAuth 2.0 (RFC 6749/50)
      – Authorization framework for software clients
      – Enables clients to present scoped authorization tokens to REST APIs
    • OpenID Connect (built on OAuth 2.0)
      – Clients and Identity Platform request & assert identifiers, attributes with integrity & confidentiality
    • SAML
      – Gold standard for Web SSO
      – SOAP-based
    • SCIM
      – Standardized REST API for creation, synchronization of user accounts/attributes
    • FIDO
      – Standardization of authenticators
      – Password-less and 2nd factor
    • Account Chooser
      – User discovery specification
      – Migration from IDP discovery to User discovery
  • 23. Primary Credentials
    • Supply enough primary credentials, and the assumption is that the real “subject” is present.
      – Impersonation through compromise of primary credentials is the greatest risk in the industry today. See: Credential Farming
    • Goal: protect primary credentials in every way possible
    • Examples: passwords, API keys, MFA authenticator interactions, certificates, FIDO
  • 24. Bounded Credentials
    • Ephemeral tokens representing not just the “subject” but subject and context.
      – Access Tokens: access to limited scope on behalf of subject, executed by specific client, valid for limited time
      – JWTs: introduction of subject to specific audience, valid for short period of time
      – ID Tokens: introduction of subject to specific audience from known issuer, based on specific authentication interaction
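The bounded-credential checks from slides 22 and 24, as an added example that is not code from the deck or from Ping Identity: an HS256 JWT minted by an identity platform and checked claim by claim by the resource it is bound to (issuer, audience, expiry, scope). The shared secret, issuer URL and audience URL are constructed placeholders.

```python
# Added example (not from the deck): resource-side validation of a bounded
# credential. Secret, issuer and audience are constructed placeholders.
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"     # placeholder HS256 shared secret
ISSUER = "https://idp.example"       # the one issuer we trust (assumed)
AUDIENCE = "https://api.example"     # the one resource this token is bound to

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict) -> str:
    """Identity platform side: issue a compact HS256 JWT header.payload.sig."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def validate(token: str, required_scope: str, now: float) -> dict:
    """Resource side: return claims only if every binding holds, else ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never accept alg=none
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")           # integrity
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("unknown issuer")          # known issuer
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")          # compartmentalization
    if now >= claims.get("exp", 0):
        raise ValueError("expired")                 # ephemerality
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("scope not granted")       # limited scope
    return claims                                   # sub + client_id: accountability

def is_valid(token: str, required_scope: str, now: float) -> bool:
    try:
        validate(token, required_scope, now)
        return True
    except ValueError:
        return False
```

A token that fails any one binding is useless to whoever steals it, which is the point of slide 16's "as little as possible for no time at all".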
  • 25. APPLE WATCH DEMO. Identity architecture demos are boring… unless they are cunningly disguised as Apple Watch Demos.
  • 26. (no slide text)
  • 27. What you just saw
    • Single trusted authentication ceremony
    • Low friction 2nd factor authentication
    • Transformation of primary credentials into bounded credentials
    • Protection of both web and native resources
  • 28. WHAT CAN BE ACCOMPLISHED TODAY. World Peace! Ok well let’s not go crazy…
  • 29. Federated Access Management
    (diagram labels: Contextual Authentication, Federated Sign-on, Access Security)
    • Contextual Authentication
      – Active and passive challenges and contexts, designed to mitigate risks
    • Federated Sign-on
      – Distribution of tokens and assertions that represent users in a compartmentalized, ephemeral, automated, accountable way
      – Application of policy at time of access request
    • Access Security
      – Validation of tokens and assertions
      – Enforcement of policy & intelligence beyond token validity at time of resource use
  • 30. Identity Defined Security
    (diagram labels: User Administration, Orchestration, Federated Provisioning, Federated Access Management (FAM), Federated Identity Management (FIM), Governance, Intelligence (risk/fraud/analytics), Continuous Authentication™, Contextual Authentication, Federated Sign-on, Access Security)
  • 31. RECOMMENDATIONS. Call your mother…
  • 32. Create a Long Term Plan
    • New identity architectures must handle all identities, all channels, all interaction methods – at scale
      – OAuth 2.0 delivers scoped authorization as the foundation for identity – client and user identity are tracked
      – The Identity Platform becomes a central element of a set of honeycomb cells that interoperate with each other via standards
    • Limitation/mitigation of exposure starts with compartmentalization of primary credentials, bounded credentials are
    • Interaction between authentication services, identity platform, and access security at the resources will become more intelligent in the future
  • 33. Address Immediate Risk
    • Credential Farming
      – If an employee reuses the same email and password at http://iloveipa.com and for your corporate VPN, and an attacker compromises http://iloveipa.com, can they walk right in your front door?
      – Now is the time to explore second factor auth. Be creative. Don’t expect the first thing to work. But at all costs, disrupt those password reuse attacks.
  • 34. Read the Verizon Data Breach Report
    • 95% of breaches start with a compromised credential
      – http://www.verizonenterprise.com/DBIR/
    • If you can’t detect them coming in, then detect them going out; egress monitoring can be your friend.
    • Long term planning is for analytics to find trends of sessions, usage patterns, anomalies
  • 35. Intelligence is the Future
    • Think about what your inputs could be into an intelligence engine
    • Think about what your social contract is with your users, and how you can signal that you are watching, but also how they can signal that they want privacy
  • 36. Thank You!

Editor's Notes

  1. Gartn
  2. Authentication Federation Access Security Fraud and Risk User Management Identity Orchestration Federated Provisioning