Catalyst 2015: Patrick Harding
2. A NEW APPROACH TO SECURING THE ENTERPRISE
IDENTITY DEFINED SECURITY
Patrick Harding
Chief Technology Officer
@patrickharding
3. Agenda
1. Changing Trends in Identity Architecture
2. Top 4 Security Design Rules
3. Apple Watch Demo
4. What Can be Accomplished Today
5. Recommendations
Copyright © 2015 Ping Identity Corp. All rights reserved.
4. CHANGING TRENDS IN IDENTITY
ARCHITECTURE
Spoiler: It’s Cloud! And Mobile!
5-8. MAJOR TRENDS SHAPING THE MARKET (built up over four slides)
5.2B global mobile users
11.5B mobile-ready devices
4.6B smartphones
738 cloud services used by an average enterprise
82% of enterprises have a hybrid cloud strategy
26B connected devices in 2020, a 30x increase within the decade
9. BREACH, BREACH, BREACH …
Web App Attacks
• "Phish customer → get credentials → abuse web application → empty bank/bitcoin account."
• "Over 95% of these incidents involve harvesting credentials from customer devices, then logging into web applications with them."
Source: 2015 Verizon Data Breach Investigations Report
10. The Golden Years of Leveraged AuthN
[Diagram: You (LDAP, Provisioning, WAM, "Internal" Web Apps) connected by Federation/SAML to Your Partners (Partner Domain Web Apps)]
• Users in Directories
  – Security Policies: Expiry, Lockout, History
• Applications in Web Browser
  – Level 1: common repository
  – Level 2: Internal apps secured via WAM
  – Level 3: External apps secured via SAML
11. What Those Architectures Do Well
• Common Authentication Ceremony
  – User manages one password, uses it in a trusted place
• Secure introduction of users between domains
• Security for "Passive" web contexts
  – Where the user manipulates a browser
• Central policy definition/enforcement
12. What Those Architectures Do Poorly
• Address security risk of "active" software at run-time
  – Clients collecting & storing passwords for replay
  – Passwords transmitted on every API fetch
  – Every API validating passwords
• Address pain for developers
  – API keys & certificates poorly protected in scripts
  – Adding XML parsers & signature validation in mobile apps is problematic
• Scale to millions of partners
13. One Trend to Bind them All
• Cloud pushed the industry towards externalized interfaces for everything, not just identity, and REST beat out SOAP
• Mobile forced us to accept asymmetrical trust relationships, because instead of BIG software on websites we now also have small software on devices
• Standards evolved to deliver OAuth 2.0: not user identity, but software (client) identity
14. TOP 4 SECURITY DESIGN RULES
Bonus! 6 Architectural Principles
16. Top 4 Security Rules
• Attackers will compromise access. Identity tools to combat this include:
  1. Compartmentalization
  2. Ephemerality
  3. Automation
  4. Accountability
• Things happen fast, change often, are always watched, and the identity of every actor is explicitly part of every interaction. If theft does occur, the bad guys get as little as possible for as short a time as possible, and the path of compromise can be traced.
17. Security Rules drive the Architecture
[Diagram: Identity Platform at the centre; the Client presents Primary Credentials and receives Bounded Credentials; Dynamic Access Control over Resources draws on User, Context and Automation; Primary Credentials also flow between the Identity Platform and its authentication services]
18. The Identity Platform
• Abstracts authentication services from resources
• Automates & controls clients
• Issues and authorizes tokens
• Recognizes context
• Coordinates ecosystem
19. Modern "Honeycomb" Identity Architecture
[Diagram: honeycomb of cells: Your Identity Infrastructure, Your Apps, Your Data, Your Mobile & API, All Kinds of Users, All Kinds of B2B Clients, Other Identity Infrastructure, Other Authentication Service, Other Web, Mobile & API, Other Data]
20. Honeycomb Architecture
• Pick the cells that fit your business use case
  – Mobile, IoT
  – Consumer/Enterprise SSO
  – Enterprise Service Bus
• Cells may exist in separate internet contexts
• Interaction between cells is standardized
21. Automation & Accountability
[Diagram: same elements as slide 17 (Identity Platform, Dynamic Access Control, User, Context, Automation, Resources, Client, Primary and Bounded Credentials)]
22. Standards at Work
• OAuth 2.0 (RFC 6749/6750)
  – Authorization framework for software clients
  – Enables clients to present scoped authorization tokens to REST APIs
• OpenID Connect (built on OAuth 2.0)
  – Clients and Identity Platform request & assert identifiers and attributes with integrity & confidentiality
• SAML
  – Gold standard for Web SSO
  – XML-based (SOAP is used for its back-channel bindings, not for browser SSO)
• SCIM
  – Standardized REST API for creation and synchronization of user accounts/attributes
• FIDO
  – Standardization of authenticators
  – Password-less and 2nd factor
• Account Chooser
  – User discovery specification
  – Migration from IdP discovery to user discovery
23. Primary Credentials
• Supply enough primary credentials, and the assumption is that the real "subject" is present.
  – Impersonation through compromise of primary credentials is the greatest risk in the industry today. See: Credential Farming (slide 33)
• Goal: protect primary credentials in every way possible
• Examples: passwords, API keys, MFA authenticator interactions, certificates, FIDO
24. Bounded Credentials
• Ephemeral tokens representing not just the "subject" but subject and context.
  – Access Tokens: access to a limited scope on behalf of the subject, executed by a specific client, valid for a limited time
  – JWTs: introduction of the subject to a specific audience, valid for a short period of time
  – ID Tokens: introduction of the subject to a specific audience from a known issuer, based on a specific authentication interaction
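The transformation this slide describes, from a primary credential checked once at the identity platform to a bounded credential that a REST API can verify on its own, as an added example in Python (not code from the deck or from Ping Identity). It mints an HS256 JWT access token bound to subject, client, audience, scope and a five-minute lifetime, and shows the resource-server checks that make each of those bounds hold. The issuer and audience URLs, the user and client registries, the sample password and the shared signing key are all constructed for the example; a real platform would sign with an asymmetric key published via JWKS so that APIs never hold a signing secret.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

ISSUER = "https://idp.example"         # hypothetical identity platform
API_AUDIENCE = "https://api.example"   # hypothetical resource server the token is bound to
SIGNING_KEY = secrets.token_bytes(32)  # HS256 key shared by issuer and API in this toy setup
TOKEN_TTL = 300                        # ephemerality: access tokens live five minutes

# Constructed stores. Primary credentials are kept only as salted PBKDF2 hashes.
def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

SALT = os.urandom(16)
USERS = {"alice": {"salt": SALT, "hash": hash_password("correct horse", SALT)}}
# Registered clients and the most each may ever be granted (compartmentalization per client).
CLIENTS = {"watch-app": {"scopes": {"balance:read"}},
           "teller-app": {"scopes": {"balance:read", "transfer:write"}}}

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_primary_credential(username, password):
    """Verify the primary credential exactly once, at the identity platform."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, b"\0" * 16)  # same cost for unknown users, so timing does not reveal them
        return False
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])

def issue_access_token(username, password, client_id, requested_scope, now=None):
    """Identity platform: exchange a primary credential for a bounded credential (scoped, short-lived JWT)."""
    now = int(time.time() if now is None else now)
    client = CLIENTS.get(client_id)
    if client is None or not check_primary_credential(username, password):
        return None
    scope = set(requested_scope.split()) & client["scopes"]  # never more than the client is registered for
    if not scope:
        return None
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER, "sub": username, "aud": API_AUDIENCE, "client_id": client_id,
        "scope": " ".join(sorted(scope)), "iat": now, "exp": now + TOKEN_TTL,
        "jti": secrets.token_hex(8),  # unique id so the token can be revoked and traced (accountability)
    }
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)

def verify_access_token(token, required_scope, now=None):
    """Resource server: accept the token only if every bound (issuer, audience, lifetime, scope) holds.
    Returns the claims on success, None otherwise. No password ever reaches the API."""
    now = int(time.time() if now is None else now)
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":  # refuse alg=none and algorithm switching
            return None
        expected = hmac.new(SIGNING_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
    except (ValueError, TypeError, AttributeError):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != API_AUDIENCE:
        return None
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims
```

A client registered only for `balance:read` that asks for `transfer:write` as well gets a token clipped to what it is allowed, so theft of that token cannot move money; once the five minutes pass the API rejects it without any call back to the identity platform.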
25. APPLE WATCH DEMO
Identity architecture demos are boring… unless they are cunningly
disguised as Apple Watch Demos.
27. What you just saw
• Single trusted authentication ceremony
• Low friction 2nd factor authentication
• Transformation of primary credentials into
bounded credentials
• Protection of both web and native
resources
28. WHAT CAN BE ACCOMPLISHED
TODAY
World Peace! Ok well let’s not go crazy…
29. Federated Access Management
[Diagram: Contextual Authentication → Federated Sign-on → Access Security]
• Contextual Authentication
  – Active and passive challenges and contexts, designed to mitigate risks
• Federated Sign-on
  – Distribution of tokens and assertions that represent users in a compartmentalized, ephemeral, automated, accountable way
  – Application of policy at time of access request
• Access Security
  – Validation of tokens and assertions
  – Enforcement of policy & intelligence beyond token validity at time of resource use
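The "Access Security" item above, enforcement of policy beyond token validity, as an added example in Python (not code from the deck or from Ping Identity). It takes a token payload that has already passed signature, issuer, audience and expiry checks and applies per-operation scope, revocation, device binding and step-up rules, writing an audit record for every decision so the path of any compromise can be traced. The route table, the `cnf.device_id` binding claim (in the spirit of RFC 7800 proof-of-possession), the `amr`/`auth_time` step-up rule and the sample requests are constructed for the example.

```python
import time
from dataclasses import dataclass

# Hypothetical API: which scope each operation needs.
ROUTE_POLICY = {("GET", "/accounts/balance"): "balance:read",
                ("POST", "/transfers"): "transfer:write"}
# Operations that need a recent second-factor authentication event (step-up), max age in seconds.
STEP_UP = {"transfer:write": 120}
# Token ids the identity platform has revoked since issuance; short lifetimes keep this list small.
REVOKED_JTI = set()
# Accountability: every decision is recorded with actor, client, token id and operation.
AUDIT_LOG = []

@dataclass
class Request:
    method: str
    path: str
    device_id: str
    source_ip: str

def authorize(claims, req, now=None):
    """Return (allowed, reason). `claims` must already be signature-, issuer-, audience- and expiry-checked;
    this function decides whether a *valid* token may perform *this* operation from *this* context."""
    now = int(time.time() if now is None else now)

    def decide(ok, reason):
        AUDIT_LOG.append({"t": now, "sub": claims.get("sub"), "client": claims.get("client_id"),
                          "jti": claims.get("jti"), "op": f"{req.method} {req.path}",
                          "ip": req.source_ip, "allowed": ok, "reason": reason})
        return ok, reason

    needed = ROUTE_POLICY.get((req.method, req.path))
    if needed is None:
        return decide(False, "unknown operation")
    if claims.get("jti") in REVOKED_JTI:
        return decide(False, "token revoked")
    if needed not in claims.get("scope", "").split():
        return decide(False, f"missing scope {needed}")
    # Device binding: a token stolen from the watch and replayed from a laptop is refused.
    bound_device = claims.get("cnf", {}).get("device_id")
    if bound_device is not None and bound_device != req.device_id:
        return decide(False, "token presented from a different device")
    # Step-up: sensitive operations need a fresh multi-factor authentication, not merely a live token.
    max_age = STEP_UP.get(needed)
    if max_age is not None:
        if "mfa" not in claims.get("amr", []):
            return decide(False, "second factor required")
        if now - claims.get("auth_time", 0) > max_age:
            return decide(False, "re-authentication required")
    return decide(True, "ok")
```

The token stays exactly as valid as it was; what changes between the allowed and refused calls is the context at time of use, which is the distinction the slide draws between sign-on policy and access-security policy.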
30. Identity Defined Security
[Diagram: Federated Access Management (FAM): Contextual Authentication, Federated Sign-on, Access Security; Federated Identity Management (FIM): User Administration, Orchestration, Federated Provisioning, Governance; surrounding layers: Intelligence (risk/fraud/analytics) and Continuous Authentication™]
32. Create a Long Term Plan
• New identity architectures must handle all identities, all channels, all interaction methods, at scale
  – OAuth 2.0 delivers scoped authorization as the foundation for identity: both client and user identity are tracked
  – The Identity Platform becomes a central element of a set of honeycomb cells that interoperate with each other via standards
• Limitation/mitigation of exposure starts with compartmentalization of primary credentials; bounded credentials are
• Interaction between authentication services, identity platform, and access security at the resources will become more intelligent in the future
33. Address Immediate Risk
• Credential Farming
  – If an employee reuses the same email and password at http://iloveipa.com and for your corporate VPN, and an attacker compromises http://iloveipa.com, can they walk right in your front door?
  – Now is the time to explore second factor auth. Be creative. Don't expect the first thing to work. But at all costs, disrupt those password reuse attacks.
34. Read the Verizon Data Breach Report
• Over 95% of web application attack incidents start with a harvested credential (see slide 9)
  – http://www.verizonenterprise.com/DBIR/
• If you can't detect them coming in, then detect them going out: egress monitoring can be your friend.
• Long term planning is for analytics to find trends in sessions, usage patterns and anomalies
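One way to "detect them coming in", as an added example in Python (not code from the deck or from Ping Identity): a detector for the password-reuse (credential-stuffing) attacks of slide 33, run over login records. It flags any source that tries many distinct accounts in a short window with mostly failures, and lists the accounts where that source nonetheless succeeded, which are the ones to reset and enrol in a second factor first. The log line format, the sample lines (RFC 5737 documentation addresses) and the thresholds are constructed for the example; a real deployment would parse its own IdP or VPN logs and tune the thresholds to its traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log in a hypothetical "login" event format.
# 198.51.100.x: ordinary users (one account each). 203.0.113.9: one source walking a list of accounts.
SAMPLE_LOG = """\
2015-07-21T10:00:01Z login user=alice src=198.51.100.7 result=ok
2015-07-21T10:00:05Z login user=bob src=198.51.100.8 result=fail
2015-07-21T10:00:06Z login user=bob src=198.51.100.8 result=ok
2015-07-21T10:01:00Z login user=carol src=203.0.113.9 result=fail
2015-07-21T10:01:01Z login user=dave src=203.0.113.9 result=fail
2015-07-21T10:01:02Z login user=erin src=203.0.113.9 result=fail
2015-07-21T10:01:03Z login user=frank src=203.0.113.9 result=ok
2015-07-21T10:01:04Z login user=grace src=203.0.113.9 result=fail
2015-07-21T10:01:05Z login user=heidi src=203.0.113.9 result=fail
2015-07-21T10:01:06Z login user=ivan src=203.0.113.9 result=fail
2015-07-21T10:01:07Z login user=judy src=203.0.113.9 result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$")

def parse(log_text):
    """Return (timestamp, user, source, success) tuples; lines that do not match are skipped, not guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["src"], m["result"] == "ok"))
    return events

def detect_stuffing(events, window_s=300, min_users=5, min_fail_ratio=0.6):
    """Per source, slide a time window over its attempts. A source that tries at least `min_users`
    distinct accounts with a failure ratio of at least `min_fail_ratio` is the signature of a
    stuffing run: an attacker does not know which reused passwords are still valid, so most attempts fail.
    Returns {source: {"users_tried": n, "compromised": [accounts that succeeded from that source]}}."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[2]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {user for _, user, _, _ in window}
            failures = sum(1 for *_, ok in window if not ok)
            if len(users) >= min_users and failures / len(window) >= min_fail_ratio:
                hits = sorted({user for _, user, _, ok in window if ok})
                findings[src] = {"users_tried": len(users), "compromised": hits}  # latest qualifying window wins
    return findings

if __name__ == "__main__":
    for src, finding in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{src}: tried {finding['users_tried']} accounts, got into {finding['compromised']}")
```

The successes inside a flagged run are the actionable part: those accounts' passwords are known to the attacker from some other breach, and a second factor on them stops the replay even before the password is changed. The per-source grouping is deliberately simple; attackers spreading a run across many addresses need the same logic keyed on user-agent, ASN or per-account failure bursts, which is the analytics work slide 34 points at.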
35. Intelligence is the Future
• Think about what your inputs could be into
an intelligence engine
• Think about what your social contract is
with your users, and how you can signal
that you are watching, but also how they
can signal that they want privacy