Best Practices for Cloud Identity Management (presentation transcript)
Best Practices for Cloud Identity in JavaEE Enabled PaaS
Anil Saldhana, Red Hat Inc.
Agenda
  • Introduction to Cloud Identity
    – Concept of Identity and Trust
  • JavaEE Enabled PaaS
    – OpenShift
  • What Identity Standard should I adopt?
    – SAML, OpenID, OAuth, WS-Trust, Kerberos
    – NIST 800-63 Levels of Assurance
  • Best Practices
    – User Registration
    – Identity Management
      • Cloud Directories and Corporate Directories
    – Authentication
    – Authorization
    – Mobile Devices
    – Identity Providers
    – API Access
  • Demo
  • Other Relevant Standards Work
    – JSR 351
  • Resources
Concept of Identity and Trust

Concept of Trust: Twitter Verified Accounts
  • The account name is the asserted identity; the blue check sign is Twitter vouching for that identity, which is the trust.
    – President Obama (Identity), Blue Check Sign (Trust)
    – Tim O'Reilly (Identity), Blue Check Sign (Trust)
JavaEE Enabled PaaS (OpenShift)
  • OpenShift by Red Hat is a polyglot PaaS.
  • Runs Java, Ruby, Perl, Python, PHP and Node.js in the cloud.
  • JavaEE Full Profile support via JBoss Application Server 7.x as well as JBoss Enterprise Application Platform.
  • Free.
Which Identity Management Standard is relevant? (SAML, OpenID, OAuth, WS-Trust, Kerberos)

Levels of Assurance
  • NIST Special Publication 800-63 (the edition current at the time of the talk; the later 800-63-3 revision replaces this single scale with separate identity, authenticator and federation assurance levels).
  • Four Levels of Assurance:
    – Level 1: little or no confidence in the asserted identity. OpenID, OAuth.
    – Level 2: some confidence in the asserted identity. Passwords, and the SAML password authentication mechanism.
    – Level 3: high confidence. Soft/hard cryptographic tokens and OTP.
    – Level 4: very high confidence. PKI and smart cards.

Which standard is relevant?
  • Community type environment (forums, blogs etc.)
    – Level 1 assurance is enough.
    – Decentralized setup at Internet scale.
    – OpenID (for authentication) and OAuth (for delegated authorization).
  • Enterprise type environment
    – Needs Level 2 assurance: SAML assertions backed by password-based authentication.
    – Needs Level 3 or 4 assurance: SAML assertions backed by PKI/X.509 certificates.
Best Practices

User Registration
  • All security systems need users.
  • Users can come from corporate identity stores or need to be dynamically registered.
  • Dynamic registration: use CAPTCHA technology to keep out automated sign-ups.
  • Password strength meters/indicators.
  • Important to understand cloud directories.
  • Password management
    – Salt and hash each password.
    – Just hashing (no salt) is susceptible to dictionary or brute-force attacks: one precomputed table of hashes matches every user who chose that password.
    – Password reset: send single-use tokens with 15-minute validity to the user's e-mail.
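The password-management points above, worked through as an added example (this is not code from the presentation, OpenShift or PicketLink). It shows why an unsalted hash falls to a precomputed dictionary, stores each password with a per-user random salt and a slow key-derivation function, and issues 15-minute single-use reset tokens of which only a hash is kept server-side. The choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions; the presentation names no specific algorithm.

```python
# Added example (not from the presentation): salted password hashing and
# 15-minute single-use password-reset tokens, as the slide recommends.
# Parameter choices (PBKDF2-HMAC-SHA256, iteration count) are assumptions.
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000          # assumption: tune so one hash costs ~100 ms on the server
RESET_TOKEN_TTL_SECONDS = 15 * 60    # validity window from the slide


def unsalted_sha256(password):
    """The 'just hashing' scheme the slide warns against."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack_unsalted(stored_hash, wordlist):
    """Unsalted hashes can be precomputed once and matched against every user's record."""
    table = {unsalted_sha256(w): w for w in wordlist}
    return table.get(stored_hash)


def hash_password(password, salt=None):
    """Per-user random salt + slow key derivation; returns a self-describing record."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    _alg, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so timing does not leak how much of the hash matched
    return hmac.compare_digest(dk.hex(), dk_hex)


class ResetTokenStore:
    """Issues reset tokens that expire after 15 minutes and can be redeemed once.
    Only a hash of each token is stored, so a leaked table does not yield live tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # sha256(token) -> (username, expires_at)

    def issue(self, username):
        token = secrets.token_urlsafe(32)   # 256 bits of randomness; goes in the e-mail link
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (username, self._clock() + RESET_TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Returns the username if the token is valid, else None. The token is consumed either way."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None
        return username


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    print(dictionary_attack_unsalted(unsalted_sha256("password123"), ["letmein", "password123"]))
```

The `clock` parameter exists so expiry can be tested without sleeping; in production leave it at `time.time`. Redeeming pops the entry before checking expiry, so a token can never be retried after a first attempt, whatever the outcome.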
Identity Management
  • Directories of users/applications
    – Cloud based.
    – Corporate based.
    – Hybrid (both cloud and corporate).
      • Synchronization issues.
      • Legal and compliance issues.
  [diagram slide: Identity Management]
Authentication
  • Classic username/password.
  • Two-factor authentication
    – Additional factor: one-time password.
  • Kerberos based login for API.
  • External authentication
    – Sign in using Facebook, Twitter, Google, ...
    – Eliminates password management headaches: the external provider, not your application, stores and resets the password.
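The one-time-password second factor from the slide above, as an added example that is not part of the presentation. The slide only says "one time password"; implementing it as HOTP (RFC 4226) and TOTP (RFC 6238) is this example's assumption. The verifier side shows the two checks a practitioner needs beyond generating the digits: a small drift window, and a record of the last accepted time step so an intercepted code cannot be replayed. The test secret is the one published in the RFCs.

```python
# Added example (not from the presentation): a one-time-password second factor
# implemented as HOTP (RFC 4226) / TOTP (RFC 6238), with the replay check a
# verifier needs so one intercepted code cannot be used twice.
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """TOTP: HOTP with counter = floor(unix_time / step)."""
    for_time = time.time() if for_time is None else for_time
    return hotp(secret, int(for_time // step), digits)


class TotpVerifier:
    """Second-factor check for one enrolled user.

    - accepts the current step and +/- `window` neighbours to absorb clock drift
    - never accepts a time step at or below the last accepted one (replay protection)
    """

    def __init__(self, secret, step=30, digits=6, window=1, clock=time.time):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._clock = clock
        self._last_counter = -1

    def verify(self, code):
        code = str(code)
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return False
        now_counter = int(self._clock() // self.step)
        for counter in range(now_counter - self.window, now_counter + self.window + 1):
            if counter <= self._last_counter:
                continue  # already used (or older): reject even if the digits match
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret, embedded here for a stand-alone run.
    secret = b"12345678901234567890"
    print(hotp(secret, 0), totp(secret, 59))
```

The `_last_counter` state must live server-side per user (a database column, not memory in one node) for the replay check to hold across a cluster; the in-memory attribute here is the constructed stand-in.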
Authorization
  • Coarse-grained authorization
    – Role Based Access Control.
  • Fine-grained authorization
    – ACL, XACML.
  • OAuth style authorization (scoped access delegated by the user).
Mobile Devices
  • Device registration
    – UDID, SIM ID, chip ID can all be identifiers for the same device.
  • Mobile devices may need token based security.
Identity Providers
  • Central identity provider for the entire PaaS system.
    – Global directory service for all tenants.
  • Identity provider for the applications of a single tenant.
    – The tenant deploys its own IDP application.
  • Delegation from the PaaS identity provider to corporate identity providers.
    – e.g. Salesforce delegating to corporate identity services.
  [diagram slide: Identity Providers]
Cloud API Access
  • The majority of cloud access may be via API
    – (Salesforce, Twitter, Facebook) third-party apps.
  • Token based REST system
    – OAuth2 is a good candidate.
      • Various drafts and flavors in the industry.
    – The user has control over approval/revocation of access.
  • OAuth2 interactions
    – Register the application with the server.
      • Obtain client identifier and client secret.
    – The resource owner (user) authorizes the application with the server for various scopes.
      • Obtain authorization code.
    – The application uses the authorization code to obtain an access token and a refresh token.
      • The refresh token is used to obtain a new access token when the current one expires.
    – The application presents the access token to the resource server.
      • Access to the resource.
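The four OAuth2 interactions listed above, walked through end to end as an added example (not code from the presentation, OpenShift or any OAuth2 library). It models the authorization server and the resource server in one process so every message of the exchange is visible: registration yields a client identifier and secret, the user's consent yields a single-use authorization code, the code is exchanged for an access and a refresh token, the resource server checks token validity and scope, the refresh token replaces an expired access token, and the user can revoke the application. Token formats, lifetimes, the `todo:read` scope and the sample data are assumptions.

```python
# Added example (not from the presentation or OpenShift): the OAuth2
# authorization-code interaction from the slides, with the authorization
# server, the resource server and the client steps in one process.
# Token formats, lifetimes and the "todo:read" scope are assumptions.
import hmac
import secrets
import time


class AuthorizationServer:
    def __init__(self, clock=time.time, code_ttl=600, access_ttl=3600):
        self._clock, self.code_ttl, self.access_ttl = clock, code_ttl, access_ttl
        self.clients = {}         # client_id -> {"secret", "redirect_uri"}
        self.codes = {}           # authorization code -> grant (single use, short lived)
        self.access_tokens = {}   # access token -> grant + expiry
        self.refresh_tokens = {}  # refresh token -> grant

    # Step 1: application registration -> client identifier and client secret
    def register_client(self, redirect_uri):
        client_id, client_secret = secrets.token_urlsafe(8), secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}
        return client_id, client_secret

    # Step 2: resource owner approves (or denies) the requested scopes -> authorization code
    def authorize(self, client_id, redirect_uri, scopes, user, approved):
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")  # never send the code elsewhere
        if not approved:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "user": user,
                            "scopes": frozenset(scopes), "expires": self._clock() + self.code_ttl}
        return code

    # Step 3: code -> access + refresh token; later, refresh token -> new pair
    def token(self, client_id, client_secret, grant_type, **params):
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            grant = self.codes.pop(params["code"], None)     # consume: a code works exactly once
            if grant is None or grant["client_id"] != client_id or self._clock() > grant["expires"]:
                raise PermissionError("invalid_grant")
        elif grant_type == "refresh_token":
            grant = self.refresh_tokens.pop(params["refresh_token"], None)  # rotate on use
            if grant is None or grant["client_id"] != client_id:
                raise PermissionError("invalid_grant")
        else:
            raise PermissionError("unsupported_grant_type")
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = dict(grant, expires=self._clock() + self.access_ttl)
        self.refresh_tokens[refresh] = {k: grant[k] for k in ("client_id", "user", "scopes")}
        return {"token_type": "Bearer", "access_token": access,
                "refresh_token": refresh, "expires_in": self.access_ttl}

    # Used by the resource server to validate a bearer token
    def introspect(self, access_token):
        grant = self.access_tokens.get(access_token)
        if grant is None or self._clock() > grant["expires"]:
            return None
        return grant

    # The user revokes the application: every token it holds for that user is dropped
    def revoke(self, user, client_id):
        for store in (self.access_tokens, self.refresh_tokens):
            doomed = [t for t, g in store.items() if g["user"] == user and g["client_id"] == client_id]
            for t in doomed:
                del store[t]


class ResourceServer:
    """Step 4: the API checks the token and its scope before serving data."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.todos = {"alice": ["finish slides"]}   # constructed sample data

    def get_todos(self, bearer_token):
        grant = self.auth.introspect(bearer_token)
        if grant is None:
            return 401, None                    # missing, unknown or expired token
        if "todo:read" not in grant["scopes"]:
            return 403, None                    # valid token, insufficient scope
        return 200, self.todos.get(grant["user"], [])


if __name__ == "__main__":
    authz = AuthorizationServer()
    api = ResourceServer(authz)
    cid, csec = authz.register_client("https://app.example/cb")
    code = authz.authorize(cid, "https://app.example/cb", ["todo:read"], "alice", approved=True)
    tokens = authz.token(cid, csec, "authorization_code", code=code)
    print(api.get_todos(tokens["access_token"]))
```

Two details carry most of the security value: the authorization code and the refresh token are popped from their tables when used, so a code captured from a redirect or a refresh token leaked from a client cannot be replayed, and the redirect URI presented at authorization time must equal the one registered, so the code is never handed to an attacker-chosen endpoint.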
Demo

Aerogear TODO Application
  • Typical JavaEE6 application
    – HTML5
    – CDI application programming
    – JAX-RS endpoints
    – JPA
  • Deployed on the OpenShift PaaS.
    – Identity user registration pattern
    – Identity authentication pattern
      • Username/password
      • Facebook authentication
      • Google authentication
    – Role based authorization
Relevant Standards

JSR 351
  • Java Identity JSR
    – pages/Home
  • Define API and identity interaction models for applications and for use in access control decisions.

Oasis IDCloud TC
  • Oasis Identity In The Cloud TC
    – Use cases for identity management in the cloud ecosystem.
    – usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html
    – Gap analysis of existing standards.

Oasis Cloud Authorization TC
  • Brand new TC at Oasis.
  • Build profiles for cloud authorization using XACML and OAuth.
    – SaaS, PaaS and IaaS models.
  • Build profiles for cloud entitlements.

Resources
  • OpenShift PaaS –
  • Project PicketLink –
  • My Blog –