Anil saldhana cloudidentitybestpractices
Best Practices for Cloud Identity Management.
    Presentation Transcript

    Best Practices for Cloud Identity in JavaEE Enabled PaaS
      Anil Saldhana, Red Hat Inc.

    Agenda
      • Introduction To Cloud Identity
        – Concept of Identity and Trust
      • JavaEE Enabled PaaS
        – OpenShift
      • What Identity Standard should I adopt?
        – SAML, OpenID, OAuth, WS-Trust, Kerberos
        – NIST 800-63 Levels of Assurance

    Agenda (continued)
      • Best Practices
        – User Registration
        – Identity Management
          • Cloud Directories and Corporate Directories
        – Authentication
        – Authorization
        – Mobile Devices
        – Identity Providers
        – API Access

    Agenda (continued)
      • Demo
      • Other Relevant Standards Work
        – JSR 351
      • Resources

    Concept of Identity and Trust

    Concept of Trust
      • Twitter Verified Accounts

    Concept of Trust
      • Twitter Verified Accounts
        – President Obama (Identity)
        – Blue Check Sign (Trust)

    Concept of Trust
      • Twitter Verified Accounts
        – Tim O'Reilly (Identity)
        – Blue Check Sign (Trust)

    JavaEE Enabled PaaS (OpenShift)
      http://openshift.com

    OpenShift
      • OpenShift by Red Hat is a polyglot PaaS
      • Run Java, Ruby, Perl, Python, PHP and Node.js in the Cloud
      • JavaEE Full Profile support via JBoss Application Server v7.x as well as JBoss Enterprise Application Platform
      • Free

    Which Identity Management Standard is relevant? (SAML, OpenID, OAuth, WS-Trust, Kerberos)

    Levels of Assurance
      • NIST 800-63 Special Publication
      • Four Levels of Assurance
        – Level 1
          • Little or no confidence in asserted identity
          • OpenID, OAuth
        – Level 2
          • Some confidence in the asserted identity
          • Passwords and SAML Password Authentication Mechanism

    Levels of Assurance
      • Four Levels of Assurance
        – Level 3
          • High confidence
          • Soft/Hard Crypto Tokens and OTP
        – Level 4
          • Very high confidence
          • PKI and Smart Cards

    Which standard is relevant?
      • Community Type Environment
        – Forums, Blogs etc.
        – Level 1 Assurance
        – Decentralized setup; Internet scale
        – OpenID and OAuth

    Which standard is relevant?
      • Enterprise Type Environment
        – Need Level 2 assurance
          • SAML Assertions (Password based authentication)
        – Need Level 3 or 4 assurance of identity
          • SAML Assertions (PKI/X.509 Certificates)

    Best Practices

    User Registration
      • All security systems need users
      • Users can come from corporate identity stores or need to be dynamically registered
      • Dynamic Registration
        – CAPTCHA technology
      • Password Strength Meters/Indicators
      • Important to understand Cloud Directories

    User Registration
      • Password Management
        – Salt and hash each password
        – Just hashing
          • Susceptible to Dictionary or Brute Force Attacks
        – Password Reset
          • Send 15 min validity single use tokens to user email
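    The "Password Management" slide gives two rules: salt and hash every password (an unsalted hash lets one precomputed dictionary attack every account at once), and make reset tokens single-use with a 15-minute life. The following Python is an added example, not code from the deck or from PicketLink; it models the user store as an in-memory dictionary, uses PBKDF2-HMAC-SHA256 from the standard library, and the iteration count and 16-byte salt size are assumptions chosen for the example.

```python
"""Salted password hashing plus single-use, time-limited reset tokens.
Added example; the dictionaries stand in for a real directory."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000         # assumed work factor; tune to your hardware budget
RESET_TOKEN_TTL_SECONDS = 15 * 60   # 15-minute validity, as the slide recommends

users = {}          # username -> {"salt": bytes, "hash": bytes}
reset_tokens = {}   # token -> {"user": str, "expires": float}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given, so
    two users with the same password get different stored hashes and a single
    precomputed table cannot be reused across accounts."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    users[username] = {"salt": salt, "hash": digest}


def verify_password(username: str, password: str) -> bool:
    record = users.get(username)
    if record is None:
        # Spend the same PBKDF2 cost for unknown users so account existence
        # is not revealed by response time.
        hash_password(password, b"\x00" * 16)
        return False
    _, candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])   # constant-time compare


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Create a random token valid for 15 minutes. A real system e-mails it to
    the user; here it is returned so the flow can be exercised offline."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    reset_tokens[token] = {"user": username, "expires": now + RESET_TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Set a new password if the token exists and has not expired. The token is
    removed on the first attempt that reaches it, so it cannot be replayed."""
    now = time.time() if now is None else now
    entry = reset_tokens.pop(token, None)
    if entry is None or now > entry["expires"]:
        return False
    register(entry["user"], new_password)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("login ok:", verify_password("alice", "correct horse battery staple"))
    tok = issue_reset_token("alice")
    print("reset ok:", redeem_reset_token(tok, "new passphrase"))
    print("replay ok:", redeem_reset_token(tok, "again"))
```

    The `now` parameter exists only so expiry can be tested without waiting; in production it is left at its default. Popping the token on first use is what makes it single-use, and the expiry check runs after the pop so an expired token is also discarded rather than left behind.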
    Identity Management
      • Directories of Users/Applications
        – Cloud based
        – Corporate based
        – Hybrid (both Cloud and Corporate)
          • Synching issues
          • Legal and compliance issues

    Identity Management

    Authentication
      • Classic Username/Password
      • Two Factor Authentication
        – Additional factor: One Time Password
      • Kerberos Based Login for API
      • External Authentication
        – Sign in using Facebook, Twitter, Google, etc.
          • Eliminates password management headaches

    Authorization
      • Coarse Grained Authorization
        – Role Based Access Control
      • Fine Grained Authorization
        – ACL, XACML
      • OAuth Style Authorization

    Mobile Devices
      • Device Registration
        – UDID, SIM ID, Chip ID can all be identifiers for the same device
      • Mobile devices may need token based security

    Identity Providers
      • Central Identity Provider for the entire PaaS system
        – Global directory service for all tenants
      • Identity Provider for the applications of a single tenant
        – Tenant deploys IdP application
      • Delegated Identity Providers to Corporate Identity Providers
        – Salesforce to corporate identity services

    Identity Providers

    Cloud API Access
      • Majority of Cloud Access may be via API
        – (Salesforce, Twitter, Facebook) 3rd party apps
      • Token based REST system
        – OAuth2 is a good candidate
          • Various drafts and flavors in the industry
        – User has control over approval/revocation of access

    Cloud API Access
      • OAuth2 Interactions
        – Register application with server
          • Obtain Client Identifier and Client Secret
        – Resource owner (User) authorizes application with server, for various scopes
          • Obtain Authorization Code

    Cloud API Access
      • OAuth2 Interactions (continued)
        – Application uses authorization code to obtain access token and refresh token
          • Refresh token helps obtain new access token on expiry
        – Application provides token to resource server
          • Access to resource
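    The two "Cloud API Access" slides list the OAuth2 interactions in order but do not show what each party must check at each step. The Python below is an added example, not code from the deck or from any real OAuth2 library: it models both the authorization server and the resource server in memory and walks a constructed TODO application through registration, user approval for a scope, the single-use code exchange, refresh after access-token expiry, presentation of the token to the resource server, and the user-driven revocation the earlier slide mentions. The class names, scope strings, token lifetimes and sample data are all assumptions made for the example; the browser redirects of the real flow are omitted.

```python
"""In-memory model of the OAuth2 authorization-code interactions. Added example."""
import secrets
from typing import Optional

CODE_TTL = 10 * 60          # authorization codes are single-use and short-lived (assumed lifetime)
ACCESS_TOKEN_TTL = 60 * 60  # access tokens expire; refresh tokens live until revoked (assumption)


class AuthorizationServer:
    """Constructed stand-in for the server the application registers with."""

    def __init__(self) -> None:
        self.clients = {}         # client_id -> client_secret
        self.codes = {}           # authorization code -> grant (popped on first use)
        self.access_tokens = {}   # access token -> grant with expiry
        self.refresh_tokens = {}  # refresh token -> grant
        self.revoked = set()      # (user, client_id) pairs the user has revoked

    def register_client(self, name: str):
        """Step 1: register the application; obtain client identifier and secret."""
        client_id = f"{name}-{secrets.token_hex(4)}"
        client_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = client_secret
        return client_id, client_secret

    def authorize(self, client_id: str, user: str, scopes: set, now: float) -> str:
        """Step 2: the resource owner approves the client for the given scopes
        and an authorization code is issued."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        self.revoked.discard((user, client_id))  # a fresh approval re-enables access
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "user": user,
                            "scopes": set(scopes), "expires": now + CODE_TTL}
        return code

    def _client_ok(self, client_id: str, client_secret: str) -> bool:
        expected = self.clients.get(client_id)
        return expected is not None and secrets.compare_digest(expected, client_secret)

    def _new_access_token(self, grant: dict, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = {**grant, "expires": now + ACCESS_TOKEN_TTL}
        return token

    def exchange_code(self, client_id, client_secret, code, now):
        """Step 3: exchange the single-use code for an access token and a refresh token."""
        if not self._client_ok(client_id, client_secret):
            return None
        grant = self.codes.pop(code, None)  # pop: replaying the same code fails
        if grant is None or grant["client_id"] != client_id or now > grant["expires"]:
            return None
        grant = {k: grant[k] for k in ("client_id", "user", "scopes")}
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = grant
        return self._new_access_token(grant, now), refresh

    def refresh(self, client_id, client_secret, refresh_token, now):
        """Step 3b: on access-token expiry the refresh token yields a new access token."""
        grant = self.refresh_tokens.get(refresh_token)
        if (not self._client_ok(client_id, client_secret) or grant is None
                or grant["client_id"] != client_id or (grant["user"], client_id) in self.revoked):
            return None
        return self._new_access_token(grant, now)

    def revoke(self, user: str, client_id: str) -> None:
        """The user withdraws approval; tokens already issued to that client stop working."""
        self.revoked.add((user, client_id))

    def introspect(self, access_token: str, now: float) -> Optional[dict]:
        """Used by the resource server: the grant behind a live, unrevoked token, else None."""
        grant = self.access_tokens.get(access_token)
        if grant is None or now > grant["expires"] or (grant["user"], grant["client_id"]) in self.revoked:
            return None
        return grant


class ResourceServer:
    """Step 4: the application presents the token; the resource is released only
    for a live token that carries the required scope."""

    def __init__(self, auth: AuthorizationServer, data: dict) -> None:
        self.auth, self.data = auth, data  # data: user -> TODO items (constructed sample)

    def get_todos(self, access_token: str, now: float) -> Optional[list]:
        grant = self.auth.introspect(access_token, now)
        if grant is None or "todo:read" not in grant["scopes"]:
            return None
        return self.data.get(grant["user"], [])


def demo_flow(now: float = 1_000_000.0) -> dict:
    """Run the interactions once and report what each step returned."""
    auth = AuthorizationServer()
    rs = ResourceServer(auth, {"alice": ["buy milk", "file taxes"]})
    cid, csec = auth.register_client("todo-mobile")
    code = auth.authorize(cid, "alice", {"todo:read"}, now)
    access, refresh = auth.exchange_code(cid, csec, code, now)
    later = now + ACCESS_TOKEN_TTL + 1
    out = {"replayed_code": auth.exchange_code(cid, csec, code, now),
           "first_read": rs.get_todos(access, now),
           "after_expiry": rs.get_todos(access, later)}
    new_access = auth.refresh(cid, csec, refresh, later)
    out["after_refresh"] = rs.get_todos(new_access, later)
    auth.revoke("alice", cid)
    out["after_revoke"] = rs.get_todos(new_access, later)
    out["refresh_after_revoke"] = auth.refresh(cid, csec, refresh, later)
    # A second client approved only for a scope the resource does not accept.
    cid2, csec2 = auth.register_client("todo-reporter")
    access2, _ = auth.exchange_code(cid2, csec2, auth.authorize(cid2, "alice", {"todo:write"}, now), now)
    out["wrong_scope"] = rs.get_todos(access2, now)
    return out


if __name__ == "__main__":
    for step, result in demo_flow().items():
        print(f"{step}: {result}")
```

    The points a practitioner should take from the model: the code is popped from the store so it can be used exactly once, the client secret is checked on every token endpoint call with a constant-time compare, the resource server never trusts the token string itself but asks the authorization server whether it is live and what scopes it carries, and revocation is enforced at introspection and refresh time rather than by trying to reach out to tokens already handed to the application.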
    Demo

    Aerogear TODO Application
      • Typical JavaEE6 application
        – HTML5
        – CDI Application Programming
        – JAX-RS Endpoints
        – JPA

    Aerogear TODO Application
      • Deployed on OpenShift PaaS
        – Identity User Registration Pattern
        – Identity Authentication Pattern
          • Username/Password
          • Facebook Authentication
          • Google Authentication
        – Role Based Authorization

    Relevant Standards

    JSR 351
      • Java Identity JSR
      • http://jcp.org/en/jsr/detail?id=351
      • http://java.net/projects/identity-api-spec/pages/Home
      • Define API and identity interaction models for applications and in access control decisions

    Oasis IDCloud TC
      • Oasis Identity In The Cloud TC
        – Use cases for Identity Management in the Cloud Ecosystem
        – http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html
        – Gap analysis of existing standards

    Oasis Cloud Authorization TC
      • Oasis Cloud Authorization TC
        – Brand new TC at Oasis
        – Build profiles for Cloud Authorization using XACML and OAuth
          • SaaS, PaaS and IaaS models
        – Build profiles for Cloud Entitlements

    Resources
      • OpenShift PaaS
        – http://openshift.com
      • Project PicketLink
        – http://jboss.org/picketlink
      • My Blog
        – http://anil-identity.blogspot.com