Identity access and privacy in the new hybrid enterprise slides


Identity, Access & Privacy in the New Hybrid Enterprise featuring Forrester Research, Inc.

Make sense of OAuth, OpenID Connect and UMA

Overview
In the new hybrid enterprise, organizations need to manage business functions that flow across their domain boundaries in all directions: partners accessing internal applications; employees using mobile devices; internal developers mashing up Cloud services; internal business owners working with third-party app developers.

Integration increasingly happens via APIs and native apps, not browsers. Zero Trust is the new starting point for security and access control and it demands Internet scale and technical simplicity – requirements the go-to Web services solutions of the past decade, like SAML and WS-Trust, struggle to solve.

This webinar from Layer 7 Technologies, featuring special guest Eve Maler of Forrester Research, Inc., will:
• Discuss emerging trends for access control inside the enterprise
• Provide a blueprint for understanding adoption considerations

You Will Learn
• Why access control is evolving to support mobile, Cloud and API-based interactions
• How the new standards (OAuth, OpenID Connect and UMA) compare to technologies like SAML
• How to implement OAuth and OpenID Connect, based on case study examples
• Futures around UMA and enterprise-scale API access

Presented by
• Scott Morrison
CTO, Layer 7 Technologies
• Eve Maler
Principal Analyst, Forrester Research, Inc.

Transcript

  • 1. Identity, Access & Privacy in the New Hybrid Enterprise. Scott Morrison, CTO, Layer 7 Technologies; Eve Maler, Principal Analyst, Forrester Research, Inc. May 17, 2012
  • 2. Housekeeping
    - Questions: chat any questions you have and we’ll answer them at the end of this call
    - Today’s event hashtag: #L7webinar
    - Follow us on Twitter: @layer7, @forrester, @xmlgrrl, @kscottmorrison
    - facebook.com/layer7, layer7.com/linkedin, layer7.com/blogs
  • 3. Identity, Access, And Privacy In The New Hybrid Enterprise. Eve Maler, Principal Analyst. May 17, 2012. © 2011 Forrester Research, Inc. Reproduction Prohibited
  • 4. “Sounds awesome – maybe later?” SAML and friends have succeeded in one realm, but the extended enterprise has strained them to the breaking point.
  • 5. Agenda
    - Many enterprises aren’t just extended – they’re over-extended.
    - IAM challenges favor Zero Trust and emerging technologies.
    - Plan for the new “Venn” of access control in the API economy.
    - Learn from your peers: Brandish IT carrots instead of sticks.
  • 6. Steve Yegge’s rant crystallized the challenge: “[Jeff Bezos] issued a mandate that was so out there, so huge and eye-bulgingly ponderous, that it made all of his other mandates look like unsolicited peer bonuses. … ‘1) All teams will henceforth expose their data and functionality through service interfaces.’ … Like anything else big and important in life, Accessibility has an evil twin who, jilted by the unbalanced affection displayed by their parents in their youth, has grown into an equally powerful Arch-Nemesis (yes, there’s more than one nemesis to accessibility) named Security. And boy howdy are the two ever at odds. But I’ll argue that Accessibility is actually more important than Security because dialing Accessibility to zero means you have no product at all, whereas dialing Security to zero can still get you a reasonably successful product such as the Playstation Network.”
  • 7. The extended enterprise requires you to think outside the box (or… get a bigger box)
    - App sourcing and hosting: SaaS apps, apps in public clouds, partner apps, apps in private clouds, on-premises enterprise apps
    - App access channels: enterprise computers, enterprise-issued devices, public computers, personal devices
    - User populations: employees, contractors, partners, members, customers
  • 8. Even social use cases press for better access control with accessibility and agility
  • 9. And yet SAML-based identity federation still reaches mostly large enterprises with deep pockets. Source: October 26, 2011, “OpenID Connect Heralds The ‘Identity Singularity’” Forrester report
  • 10. And loosely coupled SOA security solutions aren’t rushing to fill the gap. Source: January 5, 2009 Forrester report “Web Services Security Specifications: WS-Security Achieves Critical Mass Of User Adoption”
  • 11. Agenda (repeated): Many enterprises aren’t just extended – they’re over-extended. IAM challenges favor Zero Trust and emerging technologies. Plan for the new “Venn” of access control in the API economy. Learn from your peers: Brandish IT carrots instead of sticks.
  • 12. Introducing Zero Trust Identity. In Zero Trust, all interfaces are untrusted. Assume every business and IAM function is “equally far apart,” and treat all traffic among them as untrusted until it proves itself otherwise. Source: September 14, 2010, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security” Forrester report
  • 13. Plan for both inward and outward identity propagation
    - Internal to the organization, the organization serves as an identity server for external business functions: its staff user store and consumer user store are exposed to partners and customers
    - A security token service (STS) handles token issuance, translation, and consumption
    - The organization also serves as an identity client of institutional user stores (staff user store, consumer user store) for functions internal to the organization
    Source: March 22, 2012 “Navigate The Future of IAM” Forrester report
  • 14. Go from IDaaS to “IAM as an API”
    - The business app’s own API determines access control granularity: back-end apps, web apps, mobile apps . . . are each an API client of the business apps and an IAM API client
    - Robustly protect all Internet interfaces, regardless of their sourcing model
    - APIs for authentication, authorization, provisioning . . . on a scale-out IAM infrastructure
    - Applying the API façade pattern to IAM functions
    Source: March 22, 2012 “Navigate The Future of IAM” Forrester report
  • 15. New identity solutions disrupt… but attract. Or: “The good thing about reinventing the wheel is that you can get a round one.”* (*Douglas Crockford, inventor of JavaScript Object Notation (JSON)). Source: tom-margie | CC BY-SA 2.0 | flickr.com
  • 16. Emerging standards for IAM interfaces have an edge over traditional ones for Zero Trust. IAM functionality compared: provisioning; authentication, SSO, federation; authorization, consent, access control; session management, proofing, self service. Established SOA-friendly standards versus emerging web-friendly standards (SCIM, OpenID Connect).
  • 17. Why are these technologies attractive? Security pros’ control diminishes with distance
  • 18. Agenda (repeated): Many enterprises aren’t just extended – they’re over-extended. IAM challenges favor Zero Trust and emerging technologies. Plan for the new “Venn” of access control in the API economy. Learn from your peers: Brandish IT carrots instead of sticks.
  • 19. (Section divider)
  • 20. OAuth magic: let a person delegate constrained access from one app to another
  • 21. OpenID Connect magic: turn SSO into a robust OAuth-protected identity API. The slide compares what OAuth delegated authorization standardizes, what SAML and OpenID SSO standardize, and what OpenID Connect standardizes across five capabilities: initiating the user’s login session; collecting the user’s consent to share attributes; high-security identity tokens (SAML only, versus tokens using JSON Web Tokens); distributed and aggregated claims; session timeout (on the docket)
  • 22. An OpenID Connect killer app: “Street Identity”
    1. Service provider (SP) needs trusted data
    2. Attribute provider (AP) has it
    3. Identity provider (IdP) can broker your permission to provide it
    4. AP can demand a fee from SP for it
    5. Lather, rinse, and repeat for: credit scores; verified email addresses; proofed identities backed by strong authentication…
  • 23. OpenID Connect will dramatically lower the price and complexity bar for all identity federation
    - Already exposing customer identities using a draft OpenID Connect-style API
    - Working to expose workforce identities through OpenID Connect
    - LOB apps and smaller partners can get into the federation game more easily; complex SAML-based solutions will see price pressure over time
  • 24. UMA magic: turn sharing of online access with others into an OAuth-derived “privacy by design” solution
    - Alice-to-Alice, Alice-to-Bob, Alice-to-org… and org-to-org
    - Claims-based and policy-based authorization – not just consent
    - User can impose terms and conditions on requesters – not just accept terms
    - Centralizable authorization function – not just point-to-point
  • 25. Killer apps for UMA
    - UMAnized Street Identity: centralized management and policy-driven sharing of addresses etc. with anyone
    - APIified access management: direct control and auditing of all employee SaaS access
    - Zero Trust B2B2C privacy: telco allows location sharing today – and health record sharing tomorrow
    (Diagram labels: IdP, AP, PEP, RS, PDP, AS, RP, client, requester)
  • 26. Agenda (repeated): Many enterprises aren’t just extended – they’re over-extended. IAM challenges favor Zero Trust and emerging technologies. Plan for the new “Venn” of access control in the API economy. Learn from your peers: Brandish IT carrots instead of sticks.
  • 27. One research organization’s experience with emerging IAM technologies for “Enterprise 2.0”
    Objectives:
    - Unified authentication and authorization flows for all protected resources
    - Serve internal and external users alike, using internal and external apps
    - Remove friction and risk in getting all new internal apps to federate
    - Enable brokered distributed attribute provisioning
    - Enable use by people with pre-proofed high-quality credentials
    Approach:
    - IdP proxy from internal SAML SSO systems
    - Leverage OpenID (and soon OpenID Connect)
    - “Graylist” approach: users take responsibility for dynamic external service provider choices – organization is in charge of whitelists and blacklists
    - Devs partnered with IT from the beginning – rationale that worked: “Ad hoc login creation is worse”
  • 28. Its architecture (diagram labels: External OP, Database, DMZ, Corporate Firewall, Intranet, User Data, Two-Factor Signon, Internal OP, Corporate SSO)
  • 29. Its results
    - New internal apps federate “by default” even if they’re in the long tail
    - IT gets a level of comfort by operating production-quality servers itself
    - Dynamic associations with external apps are auditable
    - While they prefer OAuth-based tech, OpenID 2.0 has become legacy already!
    - Not enough external SaaS providers are enabling standardized inbound SSO
  • 30. Drawing lessons from this experience
    - Low-usage internal apps aren’t necessarily low-sensitivity apps; protect them by reducing friction
    - For extranet apps and APIs, think light weight, particularly for partners with unsophisticated IT
    - Expect protocol discussions to reflect partner power relationships
    - Bet on “reach” vs. “rich” – in distributed computing, it always wins in the end
  • 31. Scott Morrison, CTO, Layer 7 Technologies
  • 32. The Old Enterprise: formal and structured security & connectivity
    - VPNs & proprietary protocols for thick clients
    - HTTP(S) for browsers
    - SOAP+WS-* for B2B
    (Diagram labels: line of business servers, firewall, VPN, enterprise network, road warriors with VPN, SSL, WS-S, browser, formal clients, trading partners)
  • 33. The New Hybrid Enterprise: highly agile security & connectivity – REST, OAuth, OpenID Connect, UMA; informal, API-driven integrations (Diagram labels: line of business servers, firewall, enterprise network, mobile devices, clouds)
  • 34. The Hybrid Enterprise Made Possible By APIs. An API is a RESTful service (Diagram labels: API server, mobile app, web client, web app)
  • 35. For example: GET http://services.layer7.com/staff/Scott
  • 36. For example, the response to http://services.layer7.com/staff/Scott (the slide’s curly quotes replaced with plain ASCII quotes so the document parses as JSON):
    {
      "firstName": "Scott",
      "lastName": "Morrison",
      "title": "CTO",
      "address": {
        "streetAddress": "405-1100 Melville",
        "city": "Vancouver",
        "prov": "BC",
        "postalCode": "V6E 4A6"
      },
      "phoneNumber": [
        { "type": "office", "number": "605 681-9377" },
        { "type": "home", "number": "604 555-4567" }
      ]
    }
  • 37. Why Zero Trust? Source: http://www.yurock.net/santa-getting-arrested/
  • 38. A Sensible Response. Source: http://skreened.com/impossiblethings6/keep-calm-trust-no-one
  • 39. Or Better Yet: … AND USE OAUTH, OPENID CONNECT & UMA
  • 40. What Do These Do?
    - OAuth: to get access to an API.
    - OpenID Connect: to share information about users.
    - UMA: to give a user the power to control how their attributes are shared.
  • 41. Priority #1: OAuth – make it easy; make it scale
  • 42. How to Make OAuth Easy
    - Simple, drop-in virtual or hardware gateway
    - Acts as both Authorization Server (AS) and Resource Server (RS)
    - Advanced security on all APIs: threat detection, audit, QoS management, etc.
    - All authorization grants: authorization code; implicit; resource owner password credentials; client credentials
    (Diagram labels: SecureSpan Gateway protecting RS, protected resource, directory, firewall, enterprise network, SecureSpan Gateway as AS, mobile devices, clouds, webapps, etc.; informal, API-driven integrations)
  • 43. How Easy?
  • 44. How Easy?
  • 45. How Easy?
  • 46. How to Make OAuth Web Scale (diagram labels): secure zone – protected resource, SecureSpan Gateway cluster as RS, Firewall 2; DMZ – Firewall 1, Directory, SecureSpan Gateway as Secure Token Store, SecureSpan Gateway cluster as AS
  • 47. How to Make OAuth Scale – Architecture. The resource provider spans the internal (secure) network, the DMZ and the Internet:
    - Resource Server / API Proxy Server – accessed when a client requests resources: who is asking? which API? what scope? is the token valid? etc.
    - Authorization Server – accessed when a client requests user authorization and tokens: prove who you are; authorize entitlement; etc.
    - Token Server / Token Store – create; check; expire; revoke; etc.
    - OVP client store; IDMS accessible through an LDAP query
    - Endpoints accessible through an API; endpoints accessible through the OAuth protocol API
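The checks on slide 47 can be made concrete. The following is an added example, not Layer 7 product code and not part of the webinar: a minimal in-memory model of the Token Server / Token Store (create, check, expire, revoke) and of the API-proxy decision in front of the resource server, which has to answer “who is asking, which API, what scope, is the token valid?” before letting a request through. The client names, scopes, route table and injectable clock are constructed assumptions; only a hash of each token is kept at rest, so a leaked store does not yield usable bearer tokens.

```python
# Added example (not Layer 7's or the webinar's own code): token store plus API-proxy check
# for the OAuth resource-provider architecture on slide 47. All names, scopes and routes are
# constructed assumptions.
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    client_id: str        # which registered client holds the token ("who is asking")
    subject: str          # which resource owner authorised it
    scopes: frozenset     # scopes granted at authorisation time
    expires_at: float     # absolute expiry, seconds since the epoch
    revoked: bool = False


class TokenStore:
    """Create / check / expire / revoke, as on the slide's Token Server box."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested deterministically
        self._records = {}         # sha256(token) -> TokenRecord; the raw token is never stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, client_id, subject, scopes, ttl_seconds=3600):
        token = secrets.token_urlsafe(32)          # unguessable opaque bearer token
        self._records[self._key(token)] = TokenRecord(
            client_id, subject, frozenset(scopes), self._clock() + ttl_seconds)
        return token

    def check(self, token):
        """Return the record if the token is known, unexpired and unrevoked, else None."""
        rec = self._records.get(self._key(token))
        if rec is None or rec.revoked or self._clock() >= rec.expires_at:
            return None
        return rec

    def revoke(self, token):
        rec = self._records.get(self._key(token))
        if rec is not None:
            rec.revoked = True

    def expire_stale(self):
        """Purge expired records so the store does not grow without bound; returns the count."""
        now = self._clock()
        stale = [k for k, r in self._records.items() if now >= r.expires_at]
        for k in stale:
            del self._records[k]
        return len(stale)


# Constructed route table: the scope each API requires ("which API? what scope?").
API_SCOPES = {"/staff": "staff.read", "/staff/update": "staff.write"}


def authorize_request(store, authorization_header, api_path):
    """API-proxy decision for one request. Returns (allowed, reason, record)."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return False, "missing bearer token", None
    rec = store.check(authorization_header[len("Bearer "):])
    if rec is None:
        # One message for unknown, expired and revoked tokens: the caller learns nothing extra.
        return False, "token invalid, expired or revoked", None
    required = API_SCOPES.get(api_path)
    if required is None:
        return False, "unknown API", rec
    if required not in rec.scopes:
        return False, "scope " + required + " not granted", rec
    return True, "ok", rec


if __name__ == "__main__":
    store = TokenStore()
    tok = store.create("mobile-app", "scott", ["staff.read"], ttl_seconds=60)
    print(authorize_request(store, "Bearer " + tok, "/staff")[:2])          # (True, 'ok')
    print(authorize_request(store, "Bearer " + tok, "/staff/update")[:2])   # (False, 'scope staff.write not granted')
    store.revoke(tok)
    print(authorize_request(store, "Bearer " + tok, "/staff")[:2])          # (False, 'token invalid, expired or revoked')
```

The proxy never consults the directory or the IDMS directly: everything it needs to decide was bound to the token when the authorization server issued it, which is what lets the resource-server tier scale out independently of the token tier.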
  • 48. Priority #2: Introduce OpenID Connect. Same resource-provider layout (internal secure network, DMZ, Internet):
    - Core: provide ID token; provide access token
    - CheckID: validate and return claims
    - UserInfo: get attributes (e.g. family_name, picture, gender, birthdate, etc.)
    - Optional SessionMgmt: 1. refresh endpoint; 2. end session endpoint
    - Optional DynamicReg; Discovery
    - OVP client store; token store; IDMS accessible through an LDAP query; endpoints accessible through an API; endpoints accessible to outside clients
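The “validate and return claims” step on slide 48 is where a relying party decides whether to trust an ID token at all. The following is an added example, not Layer 7’s, the OpenID Foundation’s or the webinar’s own code: it issues a compact JWT, validates it the way a client should (signature, issuer, audience, expiry, nonce) and then serves a UserInfo response that releases the slide’s attributes only when the profile scope was granted. To run self-contained, the token is HMAC-signed (HS256) with a key shared by a constructed issuer and client; a production OP would normally sign with RS256 and the client would verify against the OP’s published public key. Issuer, client id, key, nonce, timestamps and the attribute record are all constructed.

```python
# Added example (not Layer 7's or the OpenID Foundation's code): ID token issue/validate and a
# scope-filtered UserInfo response. HS256 with a constructed shared key stands in for the OP's
# signature; everything else named here is a constructed assumption.
import base64
import hashlib
import hmac
import json
import time


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims, key):
    """Stand-in for the OP 'Core' endpoint: serialise claims as a compact HS256 JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token, key, expected_issuer, client_id, expected_nonce, now=None):
    """Relying-party check ('validate and return claims'). Returns (claims, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return None, "malformed token"
    # Accept only the algorithm this client was configured for; the token never gets to choose.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected_sig = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "token not intended for this client"
    if now >= claims.get("exp", 0):
        return None, "token expired"
    if claims.get("nonce") != expected_nonce:        # binds the token to this login request
        return None, "nonce mismatch"
    return claims, "ok"


# Attributes the slide lists; UserInfo releases them only when the 'profile' scope was granted.
PROFILE_ATTRIBUTES = ("family_name", "picture", "gender", "birthdate")


def userinfo(subject_record, granted_scopes):
    """Stand-in for the UserInfo endpoint: release only what the granted scopes permit."""
    response = {"sub": subject_record["sub"]}
    if "profile" in granted_scopes:
        response.update({k: v for k, v in subject_record.items() if k in PROFILE_ATTRIBUTES})
    return response


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    token = issue_id_token({"iss": "https://op.example.test", "sub": "scott", "aud": "api-client",
                            "iat": 1000, "exp": 2000, "nonce": "n-1"}, key)
    print(validate_id_token(token, key, "https://op.example.test", "api-client", "n-1", now=1500)[1])  # ok
    print(validate_id_token(token, key, "https://op.example.test", "api-client", "n-1", now=2000)[1])  # token expired
```

The order of the checks matters: the signature is verified before any claim is read, so issuer, audience and nonce decisions are only ever made on authenticated data, and the algorithm is pinned by the client rather than taken from the token header.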
  • 49. Summary
    - Implement OAuth now! Don’t roll your own; plan for failure; plan for scale
    - Plan for OpenID Connect: understand what you need to share; look to integration with existing identity providers
    - Keep a very close eye on UMA: this is the missing piece in the puzzle; maturing very fast
  • 50. Questions? Scott Morrison, CTO, Layer 7 Technologies, smorrison@layer7.com; Eve Maler, Principal Analyst, Forrester Research, Inc., emaler@forrester.com