CIS14: Implementing MITREid
Justin Richer, The MITRE Corporation

A report on MITRE’s MITREid platform, which allows thousands of active users to access hundreds of relying parties inside and outside the company; how and why we built MITREid and why we see the promotion of external identities as an important pattern for enterprise organizations.

1. The story of MITREid
   Justin Richer, The MITRE Corporation
   © 2014 The MITRE Corporation. All rights reserved. Approved for Public Release: Distribution Unlimited (Case Number: 14-1639)
2. The plight of a software developer
   • I build things that people use
   • I want to know who's there
   • What can I do?
3. 1. Make local accounts
4. 1. Make local accounts
5. 1. Make local accounts
6. 2. Use LDAP
7. 2. Use LDAP
8. 3. Use Enterprise SSO
9. 3. Use Enterprise SSO
10. 3. Use Enterprise SSO
    (diagram: Firewall, Intranet, Internet)
11. What to do?
12. Give people a digital identity
13. Let's build something
    • OpenID 2.0 Server
    • Running on corporate IT hardware in corporate IT environment
    • Backed by corporate SSO and user profile information
    • "We do SSO so you don't have to"
14. Why OpenID?
    • Open standard protocol
    • Network-based federation
    • User-driven trust model
    • Simple to use and develop
15. Make it easy for developers: Platform support
    • Libraries:
      – Java
      – PHP
      – Python
      – Javascript
      – Ruby
      – Perl
      – …
    • Platforms & Plugins:
      – Spring Security
      – Elgg
      – Wordpress
      – Mediawiki
      – Omniauth
      – Drupal
      – …
16. Usage Profile: The prototype
    (diagram: Firewall, Intranet, Internet, OpenID Server, SSO)
17. Usage Profile: The external service
    (diagram: Firewall, Intranet, Internet, OpenID Server, SSO)
18. User Profiles: The mobile user
    (diagram: Firewall, Intranet, Internet, OpenID Server, 2FA)
19. The architecture
    (diagram: Firewall, User Profiles, Shared Database, Internal OP, External OP, Intranet, Internet, Two-Factor Authn, Corporate SSO)
20. Runtime security decisions
21. Adoption by the extended enterprise
22. The Long Tail
    (chart axis: 1, 10, 100, 1000, 10000)
23. We didn't even plan this
24. Multiple types of user
25. Moving on from OpenID 2.0
26. Let's build it (again)!
    • OAuth 2.0 and OpenID Connect server
    • OpenID Connect client library
    • Enterprise-friendly features and platform
    • Flexible deployment
    • and...
27. Open Source
28. We're running it ourselves
29. Building the specifications
30. Moving toward federation across the extended enterprise
31. Better security: Separation
    (diagram: OpenID Provider)
32. Delegating services: OAuth
    (diagram: OpenID Provider)
33. Better security: Revocation
34. Easier integration by developers
    (diagram: OpenID Provider)
    • Standard
    • Agile
    • Flexible
    • Distributed
    versus
    • Proprietary
    • Fragile
    • Rigid
    • Centralized
35. Better administration: An abstraction layer
    (diagram: OpenID Provider)
36. Scalable security decisions
    • Whitelist: Trusted partners, business contracts, customer organizations, trust frameworks
    • Graylist: User-based trust decisions; follow Trust on First Use model, keep logs
    • Blacklist: Very bad sites we don't want to deal with, ever
    Organizations decide these (whitelist, blacklist); end-users decide these (graylist)
37. Conclusions
    • Use open standards
    • Give your people digital identities and let them decide where to use them
    • Use federation where possible
38. Questions?
    jricher@mitre.org
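The whitelist / graylist / blacklist scheme of slide 36, together with the per-user revocation of slide 33, as an added Python illustration of the runtime decision an OpenID Provider makes for each relying party (RP). This is not MITREid code; the class names, the audit-log shape and the example site URLs are constructed here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # organization, or a remembered user approval, trusts the RP
    DENY = "deny"          # organization blacklisted the RP, or the user declined it
    ASK_USER = "ask_user"  # graylist, no decision recorded yet: prompt the end user


@dataclass
class TrustPolicy:
    whitelist: set                                 # organizations decide these
    blacklist: set                                 # organizations decide these
    approved: dict = field(default_factory=dict)   # (user, rp) -> first-use time; end users decide
    audit_log: list = field(default_factory=list)  # every decision is recorded ("keep logs")

    def _log(self, user, rp, decision, reason):
        self.audit_log.append({"time": datetime.now(timezone.utc), "user": user,
                               "rp": rp, "decision": decision.value, "reason": reason})
        return decision

    def decide(self, user, rp, user_consents=None):
        """Decide whether user may log in to rp; user_consents answers an earlier ASK_USER prompt."""
        if rp in self.blacklist:                   # the blacklist always wins, even over the whitelist
            return self._log(user, rp, Decision.DENY, "blacklisted by organization")
        if rp in self.whitelist:
            return self._log(user, rp, Decision.ALLOW, "whitelisted by organization")
        key = (user, rp)                           # graylist: trust on first use, remembered per user
        if key in self.approved:
            return self._log(user, rp, Decision.ALLOW, "approved earlier by user")
        if user_consents is None:
            return self._log(user, rp, Decision.ASK_USER, "first use, prompting user")
        if user_consents:
            self.approved[key] = datetime.now(timezone.utc)
            return self._log(user, rp, Decision.ALLOW, "user approved on first use")
        return self._log(user, rp, Decision.DENY, "user declined")

    def revoke(self, user, rp):
        """Withdraw a user's earlier approval; the next visit prompts the user again."""
        if self.approved.pop((user, rp), None) is None:
            return False
        self._log(user, rp, Decision.DENY, "user approval revoked")
        return True


if __name__ == "__main__":  # constructed sample sites, not real MITRE relying parties
    policy = TrustPolicy(whitelist={"https://hr.example.com"}, blacklist={"https://evil.example.net"})
    print(policy.decide("alice", "https://blog.example.org"))  # Decision.ASK_USER
```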