CIS14: Lean In: Enterprise Cloud Identity


Mark Diodati, Ping Identity
An exploration of three specific trends—the inevitability of adaptive identity (and its impact on APIs), requirements for enterprise-grade IDaaS, and the great challenges of hybrid identity governance—along with recommendations for enterprises that are leaning into modern identity


  1. Nimble: Rethinking Enterprise Cloud Identity (session). Mark Diodati, Lean In: Enterprise Cloud Identity (@mark_diodati). Laura E. Hunter, Zen and the Art of Enterprise Authentication (@adfskitteh). John Tolbert, Is the Cloud Ready for Enterprise Identity and Security Requirements?
  2. Lean In: Enterprise Cloud Identity. Mark Diodati, Mon 14-07-21, @mark_diodati
  3. Enterprises are leaning in to address cloud identity challenges.
  4. Leaning in: cloud identity management (IDaaS). • The constituencies-to-applications problem • Inability to provide identity services for most applications
  5. Leaning in: cloud IGA. • Expansion and complexity of the "who" and the "what" • (Im)maturity of cloud applications and platforms
  7. Why cloud IAM? • IAM requirements for apps in the cloud: corporate apps (email and office), CRM • IAM services are not necessarily in the cloud • Desire for IDaaS (identity management as a service) • The SaaS application model is disrupting IAM vendors • Turnkey (faster time to value)
  8. Cloud identity components: the identity bridge. • Bi-directional on-premises gateway • Translates on-premises "1.0" identity protocols to cloud "2.0" protocols • Essential for most enterprises
  9. [Diagram: identity bridge, to the cloud. On-premises: directory (LDAP), Kerberos, X.509, directory sync. Hosted: federation IDP providing SSO and provisioning (REST) to the SaaS application.]
  10. [Diagram: identity bridge, from the cloud. Hosted: SAML SP, STS, OAuth RS and AS, OpenID Provider, serving partners and their applications. On-premises: application protected by a WAM cookie.]
  11. Cloud identity components: IDaaS. • Identity Management as a Service • Externally hosted, turnkey SaaS • Frequently used with an identity bridge
  12. IDaaS market trends. • More IaaS and PaaS vendors are moving into IDaaS (Salesforce, Microsoft) • AWS is evolving towards externalized identity
  13. IDaaS market trends. • Mobile authentication vendors will be absorbed into IDaaS • Completes the IDaaS offering; has become, or will become, table stakes • MFA has diminished value without other identity services
  14. [Diagram: IDaaS sub-market convergence. Converging sub-markets: provisioning/governance, SSO/authentication, directory. Capabilities: provisioning, access certification, separation of duties, administrative scoping and delegation, self-service, user management, password vaulting, federation, multi-factor authentication, directory sync, cloud directory.]
  15. [Diagram: IDaaS. The user authenticates to the hosted IDaaS; the IDaaS provides provisioning and SSO to the SaaS application.]
  16. [Diagram: IDaaS with an internal directory. The user authenticates against the on-premises directory; the IDaaS provides provisioning and SSO to the SaaS application.]
  17. [Diagram: IDaaS with a single directory (AD). On-premises Active Directory with directory sync to the IDaaS and Kerberos authentication; the IDaaS provides provisioning and SSO to the SaaS application.]
  18. [Diagram: IDaaS with a single directory (Google). The directory is either synced to the IDaaS or used as its runtime store; the IDaaS provides authentication, provisioning and SSO to the SaaS application.]
  19. [Diagram: IDaaS with many-to-many directories. You, partners and developers each bring their own directory; the IDaaS applies a central access policy.]
  20. [Diagram: enterprise-grade IDaaS. Hosted IDaaS connected through an identity bridge to on-premises WAM and applications, to an app running on EC2, and to the SaaS application.]
  21. CLOUD IGA
  22. IGA: a wealth of talents. Provisioning, self-service, access certification, separation of duties, role management, entitlement management.
  23. "An entitlement is a system object that can be granted to enable a user to perform some set of actions in an application." Burton Group, 2009
  24. Expansion of who. Constituencies: employees, contractors, partners, consumers. Identity stores: on-premises (LDAP, Active Directory, HR) and somewhere else (LDAP, Active Directory, Facebook).
  25. Complexity of who: governance complexity, and "un-control" over identity.
  26. Expansion of what. Applications by accessibility: good (Active Directory, WAM, SharePoint, ERP); maturing (SaaS application, IaaS platform).
  27. Complexity of what: governance complexity, and "un-control" over applications.
  28. The good ole days of IGA ;-) [Diagram: on-premises IGA covering entitlement management, access certification, SoD and role management.]
  29. Reminder: SSO to the cloud. [Diagram: on-premises directory (LDAP), Kerberos, X.509 and directory sync; hosted federation IDP providing SSO and provisioning (REST) to the SaaS application.]
  30. Cloud SSO: entitlement management. [Diagram: on-premises IGA manages entitlements in the identity store; the federation IDP reads them and asserts them to the SaaS application.]
  31. SSO to the cloud: the entitlement view. The CRM LDAP group and an LDAP attribute (IS_CRM_MGR) live in the on-premises identity store. The federation IDP maps the LDAP group and attribute(s) to a SaaS profile, CRM_MANAGER. The CRM_MANAGER profile has access to the SaaS application and to specific transactions within it. Coarse to fine: membership of the CRM LDAP group grants access to the SaaS app; the IS_CRM_MGR attribute selects the manager profile and its transactions.
  32. Evolution of cloud IGA: quality of governance rises with component maturity, from the identity store (AD/LDAP groups), to entitlements at the federation IDP, to SaaS/IaaS entitlements, to federation and SaaS activity logs.
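The coarse-to-fine chain on slide 31 (LDAP group and attribute, federation IDP mapping, SaaS profile, transactions) and the governance question slide 32 raises (who can actually do what in the SaaS app?) can be made concrete. The following is an added example, not code from the talk or from Ping Identity: it models the IDP's attribute mapping as a plain function, derives each user's effective SaaS transactions end to end, and computes the reverse "who can run this transaction" view an access certifier needs. The directory entries, the CRM_USER default profile, the transaction names and the group DN are constructed assumptions; a real IDP would emit a signed SAML assertion rather than a dict.

```python
"""Coarse-to-fine entitlement mapping through a federation IDP.

Added example (not from the slides): LDAP group/attribute -> attributes the
federation IDP asserts -> SaaS profile -> permitted transactions, plus the
reverse "who can run this transaction" view used for access certification.
Directory entries, the CRM_USER profile, transaction names and the group DN
are constructed for illustration; the federation step is a plain dict, not a
real SAML assertion.
"""
from typing import Optional

CRM_GROUP = "cn=CRM,ou=groups,dc=example,dc=com"  # coarse gate: who may use the app
MANAGER_ATTR = "IS_CRM_MGR"                       # fine grain: who gets the manager profile

# Constructed LDAP-style entries: uid -> memberOf list and attributes
DIRECTORY = {
    "alice": {"memberOf": [CRM_GROUP], MANAGER_ATTR: "TRUE"},
    "bob":   {"memberOf": [CRM_GROUP]},
    # Stale attribute: carol left the CRM group but still carries IS_CRM_MGR
    "carol": {"memberOf": [], MANAGER_ATTR: "TRUE"},
}

# SaaS side: profile -> transactions. CRM_MANAGER is from the slide;
# CRM_USER is an assumed default profile for plain group members.
SAAS_PROFILES = {
    "CRM_MANAGER": {"view_accounts", "edit_accounts", "approve_discount"},
    "CRM_USER": {"view_accounts"},
}


def build_assertion(uid: str) -> Optional[dict]:
    """Federation IDP attribute mapping for one user.

    Returns the attributes the IDP would assert to the SaaS SP, or None when
    the user fails the coarse gate (not in the CRM group). No assertion is
    issued at all in that case, whatever fine-grained attributes the entry
    still carries, so a stale IS_CRM_MGR cannot grant access on its own.
    """
    entry = DIRECTORY.get(uid)
    if entry is None or CRM_GROUP not in entry.get("memberOf", []):
        return None
    profile = "CRM_MANAGER" if entry.get(MANAGER_ATTR) == "TRUE" else "CRM_USER"
    return {"NameID": uid, "profile": profile}


def effective_entitlements(uid: str) -> set:
    """Transactions the SaaS app would let this user run, derived end to end."""
    assertion = build_assertion(uid)
    if assertion is None:
        return set()
    return set(SAAS_PROFILES.get(assertion["profile"], set()))


def certify(transaction: str) -> set:
    """Reverse view for access certification: who can run this transaction?

    Computed from the directory plus the mapping rules, so the reviewer sees
    SaaS-level entitlements instead of raw LDAP group lists.
    """
    return {uid for uid in DIRECTORY if transaction in effective_entitlements(uid)}


if __name__ == "__main__":
    for uid in DIRECTORY:
        print(uid, build_assertion(uid), sorted(effective_entitlements(uid)))
    print("approve_discount:", sorted(certify("approve_discount")))
```

Note the order of checks in `build_assertion`: the coarse group membership is evaluated before the fine-grained attribute, so the stale IS_CRM_MGR on carol's entry yields nothing. If the IDP mapped the attribute independently of the group, the certification view would have to be reconciled against two sources of truth, which is exactly the governance gap the slides describe.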
  33. RECOMMENDATIONS: the path forward
  34. Recommendations: cloud IAM. • Clarify your vision for modern IAM • Monitor cloud IAM developments: holistic, SaaS-style integration; multi-constituency support; broader application management
  35. Recommendations: cloud IGA. • Understand your IGA requirements before migrating applications to the cloud • Define a transitional IGA strategy for cloud applications • Push your SaaS/IaaS vendors to add entitlement and activity management capabilities