Steven Lewis, Advanced Systems Engineering Corporation (ASEC)

Real-world contextual use case scenarios and the associated token standards, specifications, and integration approach to implement interoperable trust chains and identity propagation within and across operating environments.
2. What we learned: Trusted Identities

• Trust starts with the user
• Trust must continue through service chaining
• Context for run-time access control
• Fully supported standards and interoperability
• Web SSO, SAML2, OAuth2, OpenID Connect, WS-Trust, JWT
• Support for both RESTful and SOAP services

[Diagram: "Without STS", every Web Service Client and Provider creates and uses non-standard "Trust" tokens; "With STS", the STS handles all security token processing.]
3. Extending use of Secure Token Services (STS)

• Significant flexibility to our web applications
  – Separates the authentication from the application/services
• Provides the ability to support single or multi-factor authentication external to the application
  – Acts as an authentication bridge between applications that require dual hosting in public- and internal-facing environments
• Provides federated attributes to our enterprise directories for use within desktop
  – Connects our provisioning services to the token services
• Needed for authorization services
  – Enables authorization services to derive a complete context of the person and non-person entities, and services requesting data
7. Access Control: A Top Ten List of Red Herrings

Copyright (c) 2014 by nMed LLC. All Rights Reserved.
8. 1. Discover the Silver Bullet

We'll Never "Arrive"
9. 2. Add More Until Finally Secure
10. 3. Solve at the Point of Vulnerability

8/4/14
11. 4. Let IT Manage Security

1. Mission ascends
2. Heat rises
3. Wax melts
4. Feathers detach
5. Operation aborts
6. World watches
12. 5. A Friendly GUI is Nice to Have

"Dude! It's ALL about the Interface!"
13. 6. "Policy is Software. Not my bag!"

• Information Security Officer
• Privacy Officer
• Risk Management Officer
• Privacy Manager
• Security Analyst
• Compliance & Risk
14. 7. Policy = Software

Doré's Confusio Linguarum*

* "I dunno. Ask the Legal Department."

. . . and moreover, we believe, Natural Language
15. 8. Access Control = Subject + Resource + Action.
16. 9. ABAC Product is The Answer
17. 10. Oh yeah. Gotta think about Audit.
19. Use Case 1: Externalize Authentication

• Stand up an external application that can support the use of an External STS
• Provide the ability for future integration to support service chaining

[Diagram components: External Application; External STS; SAML; Attributes Providers; Other Application Partners; Data Exchanges]
20. Use Case 2: Re-platforming of Application

• Rehost "External Application" supporting IWA Authentication but also still provide attributes that were required from External Network
• Prepare for future integration to receive data from "External Application"

[Diagram components: Internal Application; External STS; Internal STS; External Trust; Attributes Providers; X.509 Attribute Sharing Profile; SAML]
21. Use Case 2b: Data Exchanges

• Enable "Internal" and "External" application interconnect services via service chaining

[Diagram components: Internal Application; External STS; Internal STS; External Trust; Attributes Providers; X.509 Attribute Sharing Profile; SAML; External Application; SAML; Other Application Partners; Data Exchanges; Data Exchanges]
22. Use Case 3: Provisioning

• Stand up External Attribute Provisioning Service to retrieve External Network Attribute Provider data for use on Internal Network

[Diagram components: External STS; Internal STS; External Trust; Attributes Providers; External Attribute Provisioning; X.509 Attribute Sharing Profile]
23. Use Case 4: Desktop Claims

• Leverage the external attributes provided for authorization services on desktop

[Diagram components: File Services; Kerberos; Desktop; DAC]
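Red herring 8 ("Access Control = Subject + Resource + Action") and red herring 10 ("Gotta think about Audit") are two sides of the same design point, and this use case is where it lands: the federated attributes provisioned in Use Case 3 only pay off if the desktop-side decision also takes run-time context into account and writes down why it decided what it did. The following Python is an added example, not code from the deck, from ASEC or from nMed. The rules, the attribute names (employeeType, clearance, classification) and the context fields (network, auth_strength) are constructed for illustration; the combining logic is the common deny-overrides with default deny.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    subject: dict    # claims about the caller, e.g. from the STS token or the desktop logon
    resource: dict   # attributes of the thing being accessed
    action: str
    context: dict    # environment at decision time: network, auth strength, ...


# Policy as software (constructed example rules): each rule is a plain function that
# returns "permit", "deny" or None (not applicable). Rules that live in code are
# version-controlled, reviewable and unit-testable like everything else that ships.
def rule_block_external_restricted(req):
    """Restricted data is never served to a caller arriving over the external network."""
    if (req.resource.get("classification") == "restricted"
            and req.context.get("network") == "external"):
        return "deny"
    return None


def rule_internal_read(req):
    """Employees (a federated attribute) may read internal data from the internal network."""
    if (req.action == "read"
            and req.resource.get("classification") == "internal"
            and req.subject.get("employeeType") == "employee"
            and req.context.get("network") == "internal"):
        return "permit"
    return None


def rule_restricted_needs_mfa(req):
    """Restricted data needs matching clearance AND a multi-factor session."""
    if (req.resource.get("classification") == "restricted"
            and req.subject.get("clearance") == "restricted"
            and req.context.get("auth_strength") == "mfa"):
        return "permit"
    return None


POLICY = [rule_block_external_restricted, rule_internal_read, rule_restricted_needs_mfa]


def decide(req, audit_log, policy=POLICY):
    """Deny-overrides combining with default deny. Every decision, including the ones no
    rule matched, is appended to audit_log with enough detail to reconstruct it later."""
    results = {rule.__name__: rule(req) for rule in policy}
    applicable = {name: r for name, r in results.items() if r is not None}
    if "deny" in applicable.values():
        decision = "deny"
    elif "permit" in applicable.values():
        decision = "permit"
    else:
        decision = "deny"  # nothing applied: default deny, not default allow
    audit_log.append({
        "subject": req.subject.get("id"),
        "action": req.action,
        "resource": req.resource.get("id"),
        "context": req.context,
        "decision": decision,
        "matched_rules": sorted(applicable),
    })
    return decision


def audit_as_jsonl(audit_log):
    """One JSON object per line, the shape most log pipelines ingest directly."""
    return "\n".join(json.dumps(entry, sort_keys=True) for entry in audit_log)
```

The same subject asking for the same resource with the same action gets different answers depending on the network and the strength of the session, which is exactly what the three-term model cannot express; and because the audit record is produced inside `decide` rather than bolted on by the caller, there is no code path that makes a decision without leaving a trace.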