
Entitlements: Taking Control of the Big Data Gold Rush

Andy Forrest, Sr Software Developer, ForgeRock:
Information is the new currency, and as more “things” come online the volume of data will dramatically
increase. Typically, this data is stored in multiple repositories, and different personas have different
levels of access. This session will discuss the challenges of keeping this data, which is often very
personal, secure as well as accessible. How do we manage authorization policies related to this data?
How do we manage entitlements for not only web apps, but also users, devices, and things?

Published in: Technology

  1. Copyright © Identity Summit 2015, all rights reserved. Entitlements: Taking Control of the Big Data Gold Rush. Andy Forrest (@apforrest), andrew.forrest@forgerock.com
  2. “Information is the new currency”
  3. Let’s rewind a little... Subject, Resource, Action, Environment
     • Authentication
     • Authorization
  4. What has a policy looked like? Typically used to protect a web resource: “Can Bob who is part of the admin group see the admin web page?”
  5. Policy solutions
     • ACLs (access control lists) - focused on the subject
     • RBAC (role based access control) - focused on the subject and resource - role explosion
  6. Policy characteristics
     • Coarse grained
     • Allow / deny
     • Inflexible
     • Low volume
     • Minimal performance demand
  7. Common policy architecture (diagram labels: Bob, PEP, Protected resource, PDP, PAP, PIPs)
  8. Common policy architecture (diagram labels: Bob, Policy agent, Protected resource, OpenAM)
  9. What’s next for policy? “Authorization is the new cool kid”
  10. IoT (Internet of Things)
     • Not just web pages
     • Richer relationships
     • Descriptive demand
  11. UMA (User Managed Access)
     • In the hands of the consumer
     • High scale
     • Decoupled
     • Distributed
  12. Some of the buzz
     • ABAC (attribute based access control)
     • XACML (extensible access control markup language)
  13. Future policy characteristics
     • Attribute based
     • Fine grained
     • Entitlements
     • Unknown entities
     • High volume
     • Performance speed
     • Outward facing
  14. What about OpenAM? “We’re the real deal”
  15. OpenAM policy
     • Complete REST API
     • Intuitive UI
     • Organisational structure
     • Expressive rules
     • Contextual authz
     • Rich entitlement decisions
     • Selective evaluation
     • Scaling and replication
     • XACML export/import
  16. Demo
  17. Demo topology (diagram labels: Mobile, Twitter, Raspberry PI, OpenAM, Device 1, Radio Tx, Radio Rx, Device 3, Radio Rx, Device 2, Radio Rx, Web App, Policy)
  18. Performance topology (diagram labels: DJ 1, OpenAM 1, DJ 2, OpenAM 2, Replication, Cross talk, 8 x 3.3GHz, 64GB, 8 x 3.3GHz, 64GB)
  19.
  20. How does OpenAM continue to lead?
     • Continually looking to push performance
     • More fine grained through ABAC
       - generic attribute model
       - application rules
       - nested applications
     • Simplified UIs
  21. “Information is the new currency”
  22. Thank you. Q&A. Andy Forrest (@apforrest), andrew.forrest@forgerock.com
