Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

2019 | Cloud Native Customer Identity and Access Management | Identiverse | Day 4, June 28

277 views

Published on

As businesses drives digital transformation and strives to support new business models, Customer Identity and Access Management is transforming to be a critical component to marketing, customer success and product strategies. In addition, the security and privacy landscape are driving new requirements and capabilities. Ideal vs reality – what we learned and learning in our journey.
• What we learned and still learning deploying Ping Directory, open source, and custom component cloud native (microservices and containers) and in a hybrid cloud.
• What is the security and privacy capabilities we are building to meet the new demands of GDPR, FedRamp, etc.
• What capabilities are needed to support digital transformation and new business models (Subscription, Everything as a Service). Opportunities for the industry.

Published in: Technology
  • Be the first to comment

2019 | Cloud Native Customer Identity and Access Management | Identiverse | Day 4, June 28

  1. 1. ® CLOUD NATIVE CUSTOMER IDENTITY AND ACCESS MANAGEMENT (CIAM) WHAT WE LEARNED AND STILL LEARNING IMPLEMENTING CISCO ONEID
  2. 2. ® Agenda 1 2 3 4 5 Our CIAM Journey Business Opportunities and Challenges Architecture Learnings Ping Directory Cloud Native Learnings 6 Opportunities for the Industry
  3. 3. ® Speaker Info • Kristina Williams, Sr. Manager, Cisco Systems Email: kriswill@cisco.com Twitter: @kristinaswill LinkedIn: linkedin.com/in/kswilliams07 • Dileep Gorrepati, Cloud & Platform Architect, Cisco Systems Email: pgorrepa@cisco.com • Makesh Rao, IT Architect, Cisco Systems Email: marao@cisco.com
  4. 4. ® Our CIAM Journey • Strategy Phase -- 6 months: Business case and strategy • Execution – Year 1: Implemented Cloud Native IDaaS using Ping Directory on OpenShift/Kubernetes & Docker • Execution – Year 2: Brownfield migration of legacy CIAM supporting Cisco.com • Execution – Year 3: Scaling for adopters, Hybrid Cloud, Risk & Compliance Strategy Phase Greenfield Platform and Capability Build 6 Months Year 1 Year 2 Year 3 Brownfield migration and Capability Build Scaling, Hybrid Cloud and Capability Build
  5. 5. ® CIAM Business Opportunities and Challenges
  6. 6. ® Customer Identity and Access Management (CIAM): The Actors Internal Administrators External Users Machine Accounts Employees Contractors Bots Service Accounts Guests, Customers, Partners Suppliers IOT
  7. 7. ® CIAM: Know Your Customer Content Browsing, Events Quotes, Trainings, Certifications, Trial Activations Technical Support, Professional Services, Returns I'm Aware I Shop I Buy I Use I Need Support Purchasing, Account Renewals Setup, Licensing, Product & Service Use The IDENTITY CRISIS: Fragmented Identity Systems – We need to know the use throughout their interactions with us!
  8. 8. ® CIAM: The Opportunities Customers want convenient, omni-channel, personalized and secure experiences. Select Evaluate Need Renew Adopt Onboard Implement Use Purchase Recommend Advocate Customer Optimize Engage 73% 52% 16% Good experience is key to their brand loyalty. They would spend more for a fast and efficient customer experience. Price premium for excellent customer experience. source: https://www.pwc.com/future-of-cx
  9. 9. ® CIAM: The Opportunities Business Enabler: Unified View of the Customer “Companies that want to provide truly transformative customer experiences need customer data that is real-time, intelligent, and predictive, … enterprises focused on building a seamless flow of connected customer data – behavioral, transactional, financial, operational, and more – to get a true end-to-end view of their customer for immediate actionability" The 5 Biggest Marketing Trends For 2019 1. Data-driven creativity and intelligence will be a strategic differentiator in customer experience 2. Seamless experiences across different channels and platforms. 3. Personalization: connecting content & data - ethically 4. Account-based marketing in B2B. Tightening alignment between marketing and sales. 5. Experience business 2.0: The next steps in digital transformation source: https://www.cmo.com/features/articles/2018/12/12/the-5-biggest-marketing-trends-for-2019.html#gs.jxz8dk
  10. 10. ® CIAM Architecture
  11. 11. ® CIAM: Architecture Drivers Resiliency Agility PortabilitySecurity IDaaS For Products & Services Compliance
  12. 12. ® CIAM: Architecture React / Redux UI Apps API Gateway LDAP NoSQL RDBMS Stateless Services Profile Stateful Services Credentials Invitation Registration Consent Discovery Federation Authentication Authorization Session Cache Service Registry & Discovery Key Management Configuration Mgmt App Runtime Services Logging Metrics Tracing Observability Services Build Automation Automated Testing Security Testing CI /CD Container Registry Container Orchestration Infrastructure Services Monitoring Data Stores
  13. 13. ® Twelve Factor App Principles 1. Codebase One codebase tracked in revision control, many deploys 2. Dependencies Explicitly declare and isolate dependencies. Never rely on implicit existence of system-wide packages. 3. Configurations Store config in environment variables. Maintain strict separation of config from code. 4. Backing Services Treat backing services as attached resources. Make no distinction between local and third party services. 5. Build, release, run Strictly separate build and run stages. Strict separation between the build, release, and run stages. 6. Stateless Processes Execute the app as one or more stateless processes. Processes are stateless and share nothing. Any data that needs to persist must be stored in a stateful backing service, typically a database. 7. Port Binding Export services via port binding. App is completely self- contained and does not rely on runtime injection of a webserver into the execution environment to create a web-facing service. 8. Concurrency Scale out via the Unix process model 9. Disposability Maximize robustness with fast startup and graceful shutdown. Processes are disposable, meaning they can be started or stopped at moment’s notice. 10. Development & Production Parity Keep development, staging, and production as similar as possible. App is designed for continuous deployment by keeping that gap between development and production small. 11. Logs Treat logs as event streams. App never concerns itself with routing or storage of its output stream. 12. Admin Processes Run admin/management tasks as one-off processes. One-off admin processes should be run in an identical environment as the regular long-running processes of the app. Admin code must ship with the application code to avoid synchronization issues source: https://12factor.net/
  14. 14. ® Our Learnings on CIAM and Cloud-Native Implementations
  15. 15. ® Migration Learnings: Brownfield Migration • Data migration • Inactive users • Just-In-Time for real time migrations • Custom data sync • Synchronize updates made to legacy store • Decomposing into microservices • Profile state is assumed on synchronous rule execution • Re-wiring existing tools with microservices integration • Multi-tenancy • Webfinger to enable applications to discover the users’ tenancy • Applications need to know about tenancy context
  16. 16. ® Functional Learnings • Varying risk appetite based on IDP • Identity broker chaining • Attribute store • User Lifecycle Management: Users changing companies; company mergers and divestitures • Merging personal and professional profile (e.g. certifications) • 100% identity federation is far fetch goal • Delegated administration • Customers • Partner models • Adapting to evolving business models
  17. 17. ® Technical Learnings: Docker Image • Standardized base images • Smaller image • Versioning and tagging • Image version / Artifact version / Service (API) version • One process per container • Debugging tools • Content trust • Image vulnerability scanning
  18. 18. ® Technical Learnings : Java • Java SE < 8.u212 is not container aware • Out of Memory (OOM) killer • Slow bootup time • Modular JDK
  19. 19. ® Technical Learnings: Databases in Containers • Database deployment models (master slave vs multi master vs quorum ) • Mutable instances (StatefulSets) • No static IPs • Volumes are local to availability zones • Node affinity / anti-affinity • Rolling updates / Upgrades of versions • Database clustering across Kubernetes clusters
  20. 20. ® Technical Learnings: Observability • Tracing • Across microservices • Across custom code vs Off the shelf products • Tracing in multithreaded apps • Monitoring • Pull vs Push • Service determines its health check needs • Circuit breaker
  21. 21. ® Technical Learnings: Development Practices • Local Env (Mock Services / proxy service / Native IDE) • Config management • Peer review • Branching, versioning and tagging strategies • Developers should build the containers
  22. 22. ® Technical Learnings: Hybrid Cloud • Data sharding & traffic shaping – compliance, resiliency • No change to application stack • Choosing the platform • PaaS management layer • Single pane of glass for observability across clouds • Security : IAM, WAF, DDOS, IDS, IPS • Path from Hybrid to Multi-cloud
  23. 23. ® Ping Directory Cloud Native Learnings
  24. 24. ® Setup / Deployment Learnings • Utilizing Ping Directory’s extensive configuration commands (dsconfig), we group configuration into files that are executed/loaded in steps by custom Python installation scripts • Ping Directory image is built once. Lifecycle parameters are pass via service discovery and secrets store. • Only backup backend-dataset • Sharding based on region across data centers • Robust health check/alert system and defined failure recovery process is the key to minimize impacts
  25. 25. ® Configuration Learnings • Use secret store to maintain admin passwords • PLUGINS are great way to provide extra functionalities, which can be still bundled as part of the system, yet does not require extensive development or a separate system to implement Example: Custom login handler from user migration Custom attribute copier
  26. 26. ® Challenges • System upgrade requires lots of testing because of the customization • Bigger the topology, the more effort to upgrade/make changes to configurations • Need to understand combination of Ping Directory commands to manage your processes • Not all Ping Directory processes are automated
  27. 27. ® CIAM Opportunities for the Industry
  28. 28. ® CIAM: Opportunities for the Industry • Multi-tenancy • Delegated admin (partner models) • IOT, Bots, APIs, … • Privacy and consent • Standardized data and tagging to aid analytics
  29. 29. ®

×