Push, Pull, or Punt - Identity management tug-of-war: Then, Now, and Beyond

Some thoughts on how both push- and pull-based identity architectures have been used in enterprises.


  1. Push, Pull, or Punt?! Identity tug-of-war: then, now & beyond
     Ian Glazer, Research Director, Gartner
     ian.glazer@gartner.com, @iglazer
  2. What are we doing today Push in the Enterprise
  3. Catalog entitlements
  4. Entitlements
     • The highest-order assignable object in a security model
     • Cataloging is more than just names
     • Descriptions and meanings
     • Owners, risk, sensitivity
  5. Group them
  6. Bundles of entitlements
     • Technical roles
     • But that name is losing cachet
     • What has to be assigned to make business function X go?
  7. Build business roles
  8. Roles
     • Multiple attempts to build role models
     • Regular, semi-homogenous orgs work best
     • Don’t try this with development shops
     • No silver bullets have ever or will ever exist
  9. Build (provisioning) policies
  10. 1. Membership
  11. 1. Membership 2. Attributes & Entitlements
  12. Membership Clause
      • Governs eligibility
      • Can be static
        • Membership in business role
      • Can be dynamic
        • (orgUnitId in (102,103,53,142))
      • Or combinations of both
  13. Attributes & Entitlements
      • Describes what needs to be set in target systems
      • Could be pointers to bundles of entitlements
      • More likely pointers + some attributes that also need to be set
  14. Build approval processes
  15. Build and/or reuse fulfillment mechanisms
  16. Fulfill this!
      • Need to set attributes and assign entitlements in the target systems
      • How that is done is less and less important
        • User provisioning
        • Help Desk ticket
        • Email
        • Directory sync
  17. Push bits into managed resources
  18. Review as needed
  19. Access Certification
      • Increasingly important in enterprise
      • SP 800-53 AC-2
      • Rise of Identity and Access Governance
      • Separates operations from management
  20. Spray old data everywhere
  21. Managed systems never built to be remotely managed
  22. Manage systems never built to externalize authorization decisions
  23. What are we doing today Push in a Federation
  24. Sign business agreement
  25. Determine RPs needs
  26. • Attributes
      • Entitlements
  27. Start building SAML metadata
  28. Hub and Spoke
  29. Network of peers
  30. Map local attributes to RPs entitlements and attributes
  31. Perform telekinesis
  32. Perform telekinesis?
  33. Action at a distance
  34. Telekinesis
  35. Telekinesis • Want to effect the authorizations in a remote system
  36. Telekinesis • Want to effect the authorizations in a remote system • Provisioning local objects to effect remote authorization state
  37. Telekinesis • Want to effect the authorizations in a remote system • Provisioning local objects to effect remote authorization state • But this is a hoax
  38. Telekinesis
      • Want to effect the authorizations in a remote system
      • Provisioning local objects to effect remote authorization state
      • But this is a hoax
      • Provision remote objects too
  39. Spray old data everywhere
  40. Spray old data everywhere • But now with less visibility
  41. Spray old data everywhere • But now with less visibility • RPs don’t know the quality of the data
  42. Spray old data everywhere • But now with less visibility • RPs don’t know the quality of the data • RPs don’t know the data’s “Sell By” date
  43. Spray old data everywhere
      • But now with less visibility
      • RPs don’t know the quality of the data
      • RPs don’t know the data’s “Sell By” date
      • Information sources don’t always know where the data went
  44. Federated provisioning
  45. SPML = push
  46. SAML = push & pull
  47. Proprietary APIs = push / pull
  48. LDAP = pull
  49. No one best approach
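The push sequence on slides 3 through 19 (catalog entitlements, bundle them, attach them to provisioning policies with a membership clause and attributes to set, fulfill into the target, review) is easier to see end to end in code. The block below is an added example, not code from the deck or from any product it names: it evaluates policies whose membership clause is either the static business-role check or the dynamic `orgUnitId in (...)` test from slide 12, computes the desired state per managed system, diffs it against what the target currently holds to get the actions a fulfillment mechanism would push, and builds the review view that access certification needs. The systems, entitlement names, policies, and user data are all constructed.

```python
"""Push-style provisioning, end to end: catalog -> bundles -> policies -> desired state ->
fulfillment diff -> certification view. Added example; all data below is constructed."""
from dataclasses import dataclass, field
from typing import Callable

@dataclass(frozen=True)
class Entitlement:            # slide 4: cataloging is more than just a name
    system: str
    name: str
    owner: str
    sensitivity: str

# Entitlement catalog and bundles ("technical roles", slide 6); constructed sample data
CATALOG = {
    "erp:ap_clerk": Entitlement("erp", "ap_clerk", "finance-apps", "medium"),
    "erp:ap_approver": Entitlement("erp", "ap_approver", "finance-apps", "high"),
    "ldap:cn=finance,ou=groups": Entitlement("ldap", "cn=finance,ou=groups", "iam", "low"),
}
BUNDLES = {
    "ap-processing": ["erp:ap_clerk", "ldap:cn=finance,ou=groups"],
    "ap-approval": ["erp:ap_approver"],
}

@dataclass
class ProvisioningPolicy:
    name: str
    membership: Callable[[dict], bool]              # membership clause (slide 12)
    bundles: list = field(default_factory=list)     # pointers to bundles (slide 13)
    attributes: dict = field(default_factory=dict)  # {system: {attr: template}} also to set

def in_org_units(ids):            # dynamic clause, e.g. orgUnitId in (102,103,53,142)
    return lambda user: user.get("orgUnitId") in ids

def has_business_role(role):      # static clause: membership in a business role
    return lambda user: role in user.get("businessRoles", ())

POLICIES = [
    ProvisioningPolicy("AP staff", in_org_units({102, 103, 53, 142}),
                       ["ap-processing"], {"erp": {"costCenter": "{orgUnitId}"}}),
    ProvisioningPolicy("AP approvers", has_business_role("AP Manager"), ["ap-approval"]),
]

def _empty():
    return {"entitlements": set(), "attributes": {}}

def desired_state(user):
    """Evaluate every policy for one user; returns {system: {"entitlements", "attributes"}}."""
    state = {}
    for policy in POLICIES:
        if not policy.membership(user):
            continue
        for bundle in policy.bundles:
            for key in BUNDLES[bundle]:
                ent = CATALOG[key]
                state.setdefault(ent.system, _empty())["entitlements"].add(ent.name)
        for system, attrs in policy.attributes.items():
            target = state.setdefault(system, _empty())["attributes"]
            target.update({k: v.format(**user) for k, v in attrs.items()})
    return state

def plan_push(user, current):
    """Fulfillment (slide 16): diff desired vs current per system into grant/revoke/set actions.
    How the actions are delivered (connector, ticket, email, directory sync) is the caller's choice."""
    wanted = desired_state(user)
    actions = []
    for system in sorted(set(wanted) | set(current)):
        want, have = wanted.get(system, _empty()), current.get(system, _empty())
        actions += [(system, "grant", e) for e in sorted(want["entitlements"] - have["entitlements"])]
        actions += [(system, "revoke", e) for e in sorted(have["entitlements"] - want["entitlements"])]
        actions += [(system, "set", f"{k}={v}") for k, v in want["attributes"].items()
                    if have["attributes"].get(k) != v]
    return actions

def certification_view(user, current):
    """Access certification (slide 19): what the user actually holds, who owns it, how sensitive
    it is, and whether any policy still grants it ("orphan" = held but no longer justified)."""
    wanted = desired_state(user)
    rows = []
    for system, have in sorted(current.items()):
        for name in sorted(have["entitlements"]):
            ent = CATALOG.get(f"{system}:{name}")
            justified = name in wanted.get(system, _empty())["entitlements"]
            rows.append((f"{system}:{name}", ent.owner if ent else "unknown",
                         ent.sensitivity if ent else "unknown", "policy" if justified else "orphan"))
    return rows

# Constructed sample: a user in org unit 103 who is also an AP Manager, and what the ERP holds today
SAMPLE_USER = {"uid": "jdoe", "orgUnitId": 103, "businessRoles": ["AP Manager"]}
SAMPLE_CURRENT = {"erp": {"entitlements": {"ap_clerk", "legacy_report"},
                          "attributes": {"costCenter": "099"}}}

if __name__ == "__main__":
    for action in plan_push(SAMPLE_USER, SAMPLE_CURRENT):
        print("push:", *action)
    for row in certification_view(SAMPLE_USER, SAMPLE_CURRENT):
        print("review:", *row)
```

The revoke of `legacy_report` and its "orphan" row in the review are the interesting outputs: the target holds something no policy justifies, which is exactly the stale data the later "spray old data everywhere" slides warn about, and the diff is what lets a push architecture notice it.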
  50. Emerging architecture of identity management Pull
  51. Catalog capabilities
  52. Determine authorization policies
  53. 1. Membership
  54. 1. Membership 2. Attributes & Entitlements
  55. 1. Membership 2. Attributes & Entitlements 3. Context
  56. Context
      • Time of day
      • Authenticator type
      • Geolocation
      • Transaction “value”
  57. Identify authoritative sources
  58. Codify access policies
  59. Authorize & enforce
  60. But my apps don’t know how to do that!
  61. Push policies to XACMLoids
  62. Where is the market?
  63. Pull-centric identity architecture is just beginning to emerge
  64. Last year was a quiet year for finer-grained authorization
  65. External authZ is gaining vendor traction
  66. • Oracle Entitlement Server
      • Microsoft Active Directory Federation Services v2
      • Axiomatics
  67. But it doesn’t have a lot of momentum yet
  68. Use cases we see are:
  69. Internal, non-federation
  70. Bespoke systems where EA has had a strong voice
  71. ADFS v2, Geneva, & SharePoint 2010
  72. But as a design pattern
  73. external authorization
  74. doesn’t have widespread mindshare
  75. Amusement Park Parable This tall to ride
  76. Goal: Authorize people to ride
  77. Condition: No existing agreement
  78. PDP
  79. PDP Not authorized
  80. You carry claims
  81. Do not treat height as token for relationship
  82. Do not use height as an entitlement
  83. Don’t confuse attributes for relationships
  84. Don’t mistake attributes for entitlements
  85. You must be as tall as the Speedzone logo to drive this car
  86. You must be as tall as the Speedzone logo to drive this car
  87. Auditing challenges
  88. Problems validating policy
  89. But I wanna go on the ride...
  90. But I wanna go on the ride... • I’m tall enough
  91. But I wanna go on the ride... • I’m tall enough • But Mom doesn’t want me to ride the ride
  92. But I wanna go on the ride... • I’m tall enough • But Mom doesn’t want me to ride the ride • How does her “policy” get represented?
  93. But I wanna go on the ride...
      • I’m tall enough
      • But Mom doesn’t want me to ride the ride
      • How does her “policy” get represented?
      • How is it acted upon?
  94. Inappropriate authorizations
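The pull architecture on slides 51 through 59 (authoritative sources, policies over membership, entitlements and context, a PDP that authorizes and enforces) and the amusement park parable on slides 75 through 94 make the same point from two sides, so one runnable policy decision point can serve both. The block below is an added example, not code from the deck: the PDP pulls the rider's measured height, ticket, and guardian relationship from their authoritative sources at decision time instead of trusting a pushed copy, treats height as an eligibility attribute that is checked but never grants anything, treats the ticket as the entitlement that does, evaluates context (authenticator type, time of day), pulls Mom's policy as a second policy source that overrides, and returns the ids of the rules that fired so an auditor can validate the decision afterwards. The height threshold, operating hours, guest ids, ride name, and rule names are constructed.

```python
"""Pull-style authorization: a PDP that pulls subject attributes, entitlements and a second
policy source from authoritative systems at decision time and evaluates membership,
entitlements and context. Added example; thresholds and sample data are constructed."""
from datetime import time
from typing import Callable

# Authoritative sources (slide 57), pulled per decision rather than copied into the app
HEIGHT_CM = {"guest-1": 130, "guest-2": 140, "guest-3": 140}          # a measured attribute
TICKETS = {"guest-1": {"ride:speedzone"}, "guest-2": set(),
           "guest-3": {"ride:speedzone"}}                              # entitlements
GUARDIANS = {"guest-1": "parent-7", "guest-3": "parent-9"}            # a relationship
GUARDIAN_POLICY = {"parent-7": {"ride:speedzone": "deny"}}            # Mom's policy (slides 91-93)
MIN_HEIGHT_CM = 132                                   # assumed height of the "this tall to ride" mark
OPERATING_HOURS = (time(9, 0), time(21, 0))           # assumed

def pull_subject(uid):
    """Policy information point: build the subject view from the sources at decision time."""
    return {"uid": uid, "height_cm": HEIGHT_CM.get(uid),
            "entitlements": TICKETS.get(uid, set()), "guardian": GUARDIANS.get(uid)}

# (rule id, effect, condition). A rule fires when its condition holds for (subject, resource, context).
Rule = tuple[str, str, Callable[[dict, str, dict], bool]]
RULES: list[Rule] = [
    # Height is an eligibility attribute: it can block, but it never grants (slides 81-84)
    ("height-attribute", "deny",
     lambda s, r, c: s["height_cm"] is None or s["height_cm"] < MIN_HEIGHT_CM),
    # Context: the claims must come from a verified authenticator, not be self-asserted (slide 56)
    ("verified-claims", "deny", lambda s, r, c: c.get("authenticator") != "wristband"),
    # Context: time of day
    ("operating-hours", "deny",
     lambda s, r, c: not (OPERATING_HOURS[0] <= c["time"] <= OPERATING_HOURS[1])),
    # The entitlement (the ticket) is what permits the ride
    ("ride-entitlement", "permit", lambda s, r, c: r in s["entitlements"]),
]
DENY_RULES = {rule_id for rule_id, effect, _ in RULES if effect == "deny"} | {"guardian-policy"}

def guardian_objects(subject, resource):
    """Second policy source pulled at decision time: the guardian's decision for this ride."""
    return GUARDIAN_POLICY.get(subject["guardian"] or "", {}).get(resource) == "deny"

def decide(uid, resource, context):
    """PDP with deny-overrides combining. Returns (decision, fired rule ids); the rule ids are
    the audit record that lets a reviewer validate the policy afterwards (slides 87-88)."""
    subject = pull_subject(uid)
    fired = [rule_id for rule_id, _, cond in RULES if cond(subject, resource, context)]
    if guardian_objects(subject, resource):
        fired.append("guardian-policy")
    if any(rule_id in DENY_RULES for rule_id in fired):
        return "Deny", fired
    if fired:                                   # only permit rules fired
        return "Permit", fired
    return "Deny", ["no-applicable-rule"]       # nothing applied: fail closed

DAYTIME = {"authenticator": "wristband", "time": time(14, 0)}   # constructed context

if __name__ == "__main__":
    for uid in ("guest-1", "guest-2", "guest-3"):
        print(uid, *decide(uid, "ride:speedzone", DAYTIME))
    print("guest-3 late", *decide("guest-3", "ride:speedzone", {**DAYTIME, "time": time(23, 0)}))
```

Note what the fired list shows for guest-1: the height rule and the guardian policy both deny even though the ticket rule fired, which is the "inappropriate authorization" the parable warns about when height is mistaken for an entitlement or a relationship. Guest-2 is tall enough and verified but holds no ticket, so no rule applies and the PDP fails closed.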
  95. Push, Pull, Punt A way forward
  96. The business of identity providers
  97. Federated virtual directory
  98. Rise of the XACMLoids
  99. Cache and Stash
  100. Apps aren’t built for this
  101. Audit patterns
  102. Regardless whether you
  103. push, pull, or punt
  104. IdM is changing under your feet
  105. Reference
       • Gartner ITP / Burton Group Research
       • The Emergent Architecture for Identity Management - Bob Blakley
       • Provisioning’s Role in the Next-Generation IdM Architecture - Lori Rowland
       • Characteristics of an Effective Identity Management Governance Program - Kevin Kampman
       • Market Profile: Identity and Access Governance 2010 - Ian Glazer & Mark Diodati
  106. Images courtesy of
       • croweb
       • sundazed
       • nickso
       • andy castro
       • Graham
       • tkksummers Ballantyne
       • spacesuitcatalyst