Push, Pull, or Punt?!
Identity tug-of-war: then, now & beyond

Ian Glazer
Research Director, Gartner
ian.glazer@gartner.com
@iglazer
What are we doing today: Push in the Enterprise
Catalog entitlements
Entitlements


• The highest-order assignable object in
  a security model
• Cataloging is more than just names
 • Descriptions and meanings
 • Owners, risk, sensitivity
Group them
Bundles of entitlements


• Technical roles
 • But that name is losing cachet
• What has to be assigned to make
  business function X go?
Build business roles
Roles

• Multiple attempts to build role
  models
• Regular, semi-homogenous orgs work
  best
 • Don’t try this with development shops
• There is no silver bullet, and there never will be
Build (provisioning) policies
Push, Pull, or Punt - Identity management tug-of-war: Then, Now, and Beyond
1. Membership
2. Attributes & Entitlements
Membership Clause

• Governs eligibility
• Can be static
 • Membership in business role
• Can be dynamic
 • (orgUnitId in (102,103,53,142))
• Or combinations of both
Attributes & Entitlements

• Describes what needs to be set in
  target systems
• Could be pointers to bundles of
  entitlements
• More likely pointers + some
  attributes that also need to be set
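Worked example of the two clauses above, added here and not part of Ian Glazer's deck: a small Python evaluator in which a policy's membership clause is static (a business role), dynamic (an orgUnitId test like the one on the slide) or a combination of both, and its attributes & entitlements clause points at bundles plus attributes that also need to be set. Roles, bundle names, entitlement ids, target-system names and org-unit ids are constructed for illustration.

```python
"""Provisioning policies: a membership clause decides who is in scope, an
attributes & entitlements clause says what to set in the target systems.

Added example, not code from the deck.  Roles, org-unit ids, bundle names,
entitlement ids and target-system names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple


@dataclass(frozen=True)
class Identity:
    uid: str
    business_roles: frozenset
    org_unit_id: int


Clause = Callable[[Identity], bool]


# Membership clause builders: static (business role), dynamic (attribute
# test), or combinations of both.
def in_role(role: str) -> Clause:
    return lambda who: role in who.business_roles


def org_unit_in(ids: Iterable[int]) -> Clause:
    allowed = frozenset(ids)
    return lambda who: who.org_unit_id in allowed


def all_of(*clauses: Clause) -> Clause:
    return lambda who: all(c(who) for c in clauses)


def any_of(*clauses: Clause) -> Clause:
    return lambda who: any(c(who) for c in clauses)


# Catalog of bundles ("technical roles"): name -> entitlement ids.  Each id
# is "<target system>:<entitlement>", so fulfilment knows where it goes.
BUNDLES: Dict[str, set] = {
    "erp-ap-clerk": {"erp:role:AP_CLERK", "erp:role:INVOICE_VIEW"},
    "finance-share": {"ad:group:Finance-RO"},
    "finance-admin": {"erp:role:AP_APPROVER", "ad:group:Finance-RW"},
}


@dataclass(frozen=True)
class ProvisioningPolicy:
    name: str
    membership: Clause
    bundles: Tuple[str, ...]     # pointers into BUNDLES
    attributes: Dict[str, str]   # "<target>:<attribute>" -> value to set


def _slot(out: dict, target: str) -> dict:
    return out.setdefault(target, {"entitlements": set(), "attributes": {},
                                   "conflicts": [], "via": set()})


def plan(who: Identity, policies: Iterable[ProvisioningPolicy]) -> dict:
    """What fulfilment must push, per target system, for every policy whose
    membership clause `who` satisfies.  Two policies setting the same
    attribute to different values is a policy bug: it is recorded under
    "conflicts" rather than resolved silently by whichever policy ran last."""
    out: dict = {}
    for pol in policies:
        if not pol.membership(who):
            continue
        for bundle in pol.bundles:
            for ent in BUNDLES[bundle]:
                target, _, name = ent.partition(":")
                slot = _slot(out, target)
                slot["entitlements"].add(name)
                slot["via"].add(pol.name)
        for key, value in pol.attributes.items():
            target, _, attr = key.partition(":")
            slot = _slot(out, target)
            current = slot["attributes"].get(attr)
            if current is not None and current != value:
                slot["conflicts"].append((attr, current, value))
                continue
            slot["attributes"][attr] = value
            slot["via"].add(pol.name)
    return out


POLICIES = [
    ProvisioningPolicy("AP clerks",
                       in_role("Accounts Payable Clerk"),              # static
                       ("erp-ap-clerk", "finance-share"),
                       {"erp:costCenter": "FIN-AP"}),
    ProvisioningPolicy("Finance org units",
                       org_unit_in((102, 103, 53, 142)),               # dynamic
                       ("finance-share",),
                       {"ad:department": "Finance"}),
    ProvisioningPolicy("Finance approvers",
                       all_of(in_role("Finance Manager"),              # both
                              org_unit_in((102, 103))),
                       ("finance-admin",),
                       {"erp:approvalLimit": "50000"}),
]

if __name__ == "__main__":
    clerk = Identity("u1001", frozenset({"Accounts Payable Clerk"}), 102)
    for target, spec in sorted(plan(clerk, POLICIES).items()):
        print(target, sorted(spec["entitlements"]), spec["attributes"], sorted(spec["via"]))
```

The "via" set is what an access-certification reviewer later wants to see: which policy put this entitlement on this person, not just that it is there.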
Build approval
  processes
Build and/or reuse fulfillment mechanisms
Fulfill this!
• Need to set attributes and assign
  entitlements in the target systems
• How that is done is less and less
  important
 • User provisioning
 • Help Desk ticket
 • Email
 • Directory sync
Push bits into managed resources
Review as needed
Access Certification


• Increasingly important in enterprise
 • SP 800-53 AC-2
• Rise of Identity and Access Governance
 • Separates operations from management
Spray old data everywhere
Managed systems never built to be remotely managed
Managed systems never built to externalize authorization decisions
What are we doing today: Push in a Federation
Sign business agreement
Determine RPs needs
• Attributes
• Entitlements
Start building SAML metadata
Hub and Spoke
Network of peers
Map local attributes to RPs entitlements and attributes
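The "determine RPs needs, build SAML metadata, map local attributes" steps as code. This is an added example, not code from the deck or from any SAML product: it reads the RP's requested attributes out of its SP metadata, maps local attributes and local entitlement ids onto the names the RP understands, and emits a SAML 2.0 AttributeStatement that carries only what was requested, which is the data-minimization point the speaker notes raise against over-broad federation agreements. The SP metadata, the local user record, the attribute mapping and the entitlement mapping are constructed; the Assertion that would wrap this statement, and the IdP's signature over it, are outside the example.

```python
"""Build a SAML AttributeStatement from what the RP's metadata asks for,
mapping local attributes and entitlements to the RP's names and sending
nothing the RP did not request.

Added example, not code from the deck.  The SP metadata, the local user
record, the attribute mapping and the entitlement mapping are constructed
for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
ET.register_namespace("md", MD)
ET.register_namespace("saml", SAML)

# Constructed SP metadata: the RP states what it needs and what is mandatory.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://rp.example.net/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Expense portal</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.11" FriendlyName="ou" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Local entitlement id -> the URI this RP understands (constructed mapping).
RP_ENTITLEMENTS = {
    "expense-approver": "urn:example:rp:expense:approve",
    "expense-submitter": "urn:example:rp:expense:submit",
}

# RP attribute name -> function producing the local values for it (constructed).
MAPPING: Dict[str, Callable[[dict], List[str]]] = {
    "urn:oid:0.9.2342.19200300.100.1.3": lambda u: [u["mail"]] if u.get("mail") else [],
    "urn:oid:2.5.4.11": lambda u: [u["department"]] if u.get("department") else [],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": lambda u: [
        RP_ENTITLEMENTS[e] for e in u.get("entitlements", []) if e in RP_ENTITLEMENTS],
}


@dataclass(frozen=True)
class Requested:
    name: str
    friendly: str
    required: bool


def requested_attributes(metadata_xml: str) -> List[Requested]:
    """Read the RP's RequestedAttribute list from its SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [Requested(ra.get("Name"), ra.get("FriendlyName", ""),
                      ra.get("isRequired", "false").lower() == "true")
            for ra in root.iter(f"{{{MD}}}RequestedAttribute")]


def build_attribute_statement(user: dict, requested: List[Requested]) -> Tuple[ET.Element, List[str]]:
    """Emit only requested attributes; report required ones we cannot supply
    so the IdP can refuse rather than silently send a partial assertion."""
    stmt = ET.Element(f"{{{SAML}}}AttributeStatement")
    missing: List[str] = []
    for req in requested:
        values = MAPPING.get(req.name, lambda u: [])(user)
        if not values:
            if req.required:
                missing.append(req.name)
            continue
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=req.name,
                             NameFormat=URI_FORMAT, FriendlyName=req.friendly)
        for v in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = v
    return stmt, missing


def attribute_values(stmt: ET.Element) -> Dict[str, List[str]]:
    """Name -> values as sent; handy for checking data minimization."""
    return {a.get("Name"): [v.text for v in a.findall(f"{{{SAML}}}AttributeValue")]
            for a in stmt.findall(f"{{{SAML}}}Attribute")}


def serialize(stmt: ET.Element) -> str:
    return ET.tostring(stmt, encoding="unicode")


# Constructed local record: more than the RP needs (homePhone, nationalId,
# and an entitlement that means nothing to this RP).
USER = {"mail": "ada@example.com", "department": "Finance",
        "entitlements": ["expense-approver", "erp-ap-clerk"],
        "homePhone": "+1-555-0100", "nationalId": "000-00-0000"}

if __name__ == "__main__":
    stmt, missing = build_attribute_statement(USER, requested_attributes(SP_METADATA))
    print(serialize(stmt))
    print("missing required:", missing)
```

The mapping is where the "telekinesis" actually happens: the local entitlement name never leaves the enterprise, only the RP's own name for it does, so the RP cannot later be confused by a renamed local group.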
Perform telekinesis?
Action at a distance
Telekinesis

• Want to effect the authorizations in a
  remote system
• Provisioning local objects to effect
  remote authorization state
• But this is a hoax
 • Provision remote objects too
Spray old data everywhere

• But now with less visibility
 • RPs don’t know the quality of the data
 • RPs don’t know the data’s “Sell By” date
 • Information sources don’t always know
   where the data went
Federated provisioning
SPML = push
SAML = push & pull
Proprietary APIs = push / pull
LDAP = pull
No one best approach
Emerging architecture of identity management: Pull
Catalog capabilities
Determine authorization policies
1. Membership
2. Attributes & Entitlements
3. Context
Context


• Time of day
• Authenticator type
• Geolocation
• Transaction “value”
Identify authoritative sources
Codify access policies
Authorize & enforce
But my apps don’t know how to do that!
Push policies to XACMLoids
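The pull architecture of the last few slides, end to end, as an added example rather than code from the deck or from any vendor's product: a policy decision point that, at decision time, asks a federated virtual directory (FVD) for the attributes its policy needs, where the FVD routes each attribute to its authoritative source and keeps a stash with a per-attribute maximum age; the policy then adds the context clause (time of day, authenticator type, geolocation, transaction value). It also shows the cache-and-stash trade-off the deck returns to later: inside the stash window a decision can rest on data the source has already changed. The sources (HR, IGA), attribute names, cache ages, policy and requests are all constructed for illustration.

```python
"""Pull-based authorization: at decision time the PDP asks a federated
virtual directory (FVD) for the attributes a policy needs, then applies
the request's context.

Added example, not code from the deck.  The sources (HR, IGA), attribute
names, the cache ages, the policy and the requests are all constructed.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


@dataclass
class Attr:
    value: Any
    source: str        # which authoritative source it came from
    fetched_at: float  # when the FVD last pulled it (seconds since epoch)


class Source:
    """Stand-in for one authoritative source (e.g. HR or an IGA catalog)."""
    def __init__(self, name: str, records: Dict[str, dict]):
        self.name, self.records, self.calls = name, records, 0

    def get(self, uid: str) -> dict:
        self.calls += 1
        return dict(self.records.get(uid, {}))


class FederatedVirtualDirectory:
    """Routes each attribute to its authoritative source and keeps a stash.
    A stashed value is reused only while younger than its max age; inside
    that window a decision may rest on data the source has already changed."""
    def __init__(self, routes: Dict[str, Source], max_age: Dict[str, float]):
        self.routes, self.max_age = routes, max_age
        self.stash: Dict[tuple, Attr] = {}

    def lookup(self, uid: str, names: List[str], now: float) -> Dict[str, Optional[Attr]]:
        out: Dict[str, Optional[Attr]] = {}
        fetched: Dict[str, dict] = {}        # one pull per source per lookup
        for name in names:
            hit = self.stash.get((uid, name))
            if hit is not None and now - hit.fetched_at <= self.max_age.get(name, 0.0):
                out[name] = hit
                continue
            src = self.routes[name]
            if src.name not in fetched:
                fetched[src.name] = src.get(uid)
            record = fetched[src.name]
            if name in record:
                hit = Attr(record[name], src.name, now)
                self.stash[(uid, name)] = hit
                out[name] = hit
            else:
                self.stash.pop((uid, name), None)
                out[name] = None
        return out


@dataclass
class Request:
    uid: str
    action: str
    hour: int            # context: time of day (0-23)
    authenticator: str   # context: "password" or "mfa"
    country: str         # context: geolocation
    value: float         # context: transaction "value"


@dataclass
class Decision:
    permit: bool
    reasons: List[str]        # why it was denied (empty on permit)
    basis: Dict[str, tuple]   # attr -> (value, source, fetched_at), for audit


def decide(fvd: FederatedVirtualDirectory, req: Request, now: float) -> Decision:
    """Policy for 'approve-invoice': membership (business role), an
    entitlement, and a context clause.  Any other action is denied."""
    attrs = fvd.lookup(req.uid, ["employmentStatus", "businessRole", "entitlements"], now)

    def val(name: str) -> Any:
        return attrs[name].value if attrs[name] else None

    reasons: List[str] = []
    if req.action != "approve-invoice":
        reasons.append(f"no policy for action {req.action}")
    if val("employmentStatus") != "active":
        reasons.append("employmentStatus is not active")
    if val("businessRole") != "AP Approver":
        reasons.append("membership clause failed: businessRole")
    if "ERP:APPROVE_INVOICE" not in (val("entitlements") or ()):
        reasons.append("missing entitlement ERP:APPROVE_INVOICE")
    if not 7 <= req.hour < 19:
        reasons.append("outside business hours")
    if req.country not in ("US", "GB"):
        reasons.append(f"country {req.country} not allowed")
    if req.value > 10000 and req.authenticator != "mfa":
        reasons.append("transactions over 10000 require an MFA authenticator")
    basis = {n: (a.value, a.source, a.fetched_at) for n, a in attrs.items() if a}
    return Decision(not reasons, reasons, basis)


def build_demo():
    """Constructed sources and FVD: HR owns employment status, IGA owns
    roles and entitlements.  Ages are arbitrary demo values."""
    hr = Source("hr", {"u1": {"employmentStatus": "active"}})
    iga = Source("iga", {"u1": {"businessRole": "AP Approver",
                                "entitlements": ["ERP:APPROVE_INVOICE", "ERP:VIEW_INVOICE"]}})
    fvd = FederatedVirtualDirectory(
        routes={"employmentStatus": hr, "businessRole": iga, "entitlements": iga},
        max_age={"employmentStatus": 300, "businessRole": 3600, "entitlements": 3600})
    return fvd, hr, iga


if __name__ == "__main__":
    fvd, hr, iga = build_demo()
    t0 = 1_700_000_000.0
    ok = Request("u1", "approve-invoice", 10, "mfa", "US", 5000)
    print(decide(fvd, ok, t0).permit)                  # True
    hr.records["u1"]["employmentStatus"] = "terminated"
    print(decide(fvd, ok, t0 + 60).permit)             # True: stash still fresh
    print(decide(fvd, ok, t0 + 400).permit)            # False: refetched from HR
```

The `basis` field is the audit answer to "what was this decision made on": each attribute's value, its authoritative source and when it was pulled. Pick the max age per attribute from how much staleness the policy can tolerate, not from how expensive the source is to call; a terminated employee who still has a 300-second window is the price paid here for the stash.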
Where is the market?
Pull-centric identity architecture is just beginning to emerge
Last year was a quiet year for finer-grained authorization
External authZ is gaining vendor traction
• Oracle Entitlement Server
• Microsoft Active Directory
  Federation Services v2
• Axiomatics
But it doesn’t have a lot of momentum yet
Use cases we see are:
• Internal, non-federation
• Bespoke systems where EA has had a strong voice
• ADFS v2, Geneva, & SharePoint 2010
But as a design pattern, external authorization doesn’t have wide-spread mindshare
Amusement Park Parable: This tall to ride
Goal:
Authorize people to ride
Condition:
No existing agreement
PDP

Not authorized
You carry claims
Do not treat height as token for relationship
Do not use height as an entitlement
Don’t confuse attributes for relationships
Don’t mistake attributes for entitlements
You must be as tall as the Speedzone logo to drive this car
Auditing challenges
Problems validating policy
But I wanna go on the ride...

• I’m tall enough
• But Mom doesn’t want me to ride the ride
• How does her “policy” get represented?
• How is it acted upon?
Inappropriate authorizations
Push, Pull, Punt

A way forward
The business of identity providers
Federated virtual directory
Rise of the XACMLoids
Cache and Stash
Apps aren’t built for this
Audit patterns
Regardless of whether you push, pull, or punt,
IdM is changing under your feet
Reference
• Gartner ITP / Burton Group Research
 • The Emergent Architecture for Identity Management - Bob Blakley
 • Provisioning’s Role in the Next-Generation IdM Architecture - Lori Rowland
 • Characteristics of an Effective Identity Management Governance Program - Kevin Kampman
 • Market Profile: Identity and Access Governance 2010 - Ian Glazer & Mark Diodati
Images courtesy of

• croweb
• nickso
• Graham Ballantyne
• sundazed
• andy castro
• tkksummers
• spacesuitcatalyst
Editor's Notes

  1. The problems with push. Image courtesy of croweb - http://www.flickr.com/photos/croweb/2904702979
  2. Think about a typical COTS application. Users and their privileges are managed within the app, and often there is very little in the way of remote user-management capability. This is the source of much of the complexity in user provisioning systems.
  3. Traditional applications of federation technology follow two deployment patterns. The first is hub and spoke, in which a heavyweight company sits at the center of the federation and its trading partners federate on the hub’s terms. Image courtesy of nickso - http://www.flickr.com/photos/nickso/3045996440/
  4. The second federation deployment pattern is the network of peers. With no heavyweight at the center, the federation is composed of peers who federate amongst each other. Image courtesy of Graham Ballantyne - http://www.flickr.com/photos/grahamb/2355477036/in/pool-324690@N20
  5-8. Provisioning locally is (barely) tolerable. Provisioning locally and remotely is wasted effort.
  9. The problems with push in a federated environment: federated provisioning. Image courtesy of croweb - http://www.flickr.com/photos/croweb/2904702979
  10. A variety of approaches have been taken to try to solve the challenge of federated provisioning.
  11. One approach was to use SPML. First, not all service providers have an SPML interface. Second, not every enterprise has a provisioning process that can generate SPML messages.
  12. Another approach is to use SAML. There have been two variants. One is to establish an agreement that requires more attributes than are needed to perform authentication; the extra data is used by a backend provisioning process. The problem with this variant is that the extra data is always sent, which violates the privacy principle of data minimization, among other things. The second variant is to use Metadata-Exchange to facilitate attribute exchange on an as-needed basis.
  13. Cloud providers have been building their own provisioning interfaces using neither the SAML nor the SPML standard.
  14. A few service providers have offered LDAP as a means of provisioning. In some cases, a provider can issue LDAP queries to the enterprise.
  15. Needless to say, there is no one best approach. Or at least, there is no one agreed-upon approach.
  16. Same basic idea as cataloging entitlements.
  17-19. These policies look like provisioning policies, but they have an extra clause: context.
  20. The above are examples of contextual items that can be considered during an authorization event.
  21. No single provider has close relationships with all the individuals a modern enterprise needs to deal with, so no organization can be the sole source of low-cost, high-quality identities for everyone an enterprise needs to know.
  22. This is what a pull-based authorization system looks like. A user initiates an action in a system; that system asks the federated virtual directory (FVD) for all of the data needed to make the authorization decision. The FVD returns that data to the endpoint, which makes a go/no-go authorization decision.
  23. We’ll add another step to accommodate applications that don’t know how to ask for external information to make authorization decisions.
  24. The XACMLoids know how to ask the FVD for information and can then present the go/no-go decision to the endpoint.
  25. We expect SharePoint 2010 to be the “infection vector” by which claims-aware computing becomes popular in the enterprise.
  26-27. To authorize people, the amusement park installs a sign at a given height. Image courtesy of sundazed - http://www.flickr.com/photos/sundazed/555071016/
  28. That’s what a ticket is for. Image courtesy of andycastro - http://www.flickr.com/photos/andycastro/2615845976/
  29. That’s what the date on the ticket is for. Image courtesy of andycastro - http://www.flickr.com/photos/andycastro/2615845976/
  30-33. This is a great policy, but it is awfully hard to audit. Image courtesy of tkksummers - http://www.flickr.com/photos/tkksummers/2888454076/
  34. Consider that you build the policy above. Image courtesy of spacesuitcatalyst - http://www.flickr.com/photos/spacesuitcatalyst/438010405/
  35. Someone arrives with a claim that looks like the above. Image courtesy of spacesuitcatalyst - http://www.flickr.com/photos/spacesuitcatalyst/438010405/
  36. This is the policy you meant to write. Image courtesy of spacesuitcatalyst - http://www.flickr.com/photos/spacesuitcatalyst/438010405/
  37-38. No single provider has close relationships with all the individuals a modern enterprise needs to deal with, so no organization can be the sole source of low-cost, high-quality identities for everyone an enterprise needs to know.
  39. Data-intensive applications will require information to be “closer.” In these situations the FVD and the endpoint can work with a cache or stash. Of course, by adding a cache/stash, the chance that an authorization decision is made on “bad” or out-of-date data goes up.
  40. The reality is that we will have push-only applications for a long time. The hybrid approach of having both push and pull in the enterprise is the more likely future.
  41. References:
     The Emerging Architecture of Identity Management - http://www.burtongroup.com/Client/Research/Document.aspx?cid=1895
     Market Profile: Identity and Access Governance 2010 - http://www.burtongroup.com/Client/Research/Document.aspx?cid=1858
     Characteristics of an Effective Identity Management Governance Program - http://www.burtongroup.com/Client/Research/Document.aspx?cid=1731
     Provisioning’s Role in the Next-Generation IdM Architecture - http://www.burtongroup.com/Client/Research/Document.aspx?cid=1993
  42. All images, unless otherwise sourced, were found on Flickr.