The New Venn Of Access Control In The API-Mobile-IoT Era
Eve Maler, Principal Analyst, Security & Risk
June 4, 2014
@xmlgrrl
The business tech landscape is handing us hard IAM problems. Traditional solutions don’t “work less well”…they don’t work at all.
© 2012 Forrester Research, Inc. Reproduction Prohibited
Agenda
What are the implications of “BYO”?
Emerging technologies help you achieve a Zero Trust posture
What remains to be done?
3
The extended enterprise forces IT to handle bring-your-own-everything
4
Source: April 7, 2014, “Navigate The Future Of Identity And Access Management” Forrester report
You can’t trust everything + everyone inside your crunchy perimeter anyway
…so stop trying
5
Source: November 15, 2012, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security” Forrester report
Many APIs have acquired business models, driven by mobile
6
IT now confronts webdevification
7
(chart axes: value, friction)
Our worlds are colliding
8
UNIFY YOUR STANCE AND PREPARE FOR ANYTHING
B2C, B2E, B2B, B2D
the identity singularity
Agenda
What are the implications of “BYO”?
Emerging technologies help you achieve a Zero Trust posture
What remains to be done?
9
A tour through some previous Venns
10
vintage 2007
A tour through some previous Venns
11
vintage 2007
12
vintage 2009
A tour through some previous Venns
13
vintage 2009
A tour through some previous Venns
14
Source: October 2012, “TechRadar™ For Security Pros: Zero Trust Identity Standards, Q3 2012”
Emerging standards have an edge over traditional ones for Zero Trust
Key features:
• Governance
• Hubris
Key features:
• “Solving the right problem”
• Enterprise-only scope
Key features:
• Agility
• Mobile/cloud friendliness
• Robustness
A new Venn for “access management 2.0”
15
JUST WHAT THE API-MOBILE-IOT AXIS NEEDS*
16
OAuth is about more than the “password anti-pattern”
IT LETS A RESOURCE OWNER DELEGATE CONSTRAINED ACCESS
OpenID Connect turns SSO into a standard OAuth-protected identity API
17

SAML 2.0, OpenID 2.0:
• Initiating user’s login session
• X Not responsible for collecting user consent
• High-security identity tokens (SAML only)
• Distributed and aggregated claims
• Session timeout
• Dynamic introduction (OpenID only)

OAuth 2.0:
• X Not responsible for session initiation
• Collecting user’s consent to share attributes
• X No identity tokens per se
• X No claims per se; protects arbitrary APIs
• X No sessions per se
• X Client onboarding is static

OpenID Connect:
• Initiating user’s login session
• Collecting user’s consent to share attributes
• High-security identity tokens (using JSON Web Tokens)
• Distributed and aggregated claims
• Session timeout (in the works)
• Dynamic introduction
UMA enables authorization that’s friendly to OAuth, APIs, PbD, and (it appears) IoT
18
Standardized APIs enable Internet-scale authz-as-a-service
Outsources protection to a centralized “digital footprint control console” for Alice or an IT admin
The “user” in User-Managed Access (UMA) can be an organization (“headless”)
Some guy not accounted for in OAuth…
Mapping UMA to classic authorization architecture
19
~PDP, ~PEP
Deliberately prepared for n:n relationships
Implicitly a PAP and PIP, or a client to them
Together, ~requester
Claims and context gathered at run time
Policymaker (no std policy expression or evaluation)
20
The RS exposes whatever value-add API it wants, protected by an AS
App-specific API
UMA-enabled client
RPT: requesting party token (can be profiled to move the PDP/PEP line)
21
The AS exposes an UMA-standardized protection API to the RS
Protection API
Protection client
PAT: protection API token; includes resource registration API and token introspection API
22
The AS exposes an UMA-standardized authorization API to the client
Authorization API
Authorization client
AAT: authorization API token; supports OpenID Connect-based claims-gathering for authz
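The three UMA APIs and tokens from slides 20–22 as one runnable, in-memory model: the RS registers a resource and introspects RPTs over the protection API with its PAT, the client trades a ticket for an RPT over the authorization API with its AAT, and the AS decides from Alice's ahead-of-time policy and the requesting party's claims. This is an added example, not code from the deck or any UMA implementation; all token values, resource ids, the "pat-rs1"/"aat-client1" names and Alice's policy are constructed. The RS maps the HTTP verb to a scope, which also illustrates the "scope-grained" layer of slide 25.

```python
# Added example, not code from the slides or any UMA product; tokens, ids and policy are constructed.
import secrets
class AuthorizationServer:
    def __init__(self):
        self.pats = {"pat-rs1": "alice"}                             # PAT -> resource owner
        self.aats = {"aat-client1": {"email": "bob@example.com"},    # AAT -> requesting party claims
                     "aat-client2": {"email": "mallory@example.com"}}
        self.policy = {("email", "bob@example.com"): {"view"}}       # Alice's policy, set ahead of time
        self.resources, self.tickets, self.rpts = {}, {}, {}
    # Protection API: the RS authenticates with its PAT (unknown PAT -> KeyError)
    def register_resource(self, pat, name, scopes):
        rid = f"res-{len(self.resources) + 1}"
        self.resources[rid] = {"owner": self.pats[pat], "name": name, "scopes": set(scopes)}
        return rid
    def register_permission(self, pat, rid, scopes):      # UMA 1.0 step: RS obtains a ticket
        ticket = secrets.token_hex(8) if self.pats[pat] else None
        self.tickets[ticket] = (rid, set(scopes))
        return ticket
    def introspect(self, pat, rpt):
        perms = self.rpts.get(rpt) if self.pats[pat] else None
        return {"active": perms is not None, "permissions": perms or []}
    # Authorization API: the client authenticates with its AAT and trades the ticket for an RPT
    def request_rpt(self, aat, ticket):
        claims, (rid, wanted) = self.aats[aat], self.tickets.pop(ticket)
        allowed = set().union(*(self.policy.get(c, set()) for c in claims.items()))
        granted = allowed & wanted & self.resources[rid]["scopes"]
        if not granted:
            return None                                   # policy does not authorize this party
        rpt = secrets.token_hex(8)
        self.rpts[rpt] = [{"resource_id": rid, "scopes": sorted(granted)}]
        return rpt

class ResourceServer:
    METHOD_SCOPE = {"GET": "view", "PUT": "edit"}         # scope-grained: HTTP verb -> scope
    def __init__(self, az, pat):
        self.az, self.pat = az, pat
        self.rid = az.register_resource(pat, "alice-photos", ["view", "edit"])
    def handle(self, method, rpt=None):
        scope = self.METHOD_SCOPE[method]
        perms = self.az.introspect(self.pat, rpt)["permissions"] if rpt else []
        if any(p["resource_id"] == self.rid and scope in p["scopes"] for p in perms):
            return 200, "photos"
        return 401, self.az.register_permission(self.pat, self.rid, [scope])  # ticket for the client

def demo():
    az = AuthorizationServer()
    rs = ResourceServer(az, "pat-rs1")
    first, ticket = rs.handle("GET")                      # no RPT yet: 401 plus a ticket
    rpt = az.request_rpt("aat-client1", ticket)           # Bob's claims satisfy Alice's policy
    return first, rs.handle("GET", rpt)[0], rs.handle("PUT", rpt)[0]
```

`demo()` returns `(401, 200, 401)`: the first request has no RPT, the second carries an RPT whose authorization data covers "view", and the PUT fails because Alice's policy never granted "edit".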
Detailed summary
OAuth 2.0, OpenID Connect, UMA
You delegate scope-constrained access to other apps
Apps can get access using a variety of token types
You grant access to apps operated by you
You achieve federated single sign-on and login-time attribute exchange
You control access to claims about you
You can control access to any type of web resource
You can grant access to apps operated by anyone
You grant access by consenting to terms at run time
You can grant access by setting policies and terms ahead of time
Profiles as a claims-gathering option
Profiles for SSO API protection
Requesting party is authorized based on claims
Profiles to solve access management
Claims can come from distributed sources
Apps can get access after you go offline
You control access to web APIs
Apps get access using bearer-style tokens
The authorization function is effectively local to resources
The authorization function is standard and centralizable
Calling app is recognized based on authenticated identity
Agenda
What are the implications of “BYO”?
Emerging technologies help you achieve a Zero Trust posture
What remains to be done?
24
After the REST maturity ladder must come “scope design best practices”
25
actors (“subjects”): roles, groups, arbitrary other authz context, authn context, attributes/claims
resources accessed (“objects”) and operations (“verbs”): domain, URL path, HTTP method, field
Classic coarse-grained / Emerging scope-grained / Classic fine-grained
Webdevs and IoT demand the right appsec design center and footprint
Federations must grow to accommodate outsourced access
27
“I promise to Adhere-to-Terms once I get access using a valid RPT with the right authz data!”
“I promise to Adhere-to-Terms once the AS adds authz data to your RPT!”
IRM for healthcare requires serious security, privacy, and discoverability
28
(diagram: several ASes, RSes, and clients)
• Likely EHR operators in the US
• Healthcare providers
• Wearables and other quantified-self apps
• “Mint for patients and caregivers”
Benefits
• Proactive, trackable consent directives
• Blue Button+-friendly data delivery
Challenges
• Sclerotic IT practices
• Nth-degree security, privacy, and discoverability requirements
Thank you
Eve Maler
+1 425.345.6756
emaler@forrester.com
@xmlgrrl


Editor's Notes

  • #3 Source: http://www.flickr.com/photos/sludgeulper/4545744255/ Government agency: “SaaS makes traditional access management useless.” Construction firm: “We can’t just Kerberize apps anymore.”
  • #5 Image sources: https://www.blinkdata.com/skills/, http://www.informationbuilders.com/blog/hans-heerooms/14979
  • #7 Image source: http://blog.programmableweb.com/2013/10/03/api-world-day-one-developer-focused-services-rise-up-while-api-business-models-remain-unsolved/
  • #11 Image source: http://www.xmlgrrl.com/blog/wp-content/uploads/2007/03/venn.jpg
  • #12 Image source: http://www.xmlgrrl.com/blog/wp-content/uploads/2007/03/venn-ws.jpg
  • #13 Image source: http://www.xmlgrrl.com/blog/wp-content/uploads/2009/09/VennOfIdentity-Sep2009.png
  • #14 Image source: http://www.xmlgrrl.com/blog/wp-content/uploads/2009/10/VennOfBCID-Oct2009.png
  • #16 Image sources: http://blogs.forrester.com/eve_maler/12-03-12-a_new_venn_of_access_control_for_the_api_economy, http://www.json.org
  • #17 The magic of OAuth: gets client apps out of the business of storing passwords; is friendly to a variety of user authentication methods and user devices, including smartphones and tablets; allows app access to be tracked and revoked on a per-client basis; allows for least-privilege access to API features; can capture explicit user authorization for access; lowers the cost of secure app development. Bonus: provides plumbing for a much larger class of needs around security, identity, access, and privacy.
  • #20 Image source: http://xacmlinfo.org/2011/10/30/xacml-reference-architecture/