The document discusses the need for an open source alternative to expensive commercial web access management solutions. It proposes documenting a recipe for building an enterprise-class web access management system using 100% open source components. This recipe has been developed by Gluu over 5 years and is proven to work for deployments varying in size. The recipe aims to provide a standards-based solution to authentication and authorization challenges faced by many organizations.
What is it, exactly, that you’re focusing on?
Deploying an application access management suite is currently too expensive for any but the largest enterprises, which can afford platforms like Oracle Access Manager, IBM Tivoli Access Manager or CA SiteMinder. These security suites use proprietary protocols, which frequently result in “vendor lock-in.” This book would document a recipe that leverages open standards to build an enterprise-class web access management system using 100% open source components. This recipe has been developed by Gluu over the last five years, and is proven to work in a variety of deployments around the globe that vary in size from small to humongous.
Why does the community use this tool?
People–employees, customers, and partners–need to be identified to interact electronically with an organization. Authentication (authn) and authorization (authz) are a challenge faced by almost every organization large enough to register an Internet domain. And it’s not just people that need to be authenticated and authorized. “Clients” are online agents that can interact with services on your behalf. With the emergence of the IoT and the API economy, developers and system administrators are urgently searching for standards-based solutions and best practices to improve the security of web and mobile applications.
While commercial solutions exist, there are many organizations that prefer the do-it-yourself approach. Authentication impacts the integrity of every transaction performed by a person or client on the network. In some cases, web authentication is the organization’s keys to the kingdom. There are many organizations that will never outsource this function. And there are many organizations that see excellence in authentication–which is the front door to their Internet presence–as a competitive advantage to drive adoption of their products and services. For these organizations, a recipe for open source access management would be extremely helpful.
What are people doing with it on a daily basis?
Application security is a very difficult and scary topic for the average system administrator. Authentication and authorization are the first step for almost any content of value. If the central authn/authz service is down, even the CEO of the company may not be able to read her email. Or worse, a security breach may result in a financial loss for the organization or even dismissal. This book would document a proven solution to enable sysadmins to confidently deploy a modern, flexible authn/authz service that would be available day after day for many years to come.
What are its benefits to users, compared to a new/old rival?
The recipe documented in the book is a proven stack of WAM (web access management) software used by universities, governments, large companies and websites.
This stack has more features and is easier to manage than commercial alternatives. If you are paranoid about the NSA spying on you, then you can read all the code. This recipe includes some of the most widely deployed and some of the most cutting-edge security solutions available anywhere.
Organizations who don’t use open source may use expensive commercial software or a
SaaS service. As application security is a universal requirement, both of these options will
make sense for some organizations.
The recipe documented in this book is not the only open source recipe possible; the book is not intended to be a compendium of all open source security solutions. It’s a curated recipe of a suite of software proven to work together to satisfy the requirements of many organizations, large and small.
What issues does your community face, day to day?
A recent Verizon study indicated that 80% of Internet breaches were the direct result of bad password security. But how can organizations reduce reliance on passwords without tightly coupling authentication technology into applications? How can the deployability issues of strong authentication be addressed?
Mobile applications are creating new requirements for companies. There has been a paradigm shift where enterprise services are published with JSON/REST APIs to support both web sites and mobile apps. Organizations are using more services hosted by third parties. Some web sites are facing requirements to support the standards-based security infrastructures of their customers or partners.
It’s impossible for the average system administrator to patch together a solution to address
all these challenges. It’s time for an open source alternative.
What else can it do?
The solution is very flexible. It is solving a wide range of use cases today. One area that could
be expanded is “enrollment,” which involves creating an internal profile for a person who is
authenticated at another domain (like Google). Another extra-credit topic that is not needed
by the average domain is multi-party federation hosting. This enables an organization to vet
a list of trusted, autonomous partners who publish applications or authenticate people.
What do its friends look like?
Many governments are anxious to see open source alternatives for security. The Internet will not become a safer place if only big companies can afford security. Higher Education has also been an early adopter of open standards for security. Part of the solution is based on open source software already popular in this segment. In addition, many companies are anxious for more cost-effective solutions to recommend to partners. If you need your partners to support secure open standards for security, you can’t ask them to buy expensive enterprise software. Finally, privacy advocates around the globe prefer open source security solutions, especially in light of recent revelations regarding US government spying.
What does the future look like?
There is a major paradigm shift happening right now. In the past, there were too many Internet standards for web authentication: OpenID 2.0, OAuth 1.0, WS-Federation, CAS, and many other protocols are on the trash heap of failed or fading efforts. Finally, new standards have arisen that use the OAuth2 pattern, leveraging a JSON/REST API architecture that is friendly to application developers. There is more consensus than ever on how to achieve interoperable security. If authentication and authorization become a decentralized Internet infrastructure like SMTP or DNS, the know-how for how to launch and manage these services will be in high demand across the globe.
Product Proposal
API and Mobile Access Management
What is the vision and purpose of this product?
While the vision for securing the Internet is clear to the “identerati”–the experts who developed the standards–we need to get the information into the hands of a much wider audience. It is imperative for our society that we decentralize identity.
Facebook and Google have bridged our inability to identify our friends on the Internet by providing a centralized solution–you can share a Google doc with someone only because they also have a Google account. With a myriad of vendors producing hardware and software that interact on our behalf, we cannot build our society on these central identity silos. Like enlightened despotism, it seems efficient. But over time, it undermines the original design goal of the Internet… the largest federation of autonomous entities ever assembled into one network. The Internet was made possible by standards like TCP/IP, DNS, HTTP and SSL. After 20 years, we have an Internet identity infrastructure, and it’s time to get the word out. For this, we need paper!
Who is the reader/viewer at the start?
The basic profile of the person is a “Unix system administrator.” However, others in the
organization who use or rely on the infrastructure may also want to read it.
To read this book, the person will need to understand the current infrastructure of the Internet: TCP/IP, DNS, SMTP, HTTP, and SSL. Some knowledge of public-private key cryptography would also be helpful, although the required concepts will be reviewed–it’s so critical, it can’t be assumed. No programming is assumed, although some additional material will be referenced, as many programmers will certainly read this book.
Who is the reader/viewer at the end?
After reading the book, the reader should be ready to deploy the components to enable
application testing and development to proceed. The roadmap for security should be
clear, including which services are needed to meet the requirements of the reader’s
organization. Importantly, after reading this book, the programmers, system
administrators, and Chief Information Security Officer should be able to get alignment
much more quickly on the important standards, and the moving pieces that need to be
addressed from a business perspective, not just a technical perspective.
Article resource: https://sites.google.com/site/thegluuserver/packt-publishing-book-proposal-api-and-mobile-access-management