• 1. Federation for the cloud: opportunities for a single identity
Vladimir Jirasek, April 2011

• 2. Teaser
Cloud computing has changed the way IT departments deliver services to the business. Many organisations, small or big, need to share data with their partners. Furthermore, organisations need to give users from other organisations access to their systems. Traditional models relied on creating accounts in local identity databases. A more recent approach uses federation between two organisations that trust each other. However, what if you take the federation concept to the cloud? Can there be such a service as federated identity in the cloud? Could we all end up with one single identity that is used for all our activities? The presentation will give some fresh views on this topic.

• 3. Problem definition – Personal space
Users have multiple “credentials” that they use to access different resources
Passwords are usually reused, thus increasing the risk of account compromise
PKI has not solved the problem and has created new ones; it has challenges where user interaction is needed
Users want seamless access to resources without losing comfort – one identity reusable everywhere?
Can I use my personal identity at work? No? Why not?

• 4. How many identities do I have?
I have over 200 identities in my 1Password database

• 5. Problem definition – Corporate space
Management of user identities in a typical corporation is a challenge. Size does matter.
Typical applications can reuse existing identity and access platforms (AD, LDAP, Kerberos, PKI); however, this requires good project governance and architecture
Companies have business relationships with 3rd parties – built on trust and supported by contracts – yet many corporations manage 3rd party accounts on their internal IAM platforms: security, cost and compliance issues
Companies engage with cloud providers, and the problem of managing identities and access to cloud services is something that needs to be solved

• 6. User identity experience in a typical company – still challenges
Business applications placed on the company network
Many applications support SSO, with odd ones outside the SSO platform
IAM platform

• 7. User identity experience in a typical company with a number of 3rd parties
3rd parties access the company’s applications
3rd party providers offering services to the business
Business applications placed on the company network
Internal systems use the IAM platform
IAM platform

• 8. User identity experience in a typical company with cloud
Cloud providers
Business applications placed on the company network
Many applications support SSO, with odd ones outside the SSO platform
IAM platform

• 9. Put it all together and there are lots of challenges
Challenges in internal IAM platforms and their implementation
Challenges in accessing cloud services and managing users’ identities and entitlements
Challenges in accessing 3rd party services
Challenges in managing 3rd party access to company resources
Add the challenges with end users and their personal identities and the situation becomes very hard to manage
Mindset change resistance, with a lack of guidance and maturity models

• 10. One personal identity?
Use the identity
Can I end up with just one identity?
Issue an identity
Trusted agency

• 11. Business solution
SSO inside a company
Identity federation and automated account provisioning with 3rd parties and cloud providers (in content provider mode)
Inbound federation with 3rd parties (in identity provider mode)

• 12. Solution for both?
Cloud providers
Business applications placed in the cloud
Government-trusted, assured cloud identity broker
IAM platform

• 13. Where are we today?
Different assurance standards even for paper travel documents (such as passports) issued by different governments
Some governments issue an e-Identity – usually used for message signing and eGovernment portal access
IdM cloud providers promised yet not emerging (is there a business model?)
Technology supports the vision

• 14. What next?
Sort out internal SSO
Cloud providers to support prominent cloud identity provider platforms
Develop world-wide standards for identity assurance – both business and government related (CAMM can help at least with the business side)
Create a business model for cloud providers to support new identity platforms

Editor's Notes

  1. A typical user has very big problem, without even realising it. Multitude of internet services require users to create “new account” and repeat the registration process all over again. This bring two problems:Multiple accounts to managePassword problemLet’s start with the first one. When I looked into my 1Password database this morning I counted 380 credential details for various websites and further 50 accounts for non web based services. It is truly incredible number and without the help of a password manager software I could not manage this exposition of accounts. That leads me us to the second problem – passwords, still, only supported authentication by most websites. Recent studies and security incidents have confirmed our suspicion: that people choose simple passwords and share it across many systems. This is not only problem for those users but also for companies. I will come to that later.Sheer number of various website guarantees that people will not use unique passwords and those password are unlikely to be anything considered strong. I believe people have desire to use one identity system across many resources and it is up to us, security professionals, business, service providers and also governments to come up with a usable system. The generation Y has shown us that bringing personal internet experiences and ways of working to business is inevitable. Many businesses banned Facebook few year ago, while many business now are allowing social networks to thrive amongst their employees. Times are changing. Inevitably we will be facing questions from new employees, such as “I want to use my Facebook, Google, Live ID to sign in to the network… What, it is not possible. You are so 2011.”
  2. I tried to illustrate some of the most popular websites on my password keyring. I cannot reuse my credentials across any of them. Let’s now go to the business side of the problems.
  3. Businesses face even bigger challenges related to identities. The number of internal applications in a business tends to rise with the size of the company. And if businesses are not careful and do not operate good project and architecture governance, many of these applications may implement their own authentication and authorisation capabilities. The matter is also not helped by software vendors that sometimes require a specific IdM system implementation in order for their application or system to operate correctly, or even to be covered by warranty. In the end an organisation may have several IAM systems (AD, LDAP (many variations), Kerberos, PKI (many implementations)), which further confuses both company users and projects. Building on this complexity, companies also want to do business with 3rd parties. These partners, trusted only to the extent of the contract signed, need to access company resources (data and systems). The policy has always been that 3rd party users must have named accounts created in the 1st party IAM systems. This brings a raft of challenges, such as managing the flow of information about leavers and joiners between the two companies, so that my company can disable the accounts of users who have left your company. In effect I do not trust your company to manage your users properly, so I’d rather do it myself and control the process. In many cases this approach leads to ghost accounts of 3rd party users that still have access to my systems, even though they have long left the 3rd party company. The final piece of the puzzle is the Cloud. The problem with cloud and identities in business is similar to the problems in the personal space. Unless the cloud provider and the business can agree on and support a compatible IAM architecture, the business users will need to use yet another set of credentials to access the cloud provider’s services. This is especially a problem in the SME sector, the very same sector that is most likely to actually use Cloud services. However, on the other hand, there is a genuine lack of a good trust assurance model that companies could use easily, scaled to their needs and, most importantly, agreeable to all parties.
  4. In this example the corporate user uses his personal device to access company applications. Just ignore the location of the user (intranet, internet) for now. The company has one or many IAM platforms (pictured on the left). In many organisations this is Active Directory, also used to authenticate users to their computers. Now there are numerous applications available to the user. Again, ignore the location of the systems and the access path. In the example here there is one odd application that is not hooked into the company IAM system. Hence the user has to remember another set of credentials. These credentials, usually set by the user, are likely to be exactly the same as those in the company IAM system, obviously for convenience reasons. What does that mean for the company risk profile? The company has spent a considerable amount of money building a secure IAM platform. Yet there is an odd system that potentially has not gone through the same security architecture and review process, and this system is storing exactly the same password for the user. I hope you see the point here. Your IAM platform is as weak as the weakest application that is not using your IAM platform. The lesson learned from this example is: build a usable, extendable and secure IAM platform and push very hard to hook all company systems into it!
  5. Building on the example from the previous slide, this time we add a 3rd party to the mix. The business has linked all internal systems with the company’s IAM platform. Great. Now there are 3rd party systems that need to be accessed. The same problems arise if even one 3rd party application is not using the user’s company IAM platform. The situation is even less clear as there is potentially little visibility of the security controls within the 3rd party application (second from the left). The problem is further exacerbated by the fact that the likelihood of a compatible IAM solution on the provider and user side is obviously lower than when discussing just systems within one organisation. The provisioning of accounts on the 3rd party side is also an issue to be resolved. Even if the organisations have compatible IAM platforms and can do SSO between them, account provisioning is usually done by a batch process. And, as discussed before, 3rd parties may also want to access internal resources in your organisation. Most organisations simply create internal accounts for these users, which brings several management and risk challenges.
  6. Finally, with Cloud services fully on the radar of company CIOs, the issue of 3rd parties is replicated with the cloud providers. In effect some 3rd parties could actually be classed as Cloud providers. Here, the problem of reused passwords is even bigger as many cloud based services (especially SaaS) allow access from anywhere on the internet. Hence, if a username and password are compromised, your organisation has little control over who actually accesses the cloud application. Some cloud providers provide additional controls and can limit the IP ranges that can log in to the application – effectively linking information from the network layer with the application layer.
  7. Let’s now summarise the challenges that businesses face in the IAM space:
     • Unless all internal systems on the company network utilise the services of the internal IAM platform, the risk of credential compromise through leakage in these systems needs to be managed. This is usually an unaccounted-for element in the business case for a common IAM platform.
     • Accessing cloud services and making sure the access control is fit for purpose is a problem organisations need to face. The standards are evolving and not all cloud providers offer federation and SSO services.
     • Outsourcing services to 3rd parties faces exactly the same challenges, though the likelihood of a tailored solution with a 3rd party is higher.
     • If 3rd parties need to access your company’s internal resources, the cost of managing their internal accounts is usually higher than for internal users. Also, the out-of-sync issues are hard to resolve. Companies are also cautious about trusting a 3rd party to manage their IAM processes.
     • Companies will be tested on how they adapt their identity capabilities when it comes to the personal space – that is both employees accessing company resources and customers accessing your business services. As new models for identity assurance emerge (more on that later) companies will be forced by market forces to adopt these new frameworks.
  8. The recent NSTIC (National Strategy for Trusted Identities in Cyberspace) vision document shows the way forward, where an identity ecosystem framework is created. Such a vision will require a lot of work on the technology side and also on the policies and processes side. Ultimately the decision about which identity attributes are shared with the service provider needs to be given to people, while the service provider needs to have a reasonable (required) level of assurance that the identity provided is actually as stated. collection of trusted accredited identity providers issue
  9. Point out the different standards for obtaining a physical identity document; this is likely to be replicated for eID, especially if those physical documents are used to obtain the eID. I personally use the eID to digitally sign documents. However, I cannot use it to gain access to websites.