Identity access and privacy in the new hybrid enterprise slides
Identity, Access & Privacy in the New Hybrid Enterprise
Scott Morrison, CTO, Layer 7 Technologies
Eve Maler, Principal Analyst, Forrester Research, Inc.
May 17, 2012
Housekeeping
- Questions: chat any questions you have and we’ll answer them at the end of this call
- Twitter: today’s event hashtag is #L7webinar
- Follow us on Twitter: @layer7, @forrester, @xmlgrrl, @kscottmorrison
- facebook.com/layer7
- layer7.com/blogs
- layer7.com/linkedin
© 2011 Forrester Research, Inc. Reproduction Prohibited
Identity, Access, And Privacy In The New Hybrid Enterprise
Eve Maler, Principal Analyst
May 17, 2012
“Sounds awesome – maybe later?” SAML and friends have succeeded in one realm, but the extended enterprise has strained them to the breaking point.
Agenda
- Many enterprises aren’t just extended – they’re over-extended.
- IAM challenges favor Zero Trust and emerging technologies.
- Plan for the new “Venn” of access control in the API economy.
- Learn from your peers: Brandish IT carrots instead of sticks.
Steve Yegge’s rant crystallized the challenge
[Jeff Bezos] issued a mandate that was so out there, so huge and eye-bulgingly ponderous, that it made all of his other mandates look like unsolicited peer bonuses. … “1) All teams will henceforth expose their data and functionality through service interfaces.” …
Like anything else big and important in life, Accessibility has an evil twin who, jilted by the unbalanced affection displayed by their parents in their youth, has grown into an equally powerful Arch-Nemesis (yes, there's more than one nemesis to accessibility) named Security. And boy howdy are the two ever at odds.
But I'll argue that Accessibility is actually more important than Security because dialing Accessibility to zero means you have no product at all, whereas dialing Security to zero can still get you a reasonably successful product such as the Playstation Network.
The extended enterprise requires you to think outside the box (or…get a bigger box)
Diagram: three dimensions of the extended enterprise
- App sourcing and hosting: on-premises enterprise apps, apps in private clouds, apps in public clouds, SaaS apps, partner apps
- App access channels: enterprise computers, enterprise-issued devices, personal devices, public computers
- User populations: employees, contractors, partners, members, customers
Even social use cases press for better access control with accessibility and agility
And yet SAML-based identity federation still reaches mostly large enterprises with deep pockets
Source: October 26, 2011, “OpenID Connect Heralds The ‘Identity Singularity’” Forrester report
And loosely coupled SOA security solutions aren’t rushing to fill the gap
Source: January 5, 2009 Forrester report “Web Services Security Specifications: WS-Security Achieves Critical Mass Of User Adoption”
Introducing Zero Trust Identity
In Zero Trust, all interfaces are untrusted. Assume every business and IAM function is “equally far apart,” and treat all traffic among them as untrusted until it proves itself otherwise.
Source: September 14, 2010, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security” Forrester report
Plan for both inward and outward identity propagation
Diagram: inward and outward identity propagation
- The organization serves as an identity server for business functions: internal to the organization, at external partners, and exposed to customers
- The organization serves as an identity client of user stores (staff, institutional, and consumer user stores) for functions internal to the organization
- A security token service (STS) handles token issuance, translation, and consumption.
Source: March 22, 2012 “Navigate The Future of IAM” Forrester report
Go from IDaaS to “IAM as an API”
Diagram: the API façade pattern, and the same pattern applied to IAM functions
- API façade pattern: API clients on the Internet reach web service and app APIs (back-end apps, web apps, mobile apps . . .) through scale-out infrastructure
- Applying the pattern to IAM functions: IAM API clients (business apps) on the Internet reach APIs for authentication, authorization, provisioning . . . through IAM infrastructure
- The business app’s own API determines access control granularity
- Robustly protect all interfaces, regardless of their sourcing model
Source: March 22, 2012 “Navigate The Future of IAM” Forrester report
New identity solutions disrupt…but attract.
Or: “The good thing about reinventing the wheel is that you can get a round one.” – Douglas Crockford, inventor of JavaScript Object Notation (JSON)
Source: tom-margie | CC BY-SA 2.0 | flickr.com
Emerging standards for IAM interfaces have an edge over traditional ones for Zero Trust
Diagram: IAM functionality mapped against established SOA-friendly standards and emerging web-friendly standards
- Provisioning, proofing, self service
- Authentication, session management, SSO, federation
- Authorization, consent, access control
Emerging web-friendly standards named on the slide: SCIM, OpenID Connect
Why are these technologies attractive? Security pros’ control diminishes with distance
OAuth magic: let a person delegate constrained access from one app to another
OpenID Connect magic: turn SSO into a robust OAuth-protected identity API
Table (rebuilt from the slide’s row and column labels): what each family of standards covers
- SAML and OpenID SSO standardize: initiating the user’s login session; high-security identity tokens (SAML only)
- OAuth delegated authorization standardizes: collecting the user’s consent to share attributes
- OpenID Connect standardizes: initiating the user’s login session; collecting the user’s consent to share attributes; high-security identity tokens (using JSON Web Tokens); distributed and aggregated claims; session timeout (on the docket)
An OpenID Connect killer app: “Street Identity”
1. Service provider (SP) needs trusted data
2. Attribute provider (AP) has it
3. Identity provider (IdP) can broker your permission to provide it
4. AP can demand a fee from SP for it
5. Lather, rinse, and repeat for: credit scores; verified email addresses; proofed identities backed by strong authentication…
OpenID Connect will dramatically lower the price and complexity bar for all identity federation
Already exposing customer identities using a draft OpenID Connect-style API
Working to expose workforce identities through OpenID Connect
LOB apps and smaller partners can get into the federation game more easily; complex SAML-based solutions will see price pressure over time
UMA magic: turn sharing of online access with others into an OAuth-derived “privacy by design” solution
- Alice-to-Alice, Alice-to-Bob, Alice-to-org…and org-to-org
- Claims-based and policy-based authorization – not just consent
- User can impose terms and conditions on requesters – not just accept terms
- Centralizable authorization function – not just point-to-point
Killer apps for UMA
- UMAnized Street Identity: centralized management and policy-driven sharing of addresses etc. with anyone
- APIified access management: direct control and auditing of all employee SaaS access
- Zero Trust B2B2C privacy: telco allows location sharing today – and health record sharing tomorrow
Diagram labels (the three role models side by side): IdP, AP, RP; PDP, PEP, requester; AS, RS, client
One research organization’s experience with emerging IAM technologies for “Enterprise 2.0”
Approach:
- IdP proxy from internal SAML SSO systems
- Leverage OpenID (and soon OpenID Connect)
- “Graylist” approach: users take responsibility for dynamic external service provider choices – the organization is in charge of whitelists and blacklists
- Devs partnered with IT from the beginning – rationale that worked: “Ad hoc login creation is worse”
Objectives:
- Unified authentication and authorization flows for all protected resources
- Serve internal and external users alike, using internal and external apps
- Remove friction and risk in getting all new internal apps to federate
- Enable brokered distributed attribute provisioning
- Enable use by people with pre-proofed high-quality credentials
Its architecture
Diagram labels: corporate firewall, DMZ, intranet, user data database, internal OP, external OP, corporate SSO, two-factor signon
Its results
IT gets a level of comfort by operating production-quality servers itself
New internal apps federate “by default” even if they’re in the long tail
Dynamic associations with external apps are auditable
Not enough external SaaS providers are enabling standardized inbound SSO
While they prefer OAuth-based tech, OpenID 2.0 has become legacy already!
Drawing lessons from this experience
Low-usage internal apps aren’t necessarily low-sensitivity apps; protect them by reducing friction
For extranet apps and APIs, think light weight, particularly for partners with unsophisticated IT
Expect protocol discussions to reflect partner power relationships
Bet on “reach” vs. “rich” – in distributed computing, it always wins in the end
The Old Enterprise
- Formal and structured security & connectivity: VPNs & proprietary protocols for thick clients, HTTP(S) for browsers, SOAP+WS-* for B2B
- Diagram labels: enterprise network, line of business servers, firewall; road warriors with VPN, browser clients (SSL), formal trading partners (WS-S)
The New Hybrid Enterprise
- Highly agile security & connectivity: REST, OAuth, OpenID Connect, UMA
- Diagram labels: enterprise network, line of business servers, firewall; mobile devices, clouds, informal API-driven integrations
The Hybrid Enterprise Made Possible By APIs
Diagram labels: web app, API server, web client, mobile app
An API is a RESTful service
For example, the resource http://services.layer7.com/staff/Scott is represented as:
{
  "firstName": "Scott",
  "lastName": "Morrison",
  "title": "CTO",
  "address": {
    "streetAddress": "405-1100 Melville",
    "city": "Vancouver",
    "prov": "BC",
    "postalCode": "V6E 4A6"
  },
  "phoneNumber": [
    { "type": "office", "number": "605 681-9377" },
    { "type": "home", "number": "604 555-4567" }
  ]
}
Why Zero Trust?
Source: http://www.yurock.net/santa-getting-arrested/
What Do These Do?
- OAuth: to get access to an API.
- OpenID Connect: to share information about users.
- UMA: to give a user the power to control how their attributes are shared.
How to Make OAuth Easy
- Simple, drop-in virtual or hardware gateway
- Acts as both Authorization Server (AS) and Resource Server (RS)
- Advanced security on all APIs: threat detection, audit, QoS management, etc.
Diagram: inside the enterprise network, behind the firewall, a SecureSpan Gateway protecting the RS and a SecureSpan Gateway as AS sit in front of the protected resource and the directory; outside are mobile devices, clouds, webapps, etc. and informal, API-driven integrations
All authorization grants: authorization code, implicit, resource owner password credentials, client credentials
How to Make OAuth Web Scale
Diagram: the DMZ behind Firewall 1 holds a SecureSpan Gateway cluster as RS and a SecureSpan Gateway cluster as AS; the secure zone behind Firewall 2 holds the SecureSpan Gateway as secure token store, the directory, and the protected resource
How to Make OAuth Scale – Architecture
Diagram: OAuth components across the Internet, the DMZ, and the internal (secure) network
- Client (Internet)
- API proxy server (DMZ): endpoints accessible through an API, accessed when the client requests resources
- Resource server: decides who is asking, which API, what scope, is the token valid, etc.
- Authorization server: endpoints accessible through the OAuth protocol API, accessed when the client requests user authorization and tokens; prove who you are, authorize entitlement, etc.
- Token server, backed by the token store: create, check, expire, revoke, etc.
- OVP and client store (internal network)
- Resource provider (internal network)
- IDMS: accessible through an LDAP query
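The resource-server and token-server checks the diagram lists (who is asking, which API, what scope, is the token valid; create, check, expire, revoke) as a small runnable model. This is an added example, not Layer 7 code and not how the SecureSpan Gateway implements them; the opaque-token format, the API-to-scope table, the injectable clock and every name are assumptions made for the example.

```python
"""Model of the token-server and resource-server checks on the slide (added example)."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Token:
    client_id: str      # who is asking (the registered OAuth client)
    subject: str        # the resource owner the grant was issued for
    scopes: frozenset   # what scope the client was granted
    expires_at: float   # absolute time; tokens past this are dead
    revoked: bool = False


class TokenStore:
    """Token server: create, check, expire, revoke (the slide's four bullets).

    Tokens are opaque random strings (assumed design): possession of the string
    is the only credential, and nothing can be read out of it.
    """

    def __init__(self, lifetime_s=3600, clock=time.time):
        self._tokens = {}
        self.lifetime_s = lifetime_s
        self.clock = clock  # injectable so expiry can be tested deterministically

    def create(self, client_id, subject, scopes):
        value = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._tokens[value] = Token(client_id, subject, frozenset(scopes),
                                    self.clock() + self.lifetime_s)
        return value

    def check(self, value):
        """Return the Token if it exists, is unrevoked and unexpired; else None."""
        tok = self._tokens.get(value)
        if tok is None or tok.revoked or tok.expires_at <= self.clock():
            return None
        return tok

    def revoke(self, value):
        tok = self._tokens.get(value)
        if tok is not None:
            tok.revoked = True  # keep the record so a replay still fails closed

    def expire_stale(self):
        """Drop tokens past their lifetime; returns how many were removed."""
        now = self.clock()
        stale = [v for v, t in self._tokens.items() if t.expires_at <= now]
        for v in stale:
            del self._tokens[v]
        return len(stale)


# Which API needs which scope (constructed table; the staff path is the page's example resource).
API_SCOPES = {
    "/staff/Scott": {"staff:read"},
    "/staff": {"staff:read", "staff:list"},
}


def authorize_request(store, path, auth_header):
    """Resource-server decision: who is asking, which API, what scope, is the token valid."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"
    tok = store.check(auth_header[len("Bearer "):])
    if tok is None:
        return 401, "invalid, expired or revoked token"  # one answer for all three
    required = API_SCOPES.get(path)
    if required is None:
        return 404, "unknown API"
    if not required <= tok.scopes:
        return 403, "insufficient scope"
    return 200, f"{tok.subject} via {tok.client_id}"


if __name__ == "__main__":
    store = TokenStore(lifetime_s=60)
    t = store.create("mobile-app", "scott", ["staff:read"])
    print(authorize_request(store, "/staff/Scott", "Bearer " + t))  # (200, 'scott via mobile-app')
    print(authorize_request(store, "/staff", "Bearer " + t))        # (403, 'insufficient scope')
    store.revoke(t)
    print(authorize_request(store, "/staff/Scott", "Bearer " + t))  # (401, 'invalid, expired or revoked token')
```

The order of the checks matters for the "plan for failure" point in the summary: token validity is decided before the API is looked up, so an unauthenticated caller learns nothing about which paths exist, and a revoked token stays in the store until it ages out so a late replay cannot be mistaken for an unknown token.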
Priority #2: Introduce OpenID Connect
Diagram: OpenID Connect endpoints added to the OAuth architecture across the internal (secure) network, the DMZ, and the Internet
- Core: UserInfo (provide access token; get attributes, e.g. family_name, picture, gender, birthdate, etc.) and CheckID (provide ID token; validate and return claims)
- Optional: SessionMgmt, DynamicReg, Discovery
- Also shown: OVP, client store, token store, resource server, IDMS (accessible through an LDAP query), resource provider, client on the Internet; endpoints accessible through an API; endpoints accessible to outside clients
- Further endpoints: 1. refresh endpoint 2. end session endpoint
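The CheckID step above (provide ID token; validate and return claims) as an added Python example, not code from the page or from the OpenID Connect specification. It mints and validates a compact JWT-shaped ID token with a shared HMAC key (HS256) so that it runs offline with the standard library; real OpenID providers normally sign with an asymmetric key that the relying party fetches via Discovery, and only the signature step would change. The issuer, audience, key, claim values, error messages and function names are all constructed for the example.

```python
"""Mint and validate an HS256 ID token: the CheckID step (added example)."""
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdTokenError(ValueError):
    """Raised for any reason the token must not be accepted."""


def mint_id_token(key, issuer, audience, subject, claims, now, lifetime_s=300, nonce=None):
    """What the OP's token endpoint would emit (HS256 so the example is self-contained)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience, "sub": subject,
               "iat": now, "exp": now + lifetime_s, **claims}
    if nonce is not None:
        payload["nonce"] = nonce  # binds the token to the login attempt that asked for it
    parts = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode())
             for x in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token, key, issuer, audience, now, nonce=None, leeway_s=0):
    """Validate and return claims; every failure raises IdTokenError (fail closed)."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except ValueError:
        raise IdTokenError("malformed token")
    # Pin the algorithm the RP expects; never let the token choose (rules out "none" and key confusion).
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise IdTokenError("bad signature")
    claims = json.loads(_b64url_decode(p))  # only now is the payload trustworthy
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        raise IdTokenError("token not intended for this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway_s <= now:
        raise IdTokenError("expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch")  # a token replayed from another login
    return claims


if __name__ == "__main__":
    key = b"demo-shared-secret"       # constructed; never a literal in real code
    now = 1_700_000_000
    tok = mint_id_token(key, "https://op.example", "client-123", "scott",
                        {"family_name": "Morrison", "picture": "https://op.example/scott.jpg"},
                        now, nonce="n-1")
    print(validate_id_token(tok, key, "https://op.example", "client-123", now + 10, nonce="n-1"))
```

Each check corresponds to a distinct failure the relying party must refuse: a forged or altered token (signature), a token from some other provider (issuer), a token legitimately issued to a different client and replayed here (audience), a stale token (exp) and a token captured from another login flow (nonce).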
Summary
Implement OAuth now!
- Don’t roll your own
- Plan for failure
- Plan for scale
Plan for OpenID Connect
- Understand what you need to share
- Look to integration with existing identity providers
Keep a very close eye on UMA
- This is the missing piece in the puzzle
- Maturing very fast
Questions?
Scott Morrison, CTO, Layer 7 Technologies, [email protected]
Eve Maler, Principal Analyst, Forrester Research, Inc., [email protected]