The Case For Next Generation IAM
GARTNER IAM 2014 THE CASE FOR NEXT GENERATION IAM Patrick Harding, CTO @patrickharding
100214.01.02 Copyright © 2014 Ping Identity Corp. All rights reserved.
“Big 3” Trends Driving Industry Change
Changing Risk Mediums: increasing data breach and fraud
Changing Application Mediums: SaaS, IaaS/PaaS & private clouds
Changing Consumption Mediums: mobile devices and Things
2013: Another Year of Stolen Credentials
2,164 security breaches
822M records exposed
48% of the time passwords were exposed (top data type exposed)
2 out of 3 involve stolen or misused credentials
Sources: 2014 Verizon DBIR and Data Breach QuickView 2014
Future State: ‘Coffee Shop IT’
(Diagram, built up across several slides: the User reaches Public Cloud, Private Cloud, SaaS and many more providers, each exposing APIs and websites, over a shared ‘Cloud Rail’.)
Future State: Smart, Connected Products
• All enterprises will ‘connect’ with their customers
• Products will have an identity and collect data
• Mobile device becomes the control hub
• Users access product data via web and native apps
• Protect customer and product data from unauthorized use
• New authentication processes
• Different access privileges
The Paradigm Shift driven by cloud and mobile
Identity is the new perimeter – Dan Headrick, GE
76% of Network Intrusions Exploited Weak or Stolen Passwords
Traditional IDENTITY MANAGEMENT not working
How To Design Access to Resources?
Getting users to their resources is a product of standards and scale
What emerging trends will change the way this is done?
Yesterday’s IAM
• Single domain
• Web-only
• On-premises software
• Stack of products
• Proprietary technology
• Complex integration
Next Generation IAM | SIX PILLARS
• Federated Architecture
• Built on Standards
• Web, Mobile & API
• All Identities
• Internet Scale
• IDaaS + Software
A Basic Web SSO Architecture
(Diagram: an Identity Repository, Authentication Service(s) and Federation Services form the central infrastructure; Your Web Apps connect to it by direct integration or SAML, Third Party Apps by SAML.)
SAML: Big, Trusted, Web Browser Centric
<saml:Assertion Issuer="YourBank" ID="iTbhngStGlagG.TpT">
  <saml:Conditions NotBefore="2014-04-30"/>
  <saml:Subject>pharding</saml:Subject>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"/>
  <saml:AttributeStatement>
    <saml:Attribute name="FirstName">Patrick</saml:Attribute>
    <saml:Attribute name="LastName">Harding</saml:Attribute>
  </saml:AttributeStatement>
  <ds:Signature>…crypto…</ds:Signature>
</saml:Assertion>
SAML ROI
• Introduction Service – sends structured, signed XML documents to applications; includes a subject
• Security/Validation – issuer, audience, validity window, signatures
• Visibility – nobody visits an app unless central infrastructure approves
If you only need Web SSO, Stop Here
• Well known design pattern
• You can buy the whole thing as IDaaS with very little technical know-how
• Scale up, go crazy
(Image courtesy https://flic.kr/p/4Btadi)
Some Folks Need More
(Image courtesy Matt Morgan https://flic.kr/p/6Thyod)
• APIs and Mobile
• Massive Scale
• Customer & Workforce
• Lower Overhead
• Self-Service
Why are Mobile/API Different?
• Web SSO – the user is present, manipulating a “passive” client – the browser
• Mobile and API – a piece of active software (client) is executing, even if the user is not around – this active client may not be in a position to validate signatures or parse XML
YOUR IAM SYSTEM MUST KNOW THE DIFFERENCE BETWEEN THESE TWO USE CASES
OpenID Connect: Small, Not just Browser
{
  "iss": "https://yourbank.example.com",
  "sub": "pharding",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970,
  "auth_time": 1311280969,
  "acr": "urn:mace:incommon:iap:silver"
}
OpenID Connect: Delegated Missions
• Built on OAuth 2.0
• OAuth 2.0 gives you Access Tokens – delegated authorization tokens, made for active clients to access APIs
• OpenID Connect gives you ID Tokens – assertions similar to SAML; works as the initial introduction so the client can validate the authentication moment associated with an access token
• Next Gen Identity Protocol Stack – OAuth 2.0, OpenID Connect, SCIM
• Consistent architecture – for workforce, partners and customers; for web, devices, apps and things
• BONUS: Federated architecture allows for migration away from passwords
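The validation checks the deck lists for a SAML assertion (issuer, audience, validity window, signature) carry over unchanged to the OpenID Connect ID token shown above; the difference is that a JSON Web Token is small enough for an "active" mobile or API client to check itself. The following is an added example, not code from the deck or from Ping Identity: a relying party's ID token validation in Python using only the standard library, run over the deck's sample claims. To run offline it assumes HS256 with a shared client secret (a real OpenID Provider normally signs with RS256 and publishes its keys via JWKS); the secret, the clock values, and the forged tokens are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Issuer, client id and claims are the deck's sample values; the secret is constructed.
ISSUER = "https://yourbank.example.com"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-example-secret-not-for-production"

SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "sub": "pharding",
    "aud": CLIENT_ID,
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970,
    "iat": 1311280970,
    "auth_time": 1311280969,
    "acr": "urn:mace:incommon:iap:silver",
}


def _b64url(raw: bytes) -> str:
    """JWT segments are unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Stand-in for the OpenID Provider: HS256 JWS over the claims (constructed OP)."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def forge_alg_none(claims: dict) -> str:
    """Attacker-style token: header says alg=none and the signature segment is empty."""
    return _encode_json({"alg": "none", "typ": "JWT"}) + "." + _encode_json(claims) + "."


def tamper_subject(token: str, new_sub: str) -> str:
    """Attacker-style token: payload rewritten, original signature kept."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return header_b64 + "." + _encode_json(claims) + "." + sig_b64


def validate_id_token(token: str, expected_nonce: str, now=None,
                      secret: bytes = CLIENT_SECRET, leeway: int = 60):
    """Returns (claims, None) on success or (None, reason) on rejection.

    The algorithm is pinned by the relying party, never read from the token, and the
    signature is verified before any claim is trusted; then issuer, audience,
    validity window, nonce and subject are checked, as for a SAML assertion."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None, "malformed token"
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))

    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        return None, "wrong audience"
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        return None, "missing azp"
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        return None, "token expired"
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + leeway:
        return None, "issued in the future"
    if claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch"
    if not claims.get("sub"):
        return None, "missing subject"
    return claims, None


if __name__ == "__main__":
    # Constructed clock: 30 seconds after the sample token's iat.
    token = mint_id_token(SAMPLE_CLAIMS)
    print(validate_id_token(token, "n-0S6_WzA2Mj", now=1311281000))
    print(validate_id_token(forge_alg_none(SAMPLE_CLAIMS), "n-0S6_WzA2Mj", now=1311281000))
    print(validate_id_token(tamper_subject(token, "admin"), "n-0S6_WzA2Mj", now=1311281000))
```

The nonce is what ties the ID token to the client's own authentication request, so a token captured from another session is rejected even though its signature is valid; the pinned algorithm is what defeats the alg=none and key-confusion tricks that JWT libraries accepting the header's alg have fallen for. A client that cannot afford even this much (the "active client may not be in a position to validate signatures" case above) should instead send the token to the OpenID Provider or an introspection endpoint it trusts.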
Future Of IAM