cis13: identity trends and transients

Post on 15-Jan-2015


DESCRIPTION

Eve Maler, Principal Analyst Serving Security and Risk Professionals, Forrester

What are the bona fide trends in the shifting identity and access landscape? Which are mere shiny objects, destined to fade quickly and leave their fans in IT disappointed?

TRANSCRIPT


Trends, Transients, Tropes, and Transparents

Eve Maler, Principal Analyst, Security & Risk

Cloud Identity Summit July 10, 2013

© 2012 Forrester Research, Inc. Reproduction Prohibited

What are the T4 all about?

[Figure: 2x2 chart of the T4. Horizontal axis runs from "less well noticed" to "well noticed"; vertical axis runs from "closer to truthiness" to "closer to essential truth". Quadrants: Transparents, Transients, Trends, Tropes.]

• What are they?
• What is the evidence?
• What should you do about them?


Trend: webdevification of IT


Source: John Musser (formerly) of ProgrammableWeb.com

IN THE FUTURE, EVERY ENTERPRISE WILL OPEN AN API CHANNEL TO ITS DIGITAL PLATFORM


Confront the changes in your power relationship

[Figure: chart plotting value X against friction Y.]

ACCESS CONTROL IS ABOUT PROTECTION AND MONETIZATION


Source: April 5, 2013 Forrester report “API Management For Security Pros”

A lot of identities float around an API ecosystem


Open Web APIs are, fortunately, friendly to the Zero Trust security model

Initially treat all access requesters as untrusted. Require opt-in access. Apply identity federation through APIs.

Source: November 15, 2012, Forrester report “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security”


Trend: IAM x cloud


ZERO TRUST CALLS FOR DISTRIBUTED SINGLE SOURCES OF TRUTH

Federate at run time

Bind to authn repository

Synch accounts

Issue an unrelated account


Identity plays only an infrastructural role in most cloud platforms

[Figure: cloud services; IAM functions, user base and attributes; cloud identity product with an actual SKU.]

KEEP AN EYE OUT FOR DISRUPTION COMING FROM THE “CISDH” PLAYERS


Transient: XACML

Adoption has government/compliance drivers, few accelerators, and many inhibitors.

It’s critical to open up the market for long-tail policy evaluation engines.

Webdevified scenarios demand different patterns of outsourced authorization.

XACML 3 IS STUCK AT MODERATE SUCCESS AND IS HEADING FOR DECLINE


Authz grain needs to get…finer-grained

[Figure: grid of authorization grain. Policy inputs: roles, groups, attributes, entitlements. Resource accessed: domain, URL path, sets of API calls, field. Labelled regions, coarse to fine: WAM, scope-grained authz, XACML etc.]


Plan for a new “Venn” of access control


AN “XACML LITE” WOULD HAVE A POTENTIALLY VALUABLE ROLE TO PLAY
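The two slides above argue that authorization has to be decided at several grains at once: a web access manager (WAM) gates URL paths by role, an OAuth-style scope gates sets of API calls, and a finer policy engine ("XACML etc." or an "XACML lite") decides at the field level using attributes. The following is an added example, not code from the deck or from Forrester, that evaluates one request through all three grains in order, coarse to fine, with default deny at each. The subject, policies, paths and scope names are constructed for illustration.

```python
import fnmatch
from dataclasses import dataclass


# Constructed sample subject, shaped like what a directory or IdP would supply.
@dataclass
class Subject:
    sub: str
    roles: set          # policy input: roles/groups
    attributes: dict    # policy input: attributes
    scopes: set         # scopes carried by the calling app's token


@dataclass
class Request:
    subject: Subject
    method: str
    path: str
    fields_requested: set


# Grain 1 (WAM-style): URL path patterns, each gated by a set of roles.
PATH_POLICY = {
    "/api/accounts/*": {"employee", "customer"},
    "/api/admin/*": {"admin"},
}

# Grain 2 (scope-grained): a scope names a set of API calls (method + path pattern).
SCOPE_POLICY = {
    "accounts:read": {("GET", "/api/accounts/*")},
    "accounts:write": {("POST", "/api/accounts/*"), ("PUT", "/api/accounts/*")},
    "admin": {("GET", "/api/admin/*"), ("POST", "/api/admin/*")},
}

# Grain 3 (field-grained, attribute-based): a field is returned only if its
# predicate over (subject, path) holds. Fields with no predicate are never returned.
FIELD_POLICY = {
    "balance": lambda s, path: True,
    "ssn": lambda s, path: "pii_reader" in s.roles,
    "owner_notes": lambda s, path: path.endswith("/" + s.attributes.get("account_id", "")),
}


def path_allowed(req):
    """WAM grain: first matching path pattern decides; unknown paths are denied."""
    for pattern, roles in PATH_POLICY.items():
        if fnmatch.fnmatch(req.path, pattern):
            return bool(req.subject.roles & roles)
    return False


def scope_allowed(req):
    """Scope grain: some granted scope must cover this exact method + path."""
    for scope in req.subject.scopes:
        for method, pattern in SCOPE_POLICY.get(scope, ()):
            if method == req.method and fnmatch.fnmatch(req.path, pattern):
                return True
    return False


def visible_fields(req):
    """Field grain: filter the requested fields down to what policy permits."""
    return {f for f in req.fields_requested
            if f in FIELD_POLICY and FIELD_POLICY[f](req.subject, req.path)}


def decide(req):
    """Return (decision, fields). Each grain can only narrow what the coarser one allowed."""
    if not path_allowed(req):
        return ("deny", set())
    if not scope_allowed(req):
        return ("deny", set())
    return ("permit", visible_fields(req))


if __name__ == "__main__":
    alice = Subject("alice", {"customer"}, {"account_id": "42"}, {"accounts:read"})
    print(decide(Request(alice, "GET", "/api/accounts/42", {"balance", "ssn", "owner_notes"})))
```

The ordering matters for the deck's point: the path grain alone would let a customer's app POST to an account it can read, and the scope grain alone would let a read-scoped token pull the SSN field; only the combination gives a usable answer, and each layer denies by default when it has no matching rule.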


Trope: “Passwords are dead” OH, YEAH?

correct horse battery staple

We struggle to maximize authentication quality

Source: June 12, 2013 “Introducing The Customer Authentication Assessment Framework” Forrester report

PARTICULARLY IN CONSUMER-FACING SERVICES

Authentication schemes have different characteristics

Source: June 12, 2013 “Introducing The Customer Authentication Assessment Framework” Forrester report, based on “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes”

[Figure: comparison table of authentication schemes scored with ✘, ✔ and ? marks; one cell is starred.]

*S2 is an affordance of passwords for “consensual impersonation”


Think in terms of “responsive design” for authentication


LEVERAGE STRENGTHS AND MITIGATE RISKS – ONCE YOU KNOW THEM

User identification based on something they know, have, are, or do.


Transparent: time-to-live strategies

EXPIRATION HAS OUTSIZED VALUE VS. EXPLICIT REVOCATION OF ACCESS IN ZERO-TRUST ENVIRONMENTS
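The slide's claim is that a credential which dies on its own needs no coordination to stop working, whereas explicit revocation only works at verifiers that have received the revocation. The following is an added example, not code from the deck or from Forrester, of a minimal HMAC-signed bearer token with an `exp` claim: every verifier holding the key rejects it after expiry with no shared state, while revoking it early requires passing a revocation set to each verifier. The key, claim names and time values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key shared by issuer and verifiers (assumption; not a real deployment value).
KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(sub, scopes, ttl_seconds, now=None):
    """Mint a token whose lifetime is fixed at issue time: exp = iat + ttl."""
    now = int(time.time() if now is None else now)
    payload = {
        "sub": sub,
        "scope": sorted(scopes),
        "jti": secrets.token_hex(8),   # unique id, the handle a revocation list would key on
        "iat": now,
        "exp": now + ttl_seconds,
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify(token, now=None, revoked=frozenset()):
    """Return the payload if the token is authentic and live, else None.

    TTL check needs only the key and a clock. The revocation check is the
    contrast: it only helps at verifiers that were handed the `revoked` set.
    """
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None   # tampered or forged
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return None   # expired: dies everywhere, with no coordination
    if payload["jti"] in revoked:
        return None   # explicitly revoked: only at verifiers holding this set
    return payload


if __name__ == "__main__":
    t = issue("alice", {"accounts:read"}, ttl_seconds=300, now=1_000_000)
    print(verify(t, now=1_000_100))   # live
    print(verify(t, now=1_000_300))   # None: expired
```

Short TTLs trade off against refresh traffic: the shorter the lifetime, the smaller the window in which a leaked or stale token is honoured anywhere, and the less a revocation mechanism has to cover. The `jti` is what an explicit revocation list would key on, and the example shows that such a list has no effect at a verifier that never receives it.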


Summary of the T4

[Figure: the T4 summary chart. Horizontal axis runs from "less well noticed" to "well noticed"; vertical axis runs from "closer to truthiness" to "closer to essential truth".]

Transparent: Time-to-live strategies

Transient: XACML

Trends: Webdevification of IT; Cloud x IAM

Trope: “Passwords are dead”

Thank you

Eve Maler
+1 617.613.8820
emaler@forrester.com
@xmlgrrl