catalyst 2015: patrick harding

Upload: www.pingidentity.com

Post on 17-Aug-2015
TRANSCRIPT

  1. A NEW APPROACH TO SECURING THE ENTERPRISE: IDENTITY DEFINED SECURITY. Patrick Harding, Chief Technology Officer, @patrickharding
  2. Agenda
     1. Changing Trends in Identity Architecture
     2. Top 4 Security Design Rules (the slide shows "Top 3" corrected to 4)
     3. Apple Watch Demo
     4. What Can Be Accomplished Today
     5. Recommendations
     Copyright 2015 Ping Identity Corp. All rights reserved.
  3. CHANGING TRENDS IN IDENTITY ARCHITECTURE. Spoiler: It's Cloud! And Mobile!
  4-7. MAJOR TRENDS SHAPING THE MARKET (one slide, built up over four clicks)
     - 5.2B global mobile users
     - 11.5B mobile-ready devices
     - 4.6B smartphones
     - 738 cloud services used by an average enterprise
     - 82% of enterprises have a hybrid cloud strategy
     - 26B connected devices in 2020, a 30x increase within the decade
  8. BREACH, BREACH, BREACH. Web app attacks: phish the customer, get credentials, abuse the web application, empty the bank/bitcoin account. Over 95% of these incidents involve harvesting credentials from customer devices, then logging into web applications with them. Source: 2015 Verizon Data Breach Investigations Report
  9. The Golden Years of Leveraged AuthN. Diagram: Provisioning, WAM and Federation on top of LDAP (you); Internal Web Apps; Partner Domain Web Apps reached via SAML (your partners). Users in directories; security policies: expiry, lockout, history; applications in the web browser.
     - Level 1: common repository
     - Level 2: internal apps secured via WAM
     - Level 3: external apps secured via SAML
  10. What Those Architectures Do Well
     - Common authentication ceremony: the user manages one password and uses it in a trusted place
     - Secure introduction of users between domains
     - Security for passive web contexts, where the user manipulates a browser
     - Central policy definition/enforcement
     Confidential do not distribute
  11. What Those Architectures Do Poorly
     - Address the security risk of active software at run-time: clients collecting & storing passwords for replay; passwords transmitted on every API fetch; every API validating passwords
     - Address pain for developers: API keys & certificates poorly protected in scripts; adding XML parsers & signature validation to mobile apps is problematic
     - Scale to millions of partners
  12. One Trend to Bind Them All. Cloud pushed the industry towards externalized interfaces for everything, not just identity, and REST beat out SOAP. Mobile forced us to accept asymmetrical trust relationships, because instead of BIG software on websites we now also have small software on devices. Standards evolved to deliver OAuth 2.0: not user identity, but software (client) identity.
  13. TOP 4 SECURITY DESIGN RULES. Bonus! 6 Architectural Principles
  14. ARCHITECTURAL PRINCIPLES: INTERNET SCALE; FEDERATED ARCHITECTURE; ALL IDENTITIES; BUILT ON STANDARDS; WEB, MOBILE & API; FLEXIBLE DEPLOYMENT. 6 PRINCIPLES THAT MEET MODERN SECURITY COMPLEXITIES AND SCALE TO ADDRESS FU
  15. Top 4 Security Rules. Attackers will compromise access. Identity tools to combat this include:
     1. Compartmentalization
     2. Ephemerality
     3. Automation
     4. Accountability
     Things happen fast, change often, are always watched, and the identity of all actors is explicitly part of all interactions. If theft does occur, the bad guys get as little as possible for as short a time as possible, and the path of compromise can be traced.
  16. Security Rules Drive the Architecture. Diagram labels: Identity Platform; Dynamic Access Control; User Context; Automation; Resources; Bounded Credentials; Client; Primary Credentials.
  17. The Identity Platform
     - Abstracts authentication services from resources
     - Automates & controls clients
     - Issues and authorizes tokens
     - Recognizes context
     - Coordinates the ecosystem
  18. Modern Honeycomb Identity Architecture. Diagram cells: Your Data; Your Identity Infrastructure; Other Web, Mobile & API; Other Data; Your Mobile & API; Other Identity Infrastructure; All Kinds of B2B Clients; All Kinds of Users; Other Authentication Service; Your Apps.
  19. Honeycomb Architecture
     - Pick the cells that fit your business use case: mobile, IoT; consumer/enterprise SSO; enterprise service bus
     - Cells may exist in separate internet contexts
     - Interaction between cells is standardized
  20. Automation & Accountability. Same diagram as slide 16: Identity Platform; Dynamic Access Control; User Context; Automation; Resources; Bounded Credentials; Client; Primary Credentials.
  21. Standards at Work
     - OAuth 2.0 (RFC 6749/6750): authorization framework for software clients; enables clients to present scoped authorization tokens to REST APIs
     - OpenID Connect (built on OAuth 2.0): clients and the identity platform request & assert identifiers and attributes with integrity & confidentiality
     - SAML: gold standard for web SSO; XML/SOAP-based
     - SCIM: standardized REST API for creation and synchronization of user accounts/attributes
     - FIDO: standardization of authenticators; password-less and 2nd factor
     - Account Chooser: user discovery specification; migration from IdP discovery to user discovery
  22. Primary Credentials. Supply enough primary credentials, and the assumption is that the real subject is present. Impersonation through compromise of primary credentials is the greatest risk in the industry today (see: credential farming). Goal: protect primary credentials in every way possible. Examples: passwords, API keys, MFA authenticator interactions, certificates, FIDO.
  23. Bounded Credentials: ephemeral tokens representing not just the subject but the subject and its context.
     - Access tokens: access to a limited scope, on behalf of the subject, executed by a specific client, valid for a limited time
     - JWTs: introduction of the subject to a specific audience, valid for a short period of time
     - ID tokens: introduction of the subject to a specific audience from a known issuer, based on a specific authentication interaction
  24. APPLE WATCH DEMO. Identity architecture demos are boring unless they are cunningly disguised as Apple Watch demos.
  26. What you just saw
     - Single trusted authentication ceremony
     - Low-friction 2nd-factor authentication
     - Transformation of primary credentials into bounded credentials
     - Protection of both web and native resources
  27. WHAT CAN BE ACCOMPLISHED TODAY. World peace! OK, well, let's not go crazy.
  28. Federated Access Management
     - Contextual Authentication: active and passive challenges and contexts, designed to mitigate risks
     - Federated Sign-on: distribution of tokens and assertions that represent users in a compartmentalized, ephemeral, automated, accountable way; application of policy at the time of the access request
     - Access Security: validation of tokens and assertions; enforcement of policy & intelligence beyond token validity at the time of resource use
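The two halves of slides 23 and 28, minting a bounded credential and then checking every one of its bounds at the resource, as an added worked example. This is not Ping Identity code and not from the deck: the issuer and audience URLs, the `client_id` claim name and the scenarios are assumptions, and the token is an HS256 JWT with a shared secret purely so it runs on the Python standard library (a real identity platform signs with an asymmetric key so resources can validate but never mint). The `max_auth_age` check at the end is the "policy beyond token validity" step: the token is still valid, but the slide's ID-token style `auth_time` bound says the subject authenticated too long ago for a sensitive scope.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for this added example (not Ping Identity code): issuer URL,
# audience URL and the client_id claim name are illustrative; the key is a
# shared HMAC secret only so the example runs offline on the standard library.
SIGNING_KEY = b"example-shared-secret-not-for-production"
ISSUER = "https://idp.example.com"           # hypothetical identity platform
AUDIENCE = "https://api.example.com/orders"  # hypothetical resource server


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()


def mint_token(subject, client_id, scope, audience=AUDIENCE, ttl=300, now=None, extra=None):
    """Identity platform side: turn a finished authentication ceremony into a
    bounded credential. Each bound on the slide is an explicit claim: subject
    (sub), client (client_id), scope, audience (aud), issuer (iss), lifetime (exp)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": subject, "aud": audience, "client_id": client_id,
              "scope": scope, "iat": now, "exp": now + ttl}
    claims.update(extra or {})
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    return signing_input + "." + _b64url(_sign(signing_input))


class TokenRejected(Exception):
    pass


def validate_token(token, expected_client, required_scope, audience=AUDIENCE,
                   now=None, max_auth_age=None):
    """Resource side ("Access Security"): verify the signature, then every bound,
    then a policy beyond validity: for sensitive scopes, require a recent auth_time."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed")
    h64, c64, s64 = parts
    # Pin the algorithm; never let the token choose it (blocks alg=none).
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    if not hmac.compare_digest(_sign(h64 + "." + c64), _b64url_decode(s64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != ISSUER:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenRejected("expired")
    if claims.get("client_id") != expected_client:
        raise TokenRejected("wrong client")
    if required_scope not in claims.get("scope", "").split():
        raise TokenRejected("insufficient scope")
    if max_auth_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, int) or now - auth_time > max_auth_age:
            raise TokenRejected("reauthentication required")
    return claims


def check(token, client, scope, **kw):
    """'ok' or the rejection reason; used by demo() below."""
    try:
        validate_token(token, client, scope, **kw)
        return "ok"
    except TokenRejected as exc:
        return str(exc)


def demo(now=1_700_000_000):
    """Constructed scenarios: which bound each kind of misuse trips."""
    tok = mint_token("alice", "mobile-app", "orders:read orders:write",
                     now=now, extra={"auth_time": now - 60})
    h64, c64, s64 = tok.split(".")
    widened = json.loads(_b64url_decode(c64))            # client edits its own token...
    widened["scope"] = "orders:read orders:write orders:admin"
    forged = h64 + "." + _b64url(json.dumps(widened).encode()) + "." + s64
    none_tok = _b64url(b'{"alg":"none"}') + "." + c64 + "."   # ...or drops the signature
    return {
        "good": check(tok, "mobile-app", "orders:read", now=now),
        "other_client": check(tok, "web-portal", "orders:read", now=now),
        "missing_scope": check(tok, "mobile-app", "orders:admin", now=now),
        "expired": check(tok, "mobile-app", "orders:read", now=now + 301),
        "other_audience": check(tok, "mobile-app", "orders:read", now=now,
                                audience="https://api.example.com/billing"),
        "forged_scope": check(forged, "mobile-app", "orders:admin", now=now),
        "alg_none": check(none_tok, "mobile-app", "orders:read", now=now),
        "stale_auth": check(tok, "mobile-app", "orders:write", now=now, max_auth_age=30),
    }
```

Run `demo()` to see each scenario mapped to the bound it violates. The order of checks matters: the signature is verified before any claim is read, and the algorithm is pinned by the resource rather than taken from the header, so a client that widens its own `scope` or strips the signature is rejected before its claims are ever parsed.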
  29. Identity Defined Security. Diagram labels: User Administration; Orchestration; Federated Provisioning; Federated Access Management (FAM); Federated Identity Management (FIM); Governance; Intelligence (risk/fraud/analytics); Continuous Authentication; Contextual Authentication; Federated Sign-on; Access Security.
  30. RECOMMENDATIONS. Call your mother.
  31. Create a Long-Term Plan
     - New identity architectures must handle all identities, all channels and all interaction methods at scale
     - OAuth 2.0 delivers scoped authorization as the foundation for identity; clients and user identity are tracked
     - The Identity Platform becomes a central element of a set of honeycomb cells that interoperate with each other via standards
     - Limitation/mitigation of exposure starts with compartmentalization of primary credentials; bounded credentials are
     - Interaction between authentication services, the identity platform, and access security at the resources will become more intelligent in the future
  32. Address Immediate Risk: Credential Farming. If an employee reuses the same email and password at http://iloveipa.com and for your corporate VPN, and an attacker compromises http://iloveipa.com, can they walk right in your front door? Now is the time to explore second-factor auth. Be creative. Don't expect the first thing to work. But at all costs, disrupt those password reuse attacks.
  33. Read the Verizon Data Breach Report (http://www.verizonenterprise.com/DBIR/): over 95% of web application attack incidents start with a compromised credential. If you can't detect them coming in, then detect them going out; egress monitoring can be your friend. Long-term planning is for analytics to find trends in sessions, usage patterns and anomalies.
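The password-reuse attack of slide 32 looks like this in an authentication log, and the "detect them coming in" analytics of slide 33 can start from a single signal: one source trying many different accounts in a short window, which an ordinary user never does. The following is an added example, not code from the deck or from Ping Identity; the log format and the sample lines are constructed for illustration, and the threshold values are assumptions to tune per application.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of login events (not real data, not a real log format):
# "<ISO-8601 UTC timestamp> <source IP> <username> <FAIL|SUCCESS>".
# 203.0.113.7 replays a list of email/password pairs stolen elsewhere; one
# pair still works because that user reused the password.
# 198.51.100.4 is an ordinary user who mistypes once; 192.0.2.10 is normal too.
SAMPLE_LOG = """\
2015-08-17T09:00:01Z 203.0.113.7 jsmith FAIL
2015-08-17T09:00:02Z 203.0.113.7 mjones FAIL
2015-08-17T09:00:03Z 203.0.113.7 agarcia FAIL
2015-08-17T09:00:04Z 203.0.113.7 bwong FAIL
2015-08-17T09:00:05Z 203.0.113.7 cpatel FAIL
2015-08-17T09:00:06Z 203.0.113.7 dnguyen FAIL
2015-08-17T09:00:07Z 203.0.113.7 eroth FAIL
2015-08-17T09:00:09Z 203.0.113.7 klee SUCCESS
2015-08-17T09:05:00Z 198.51.100.4 jsmith FAIL
2015-08-17T09:05:20Z 198.51.100.4 jsmith SUCCESS
2015-08-17T10:30:00Z 192.0.2.10 mjones SUCCESS
"""


def parse(log_text):
    """Parse log lines into (time, ip, user, outcome) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, user, outcome))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window_seconds=60, min_distinct_users=5):
    """Flag a source that tries >= min_distinct_users different accounts within
    window_seconds (sliding window per source). A real user retries one account;
    a credential-farming replay cycles through many. Every SUCCESS from a flagged
    source is an account whose reused password is burned: force a second factor
    or a reset on it rather than trusting the session."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({e[2] for e in evs[start:end + 1]}) >= min_distinct_users:
                findings[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({e[2] for e in evs}),
                    "failures": sum(e[3] == "FAIL" for e in evs),
                    "accounts_to_step_up": sorted({e[2] for e in evs if e[3] == "SUCCESS"}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample, only 203.0.113.7 is flagged, and `klee` is the account that must be stepped up even though its login "succeeded". Attackers who know this signal spread attempts across many source addresses, so in practice the same window logic is also run keyed by target account or by device fingerprint rather than by IP alone.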
  34. Intelligence is the Future. Think about what your inputs into an intelligence engine could be. Think about what your social contract with your users is: how you can signal that you are watching, but also how they can signal that they want privacy.
  35. Thank You!