cis13: identity trends and transients
DESCRIPTION
Eve Maler, Principal Analyst Serving Security and Risk Professionals, Forrester
What are the bona fide trends in the shifting identity and access landscape? Which are mere shiny objects, destined to fade quickly and leave their fans in IT disappointed?
TRANSCRIPT
Trends, Transients, Tropes, and Transparents
Eve Maler, Principal Analyst, Security & Risk
Cloud Identity Summit July 10, 2013
© 2012 Forrester Research, Inc. Reproduction Prohibited
What are the T4 all about?
[Diagram: the four T’s plotted on two axes, horizontal from “Less well noticed” to “Well noticed” and vertical from “Closer to truthiness” to “Closer to essential truth”: Transparents, Transients, Trends, Tropes]
• What are they?
• What is the evidence?
• What should you do about them?
Trend: webdevification of IT
Source: John Musser (formerly) of ProgrammableWeb.com
IN THE FUTURE, EVERY ENTERPRISE WILL OPEN AN API CHANNEL TO ITS DIGITAL PLATFORM
Confront the changes in your power relationship
[Figure: value X, friction Y]
ACCESS CONTROL IS ABOUT PROTECTION AND MONETIZATION
Source: April 5, 2013 Forrester report “API Management For Security Pros”
A lot of identities float around an API ecosystem
Open Web APIs are, fortunately, friendly to the Zero Trust security model
Initially treat all access requesters as untrusted. Require opt-in access. Apply identity federation through APIs.
Source: November 15, 2012, Forrester report “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security”
Trend: IAM x cloud
ZERO TRUST CALLS FOR DISTRIBUTED SINGLE SOURCES OF TRUTH
[Diagram: options for connecting cloud services to an identity source of truth: Federate at run time; Bind to authn repository; Synch accounts; Issue an unrelated account]
Identity plays only an infrastructural role in most cloud platforms
[Diagram: cloud services, the IAM functions each provides, its user base and attributes, and whether it offers a cloud identity product with an actual SKU]
KEEP AN EYE OUT FOR DISRUPTION COMING FROM THE “CISDH” PLAYERS
Transient: XACML
• Adoption has government/compliance drivers, few accelerators, and many inhibitors
• It’s critical to open up the market for long-tail policy evaluation engines
• Webdevified scenarios demand different patterns of outsourced authorization
XACML 3 IS STUCK AT MODERATE SUCCESS AND IS HEADING FOR DECLINE
Authz grain needs to get…finer-grained
[Diagram: authorization granularity, from coarse to fine. Policy input: roles, groups, attributes, entitlements. Resource accessed: domain, URL path, sets of API calls, field. Technology labels: WAM, scope-grained authz, XACML etc.]
Plan for a new “Venn” of access control
AN “XACML LITE” WOULD HAVE A POTENTIALLY VALUABLE ROLE TO PLAY
Trope: “Passwords are dead” OH, YEAH?
correct horse battery staple
We struggle to maximize authentication quality
Source: June 12, 2013 “Introducing The Customer Authentication Assessment Framework” Forrester report
PARTICULARLY IN CONSUMER-FACING SERVICES
Authentication schemes have different characteristics
Source: June 12, 2013 “Introducing The Customer Authentication Assessment Framework” Forrester report, based on “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes”
[Table: matrix scoring authentication schemes against the framework’s criteria with ✔, ✘ and ?; the cell-by-cell values are not recoverable from the extraction]
*S2 is an affordance of passwords for “consensual impersonation”
Think in terms of “responsive design” for authentication
LEVERAGE STRENGTHS AND MITIGATE RISKS – ONCE YOU KNOW THEM
User identification based on something they… Know, Have, Are, Do
Transparent: time-to-live strategies
EXPIRATION HAS OUTSIZED VALUE VS. EXPLICIT REVOCATION OF ACCESS IN ZERO-TRUST ENVIRONMENTS
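The time-to-live point above, as an added example that is not part of the talk or of any Forrester material: a toy HMAC-signed bearer token with an exp claim, checked by a verifier that needs only a clock, beside a verifier that must reach a revocation list and has to pick fail-open or fail-closed when it cannot. The key, token values and timings are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Set

KEY = b"constructed-demo-key"  # constructed for this example; never a real key


def mint(subject: str, jti: str, issued_at: int, ttl_s: int) -> str:
    """Issue an HMAC-signed token whose lifetime is bounded by an exp claim."""
    claims = {"sub": subject, "jti": jti, "iat": issued_at, "exp": issued_at + ttl_s}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def parse(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies, otherwise None."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def accept_ttl(token: str, now: int) -> bool:
    """Time-to-live strategy: the verifier needs only the token and a clock,
    so it behaves the same whether or not any central service is reachable."""
    claims = parse(token)
    return claims is not None and now < claims["exp"]


def accept_revocation(token: str, revoked: Optional[Set[str]], fail_open: bool) -> bool:
    """Explicit-revocation strategy: the verifier must consult a revocation
    source; revoked=None models that source being unreachable, which forces
    a fail-open (accept revoked tokens) or fail-closed (deny everyone) choice."""
    claims = parse(token)
    if claims is None:
        return False
    if revoked is None:
        return fail_open
    return claims["jti"] not in revoked


def exposure_seconds(ttl_s: int, detect_s: int, propagate_s: int) -> int:
    """Upper bound on how long a leaked token stays usable: the TTL caps the
    window no matter how long detection plus revocation propagation takes."""
    return min(ttl_s, detect_s + propagate_s)
```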
Summary of the T4
[Diagram: the four T’s plotted on two axes, horizontal from “Less well noticed” to “Well noticed” and vertical from “Closer to truthiness” to “Closer to essential truth”]
Transparent: Time-to-live strategies
Transient: XACML
Trends: Webdevification of IT; Cloud x IAM
Trope: “Passwords are dead”
Thank you
Eve Maler, +1 617.613.8820, [email protected], @xmlgrrl