cis14: lean in: enterprise cloud identity
DESCRIPTION
Mark Diodati, Ping Identity. An exploration of three specific trends—the inevitability of adaptive identity (and its impact on APIs), requirements for enterprise-grade IDaaS, and the great challenges of hybrid identity governance—along with recommendations for enterprises that are leaning into modern identity.
TRANSCRIPT
Nimble: Rethinking Enterprise Cloud Identity
Mark Diodati, Lean In: Enterprise Cloud Identity (@mark_diodati)
Laura E. Hunter, Zen and the Art of Enterprise Authentication (@adfskitteh)
John Tolbert, Is the Cloud Ready for Enterprise Identity and Security Requirements?
Lean In: Enterprise Cloud Identity
Mark Diodati Mon 14-07-21 [email protected] @mark_diodati
enterprises are leaning in to address cloud identity challenges
• constituencies to applications problem
• inability to provide identity services for most applications
leaning in: cloud identity management
IDaaS
• expansion and complexity
– who
– what
• (im)maturity of cloud applications and platforms
leaning in: cloud IGA
• who
• what
CLOUD IDENTITY MANAGEMENT
why cloud IAM?
• IAM requirements for apps in the cloud
  – corporate apps (email and office), CRM
  – IAM services are not necessarily in the cloud
• desire for IDaaS (identity management-as-a-service)
  – SaaS application model is disrupting IAM vendors
  – turnkey (faster time to value)
  – reduced costs (hardware and software)
  – elastic (pay as you grow)
cloud identity components: identity bridge
• bi-directional on-premises gateway
• translates on-premises 1.0 identity protocols (Kerberos, X.509, LDAP) to cloud 2.0 protocols (SAML, OAuth, OpenID Connect) and REST provisioning
• essential for most enterprises
diagram: the identity bridge shown beside IDaaS as the two cloud identity components
diagram, to the cloud via the identity bridge (columns: hosted, on-premises):
• on-premises: directory (Kerberos, X.509, LDAP), application
• identity bridge: federation IDP, directory sync, provisioning (REST)
• hosted: SaaS application (SSO)
diagram, from the cloud via the identity bridge (columns: hosted, on-premises):
• identity bridge: SAML SP, STS, OAuth RS and AS, OpenID Provider
• on-premises: applications (WAM cookie)
• hosted: partners and their applications
cloud identity components: IDaaS
• Identity Management as a Service
• externally-hosted, turnkey SaaS
• frequently used with an identity bridge
IDaaS market trends
• more IaaS and PaaS vendors are moving into IDaaS
  – Salesforce, Microsoft
  – AWS: evolving towards externalized identity
IDaaS market trends
• mobile authentication vendors will be absorbed into IDaaS
  – completes the IDaaS offering; has become, or will become, table stakes
  – MFA has diminished value without other identity services
IDaaS sub-market convergence
diagram: sub-markets converging into IDaaS: provisioning/governance, SSO/authentication, user management; capabilities shown: password vaulting, directory sync, federation, provisioning, access certification, multi-factor authn, separation of duties, self-service, administrative scoping & delegation, cloud directory
leaning in: IDaaS
diagram (columns: hosted, on-premises): the user authenticates to IDaaS; IDaaS provides provisioning and SSO to the SaaS application
IDaaS: internal directory
diagram (columns: hosted, on-premises): the user authenticates to IDaaS, which holds the user in its own directory, in front of the SaaS application
IDaaS: single directory (AD)
diagram (columns: hosted, on-premises): the user authenticates to on-premises Active Directory (Kerberos); directory sync copies AD users to IDaaS; IDaaS provides provisioning and SSO to the SaaS application
IDaaS: single directory (Google)
diagram (columns: hosted, on-premises): the Google directory is the single directory; IDaaS either syncs it or uses it as the runtime store ("sync or runtime"); the user authenticates and IDaaS provides provisioning and SSO to the SaaS application
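The directory-sync arrow in the single-directory diagrams above is where most IDaaS deployments get their users, and it is also where a bad export can deprovision a company. The following is an added example, not code from the talk or from Ping Identity: it reconciles an on-premises directory snapshot against what IDaaS currently holds, keyed by the immutable directory id rather than the login, and deactivates (never deletes) users who are disabled or gone. The record shapes, the DirUser/IdaasUser names, the sample users and the mass-deactivation guard are assumptions made for illustration; a real connector reads AD over LDAP and pushes the plan over the IDaaS REST provisioning API.

```python
"""Directory sync reconciliation: on-premises directory snapshot -> IDaaS user store.

Added example, not code from the talk or from Ping Identity.  The record
shapes, the DirUser/IdaasUser names, the sample users and the
mass-deactivation guard are assumptions made for illustration; a real
connector reads the vendor schema (AD over LDAP) and pushes the resulting
operations over the IDaaS REST provisioning API.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DirUser:
    """A user as read from the on-premises directory."""
    guid: str            # immutable directory id (objectGUID-style); the sync key
    login: str           # mutable: renamed on marriage, re-used after departures
    email: str
    enabled: bool        # account enabled in the directory
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class IdaasUser:
    """A user as currently stored in IDaaS (what the last sync produced)."""
    external_id: str     # holds the directory guid
    login: str
    email: str
    active: bool
    groups: frozenset = frozenset()


@dataclass
class SyncPlan:
    create: list = field(default_factory=list)      # IdaasUser records to create
    update: list = field(default_factory=list)      # IdaasUser records to overwrite
    deactivate: list = field(default_factory=list)  # external_ids to deactivate
    blocked: str = ""    # non-empty: the guard refused the plan, apply nothing


def plan_sync(directory, idaas, max_deactivate_ratio=0.25):
    """Diff the two snapshots by immutable id and return the operations needed.

    Users disabled in, or missing from, the directory are deactivated in IDaaS
    rather than deleted: SSO stops immediately, the account stays auditable,
    and a returning user keeps the same id.  If the deactivations would exceed
    max_deactivate_ratio of the IDaaS population the plan is marked blocked,
    because an empty export or a broken LDAP filter must not deprovision the
    whole company in one run.
    """
    src = {u.guid: u for u in directory}
    dst = {u.external_id: u for u in idaas}
    plan = SyncPlan()

    for guid, d in src.items():
        desired = IdaasUser(guid, d.login, d.email, True, d.groups)
        current = dst.get(guid)
        if not d.enabled:
            if current is not None and current.active:
                plan.deactivate.append(guid)
        elif current is None:
            plan.create.append(desired)
        elif current != desired:   # renames, email or group changes, re-enables
            plan.update.append(desired)

    for ext_id, t in dst.items():
        if ext_id not in src and t.active:   # vanished from the directory
            plan.deactivate.append(ext_id)

    if dst and len(plan.deactivate) / len(dst) > max_deactivate_ratio:
        plan.blocked = (f"refusing to deactivate {len(plan.deactivate)} of {len(dst)} "
                        f"IDaaS users in one run; verify the directory export first")
    return plan


# Constructed sample snapshots (not real directory data).
DIRECTORY = [
    DirUser("a-1", "alice", "alice@example.com", True, frozenset({"CRM"})),
    DirUser("b-2", "bob", "b.smith@example.com", True, frozenset({"CRM", "FINANCE"})),  # email changed
    DirUser("c-3", "carol", "carol@example.com", False),                                 # disabled in AD
    DirUser("d-4", "dave", "dave@example.com", True),                                    # new hire
    DirUser("h-8", "heidi", "heidi@example.com", True),
    DirUser("i-9", "ivan", "ivan@example.com", True),
    DirUser("j-10", "judy", "judy@example.com", True),
]
IDAAS = [
    IdaasUser("a-1", "alice", "alice@example.com", True, frozenset({"CRM"})),
    IdaasUser("b-2", "bob", "bob@example.com", True, frozenset({"CRM", "FINANCE"})),
    IdaasUser("c-3", "carol", "carol@example.com", True),
    IdaasUser("f-6", "frank", "frank@example.com", True),    # left; object deleted in AD
    IdaasUser("g-7", "grace", "grace@example.com", False),   # deactivated by an earlier run
    IdaasUser("h-8", "heidi", "heidi@example.com", True),
    IdaasUser("i-9", "ivan", "ivan@example.com", True),
    IdaasUser("j-10", "judy", "judy@example.com", True),
]

if __name__ == "__main__":
    plan = plan_sync(DIRECTORY, IDAAS)
    print("create:", [u.login for u in plan.create])
    print("update:", [u.login for u in plan.update])
    print("deactivate:", plan.deactivate)
    print("guard on empty export:", plan_sync([], IDAAS).blocked)
```

Against the sample data the plan creates dave, updates bob's email, deactivates carol (disabled) and frank (deleted), and leaves grace alone because she is already inactive. Running the same reconciliation with an empty directory export trips the guard instead of deactivating everyone, which is the failure mode a sync connector most needs to survive.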
IDaaS: many-to-many directories
diagram: directories and applications belonging to you, a partner and a developer, connected through IDaaS under a central access policy
enterprise grade IDaaS
diagram (columns: hosted, on-premises): IDaaS plus identity bridge, covering WAM-protected on-premises applications, an app hosted on EC2, and the SaaS application
CLOUD IGA
IGA: a wealth of talents
• provisioning
• self-service
• access certification
• separation of duties
• role management
• entitlement management
“An entitlement is a system object that can be granted to enable a user to perform some set of actions in an application.” (Burton Group, 2009)
diagram: ENTITLEMENT links who to what
expansion of who
• constituency: employees, contractors, partners, consumers
• identity stores
  – on-premises: LDAP, Active Directory, HR
  – somewhere else: LDAP, Active Directory, Facebook
complexity of who
• governance complexity
• “un-control” over identity stores
expansion of what
• applications, by accessibility
  – good: Active Directory, WAM, SharePoint, ERP
  – maturing: SaaS application, IaaS, platform
complexity of what
• governance complexity
• “un-control” over applications
good ole days of IGA ;-)
diagram (columns: hosted, on-premises): on-premises IGA (entitlement management, access certification, SoD, role management) driving provisioning (REST) and SSO
reminder: to the cloud SSO
diagram (columns: hosted, on-premises): on-premises directory (Kerberos, X.509, LDAP) with directory sync; the federation IDP provides SSO to the SaaS application
cloud SSO: entitlement management
diagram (columns: hosted, on-premises): IGA manages entitlements in the on-premises identity store; the federation IDP reads them to provide SSO to the SaaS application
to the cloud SSO: entitlement view
• identity store: CRM LDAP group, IS_CRM_MGR LDAP attribute
• federation IDP: LDAP group and attribute(s) mapped to the SaaS profile CRM_MANAGER
• SaaS application: the CRM_MANAGER profile has access to the SaaS app and to specific transactions
coarse to fine: members of the CRM LDAP group get access to the SaaS app; the IS_CRM_MGR attribute selects the CRM_MANAGER profile
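The coarse-to-fine mapping on this slide is the work the identity bridge / federation IDP does at SSO time, and it is also the only entitlement view an IGA reviewer can certify for the SaaS app. The following is an added example, not code from the talk or from Ping Identity, serving both the identity bridge slides and this entitlement view: it resolves a SaaS profile from LDAP group membership and attributes, emits the SAML AttributeStatement carrying it, and produces the per-profile report used for certification. The CRM group, IS_CRM_MGR attribute and CRM_MANAGER profile come from the slide; the CRM_USER fallback profile, the rule table, the sample entries and the SAML attribute name "profile" are assumptions made for illustration. The gate group is checked before the attribute, so a stale IS_CRM_MGR left on a user who was removed from CRM grants nothing.

```python
"""Coarse-to-fine entitlement mapping at the federation IDP.

Added example, not code from the talk or from Ping Identity.  The CRM group,
the IS_CRM_MGR attribute and the CRM_MANAGER profile come from the slide; the
CRM_USER fallback profile, the rule table, the sample users and the SAML
attribute name "profile" are assumptions made for illustration.  A real IDP
reads the user from LDAP and signs the assertion this statement goes into.
"""
from dataclasses import dataclass, field
from xml.sax.saxutils import escape


@dataclass(frozen=True)
class LdapUser:
    dn: str
    member_of: frozenset                        # group names; coarse: which apps may be reached
    attrs: dict = field(default_factory=dict)   # attribute values; fine: which profile


# One entry per SaaS application.  gate_group is the coarse entitlement (any
# access to the app at all); profiles is checked top to bottom for the fine one.
SAAS_ENTITLEMENT_RULES = {
    "crm": {
        "gate_group": "CRM",
        "profiles": [("IS_CRM_MGR", "TRUE", "CRM_MANAGER")],   # (attr, value, profile)
        "default_profile": "CRM_USER",
    },
}


def resolve_profile(user, app):
    """Return the SaaS profile for user in app, or None for no access at all.

    The gate group is checked first, so a stale IS_CRM_MGR=TRUE on a user who
    was removed from CRM grants nothing: the fine attribute refines the coarse
    entitlement, it never replaces it.
    """
    rules = SAAS_ENTITLEMENT_RULES[app]
    if rules["gate_group"] not in user.member_of:
        return None
    for attr, value, profile in rules["profiles"]:
        if str(user.attrs.get(attr, "")).upper() == value:
            return profile
    return rules["default_profile"]


def saml_attribute_statement(user, app):
    """Build the SAML 2.0 AttributeStatement the IDP would place in the assertion.

    Returns None when the user has no profile, so the caller fails the SSO
    instead of issuing an assertion that carries no entitlement.
    """
    profile = resolve_profile(user, app)
    if profile is None:
        return None
    return (
        '<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:Attribute Name="profile">'
        f"<saml:AttributeValue>{escape(profile)}</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement>"
    )


def entitlement_report(users, app):
    """Entitlement view for access certification: profile -> sorted user DNs.

    Computed from the same rules the IDP enforces, so what reviewers certify
    is exactly what SSO will grant.
    """
    report = {}
    for u in users:
        profile = resolve_profile(u, app)
        if profile is not None:
            report.setdefault(profile, []).append(u.dn)
    return {p: sorted(dns) for p, dns in report.items()}


# Constructed sample directory entries (not real data).
USERS = [
    LdapUser("cn=alice,ou=people,dc=example,dc=com", frozenset({"CRM"}), {"IS_CRM_MGR": "TRUE"}),
    LdapUser("cn=bob,ou=people,dc=example,dc=com", frozenset({"CRM"})),
    # carol left the CRM team: group removed, attribute never cleaned up
    LdapUser("cn=carol,ou=people,dc=example,dc=com", frozenset({"FINANCE"}), {"IS_CRM_MGR": "TRUE"}),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.dn, "->", resolve_profile(u, "crm"))
    print(saml_attribute_statement(USERS[0], "crm"))
    print(entitlement_report(USERS, "crm"))
```

With the sample entries alice resolves to CRM_MANAGER, bob to the fallback CRM_USER, and carol to no profile at all despite her leftover IS_CRM_MGR attribute, so no assertion is issued for her. The report function is the piece that moves the entitlement view from the IDP's configuration into something an access-certification campaign can review.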
evolution of cloud IGA
diagram: quality of governance rises with component maturity and with the "distance" of the identity store; the stages shown:
• AD/LDAP groups
• federation IDP entitlements
• SaaS/IaaS entitlements
• federation/SaaS activity logs
RECOMMENDATIONS: the path forward
recommendations
• cloud IAM
  – clarify your vision for modern IAM
  – monitor cloud IAM developments
    • holistic, SaaS-style integration
    • multi-constituency support
    • broader application management
recommendations
• cloud IGA
  – understand your IGA requirements before migrating applications to the cloud
  – define a transitional IGA strategy for cloud applications
  – push your SaaS/IaaS vendors to add entitlement and activity management capabilities