ymens - cloud identity crisis - dev talks 2015
TRANSCRIPT
Identity: Definition
Set of information (attributes) by which an individual is definitively distinguished within a context, such as an application
• Identity Attributes:
  - Physiological attributes
  - Biographical information
  - Issued credentials
  - “Secret” information (e.g. history)
• Height: 192cm
• Weight: 106kg
• Skin Color: White
• Eye Color: Blue
• Hair Color: Black
• Place of Birth: Krypton
• Identity: Secret
• Citizenship: Kryptonian, American
• Base: Metropolis, Fortress of Solitude
• Occupation: Journalist, Super Hero
• Employer: Daily Planet, Self-employed
Superman: One User – Many Identities
Login          Email              Credentials
superman       [email protected]  **********
kel            [email protected]  **********
clark.kent     [email protected]  **********
superboy1977   [email protected]  **********
Cloud Identity Crisis: Complex & Fragmented
[Diagram: fragmented identity landscape. Identity sources: Active Directory; HR (PeopleSoft, SAP); Cloud (Office365, Workday, Salesforce, etc.). Operations between them: Create/Delete, Attribute Sync. Actors: Application Owner, Business Manager, Users, IT Helpdesk, Administrators. Applications: Financials, SharePoint, Sales. External parties: partners, customers, etc.]
• Complexity: One user, many identities
  - If a user has more than one identity, they cope with that complexity by choosing easy-to-remember credentials, which makes them the weak link for attackers.
• Fragmentation: Many apps, many systems
  - If applications have separate identity systems, maintaining the integrity of the identities on each system for events such as staff changes becomes a manual job.
• Complexity & Fragmentation => Entropy
  - A fragmented identity system leads to fragmented accountability, allowing suspect users to authenticate through unapproved applications.
Cloud Identity Crisis: Complex & Hybrid
[Diagram: hybrid cloud identity. Cloud Service Broker (Marketplace, SSO, IdM, Billing, Portal) in front of SaaS/PaaS/IaaS and On-premise / Legacy systems; Enterprise IAM for employees, contractors and partners; Social Sign-on for consumer apps; Consumer and B2B scopes; Cloud Service Broker ⊆ Cloud Identity Broker.]
• Service Brokers - The Cloud Marketplace
  - Cloud Exchange for the enterprise and cloud services: a broker service that integrates, manages and bills cloud services
  - Essential to the transformation of traditional IT into IT as a Service
• Identity Brokers - The Cloud Identity Hub
  - IDaaS: enables the provisioning and life-cycle management of users across external cloud services
  - Virtual Directory in the cloud that brokers identity from the enterprise to external cloud providers
Cloud Service Broker ⊆ Cloud Identity Broker
2 Operations ① Provisioning ② Single Sign-On
2 Worlds ① Work ② Home
2 Directions ① Inbound ② Outbound
Identity Broker: Functions
Key Features: • Governance • Hubris
Key Features: • “Solving the right problem” • Enterprise-only scope
Key Features: • Agility • Cloud friendliness • Robustness
ID Protocols: Emerging Standards have an Edge
Source: TechRadar For Security Pros: Zero Trust Identity Standards, Q3 2012
ID Protocols: Relevant Jargon
OAuth 2.0
• Auth Server
• Resource Server
OpenID Connect 1.0
• OpenID Provider
• Relying Party
• User Claims
• Client Claims
SAML 2.0
• Identity Provider
• Service Provider
• Attributes
• SP Metadata
SCIM
• Service Provider: A web application that provides identity information via the SCIM protocol
• Consumer: An application that uses the SCIM protocol to manage identity data maintained by the Service Provider
• Resource: The Service Provider managed artifact containing one or more attributes; e.g., User or Group
ID Protocols: Comparison
OAuth 2.0
• Not responsible for session initiation
• Collects user’s consent to share attributes
• No actual identity tokens
• No actual claims, protects APIs
• Client onboarding is static
• No session
OpenID Connect 1.0
• Initiating user’s login session
• Collects user’s consent to share attributes
• High-security identity tokens
• Distributed and aggregated claims
• Dynamic onboarding
• Session timeout
SAML 2.0
• Initiating user’s login session
• Not responsible for collecting user consent
• High-security identity tokens
• Distributed and aggregated claims
• Client onboarding is static
• Session timeout
ID Protocols: Standards & Gaps
Identified Standards:
• SAML
• OpenID
• OpenID Connect
• OAuth
• SPML
• SCIM
• WS-Federation
• XACML
Identified Gaps:
• Configuration and association with an IdP is not standardized
• No standards or rules for mapping or transforming attributes between different domains
• No profiles or standard roles and related attributes
• No standards for attributes
• No audit standards for IDM systems
Identity Broker & Protocols: Our Vision
[Diagram: Identity Broker protocol map. Transports: SOAP, HTTP. Protocols: OpenID Connect, SCIM, OAuth2, OpenID, SAML2. Connected parties: Cloud Apps, Social, Enterprise.]
Superman: Identity Broker – Identity Union
Global ID   Local Login    Email              Credentials
kal.el      superman       [email protected]  **********
            clark.kent     [email protected]  **********
            superboy1977   [email protected]  **********
            kel            [email protected]  **********
Cloud Identity: Future
① Open Standards Matter
② Cloud Identity is Hybrid
③ BYOA permeates the Enterprise
④ Identity is the new Control Plane
Cloud Identity: Final Thoughts
“So long, Superman!
Your secret identity is safe with me!”
The Simpsons TV Episode 1992