Kim Cameron
Key Challenges
Mergers, Supply Chain, Outsourcing, Partnering, Globalization, …
Integration Imperative
Cloud Computing
Compliance++
Why the Focus on the Cloud?
The cloud cadence is the fastest way to get users new capabilities – including on-premises
State-of-the-art cloud architectures provide the highest availability and scale with good TCO
Significant innovation is occurring on the internet; ensure headroom for your solutions
In some ways, nothing new here. Just more challenging…
As predicted, a growing need for access while crossing boundaries
Still need to be able to provision, authenticate, and authorize
Still need to track, manage, and report
With high availability, high scale, great management, low TCO, …
But increasingly organizations control less of the solution
Applications and developers can be in other organizations and are probably on different or new platforms
Identities and profiles can be external – and need to be “validated”
And the regulatory complexity is growing
“Hybrid” is the Norm
Current systems and applications remain critical indefinitely
And you need to be able to integrate with applications in other organizations and with SaaS solutions
Want to be able to deliver applications that are accessible to any device running anywhere
[Diagram: Example of Microsoft Services. Parties: Enterprise, Enterprise’s Customers, Enterprise’s Partners. Enterprise (on-premises): Directory Service (DS), FIM, ADFS, Sync, Exchange/SharePoint/OCS, Custom LOB Apps, App/Service management, Identity Management, SQL. Cloud: Office 365 (Exchange, SharePoint, OCS), InTune (device management), Windows Azure Apps, SQL Azure, Markets, HealthVault, Directory (ID, potentially not AD), Sync, Federation Services, App/Service management, Identity Management. External identity providers: Consumer ID (Facebook, Google, Live); Verified ID (DMV, banks, credit agencies).]
Claims-Based Identity
Organizations like RBAC, entitlements, and other policy-driven approaches
The claims model provides a comprehensive foundation to enable these solutions in a distributed, cloud-friendly manner – learn more at http://identityblog.com
The technology generalizes the proven mechanisms found in Kerberos, PKI, SAML, ACLs, RBAC, Entitlements, …
These technologies are embedded in products from MS, IBM, Oracle, Ping as well as many existing and emerging standards
Enables cross-organization collaboration and new scenarios; e.g. distributed delegation; distributed groups and role management; high-scale, capability-based access control; …
OED definitions:
• An assertion is a “confident and forceful statement of fact or belief”.
• A claim is “an assertion of the truth of something, typically one which is disputed or in doubt”.
• Better than: “To state as being the case, without being able to give proof” (TD 0910)
• A claim is always spoken by some entity, and the fact that a claim is signed by that entity does not in itself reduce that doubt.
• The essence is building an infrastructure in which relying parties can deal with doubt.
Need-to-know Internet:
Internet services operating on behalf of ALL actors assume other services may be rogue and defend themselves
Identity information released is ONLY that required for the transaction to complete (proportionality)
Contextual linking should be opt-in by individuals in return for benefits – not done by services or behind their backs
Compliance requirement: profile information must be isolated from natural identity
Audit requirements should be proportionate to context (e.g. financial transactions, youth sites, search engines)
Audit information should be visible only to auditors and only as required – it must not weaken overall Internet security and privacy
Clarify how identifiers relate to minimal disclosure:
• Wrong: “Generally, identifiers and/or attributes will uniquely characterise an entity within a particular context.”
• Right: “Identity: a representation of an entity in the form of one or more attributes that allow the entity or entities to be sufficiently distinguished within a context.”
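As an added worked example (not from the deck, and not Microsoft or Kim Cameron’s code), the following Python models the claims exchange the preceding slides describe: an issuer (STS) releases only the claim types a relying party asked for and hands out a pairwise identifier instead of the natural one, and the relying party decides issuer trust before it even checks the signature, then transforms the accepted claims into local roles. The issuer names, keys, claim types and directory record are constructed for illustration, and the HMAC-signed JSON token stands in for a SAML or JWT token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: keys the relying party (RP) holds per issuer.
# In SAML / WS-Federation these would be the issuers' X.509 signing certificates.
ISSUER_KEYS = {
    "https://sts.contoso.example": b"contoso-signing-key",
    "https://sts.rogue.example": b"rogue-signing-key",
}
RP_AUDIENCE = "https://payroll.fabrikam.example"  # constructed RP identifier

# RP trust policy: trusted issuers and the claim types each may assert.
# A rogue issuer can sign a perfectly valid token; this table is what reduces doubt.
TRUSTED_ISSUERS = {
    "https://sts.contoso.example": {"email", "group"},
}

# Claims transformation: issuer groups -> RP roles -> permitted actions (RBAC).
GROUP_TO_ROLE = {"HR-Payroll": "PayrollAdmin", "Everyone": "Reader"}
ACTION_POLICY = {
    "view_own_payslip": {"Reader", "PayrollAdmin"},
    "run_payroll": {"PayrollAdmin"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, subject, audience, requested_claims, now=None, ttl=300):
    """Issuer (STS) side: release only requested claim types (proportionality)
    and a pairwise subject identifier, so the RP never sees the directory
    identifier and two RPs cannot correlate the same person."""
    now = int(time.time()) if now is None else now
    key = ISSUER_KEYS[issuer]
    # Pairwise id: keyed hash of natural id and audience (a dedicated salt would be used in practice).
    pairwise = hmac.new(key, f"{subject['uid']}|{audience}".encode(), hashlib.sha256).hexdigest()[:16]
    payload = {
        "iss": issuer,
        "aud": audience,
        "exp": now + ttl,
        "sub": pairwise,
        "claims": {k: v for k, v in subject.items() if k in requested_claims},
    }
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return b64url(body) + "." + b64url(sig)


def decode_payload(token):
    """Read the payload WITHOUT verifying it (inspection only; never trust this)."""
    return json.loads(unb64url(token.split(".")[0]))


def validate_token(token, now=None):
    """RP side; returns (pairwise subject, accepted claims). Issuer trust is
    decided first: a valid signature only proves who spoke the claim."""
    now = int(time.time()) if now is None else now
    body_b64, sig_b64 = token.split(".")
    body = unb64url(body_b64)
    payload = json.loads(body)
    issuer = payload["iss"]
    if issuer not in TRUSTED_ISSUERS:
        raise PermissionError(f"issuer not trusted: {issuer}")
    expected = hmac.new(ISSUER_KEYS[issuer], body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        raise PermissionError("signature does not verify")
    if payload["aud"] != RP_AUDIENCE:
        raise PermissionError("token issued for another relying party")
    if payload["exp"] <= now:
        raise PermissionError("token expired")
    # Drop claim types this issuer is not authoritative for.
    allowed = TRUSTED_ISSUERS[issuer]
    return payload["sub"], {k: v for k, v in payload["claims"].items() if k in allowed}


def validation_result(token, now=None):
    """The RP's rejection reason, or None if the token is accepted."""
    try:
        validate_token(token, now=now)
    except PermissionError as exc:
        return str(exc)
    return None


def authorize(claims, action):
    """Map incoming group claims to local roles, then roles to the requested action."""
    roles = {GROUP_TO_ROLE[g] for g in claims.get("group", []) if g in GROUP_TO_ROLE}
    return bool(roles & ACTION_POLICY.get(action, set()))


if __name__ == "__main__":
    # Constructed directory record; the RP only ever sees what it requested.
    alice = {"uid": "alice@contoso", "email": "alice@contoso.example",
             "group": ["HR-Payroll", "Everyone"], "ssn": "000-00-0000"}
    tok = issue_token("https://sts.contoso.example", alice, RP_AUDIENCE, {"email", "group"}, now=1000)
    sub, claims = validate_token(tok, now=1100)
    print(sub, claims, authorize(claims, "run_payroll"))
```

The order of checks in validate_token is the point of the "doubt" slide: the rogue issuer's token carries a correct signature under its own key, and it is rejected anyway because the relying party's trust table, not the signature, decides whose claims are believed. The audience check keeps a token minted for one relying party from being replayed at another, and the pairwise subject is what isolates profile information from natural identity across contexts.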
Cloud directory++ that
Synchronizes with and synergizes with enterprise directory
Shares a logical schema with enterprise and device directories
Is multi-tenant
Is secure (more than lip service!)
Is based on “Privacy By Design”
Privacy of individuals
Privacy of enterprises
Supports “hybrid applications”
E.g. SharePoint
Shares and supports common policy system
[Diagram: cloud directory architecture. Components: Directory Service; Synchronization; Organization Data Models; Service Management; Authentication, Claims Transformation; Multi-tenant, Extensible, Secure Identity Store. Protocol endpoints: OpenID, SAML, WS-Federation, OAuth, LDAP, WS-Trust.]
Identity Fabric (see Windows Azure ACS V2)
Loosely coupled approach built on interoperable protocols and a claims-based architecture
Integrated authentication and authorization spanning servers, cloud hosting environments, private clouds, extranets, and clients
Authorization that enables coordinated, cross-system policies
Seamless Experiences
Borderless collaboration – BYOI SSO, integrated connectivity
Deep integration applications
Integrated device management, group policy
[Diagram label: Core Identity Fabric]
Developer Ecosystem
Standards-based protocols for integration
Great developer assets - Visual Studio and Marketplace integration
Integrated Management
Common management on-premises and in the cloud
Common experience across directories, applications and services
Enhanced self-service