Key Challenges

Key Challenges. Mergers, Supply Chain, Outsourcing, Partnering, Globalization, …. Integration Imperative. Cloud Computing. Compliance++. Why the Focus on the Cloud?. The cloud cadence is the fastest way to get users new capabilities – including on-premises - PowerPoint PPT Presentation

Page 1: Key Challenges
Page 2: Key Challenges

Kim Cameron

Mergers, Supply Chain, Outsourcing, Partnering, Globalization, …

Integration Imperative

Cloud Computing

Compliance++

Page 3: Key Challenges

Why the Focus on the Cloud?

The cloud cadence is the fastest way to get users new capabilities – including on-premises

State-of-the-art cloud architectures provide the highest availability and scale with good TCO

Significant innovation occurring on the internet; ensure headroom for your solutions

Page 4: Key Challenges


In some ways, nothing new here. Just more challenging…

As predicted, growing need for access while crossing boundaries

Still need to be able to provision, authenticate, and authorize

Still need to track, manage, and report

With high-availability, high-scale, great management, low TCO, …

But increasingly organizations control less of the solution

Applications and developers can be in other organizations and are probably on different or new platforms

Identities and profiles can be external – and need to be “validated”

And the regulatory complexity is growing

Page 5: Key Challenges


“Hybrid” is the Norm

Current systems and applications remain critical indefinitely

And you need to be able to integrate with applications in other organizations and with SaaS solutions

Want to be able to deliver applications that are accessible to any device running anywhere

Page 6: Key Challenges

[Diagram: Example of Microsoft Services, spanning the Enterprise, the Enterprise’s Customers and the Enterprise’s Partners. Labels recovered from the diagram:]

Enterprise (on-premises): DS, FIM, ADFS, Sync, Dir, ID (potentially not AD), Exchange, SharePoint, OCS, Custom LOB Apps, App/Service management, Identity Management, SQL

Cloud services: Office 365 (Exchange, SharePoint, OCS), InTune (device management), Windows Azure Apps, SQL Azure, App/Service management, Identity Management, Fed Svc, Sync, Markets, HealthVault

External identities: Consumer ID (Facebook, Google, Live), Verified ID (DMV, banks, credit agencies)

Page 7: Key Challenges


Claims-Based Identity

Organizations like RBAC, entitlements, and other policy-driven approaches

The claims model provides a comprehensive foundation to enable these solutions in a distributed, cloud-friendly manner – learn more at http://identityblog.com

The technology generalizes the proven mechanisms found in Kerberos, PKI, SAML, ACLs, RBAC, Entitlements, …

These technologies are embedded in products from MS, IBM, Oracle, Ping as well as many existing and emerging standards

Enables cross-organization collaboration and new scenarios; e.g. distributed delegation; distributed groups and role management; high-scale, capability-based access control; …

Page 8: Key Challenges

OED Definitions:

• An assertion is a “confident and forceful statement of fact or belief”.

• A claim is “an assertion of the truth of something, typically one which is disputed or in doubt”.

• Better than: “To state as being the case, without being able to give proof” (TD 0910)

• A claim is always spoken by some entity, and the fact that a claim is signed by that entity does not in itself reduce that doubt.

• Essence is building an infrastructure in which relying parties can deal with doubt

Page 9: Key Challenges

Need-to-know Internet:

Internet services operating on behalf of ALL actors assume other services may be rogue and defend themselves

Identity information released is ONLY that required for transaction to complete (proportionality).

Contextual linking should be opt-in by individuals in return for benefits – not done by services or behind their backs

Compliance requirement: Profile information must be isolated from natural identity

Audit requirements should be proportionate to context (e.g. financial transactions, youth sites, search engines)

Audit information should be visible only to auditors and only as required – not weaken overall Internet security and privacy
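The claims flow that slides 7 through 9 describe, pulled together as an added example (it is not code from the deck or from any Microsoft product): an issuer signs a claim set containing only the claims the relying party requested (proportionality); the relying party verifies the signature, then separately decides whether it trusts that issuer, since a valid signature from a speaker it has not chosen to trust reduces no doubt; it then transforms the issuer's claims into its own role vocabulary and makes the access decision. The issuer names, keys, claim types, role names and the two sample subjects are made up, and HMAC stands in for the STS's signature so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Issuer signing keys. Constructed for this example: HMAC stands in for the
# STS's signature, so the relying party also holds the keys. A real STS signs
# with a private key and the RP verifies against the issuer's public key.
CONTOSO = "https://sts.contoso.example"   # hypothetical enterprise STS
PARTNER = "https://idp.partner.example"   # hypothetical partner IdP
ROGUE = "https://rogue.example"           # hypothetical issuer nobody trusts
ISSUER_KEYS = {
    CONTOSO: b"contoso-signing-key",
    PARTNER: b"partner-signing-key",
    ROGUE: b"rogue-signing-key",
}

def b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def unb64url(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

# ---- Issuer (security token service) ---------------------------------------
def issue_token(issuer: str, subject_claims: dict, requested: set) -> bytes:
    """Sign only the claims the relying party asked for (proportionality):
    a claim the RP did not request never leaves the issuer."""
    released = {k: v for k, v in subject_claims.items() if k in requested}
    payload = json.dumps({"iss": issuer, "claims": released}, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEYS[issuer], payload, hashlib.sha256).digest()
    return b64url(payload) + b"." + b64url(sig)

# ---- Relying party -----------------------------------------------------------
TRUSTED_ISSUERS = {CONTOSO, PARTNER}   # the RP's own trust decision, not the token's

# Claims transformation: (issuer, claim type, value) -> role in the RP's own
# vocabulary. Claims from different issuers can map onto the same local roles.
ROLE_RULES = {
    (CONTOSO, "group", "Finance"): "invoice-approver",
    (PARTNER, "role", "purchaser"): "invoice-submitter",
}
REQUIRED_ROLE = {"approve-invoice": "invoice-approver",
                 "submit-invoice": "invoice-submitter"}

def verify_signature(token: bytes) -> Optional[dict]:
    """Return the signed document if the signature is valid, else None.
    A valid signature only establishes who spoke; whether that speaker is
    to be believed is decided separately in authorize()."""
    try:
        p64, s64 = token.split(b".")
        payload, sig = unb64url(p64), unb64url(s64)
        doc = json.loads(payload)
    except ValueError:  # wrong number of parts, bad base64, or bad JSON
        return None
    if not isinstance(doc, dict) or not isinstance(doc.get("claims"), dict):
        return None
    iss = doc.get("iss")
    key = ISSUER_KEYS.get(iss) if isinstance(iss, str) else None
    if key is None:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return doc if hmac.compare_digest(sig, expected) else None

def authorize(token: bytes, action: str) -> dict:
    """Signature check -> issuer trust -> claims transformation -> role check."""
    doc = verify_signature(token)
    if doc is None:
        return {"allowed": False, "reason": "bad signature"}
    issuer = doc["iss"]
    if issuer not in TRUSTED_ISSUERS:
        return {"allowed": False, "reason": f"untrusted issuer {issuer}"}
    roles = {ROLE_RULES[(issuer, t, v)] for t, v in doc["claims"].items()
             if isinstance(v, str) and (issuer, t, v) in ROLE_RULES}
    needed = REQUIRED_ROLE[action]
    allowed = needed in roles
    return {"allowed": allowed, "roles": sorted(roles),
            "reason": "ok" if allowed else f"missing role {needed}"}

# ---- Sample subjects (constructed for this example) -------------------------
ALICE = {"name": "Alice", "birthdate": "1980-01-01", "group": "Finance"}
BOB = {"name": "Bob", "role": "purchaser"}

def run_demo() -> dict:
    return {
        "alice_approves": authorize(issue_token(CONTOSO, ALICE, {"group"}), "approve-invoice"),
        "alice_submits": authorize(issue_token(CONTOSO, ALICE, {"group"}), "submit-invoice"),
        "bob_submits": authorize(issue_token(PARTNER, BOB, {"role"}), "submit-invoice"),
        # Correctly signed, but by a speaker the RP has not chosen to trust.
        "rogue_approves": authorize(issue_token(ROGUE, {"group": "Finance"}, {"group"}), "approve-invoice"),
    }

if __name__ == "__main__":
    for label, decision in run_demo().items():
        print(label, decision)
```

Two things to notice when reading the output: Alice's token carries only `group`, never her name or birthdate, because the RP asked for nothing else; and the rogue token passes `verify_signature` yet is refused by `authorize`, which is the point of slide 8 that a signature does not by itself settle the doubt.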

Page 10: Key Challenges

Clarify how identifiers relate to minimal disclosure:

• Wrong: Generally, identifiers, and/or attributes will uniquely characterise an entity within a particular context.

• Right: Identity: A representation of an entity in the form of one or more attributes that allow the entity or entities to be sufficiently distinguished within a context.

Page 11: Key Challenges


Cloud directory++ that

Synchronizes with and synergizes with enterprise directory

Shares a logical schema with enterprise and device directories

Is multi-tenant

Is secure (more than lip service!)

Is based on “Privacy By Design”

Privacy of individuals

Privacy of enterprises

Supports “hybrid applications”

E.g. Sharepoint

Shares and supports common policy system

Page 12: Key Challenges

[Diagram: cloud directory building blocks and supported protocols. Labels recovered from the diagram:]

Directory Service, Synchronization, Organization Data Models, Service Management, Authentication, Claims Transformation, Multi-tenant, Extensible, Secure Identity Store

Protocols: OpenID, SAML, WS-Fed, OAuth, LDAP, WS-Trust

Page 13: Key Challenges


Identity Fabric (Look at Windows Azure ACS V2)

Loosely coupled approach built on interoperable protocols and claims-based architecture

Integrated authentication and authorization spanning Servers, cloud hosting environments, private clouds, extranets, and clients

Authorization that enables coordinated, cross-system policies

Seamless Experiences

Borderless collaboration – BYOI SSO, integrated connectivity

Deep integration applications

Integrated device management, group policy

Core Identity Fabric

Page 14: Key Challenges


Developer Ecosystem

Standards-based protocols for integration

Great developer assets - Visual Studio and Marketplace integration

Integrated Management

Common management on-premises and in the cloud

Common experience across directories, applications and services

Enhanced self-service

Core Identity Fabric