Embed Size (px)
DESCRIPTION
Keynote from Cloud Identity Summit 2014 (July 21). Focusing on modern identity's two primary attributes: heterogeneity and distance. Discusses the requirement for adaptive and local biometric authentication in the modern identity era, with specifics on OAuth/OpenID Connect, federation, and WAM.
Citation preview
heterogeneity and distance
Mark Diodati
modern identity:
CIS Survival Guide
99 sessions
48 possible workshops
12 hours of workshops
60 remaining sessions
24 sessions
12 hours of sessions
2 social events
caffeinate
hydrate
take your vitamins
get some rest
take good notes
get outside
make a friend
modern identity
applications services
user constituencies devices
heterogeneity
distance
distance: span of control
on-premises
in the cloud
applications
self-managed
partner-managed
SaaS-managed
applications
IaaS
SaaS
PaaS
applications
traditional IAM
IDaaS
identity bridge
services
self-managed
partner-managed
services
employees
partners
contractors
users
customers
AD-joined PC/Mac COPE devices
devices
BYOD devices PC/Mac
mobile devices
authentication: what matters
application support
4 things that matter
identity assurance
4 things that matter
identity assurance
cost
4 things that matter
$10,000 barn
$5,000 horse
4 things that matter
usability
eternal truths
first eternal truth
identity assurance
cost and decreased usability
your app’s assurance requirement
“sweet” spot
costs too much
identity assurance
session duration
second eternal truth
not good enough
reset expectations?
my career in heavy metal music
wristwatch
modern authentication
requires
adaptive and local biometrics
die darwin
adaptive origins
conventional
primary authentication
password
smart card one-time
password (OTP)
SMS
adaptive device ID
• ____ • ____ • ____
IP blacklist
• Bill pay $349 • Bill pay $610 • EFT $2,000,000
behavioral
geolocation
primary authentication
assurance over time
identity assurance
session duration
higher assurance
modern adaptive
53
degree of difficulty
distance
modern adaptive
prim
ary
adap
tive
adaptive server
resources resources
browser
adaptive: traditional
adaptive: WAM
(3) yes/no or risk score
adaptive server
(1) prim
ary
WAM policy enforcement point
WAM policy decision point
browser
adaptive: WAM
(3) yes/no
service provider identity provider adaptive server
(1) prim
ary
browser
adaptive: federation
resource server OpenID Provider authorization server user info endpoint
client/relying party/app
API
58
client/relying party/ app
client registration (admintime)
OpenID Provider/ authorization server
token refresh (runtime)
resource server token presentation (runtime)
frequency adaptive: API
mobile biometric
biometric reader in every pocket
adaptive enhanced device ID
A
privacy
playlists
eternal truths redux
first new eternal truth
identity assurance
cost and decreased usability
app requirement
first new eternal truth
identity assurance
cost and decreased usability
app requirement
identity assurance
session duration
second new eternal truth
app requirement
identity assurance
session duration
second new eternal truth
app requirement
identity assurance
session duration
continuous: our best aspiration
continuous
app requirement
heterogeneous, distant, continuous
authentication?
monitor adaptive
developments
layer authentication techniques to raise
assurance
plan for multiple authentication
types
get your proofing right
iden
tity ass
uran
ce
password mobile smart card
proofing matters proofing
tune your engine
