Copyright © 2015 ForgeRock, all rights reserved.
Entitlements: Taking Control of the Big Data Gold Rush
Markus Weber, Andy Forrest
August 18th, 2015
Achieving the Holy Grail of Identity
Knowing Who's Who, What's What, and Who Gets Access to What
Source: Scott McNealy, Identity Summit 2015
ForgeRock
Fastest-growing Open Source Identity Security Software company in the world
■ Founded 2010 with high double digit growth every year since inception
■ Over 200 full time employees
■ Over 400 customers
■ Active in over 30 countries
■ Locations: San Francisco, Vancouver (US), Bristol (UK), London (UK), Grenoble (FR), Oslo, Singapore, Düsseldorf
Award winning platform driving innovation worldwide
■ Gold winner of the CEO World awards 2014
■ Silver Winner in the 6th Annual Golden Bridge Award 2014
■ Silver winner for the Fastest-Growing Company of the Year in Best in Biz Awards 2014
275 survey respondents
Research by
71% using ForgeRock for THEIR customer identities (USA)
88% deploy in less than a year
65% deploy in less than 6 months
70% reach payback in less than 18 months
91% rate ForgeRock speed to deployment superior to competition
96% rate ForgeRock scalability superior to competition
92% rate ForgeRock reliability superior to competition
100% of government and financial services customers rate ForgeRock scalability superior to the competition
The Platform
The ForgeRock Identity Platform
OpenIDM (Identity Management), OpenAM (Access Management), OpenDJ (Directory Services), OpenIG (Identity Gateway)
IDENTITY MANAGEMENT: Provisioning, Self-Service, Password Management, Synchronization/Reconciliation, Workflow Engine, SaaS Connectors
ACCESS MANAGEMENT: Authentication, Entitlements Management, Federation, Social Sign-On, Adaptive Risk, REST Security Token Service
API & MOBILE GATEWAY: API Security, Mobile Security, Legacy Application Security, Web Services Security, Password Capture and Replay
DIRECTORY SERVICES: Performance & Scalability, High Availability, Password Policy, Active Directory Synchronization, Identity Data Replication, LDAPv3 and REST2LDAP
COMMON SERVICES: REST API, Standards, User Interface
The ForgeRock Identity Platform (architecture diagram)
Layers, top to bottom: UI Layer, Access Layer, Business Logic Layer, Services Layer, Persistence layer
User interfaces: End-User UI, JATO based Admin UI, Policy Editor, Monitoring, ForgeRock UI Framework
Access protocols: Common REST, OpenID Connect, OAuth2, SAMLv2, WS-*
Core functions: Authentication, Coarse Grained Authorization, Fine Grained Authorization, Policies, SSO Session Management (Stateful | Stateless Session Layer), Federation Hub, Adaptive Risk, Password management, Audit Logging
Pluggable Authentication Systems (out-of-the-box & 3rd party)
User Data Stores: custom, LDAPv3
3rd party integrations: SIEM | Reporting Tools, Analytics tools
Protected Resources: Web Application, Mobile Application, REST Client, Chip | Thing, fronted by Policy Agent, Firewall, Reverse Proxy and Load balancer
The Near Future
Return on Identity
Platform Focus for Maximizing ROI:
• API Economy
• IoT Scale / IoT Ready
• Privacy & Consent
• Security Data Enrichment
• Run Anywhere
Privacy & ConsentUser Managed Access (UMA)
• Standards based privacy and consent
• Giving people the right to control access to their data across providers
• Interoperable OAuth2-based protocol
• Shipping as an integrated feature of OpenAM and OpenIG
Internet of Things Scale: Stateless Sessions
• Built on new stateless sessions
• JWT-based sessions
• Per-Realm configuration
• Enables true elastic deployment
• Massive horizontal scalability
(Chart: cluster size following demand across a day, 12:00:00 AM to 11:59:59 AM; Internet traffic enters through an Elastic Load Balancer in front of the cluster)
Security: Continuous Authorization
(Diagram: during an OpenAM session a contextual change occurs; the system detects a new location mid-session and requests a one-time password before the session continues)
• Context based authentication and authorization
• Includes the device print and request context in the policy evaluation
• Custom logic easily integrated into Policy decisions with JavaScript, Groovy, or Java
• REST calls to external Policy Information Points (PIPs)
Entitlements: Taking Control of the Big Data Gold Rush
Andy Forrest (@apforrest), [email protected]
“Information is the new currency”
Let's rewind a little...
Subject, Resource, Action, Environment
• Authentication
• Authorization
What has a policy looked like?
Typically used to protect a web resource:
“Can Bob who is part of the admin group see the admin web page?”
Policy solutions
• ACLs (access control lists)
  - focused on the subject
• RBAC (role based access control)
  - focused on the subject and resource
  - role explosion
Policy characteristics
• Coarse grained
• Allow / deny
• Inflexible
• Low volume
• Minimal performance demand
Common policy architecture
(Diagram: Bob requests a protected resource; the PEP (policy enforcement point) in front of the resource asks the PDP (policy decision point) for a decision; the PDP evaluates policies from the PAP (policy administration point) using attributes from PIPs (policy information points))
Common policy architecture with OpenAM
(Diagram: Bob requests the protected resource through a policy agent, which acts as the PEP and asks OpenAM, acting as the PDP, for the decision)
What’s next for policy?
“Authorization is the new cool kid”
IoT (Internet of Things)
• Not just web pages
• Richer relationships
• Descriptive demand
UMA (User Managed Access)
• In the hands of the consumer
• High scale
• Decoupled
• Distributed
Some of the buzz
• ABAC (attribute based access control)
• XACML (extensible access control markup language)
Future policy characteristics
• Attribute based
• Fine grained
• Entitlements
• Unknown entities
• High volume
• Performance speed
• Outward facing
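The PEP / PDP / PAP / PIP split from the common policy architecture slide, the mid-session contextual change from the Continuous Authorization slide, and the attribute-based, fine-grained model listed here fit together in one small engine. The following is an added example written for this page, not OpenAM's policy engine or its scripting API; the two policies, the app.example.com and api.example.com resources, the group directory and the device-print registry are all constructed assumptions.

```javascript
// Added example, not OpenAM code: an attribute-based PDP wired to a PAP, PIPs and a PEP.
// Every policy, hostname and directory entry below is a constructed assumption.

// PAP: the policy store. Each policy names the resources and actions it covers and
// holds predicates over subject and environment attributes (ABAC, not a role list).
const policySet = [
  {
    name: 'admin-pages',
    resources: [/^https:\/\/app\.example\.com\/admin(\/.*)?$/],
    actions: ['GET'],
    subject: (s) => s.groups.includes('admin'),
    environment: (e) => e.contextTrusted === true,
    // Advice returned with a deny: the PEP can satisfy it by stepping up authentication.
    advice: 'StepUpAuthentication',
  },
  {
    name: 'customer-self-read',
    resources: [/^https:\/\/api\.example\.com\/customers\/([^/]+)$/],
    actions: ['GET'],
    subject: (s, r) => r.match[1] === s.uid, // a customer may read only their own record
    environment: () => true,
    advice: null,
  },
];

// PIPs: sources for attributes the request itself does not carry (constructed data).
const directoryPip = { bob: ['admin', 'staff'], alice: ['customer'] };
const devicePrintPip = {
  bob: { country: 'GB', devicePrint: 'fp-bob-laptop' },
  alice: { country: 'GB', devicePrint: 'fp-alice-phone' },
};

function resolveSubject(uid) {
  return { uid, groups: directoryPip[uid] || [] };
}

// The environment counts as trusted only while the device print and location match
// what the session started with; a change mid-session flips contextTrusted to false.
function resolveEnvironment(uid, ctx) {
  const known = devicePrintPip[uid];
  const contextTrusted = !!known && known.devicePrint === ctx.devicePrint && known.country === ctx.country;
  return { ...ctx, contextTrusted };
}

// PDP: evaluate one request { uid, resource, action, context }.
// Returns { decision, policy, advice }; anything no policy allows is denied.
function evaluate(request) {
  const subject = resolveSubject(request.uid);
  const environment = resolveEnvironment(request.uid, request.context);
  for (const policy of policySet) {
    if (!policy.actions.includes(request.action)) continue;
    const match = policy.resources.map((re) => request.resource.match(re)).find(Boolean);
    if (!match) continue;
    if (!policy.subject(subject, { uri: request.resource, match })) continue;
    if (!policy.environment(environment)) {
      return { decision: 'deny', policy: policy.name, advice: policy.advice };
    }
    return { decision: 'allow', policy: policy.name, advice: null };
  }
  return { decision: 'deny', policy: null, advice: null };
}

// PEP: never sees the policies, only acts on the decision and any advice.
function enforce(request) {
  const result = evaluate(request);
  if (result.decision === 'allow') return { status: 200, body: `served ${request.resource}` };
  if (result.advice) return { status: 401, body: `step-up required: ${result.advice}` };
  return { status: 403, body: 'forbidden' };
}
```

Two design points worth noting: the default is deny, so a resource no policy mentions is never served; and the "Can Bob in the admin group see the admin page?" question from earlier becomes one attribute check among several, with the environment check turning a static allow into a step-up demand the moment Bob's location or device print no longer matches.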
What about OpenAM?
“We’re the real deal”
OpenAM policy
• Complete REST API
• Intuitive UI
• Organisational structure
• Expressive rules
• Contextual authz
• Rich entitlement decisions
• Selective evaluation
• Scaling and replication
• XACML export/import
Demo
Demo topology
(Diagram: Mobile, Twitter, Web App, Policy, OpenAM and a Raspberry Pi; Device 1 carries a radio transmitter (Radio Tx), Device 2 and Device 3 carry radio receivers (Radio Rx))
Performance topology
(Diagram: two nodes, each 8 x 3.3GHz, 64GB: OpenAM 1 with DJ 1 and OpenAM 2 with DJ 2; replication between the two DJ directories and cross talk between the two OpenAM instances)
How does OpenAM continue to lead?
• Continually looking to push performance
• More fine grained through ABAC
  - generic attribute model
  - application rules
  - nested applications
• Simplified UIs
“Information is the new currency”
IDENTITY SUMMIT SERIES 2015: EUROPE
8 October, London
5 November, Amsterdam
10 November, Düsseldorf
Visit summits.forgerock.com
Q & A