Identity, Access & Privacy in the New Hybrid Enterprise

Scott Morrison, CTO, Layer 7 Technologies
Eve Maler, Principal Analyst, Forrester Research, Inc.

May 17, 2012



Housekeeping

Questions: chat any questions you have and we’ll answer them at the end of this call.

Twitter: today’s event hashtag is #L7webinar. Follow us on Twitter: @layer7, @forrester, @xmlgrrl, @kscottmorrison

facebook.com/layer7

layer7.com/blogs

layer7.com/linkedin

© 2011 Forrester Research, Inc. Reproduction Prohibited 2 © 2009 Forrester Research, Inc. Reproduction Prohibited

Identity, Access, And Privacy In The New Hybrid Enterprise

Eve Maler, Principal Analyst

May 17, 2012


“Sounds awesome – maybe later?” SAML and friends have succeeded in one realm, but the extended enterprise has strained them to the breaking point.


Agenda

Many enterprises aren’t just extended – they’re over-extended.

IAM challenges favor Zero Trust and emerging technologies.

Plan for the new “Venn” of access control in the API economy.

Learn from your peers: brandish IT carrots instead of sticks.


Steve Yegge’s rant crystallized the challenge

[Jeff Bezos] issued a mandate that was so out there, so huge and eye-bulgingly ponderous, that it made all of his other mandates look like unsolicited peer bonuses. … “1) All teams will henceforth expose their data and functionality through service interfaces.” …

Like anything else big and important in life, Accessibility has an evil twin who, jilted by the unbalanced affection displayed by their parents in their youth, has grown into an equally powerful Arch-Nemesis (yes, there's more than one nemesis to accessibility) named Security. And boy howdy are the two ever at odds.

But I'll argue that Accessibility is actually more important than Security because dialing Accessibility to zero means you have no product at all, whereas dialing Security to zero can still get you a reasonably successful product such as the Playstation Network.


The extended enterprise requires you to think outside the box (or…get a bigger box)

App sourcing and hosting: on-premises enterprise apps, apps in private clouds, apps in public clouds, SaaS apps, partner apps

App access channels: enterprise computers, enterprise-issued devices, personal devices, public computers

User populations: employees, contractors, partners, members, customers


Even social use cases press for better access control with accessibility and agility


And yet SAML-based identity federation still reaches mostly large enterprises with deep pockets

Source: October 26, 2011, “OpenID Connect Heralds The ‘Identity Singularity’” Forrester report


And loosely coupled SOA security solutions aren’t rushing to fill the gap

Source: January 5, 2009 Forrester report “Web Services Security Specifications: WS-Security Achieves Critical Mass Of User Adoption”


Agenda: IAM challenges favor Zero Trust and emerging technologies.

Introducing Zero Trust Identity

In Zero Trust, all interfaces are untrusted. Assume every business and IAM function is “equally far apart,” and treat all traffic among them as untrusted until it proves itself otherwise.

Source: September 14, 2010, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security” Forrester report


Plan for both inward and outward identity propagation

Source: March 22, 2012 “Navigate The Future of IAM” Forrester report

Diagram: the organization serves as an identity server for business functions (internal to the organization, at external partners, exposed to customers) and as an identity client of user stores (for functions internal to the organization). User stores shown: staff user store, institutional user store, consumer user store.

A security token service (STS) handles token issuance, translation, and consumption.


Go from IDaaS to “IAM as an API”

Source: March 22, 2012 “Navigate The Future of IAM” Forrester report

API façade pattern: API clients on the Internet reach web service and app APIs (back-end apps, web apps, mobile apps . . .) through a scale-out infrastructure. The business app’s own API determines access control granularity. Robustly protect all interfaces, regardless of their sourcing model.

Applying the pattern to IAM functions: IAM API clients (business apps) on the Internet reach APIs for authentication, authorization, provisioning . . . through the IAM infrastructure.


New identity solutions disrupt…but attract.

Or: “The good thing about reinventing the wheel is that you can get a round one.”*

*Douglas Crockford, inventor of JavaScript Object Notation (JSON)

Source: tom-margie | CC BY-SA 2.0 | flickr.com


Emerging standards for IAM interfaces have an edge over traditional ones for Zero Trust

(Table from the slide; only the SCIM and OpenID Connect labels survived extraction, the other standards’ logos did not.)

IAM functionality                                      | Established SOA-friendly standards | Emerging web-friendly standards
Provisioning, proofing, self service                   |                                    | SCIM
Authentication, session management, SSO, federation    |                                    | OpenID Connect
Authorization, consent, access control                 |                                    |


Why are these technologies attractive? Security pros’ control diminishes with distance


Agenda: Plan for the new “Venn” of access control in the API economy.


OAuth magic: let a person delegate constrained access from one app to another


OpenID Connect magic: turn SSO into a robust OAuth-protected identity API

(Comparison table reconstructed from the slide; an X marks a function the standard does not cover.)

Function                                      | SAML and OpenID SSO standardize… | OAuth delegated authorization standardizes… | OpenID Connect standardizes…
Initiating user’s login session               | yes                              | X                                           | yes
Collecting user’s consent to share attributes | X                                | yes                                         | yes
High-security identity tokens                 | yes (SAML only)                  | X                                           | yes (using JSON Web Tokens)
Distributed and aggregated claims             | X                                | X                                           | yes
Session timeout                               | yes                              | X                                           | on the docket
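An added example, not from the deck: the “high-security identity token” in the OpenID Connect column is a JSON Web Token, and its value comes entirely from what the relying party checks before believing it. The code below mints and validates an ID token with only the Python standard library. The shared HMAC key, issuer URL and client_id are constructed so the example runs offline; a real OpenID Provider signs with an asymmetric key published at its JWKS URL. The order of checks is the point: signature first, using an algorithm the verifier chose, then iss, aud, exp and nonce.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: a shared HMAC key stands in for the OP's signing key so the
# example runs offline. Real OpenID Providers use asymmetric keys (e.g. RS256)
# published at their JWKS URL; the issuer and client_id below are placeholders.
OP_KEY = b"example-shared-secret-not-for-production"
ISSUER = "https://op.example.com"
CLIENT_ID = "rp-client-123"
ALG = "HS256"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(sub, nonce, now=None, ttl=300):
    """OP side: sign the standard ID token claims (iss, sub, aud, iat, exp, nonce)."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALG, "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(OP_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_id_token(token, expected_nonce, now=None):
    """RP side: return the claims or raise ValueError. Nothing in the payload is
    trusted until the signature has been checked with a key the RP chose."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The verifier decides the algorithm; honouring the token's own 'alg' is how
    # 'none' and key-confusion attacks get in.
    if header.get("alg") != ALG:
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(OP_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not intended for this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims
```

The nonce check is what ties the token to the login the RP started: an ID token captured from one browser session cannot be replayed into another, because the RP only accepts the nonce it generated for that session.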


An OpenID Connect killer app: “Street Identity”

1. Service provider (SP) needs trusted data
2. Attribute provider (AP) has it
3. Identity provider (IdP) can broker your permission to provide it
4. AP can demand a fee from SP for it
5. Lather, rinse, and repeat for:
   – Credit scores
   – Verified email addresses
   – Proofed identities backed by strong authentication…


OpenID Connect will dramatically lower the price and complexity bar for all identity federation

Already exposing customer identities using a draft OpenID Connect-style API

Working to expose workforce identities through OpenID Connect

LOB apps and smaller partners can get into the federation game more easily; complex SAML-based solutions will see price pressure over time


UMA magic: turn sharing of online access with others into an OAuth-derived “privacy by design” solution

Alice-to-Alice, Alice-to-Bob, Alice-to-org…and org-to-org

Claims-based and policy-based authorization
– Not just consent

User can impose terms and conditions on requesters
– Not just accept terms

Centralizable authorization function
– Not just point-to-point
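An added example, not the deck’s or any UMA implementation’s code, showing the three bullets above in the Alice-to-Bob case: Alice sets a policy at her authorization server ahead of time instead of consenting per request, the policy requires claims from the requester and acceptance of her terms, and the same authorization server answers for every resource server. The resource ids, scope names, claim names and the requesting party token (RPT) format are illustrative assumptions.

```python
import secrets

# Constructed UMA-style example. Alice (resource owner) registers her address record
# at an authorization server and sets policy; Bob's client then asks for access and
# receives an RPT only if his claims satisfy the policy and he accepts Alice's terms.
# Resource ids, scopes, claim names and token format are illustrative.


class NeedInfo(Exception):
    """AS answer when the requester must supply more claims or accept terms."""


class UmaAuthorizationServer:
    def __init__(self):
        self.resources = {}   # resource_id -> {"owner", "scopes", "policy"}
        self.rpts = {}        # rpt -> {"resource_id", "scopes", "requester"}

    def register_resource(self, owner, resource_id, scopes):
        self.resources[resource_id] = {"owner": owner, "scopes": set(scopes), "policy": None}

    def set_policy(self, owner, resource_id, required_claims, terms):
        """required_claims maps a claim name to a predicate over its value."""
        res = self.resources[resource_id]
        if res["owner"] != owner:
            raise PermissionError("only the resource owner sets policy")
        res["policy"] = {"required_claims": required_claims, "terms": terms}

    def request_rpt(self, resource_id, scopes, claims, accepted_terms):
        res = self.resources.get(resource_id)
        if res is None or res["policy"] is None:
            raise PermissionError("no policy: deny by default")
        scopes = set(scopes)
        if not scopes <= res["scopes"]:
            raise PermissionError("requested scope not offered on this resource")
        policy = res["policy"]
        # Alice's terms bind the requester, not the other way round.
        if accepted_terms != policy["terms"]:
            raise NeedInfo({"accept_terms": policy["terms"]})
        missing = [name for name in policy["required_claims"] if name not in claims]
        if missing:
            raise NeedInfo({"required_claims": missing})
        for name, satisfied in policy["required_claims"].items():
            if not satisfied(claims[name]):
                raise PermissionError(f"claim {name} does not satisfy policy")
        rpt = secrets.token_urlsafe(24)
        self.rpts[rpt] = {"resource_id": resource_id, "scopes": scopes,
                          "requester": claims.get("sub")}
        return rpt

    def permitted(self, rpt, resource_id, scope):
        """The resource server's question before serving a request that bears an RPT."""
        perm = self.rpts.get(rpt)
        return bool(perm) and perm["resource_id"] == resource_id and scope in perm["scopes"]


TERMS = "Use my address for shipping only; do not resell it."


def alice_shares_address():
    """Walks the Alice-to-Bob case end to end; returns the AS and Bob's RPT."""
    uma = UmaAuthorizationServer()
    uma.register_resource("alice", "alice-address", ["address:read", "address:write"])
    uma.set_policy("alice", "alice-address",
                   required_claims={
                       "email": lambda v: v.endswith("@example.org"),
                       "email_verified": lambda v: v is True,
                   },
                   terms=TERMS)
    bob_claims = {"sub": "bob", "email": "bob@example.org", "email_verified": True}
    rpt = uma.request_rpt("alice-address", ["address:read"], bob_claims, accepted_terms=TERMS)
    return uma, rpt
```

Note the two failure modes are distinct: NeedInfo tells the requesting party what to supply (more claims, or acceptance of terms), while a claim that is present but fails the predicate is a plain denial. The resource server never sees Alice’s policy; it only asks whether the RPT it was handed covers this resource and scope.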


Killer apps for UMA

UMAnized Street Identity:
– Centralized management and policy-driven sharing of addresses etc. with anyone

APIified access management:
– Direct control and auditing of all employee SaaS access

Zero Trust B2B2C privacy:
– Telco allows location sharing today – and health record sharing tomorrow

(Diagram roles shown on the slide: IdP, AP, RP; PDP, PEP, requester; AS, RS, client.)


Agenda: Learn from your peers: brandish IT carrots instead of sticks.


One research organization’s experience with emerging IAM technologies for “Enterprise 2.0”

Objectives:

Unified authentication and authorization flows for all protected resources

Serve internal and external users alike, using internal and external apps

Remove friction and risk in getting all new internal apps to federate

Enable brokered distributed attribute provisioning

Enable use by people with pre-proofed high-quality credentials

Approach:

IdP proxy from internal SAML SSO systems

Leverage OpenID (and soon OpenID Connect)

“Graylist” approach: users take responsibility for dynamic external service provider choices
– Organization is in charge of whitelists and blacklists

Devs partnered with IT from the beginning
– Rationale that worked: “Ad hoc login creation is worse”


Its architecture

(Diagram components: Corporate Firewall, DMZ, Intranet, User Data Database, Internal OP, External OP, Corporate SSO, Two-Factor Signon.)


Its results

IT gets a level of comfort by operating production-quality servers itself

New internal apps federate “by default” even if they’re in the long tail

Dynamic associations with external apps are auditable

Not enough external SaaS providers are enabling standardized inbound SSO

While they prefer OAuth-based tech, OpenID 2.0 has become legacy already!


Drawing lessons from this experience

Low-usage internal apps aren’t necessarily low-sensitivity apps; protect them by reducing friction

For extranet apps and APIs, think light weight, particularly for partners with unsophisticated IT

Expect protocol discussions to reflect partner power relationships

Bet on “reach” vs. “rich” – in distributed computing, it always wins in the end

Scott Morrison, CTO, Layer 7 Technologies

The Old Enterprise

Formal and structured security & connectivity:

VPNs and proprietary protocols for thick clients

HTTP(S) for browsers

SOAP+WS-* for B2B

(Diagram: Enterprise Network with line of business servers behind a firewall; road warriors connect over VPN, browser clients over SSL, formal trading partners over WS-Security.)

The New Hybrid Enterprise

Highly agile security & connectivity: REST, OAuth, OpenID Connect, UMA

(Diagram: Enterprise Network with line of business servers behind a firewall; mobile devices and clouds connect through informal, API-driven integrations.)

The Hybrid Enterprise Made Possible By APIs

(Diagram: Web App, API Server, Web Client, Mobile App.)

An API, as used in this deck, is a RESTful service: a resource identified by a URL, accessed with an HTTP method, returning a JSON representation.

For example:

GET http://services.layer7.com/staff/Scott

returns:

{
  "firstName": "Scott",
  "lastName": "Morrison",
  "title": "CTO",
  "address": {
    "streetAddress": "405-1100 Melville",
    "city": "Vancouver",
    "prov": "BC",
    "postalCode": "V6E 4A6"
  },
  "phoneNumber": [
    { "type": "office", "number": "605 681-9377" },
    { "type": "home", "number": "604 555-4567" }
  ]
}

Why Zero Trust?

Source: http://www.yurock.net/santa-getting-arrested/

A Sensible Response

Source: http://skreened.com/impossiblethings6/keep-calm-trust-no-one

Or Better Yet: …AND USE OAUTH, OPENID CONNECT & UMA

What Do These Do?

OAuth: to get access to an API.

OpenID Connect: to share information about users.

UMA: to give a user the power to control how their attributes are shared.

Priority #1: OAuth

Make it easy

Make it scale

How to Make OAuth Easy

Simple, drop-in virtual or hardware gateway

Acts as both Authorization Server (AS) and Resource Server (RS)

Advanced security on all APIs

Threat detection, audit, QoS mgmt, etc.

(Diagram: Enterprise Network behind a firewall with the SecureSpan Gateway protecting the RS and acting as AS, a Directory, and the Protected Resource; mobile devices, clouds, webapps, etc. connect through informal, API-driven integrations.)

All authorization grants:

➠ Authorization code

➠ Implicit

➠ Resource owner password credentials

➠ Client credentials

How Easy?

How to Make OAuth Web Scale

(Diagram: a DMZ behind Firewall 1 holding a SecureSpan Gateway cluster as RS; a Secure Zone behind Firewall 2 holding a SecureSpan Gateway cluster as AS, a Secure Token Store, a Directory, and the Protected Resource.)

How to Make OAuth Scale – Architecture

(Diagram, from the Internet inward: client → DMZ → internal (secure) network.)

DMZ:

Resource Server / API Proxy Server: accessed when the client requests resources; endpoints accessible through an API.

Authorization Server: accessed when the client requests user authorization and tokens; endpoints accessible through the OAuth protocol API. Prove who you are, authorize entitlement, etc.

Internal (secure) network:

OVP: who is asking? which API? what scope? is the token valid? etc.

Token Server with Token Store and Client Store: create, check, expire, revoke, etc.

IDMS: accessible through an LDAP query.

Resource provider.

Priority #2: Introduce OpenID Connect

(Diagram: the same layering as the OAuth architecture: client on the Internet; OpenID Connect endpoints in the DMZ accessible to outside clients; internal (secure) network with Token Store, Client Store, OVP, IDMS accessible through an LDAP query, and the resource provider.)

Core endpoints:

UserInfo: provide access token; get attributes (e.g. family_name, picture, gender, birthdate, etc.)

CheckID: provide ID token; validate and return claims

Optional endpoints:

Session management: 1. Refresh endpoint 2. End session endpoint

Dynamic registration

Discovery

Summary

Implement OAuth now!

- Don’t roll your own

- Plan for failure

- Plan for scale

Plan for OpenID Connect

- Understand what you need to share

- Look to integration with existing identity providers

Keep a very close eye on UMA

- This is the missing piece in the puzzle

- Maturing very fast

Questions?

Scott Morrison CTO Layer 7 Technologies [email protected]

Eve Maler Principal Analyst Forrester Research, Inc. [email protected]