CIS13: Identity Trends and Transients
Transcript of CIS13: Identity Trends and Transients
Making Leaders Successful Every Day
Trends, Transients, Tropes, and Transparents
Eve Maler, Principal Analyst, Security & Risk
Cloud Identity Summit July 10, 2013
© 2012 Forrester Research, Inc. Reproduction Prohibited
What are the T4 all about?
Diagram axes: “less well noticed” to “well noticed” (horizontal); “closer to truthiness” to “closer to essential truth” (vertical). Plotted on it: Transparents, Transients, Trends, Tropes.
• What are they?
• What is the evidence?
• What should you do about them?
Trend: webdevification of IT
Source: John Musser (formerly) of ProgrammableWeb.com
IN THE FUTURE, EVERY ENTERPRISE WILL OPEN AN API CHANNEL TO ITS DIGITAL PLATFORM
Confront the changes in your power relationship
value X
friction Y
ACCESS CONTROL IS ABOUT PROTECTION AND MONETIZATION
Source: April 5, 2013 Forrester report “API Management For Security Pros”
A lot of identities float around an API ecosystem
Open Web APIs are, fortunately, friendly to the Zero Trust security model
Initially treat all access requesters as untrusted. Require opt-in access. Apply identity federation through APIs.
Source: November 15, 2012, Forrester report “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security”
Trend: IAM x cloud
ZERO TRUST CALLS FOR DISTRIBUTED SINGLE SOURCES OF TRUTH
Federate at run time
Bind to authn repository
Synch accounts
Issue an unrelated account
Identity plays only an infrastructural role in most cloud platforms
cloud services
IAM functions user base and attributes
cloud identity product with an actual SKU
KEEP AN EYE OUT FOR DISRUPTION COMING FROM THE “CISDH” PLAYERS
Transient: XACML
Adoption has government/compliance drivers, few accelerators, and many inhibitors.
It’s critical to open up the market for long-tail policy evaluation engines.
Webdevified scenarios demand different patterns of outsourced authorization.
XACML 3 IS STUCK AT MODERATE SUCCESS AND IS HEADING FOR DECLINE
Authz grain needs to get…finer-grained
Diagram axes: policy input (roles, groups, attributes, entitlements) vs. resource accessed (domain, URL path, sets of API calls, field). Approaches shown on the grid: WAM, scope-grained authz, XACML etc.
Plan for a new “Venn” of access control
AN “XACML LITE” WOULD HAVE A POTENTIALLY VALUABLE ROLE TO PLAY
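The following is an added illustration, not code from the talk or from any Forrester or XACML project: a small attribute-based policy evaluator in the spirit of an “XACML lite”. It shows policy inputs (roles, and scopes standing in for entitlements) evaluated against the resource accessed at domain, URL-path, API-call and field grain, combined with deny-overrides and default-deny. The `Request` and `Rule` shapes, the sample policy, and the `accounts:read`, `accounts:write` and `compliance` names are all constructed for this example.

```python
"""Attribute-based policy evaluation at several grains ("XACML lite" in spirit).
Added example; the request/rule model, sample policy, scope and role names are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable


@dataclass
class Request:
    subject: dict                    # policy inputs: roles, groups, attributes, entitlements
    action: str                      # HTTP method of the API call
    path: str                        # URL path of the resource accessed
    fields: frozenset = frozenset()  # record fields the call would read or write


@dataclass
class Rule:
    effect: str                        # "permit" or "deny"
    target: Callable[[Request], bool]  # does this rule apply to the request?
    description: str


def evaluate(policy: list[Rule], req: Request) -> str:
    """Deny-overrides combining: an applicable deny wins, else an applicable permit,
    else deny (default-deny: a requester nothing vouches for is treated as untrusted)."""
    effects = [rule.effect for rule in policy if rule.target(req)]
    if "deny" in effects:
        return "deny"
    if "permit" in effects:
        return "permit"
    return "deny"


def has_scope(req: Request, scope: str) -> bool:
    return scope in req.subject.get("scopes", ())


def has_role(req: Request, role: str) -> bool:
    return role in req.subject.get("roles", ())


# Constructed sample policy; each rule sits at a different grain of "resource accessed".
POLICY = [
    # Domain grain: this policy only vouches for paths under /api/.
    Rule("deny", lambda r: not fnmatch(r.path, "/api/*"),
         "paths outside /api/ are never permitted by this policy"),
    # URL path + set-of-API-calls grain: reads of account resources need an entitlement (scope).
    Rule("permit", lambda r: r.action == "GET" and fnmatch(r.path, "/api/accounts/*")
         and has_scope(r, "accounts:read"),
         "accounts:read scope permits GET on /api/accounts/*"),
    Rule("permit", lambda r: r.action in ("POST", "PUT", "DELETE")
         and fnmatch(r.path, "/api/accounts/*") and has_scope(r, "accounts:write"),
         "accounts:write scope permits writes on /api/accounts/*"),
    # Field grain: a scope is too coarse to protect one field, so an attribute rule does it.
    Rule("deny", lambda r: "ssn" in r.fields and not has_role(r, "compliance"),
         "the ssn field is only visible to the compliance role"),
]


def decide(subject: dict, action: str, path: str, fields=()) -> str:
    """Evaluate the sample policy for one API call."""
    return evaluate(POLICY, Request(subject, action, path, frozenset(fields)))


if __name__ == "__main__":
    reader = {"scopes": ["accounts:read"]}
    print(decide(reader, "GET", "/api/accounts/42"))           # permit
    print(decide(reader, "GET", "/api/accounts/42", ["ssn"]))  # deny: field grain
```

The point of the layering is that the scope rule alone would let the `ssn` field through; the field-grain rule catches what the coarser grains cannot express, which is the gap the slide says an “XACML lite” would fill.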
Trope: “Passwords are dead” OH, YEAH?
correct horse battery staple
We struggle to maximize authentication quality
Source: June 12, 2013 Forrester report “Introducing The Customer Authentication Assessment Framework”
PARTICULARLY IN CONSUMER-FACING SERVICES
Authentication schemes have different characteristics
Source: June 12, 2013 Forrester report “Introducing The Customer Authentication Assessment Framework”, based on “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes”
[Rating grid of ✔ / ✘ / ? marks per authentication scheme and framework criterion; the transcript preserves only the marks, not the scheme rows or criterion columns.]
*S2 is an affordance of passwords for “consensual impersonation”
Think in terms of “responsive design” for authentication
LEVERAGE STRENGTHS AND MITIGATE RISKS – ONCE YOU KNOW THEM
User identification based on something they… know, have, are, do
Transparent: time-to-live strategies
EXPIRATION HAS OUTSIZED VALUE VS. EXPLICIT REVOCATION OF ACCESS IN ZERO-TRUST ENVIRONMENTS
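Added example (not from the talk): a locally verifiable, HMAC-signed access token carrying an expiry claim. It shows why a short time-to-live bounds how long a leaked token stays usable even for a verifier that never sees a revocation list, while explicit revocation only helps where the verifier actually consults one. The signing key, subject names, timestamps and the `residual_exposure` helper are constructed for illustration.

```python
"""Short-lived, locally verifiable tokens: expiry caps the exposure of a leaked token
even when the verifier never consults a revocation list.
Added example; key, subjects, timestamps and helper names are constructed."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # constructed; use a managed key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, now: int) -> str:
    """Mint an HMAC-signed token with subject, unique id (jti), issue and expiry times."""
    claims = {"sub": subject, "jti": secrets.token_hex(8), "iat": now, "exp": now + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def claims_of(token: str) -> dict:
    """Decode the claims without verifying; used to look up a token's jti for revocation."""
    return json.loads(_unb64(token.split(".")[0]))


def validate_token(token: str, now: int, revoked=frozenset()) -> tuple[bool, str]:
    """Return (accepted, subject-or-reason). Signature and expiry are checked before any
    revocation lookup, so a verifier with no revocation feed still rejects stale tokens."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return False, "expired"
    if claims["jti"] in revoked:
        return False, "revoked"
    return True, claims["sub"]


def residual_exposure(ttl_seconds: int, revocation_lag_seconds: int,
                      verifier_checks_revocation: bool) -> int:
    """Seconds a leaked token stays usable. The TTL caps it unconditionally; revocation
    (with its detection-to-propagation lag) only helps where the verifier consults the list."""
    if verifier_checks_revocation:
        return min(ttl_seconds, revocation_lag_seconds)
    return ttl_seconds


if __name__ == "__main__":
    token = issue_token("alice", ttl_seconds=300, now=1000)
    print(validate_token(token, now=1100))   # accepted while fresh
    print(validate_token(token, now=1300))   # rejected by expiry alone, no list needed
```

The design choice worth noting is the order of checks: signature, then expiry, then revocation. A resource server that can only do the first two still converges on the right answer within one TTL, which is why a short TTL is the control with the outsized value in a distributed, zero-trust deployment.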
Summary of the T4
Diagram axes: “less well noticed” to “well noticed”; “closer to truthiness” to “closer to essential truth”. Plotted on it:
Transparent: Time-to-live strategies
Transient: XACML
Trends: Webdevification of IT; Cloud x IAM
Trope: “Passwords are dead”
Thank you. Eve Maler, +1 617.613.8820, [email protected], @xmlgrrl