CIS13: Identity Trends and Transients

Making Leaders Successful Every Day


Eve Maler, Principal Analyst Serving Security and Risk Professionals, Forrester. What are the bona fide trends in the shifting identity and access landscape? Which are mere shiny objects, destined to fade quickly and leave their fans in IT disappointed?

Transcript of CIS13: Identity Trends and Transients

Page 1: CIS13: Identity Trends and Transients

Making Leaders Successful Every Day

Page 2: CIS13: Identity Trends and Transients

Trends, Transients, Tropes, and Transparents

Eve Maler, Principal Analyst, Security & Risk

Cloud Identity Summit July 10, 2013

Page 3: CIS13: Identity Trends and Transients

© 2012 Forrester Research, Inc. Reproduction Prohibited

What are the T4 all about?


[Figure: 2x2 grid of the T4. Horizontal axis: Less well noticed / Well noticed. Vertical axis: Closer to truthiness / Closer to essential truth. Quadrants: Transparents, Transients, Trends, Tropes.]

•  What are they?
•  What is the evidence?
•  What should you do about them?

Page 4: CIS13: Identity Trends and Transients


Trend: webdevification of IT


Source: John Musser (formerly) of ProgrammableWeb.com

IN THE FUTURE, EVERY ENTERPRISE WILL OPEN AN API CHANNEL TO ITS DIGITAL PLATFORM

Page 5: CIS13: Identity Trends and Transients


Confront the changes in your power relationship


[Chart: value (X axis) vs. friction (Y axis)]

ACCESS CONTROL IS ABOUT PROTECTION AND MONETIZATION

Page 6: CIS13: Identity Trends and Transients


Source: April 5, 2013 Forrester report “API Management For Security Pros”

A lot of identities float around an API ecosystem

Page 7: CIS13: Identity Trends and Transients


Open Web APIs are, fortunately, friendly to the Zero Trust security model


Initially treat all access requesters as untrusted. Require opt-in access. Apply identity federation through APIs.

Source: November 15, 2012, Forrester report “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security”

Page 8: CIS13: Identity Trends and Transients


Trend: IAM x cloud


ZERO TRUST CALLS FOR DISTRIBUTED SINGLE SOURCES OF TRUTH

[Diagram: options for tying cloud accounts to the source of truth]
•  Federate at run time
•  Bind to authn repository
•  Sync accounts
•  Issue an unrelated account

Page 9: CIS13: Identity Trends and Transients


Identity plays only an infrastructural role in most cloud platforms


[Diagram: layers of a cloud platform]
•  cloud services
•  IAM functions
•  user base and attributes
•  cloud identity product with an actual SKU

KEEP AN EYE OUT FOR DISRUPTION COMING FROM THE “CISDH” PLAYERS

Page 10: CIS13: Identity Trends and Transients


Transient: XACML

•  Adoption has government/compliance drivers, few accelerators, and many inhibitors
•  It’s critical to open up the market for long-tail policy evaluation engines
•  Webdevified scenarios demand different patterns of outsourced authorization

XACML 3 IS STUCK AT MODERATE SUCCESS AND IS HEADING FOR DECLINE

Page 11: CIS13: Identity Trends and Transients


Authz grain needs to get…finer-grained


[Figure: authorization grain, coarse to fine. Policy input: roles, groups, attributes, entitlements. Resource accessed: domain, URL path, sets of API calls, field. Technologies placed along the grain: WAM, scope-grained authz, XACML etc.]
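As an added example (not part of the deck), one request evaluated at the three grains the slide lays out: a coarse, WAM-style check on the URL path, a scope-grained check on sets of API calls, and a field-grained, attribute-based check at the XACML end of the spectrum. All rules, subjects, requests and names are constructed for illustration.

```python
# Added example (not from the deck): one request evaluated at three authorization
# grains, coarse (URL path, WAM-style), scope-grained (sets of API calls) and
# field-grained (attribute-based). Rules, subjects and requests are constructed;
# names are hypothetical.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Subject:
    user: str
    groups: set = field(default_factory=set)        # coarse-grain policy input
    scopes: set = field(default_factory=set)        # scope-grain policy input
    attributes: dict = field(default_factory=dict)  # fine-grain policy input


@dataclass
class Request:
    method: str
    path: str
    fields: frozenset = frozenset()  # fields the caller wants to read or write


# Coarse grain (WAM-style): the first matching path prefix names the group required.
PATH_RULES = [("/admin/", "admins"), ("/api/", "employees")]

# Scope grain: each scope unlocks a set of (method, path pattern) API calls.
SCOPE_RULES = {
    "accounts.read": {("GET", "/api/accounts/*")},
    "accounts.write": {("POST", "/api/accounts/*"), ("PUT", "/api/accounts/*")},
}

# Field grain: a field is released only if the predicate on subject attributes holds.
# Fields with no rule are unrestricted.
FIELD_RULES = {
    "ssn": lambda s: s.attributes.get("clearance") == "pii",
}


def coarse_check(subject: Subject, request: Request) -> bool:
    for prefix, group in PATH_RULES:
        if request.path.startswith(prefix):
            return group in subject.groups
    return False  # unmapped path: deny by default


def scope_check(subject: Subject, request: Request) -> bool:
    for scope in subject.scopes:
        for method, pattern in SCOPE_RULES.get(scope, ()):
            if method == request.method and fnmatchcase(request.path, pattern):
                return True
    return False


def denied_fields(subject: Subject, request: Request) -> set:
    return {f for f in request.fields
            if f in FIELD_RULES and not FIELD_RULES[f](subject)}


def authorize(subject: Subject, request: Request) -> str:
    """Evaluate coarse, then scope, then field grain; the first failing grain
    names the reason so the caller can see which layer denied."""
    if not coarse_check(subject, request):
        return "deny:coarse"
    if not scope_check(subject, request):
        return "deny:scope"
    blocked = denied_fields(subject, request)
    if blocked:
        return "deny:field:" + ",".join(sorted(blocked))
    return "permit"


# Constructed subjects used by the demo below.
ALICE = Subject("alice", groups={"employees"}, scopes={"accounts.read"})
CARL = Subject("carl", groups={"employees"},
               scopes={"accounts.read", "accounts.write"},
               attributes={"clearance": "pii"})
BOB = Subject("bob", scopes={"accounts.read"})  # scope present, group missing


if __name__ == "__main__":
    for who, req in [
        (ALICE, Request("GET", "/api/accounts/42", frozenset({"balance"}))),
        (ALICE, Request("GET", "/api/accounts/42", frozenset({"balance", "ssn"}))),
        (ALICE, Request("POST", "/api/accounts/42")),
        (CARL, Request("GET", "/api/accounts/42", frozenset({"ssn"}))),
        (BOB, Request("GET", "/api/accounts/42")),
    ]:
        print(who.user, req.method, req.path, "->", authorize(who, req))
```

Each grain uses a different policy input (group, scope, attribute) and a different notion of resource (path prefix, API call, field), which is the gap the slide's spectrum describes; a deployment that stops at the coarse or scope layer releases the `ssn` field to anyone holding `accounts.read`.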

Page 12: CIS13: Identity Trends and Transients


Plan for a new “Venn” of access control


AN “XACML LITE” WOULD HAVE A POTENTIALLY VALUABLE ROLE TO PLAY

Page 13: CIS13: Identity Trends and Transients


Trope: “Passwords are dead”

OH, YEAH?

correct horse battery staple

Page 14: CIS13: Identity Trends and Transients


We struggle to maximize authentication quality


Source: June 12, 2013 “Introducing The Customer Authentication Assessment Framework” Forrester report

PARTICULARLY IN CONSUMER-FACING SERVICES

Page 15: CIS13: Identity Trends and Transients


Authentication schemes have different characteristics


Source: June 12, 2013 “Introducing The Customer Authentication Assessment Framework” Forrester report, based on “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes”

[Table: authentication schemes rated per characteristic with ✘, ✔ and ?✔; one cell marked *]

* S2 is an affordance of passwords for “consensual impersonation”

Page 16: CIS13: Identity Trends and Transients


Think in terms of “responsive design” for authentication


LEVERAGE STRENGTHS AND MITIGATE RISKS – ONCE YOU KNOW THEM

User identification based on something they…
•  Know
•  Have
•  Are
•  Do

Page 17: CIS13: Identity Trends and Transients


Transparent: time-to-live strategies

EXPIRATION HAS OUTSIZED VALUE VS. EXPLICIT REVOCATION OF ACCESS IN ZERO-TRUST ENVIRONMENTS
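As an added example (not part of the deck), a signed bearer token whose lifetime is bounded by an `exp` claim, next to a verifier that may or may not consult a revocation list. The `usable_window_after_revocation()` measurement makes the slide's point concrete: a verifier that never learns of a revocation still stops accepting the token at `exp`, so a short TTL caps the exposure window on its own. The signing key, token format, claim names and the constructed subjects are all assumptions of this example, not anything from the presentation.

```python
# Added example (not from the deck): HMAC-signed bearer tokens with a TTL, and a
# verifier that optionally consults a revocation list. Key, format and names are
# constructed for illustration.
import base64
import hashlib
import hmac
import json
import secrets

KEY = secrets.token_bytes(32)  # constructed per-process signing key


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(subject: str, now: int, ttl: int, key: bytes = KEY) -> str:
    """Mint a token valid for ttl seconds from now (times are integer seconds)."""
    payload = {"sub": subject, "iat": now, "exp": now + ttl,
               "jti": secrets.token_hex(8)}  # jti: unique id a revocation list can name
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def payload_of(token: str) -> dict:
    return json.loads(_unb64(token.split(".")[0]))


def verify(token: str, now: int, key: bytes = KEY, revoked=None):
    """Return (ok, reason). revoked=None models a verifier relying on TTL alone."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad-signature"
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return False, "expired"
    if revoked is not None and payload["jti"] in revoked:
        return False, "revoked"
    return True, payload["sub"]


def usable_window_after_revocation(token: str, revoked_at: int,
                                   consult_revocation: bool, key: bytes = KEY) -> int:
    """Seconds for which the token is still accepted after being revoked at
    revoked_at. With a consulted list the window is 0; with TTL alone it is
    bounded by exp - revoked_at, i.e. by the TTL chosen at issue time."""
    p = payload_of(token)
    revoked = {p["jti"]} if consult_revocation else None
    return sum(1 for t in range(revoked_at, p["exp"])
               if verify(token, t, key, revoked)[0])


if __name__ == "__main__":
    short = issue("alice", now=1000, ttl=300)
    long_lived = issue("alice", now=1000, ttl=86400)
    print("short TTL, no revocation check:",
          usable_window_after_revocation(short, 1100, False), "s")
    print("long TTL, no revocation check:",
          usable_window_after_revocation(long_lived, 1100, False), "s")
    print("short TTL, revocation consulted:",
          usable_window_after_revocation(short, 1100, True), "s")
```

The revocation path only works where every verifier reaches the list on every request; the expiry path works wherever the clock and the signing key do, which is why the deck weighs it so heavily for distributed, zero-trust deployments. Pairing a short access-token TTL with re-issuance (refresh) at a single point that does check revocation gives both properties.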

Page 18: CIS13: Identity Trends and Transients


Summary of the T4


[Figure: the T4 placed on the same 2x2 grid. Horizontal axis: Less well noticed / Well noticed. Vertical axis: Closer to truthiness / Closer to essential truth.]
•  Transparent: Time-to-live strategies
•  Transient: XACML
•  Trends: Webdevification of IT; Cloud x IAM
•  Trope: “Passwords are dead”

Page 19: CIS13: Identity Trends and Transients

Thank you

Eve Maler
+1 617.613.8820
[email protected]
@xmlgrrl