How the Cloud is Changing Federated Identity Requirements · CTO, Ping Identity @ ... – SAML –...
The Return of Timesharing
http://www.flickr.com/photos/quinnanya/2690873096/
Copyright (c) 2010 Ping Identity Corporation
From Earth to Sky
• No longer build vs. buy
– Now build, buy or subscribe
• Enterprise data and accounts are moving to remotely run "cloud services"
• Less IT involvement
– Double edged sword
But what are the Tradeoffs?
• How do requirements change when data and access are out of the direct control of the Enterprise?
• What can be done to protect corporate resources while still embracing this new paradigm?
Oh, How Our Jobs Have Changed
• Remember when all we had to do was lock things up?
• Remember when every application had its own port number?
• Remember when access to the internet was a luxury rather than a necessity?
• Remember the days when your boss's idea of integration was collated paper reports?
Protectionism is out
• Now we need to be Open – but Secure
• Porous but Protected
• Easy to use but Hard to Abuse
• Agile but Armored
• Connected but Self-Contained
• Our new job description: Implement an Oxymoron
Security: Last Again
(Chart: Number of Applications, from 10's through 100's and 1000's to 10000's, plotted against Time)
Pre 90's – Mainframe & Mini-computer: MVS, Top Secret, RACF, ACF
Early 90's – Client/Server & Distributed Computing: VB, C++, SmallTalk, ERP, Tuxedo, MQ, DCE, COM, DCOM, Corba
Late 90's – Web Applications: HTTP, HTML, .Net, Java, J2EE, TCP/IP
Early 00's – Web Services & SOA: XML, SOAP, WS-*, REST, ESB, WSM, Java
Late 00's – Cloud Computing: RIA's, AJAX, Flash, Silverlight, SaaS, IaaS, PaaS, Virtualization, RSS, Social Media, Wikis, Collaboration
Services: Any to Any
• Organizations Need to Support:
– Internal User Access to Internal Applications
– Internal User Access to Cloud Applications
• E.g. SaaS, BPO, Partner, Vendor Apps
– External User Access to Internal Applications
• E.g. Customer, Partner, Vendor access
– "Mashups"
• Identity-Enabled Web Services
Audit: No Longer an Afterthought
• Sarbanes-Oxley
• Health Insurance Portability & Accountability Act (HIPAA)
• Gramm-Leach-Bliley
• EU Directive 95/46/EC
Prerequisites:
● Identity Security ● Data Security ● Access Control ● Internal and External Applications
Visibility: Expected by Management
• Compliance is the new religion
• Often purchased, rarely achieved
• Personal opinion:
– Govern, don't comply
http://www.flickr.com/photos/roman_emin/3388408921/
Summary of Challenges
• New Business Application Delivery Models Demand an Internet-friendly, Identity-based Security Model
– Internal and External Web Applications / Web Services
– Any Device, Anywhere
– Secure, Portable, Standards-based
• The Overhead and Risk From Passwords Must Be Reduced
– Compliance Issues
– Security and Risk Factors
– User and IT Productivity Gains
Enterprise IT Impact
• Significant Enterprise IdM Infrastructure Can Be Made Irrelevant
• Directories
• Identity Management Systems
• Strong User Authentication
• e.g. Security Tokens, X.509 Certificates
• These are Multi-million Dollar, Multi-year Investments
– Driven by
• Ease of Use
• Cost Reduction
• Risk, Security and Compliance
http://www.flickr.com/photos/streetart-berlin/3374855273/
http://www.flickr.com/photos/toffehoff/244870161/
Requirements Must Change
• Every cloud application MUST be treated like a black box
• Every RFP should be asking:
– "How do I externalize AuthN? AuthZ? Audit? Provisioning?"
• It is no longer about BUYING compliance
– It is about seeing it
• Hooking audit logs into dashboards will be the new metric – not promises from IT staff that things are being logged silently
New: Cross Domain Oversight
• Authentication & SSO
– SAML
– OpenID
• Delegation
– WS-Trust
• Authorization
– XACML
– OAuth
• Provisioning
– SPML
– Proprietary API
• Audit
– A6
http://www.flickr.com/photos/jay_que/301153387/
Long Awaited: Levels of Assurance
• Matching protocol to domain of use
– Not every application is created 'equal'
• Context is key
– Multiple Tools for multiple purposes
• Social Networking apps have a place in the Enterprise
– Conversions are the drawing factor
• Customers
• Recruiting
• Alongside regulated applications (e.g. SARBOX, HIPAA)
http://www.flickr.com/photos/mnemonic/20530112/
Changed Risk: Passwords
• If you don't federate you are faced with two choices:
– Force your users to set their own separate password at every corporate cloud site you contract with
• Guess which password they will use?
– Synchronize your users' passwords to every corporate cloud site you contract with
• That way the hackers get all the passwords in one fell swoop
Expanded Utility: SSO
• Cookies didn't cut it – tokens raise the bar
• Access control via EXPLICIT Security
• Ownership of user validation stays in the Enterprise
• User gains access to the resources of multiple software systems without being prompted to log in again
Today we Push
• Federation with SaaS is Push-Oriented
• IdP-Initiated SSO
– User must start at corporate portal
– Portal requires list of all cloud applications
• API Driven User Provisioning
– Starts with groups in corporate directory
– Batch oriented
http://www.flickr.com/photos/chavals/2655131515/
Tomorrow we Pull
• Push won't scale to support hundreds of applications in the cloud
– User access anytime, anywhere, any device
– Just-in-time access verification
• SP-Initiated SSO
– Must address IdP Discovery
– Authentication at the Edge
• Assertion Based Provisioning
– with Attribute Query Services
– and real time requests for role verification etc.
• via Federated Authorization
• Access & Audit logs accessed via secure Pub/Sub [future]
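The "pull" model on the slide above, as an added worked example that is not from the deck or from Ping Identity: the user arrives at the cloud app (the SP) first, the SP discovers the right IdP from the e-mail domain and issues an AuthnRequest, the IdP authenticates the user at the edge and returns a signed assertion carrying attributes, and the SP validates it (trusted issuer, signature, audience, InResponseTo, validity window, one-time use) before provisioning the account just in time from the attributes. The token format is a constructed JSON-plus-HMAC stand-in for a SAML assertion; entity IDs, keys, users, attributes and the domain-based discovery table are all assumptions.

```python
"""SP-initiated ("pull") federated SSO with just-in-time provisioning.

Added illustration, not code from the deck or from Ping Identity. The token is a
constructed JSON-plus-HMAC stand-in for a SAML assertion; a real SP verifies an
XML-DSig signature against the IdP's certificate instead of a shared HMAC key.
"""
import base64, hashlib, hmac, json, secrets, time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Authenticates the user at the edge and issues a signed assertion carrying attributes."""

    def __init__(self, entity_id: str, signing_key: bytes, directory: dict):
        self.entity_id, self.signing_key, self.directory = entity_id, signing_key, directory

    def respond(self, authn_request: dict, user: str, now: int) -> str:
        # Assumes the user has just authenticated at the IdP (ideally with strong auth).
        assertion = {
            "id": secrets.token_hex(16),
            "issuer": self.entity_id,
            "audience": authn_request["issuer"],    # only the SP that asked may accept it
            "in_response_to": authn_request["id"],  # binds the response to a pending request
            "subject": user,
            "not_before": now - 60,
            "not_on_or_after": now + 300,
            "attributes": self.directory[user],     # roles travel inside the assertion
        }
        payload = json.dumps(assertion, sort_keys=True).encode()
        signature = hmac.new(self.signing_key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(signature)


class ServiceProvider:
    """Cloud app: discovers the IdP, sends the AuthnRequest, validates the assertion, provisions JIT."""

    def __init__(self, entity_id: str, idp_by_domain: dict, idp_keys: dict):
        self.entity_id = entity_id
        self.idp_by_domain = idp_by_domain  # e-mail domain -> IdP entity id (discovery table)
        self.idp_keys = idp_keys            # IdP entity id -> verification key (trust store)
        self.pending = {}                   # request id -> IdP the user was sent to
        self.consumed = set()               # assertion ids already accepted (replay defence)
        self.accounts = {}                  # local accounts created/refreshed from assertions

    def discover(self, email: str) -> str:
        domain = email.rsplit("@", 1)[-1].lower()
        if domain not in self.idp_by_domain:
            raise ValueError(f"no IdP known for domain {domain}")
        return self.idp_by_domain[domain]

    def authn_request(self, email: str) -> dict:
        # The user arrives at the SP first; the SP works out where to send them.
        request = {"id": secrets.token_hex(16), "issuer": self.entity_id,
                   "destination": self.discover(email)}
        self.pending[request["id"]] = request["destination"]
        return request

    def consume(self, token: str, now: int) -> dict:
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, signature = _unb64(payload_b64), _unb64(sig_b64)
            assertion = json.loads(payload)
        except ValueError:  # covers unpack, base64 and JSON decoding errors
            raise ValueError("malformed assertion") from None
        key = self.idp_keys.get(assertion.get("issuer"))
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("bad signature")
        if assertion["audience"] != self.entity_id:
            raise ValueError("assertion not addressed to this SP")
        if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
            raise ValueError("assertion outside its validity window")
        if self.pending.pop(assertion.get("in_response_to"), None) != assertion["issuer"]:
            raise ValueError("unsolicited response or wrong IdP")
        if assertion["id"] in self.consumed:
            raise ValueError("replayed assertion")
        self.consumed.add(assertion["id"])
        # Just-in-time provisioning: the account is created or refreshed from the
        # assertion, so the SP holds no password and needs no batch push from the directory.
        account = self.accounts.setdefault(assertion["subject"], {"created": now})
        account.update(assertion["attributes"])
        return {"user": assertion["subject"], "role": account["role"]}


def demo() -> dict:
    """Constructed end-to-end run: one enterprise IdP, one SaaS SP, one user."""
    key = secrets.token_bytes(32)  # stand-in for the IdP signing certificate (assumption)
    directory = {"alice@example.com": {"role": "crm-admin", "dept": "sales"}}
    idp = IdentityProvider("https://idp.example.com", key, directory)
    sp = ServiceProvider("https://crm.saas-vendor.example",
                         {"example.com": idp.entity_id}, {idp.entity_id: key})
    now = int(time.time())
    request = sp.authn_request("alice@example.com")   # SP-initiated: user starts at the app
    token = idp.respond(request, "alice@example.com", now)
    session = sp.consume(token, now)
    try:
        sp.consume(token, now)                         # presenting the same assertion again
        replay_blocked = False
    except ValueError:
        replay_blocked = True
    return {"session": session, "replay_blocked": replay_blocked,
            "account": sp.accounts["alice@example.com"]}
```

The discovery table stands in for whatever IdP discovery mechanism the deployment settles on; the point is that the SP, not a corporate portal, decides where the user goes. The attribute query and real-time role verification services mentioned on the slide are not shown; here the roles simply ride inside the assertion and refresh the local account on every login.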
http://www.flickr.com/photos/caveman_92223/3024787175/
Privileged User Management
• Cloud Apps allow 'superuser' access
– Salesforce CRM Admins
– Amazon EC2 Admins
• Equivalent to 'root' or 'Admin' on production systems
• Business Imperatives
– Strong authentication
– Access appropriate to role
http://www.flickr.com/photos/sillygwailo/348769786
Strong Auth Imperative
• "No passwords in the cloud"
• Implement Centralized Strong Auth
• Federated SSO can make Strong Auth cost effective
– Tokens, Certs, MFA
Summary
• Cloud requires Internet-friendly, Identity-based Security Model
• # Passwords Must Be Reduced via SSO
– 'No Passwords in the Cloud'
• Cloud Scale will require Pull, not Push
• Consider Strong Auth as de-facto Auth Mechanism
Ping Identity Can Address The Oxymoron