Ymens - Cloud Identity Crisis - Dev Talks 2015


Transcript of Ymens - Cloud Identity Crisis - Dev Talks 2015

Vlad Mihnea, R&D Manager

Cloud Identity Crisis and the Identity Broker

Identity: Definition

Set of information (attributes) by which an individual is definitively distinguished within a context, such as an application

Identity Attributes:
  • Physiological attributes
  • Biographical information
  • Issued credentials
  • “Secret” information (e.g. history)

  • Height: 192cm
  • Weight: 106kg
  • Skin Color: White
  • Eye Color: Blue
  • Hair Color: Black
  • Place of Birth: Krypton
  • Identity: Secret
  • Citizenship: Kryptonian, American
  • Base: Metropolis, Fortress of Solitude
  • Occupation: Journalist, Super Hero
  • Employer: Daily Planet, Self-employed

Superman is Clark Kent

Clark Kent is an employee of Daily Planet

Clark Kent is a social being

Clark Kent is an adopted son

Superman is also Kal El, citizen of Krypton

Superman: One User – Many Identities

Login         Email              Credentials
superman      [email protected]  **********
kel           [email protected]  **********
clark.kent    [email protected]  **********
superboy1977  [email protected]  **********

Cloud Identity Crisis: Complex & Fragmented

Diagram: identity flows (Create/Delete, Attribute Sync) between Active Directory, HR systems (PeopleSoft, SAP), cloud services (Office365, Workday, Salesforce, etc.), Financials, SharePoint and Sales, involving the Application Owner, Business Manager, Users, IT Helpdesk, Administrators, and partners, customers, etc.

• Complexity: One user, many identities
  If a user has more than one identity, they will cope with that complexity by choosing easy-to-remember credentials, which makes them a weak link for hackers.

• Fragmentation: Many apps, many systems
  If applications have separate identity systems, keeping the identities on each system consistent becomes a manual job for events such as staff changes.

• Complexity & Fragmentation => Entropy
  A fragmented identity system leads to fragmented accountability, allowing suspect users to identify themselves through unapproved applications.

Cloud Identity Crisis: Complex & Hybrid

Diagram: the Cloud Identity Broker sits between Enterprise IAM, a Cloud Service Broker (Marketplace, SSO, IdM, Billing, Portal), Social Sign-on (Consumer) and B2B, connecting employees, contractors and partners to SaaS/PaaS/IaaS, on-premise / legacy systems and consumer apps.

• Service Brokers - The Cloud Marketplace
  • Cloud Exchange for the enterprise and cloud services: a broker service that integrates, manages and bills cloud services
  • Essential to the transformation of traditional IT into IT as a Service

• Identity Brokers - The Cloud Identity Hub
  • IDaaS: enables the provisioning and life-cycle management of users across external cloud services
  • Virtual Directory in the cloud that brokers identity from the enterprise to external cloud providers

Cloud Service Broker ⊆ Cloud Identity Broker

2 Operations: ① Provisioning ② Single Sign-On

2 Worlds: ① Work ② Home

2 Directions: ① Inbound ② Outbound

Identity Broker: Functions

Key Features:
  • Governance
  • Hubris

Key Features:
  • “Solving the right problem”
  • Enterprise-only scope

Key Features:
  • Agility
  • Cloud friendliness
  • Robustness

ID Protocols: Emerging Standards have an Edge

Source: TechRadar For Security Pros: Zero Trust Identity Standards, Q3 2012

ID Protocols: Relevant Jargon

OAuth 2.0
  • Auth Server
  • Resource Server

OpenID Connect 1.0
  • OpenID Provider
  • Relying Party
  • User Claims
  • Client Claims

SAML 2.0
  • Identity Provider
  • Service Provider
  • Attributes
  • SP Metadata

SCIM
  • Service Provider: a web application that provides identity information via the SCIM protocol
  • Consumer: an application that uses the SCIM protocol to manage identity data maintained by the Service Provider
  • Resource: the Service Provider managed artifact containing one or more attributes; e.g., User or Group

ID Protocols: Comparison

OAuth 2.0
  • Not responsible for session initiation
  • Collects user’s consent to share attributes
  • No actual identity tokens
  • No actual claims, protects APIs
  • Client onboarding is static
  • No session

OpenID Connect 1.0
  • Initiating user’s login session
  • Collects user’s consent to share attributes
  • High-security identity tokens
  • Distributed and aggregated claims
  • Dynamic onboarding
  • Session timeout

SAML 2.0
  • Initiating user’s login session
  • Not responsible for collecting user consent
  • High-security identity tokens
  • Distributed and aggregated claims
  • Client onboarding is static
  • Session timeout

ID Protocols: Standards & Gaps

Identified Standards:
  • SAML
  • OpenID
  • OpenID Connect
  • OAuth
  • SPML
  • SCIM
  • WS-Federation
  • XACML

Identified Gaps:
  • Configuration and association with an IdP is not standardized
  • No standards or rules for mapping or transforming attributes between different domains
  • No profiles or standard roles and related attributes
  • No standards for attributes
  • No audit standards for IDM systems

Identity Broker & Protocols: Our Vision

Diagram: the identity broker speaks SOAP/HTTP, OpenID, OpenID Connect, OAuth2, SCIM and SAML2 towards three worlds: Cloud Apps, Social and Enterprise.

Superman: Identity Broker – Identity Union

Global ID  Local Login   Email              Credentials
kal.el     superman      [email protected]  **********
kal.el     clark.kent    [email protected]  **********
kal.el     superboy1977  [email protected]  **********
kal.el     kel           [email protected]  **********
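As an added example (not code from the talk or from Ymens), a minimal identity-union broker in Python: it links one global ID to many per-application local accounts, emits a SCIM 2.0 core User resource for provisioning, and disables every linked account in one step, the staff-change case the fragmentation slide describes. The logins and addresses are constructed placeholders; the only real identifier is the SCIM 2.0 core User schema URN.

```python
"""Identity-union broker (added example, not Ymens code). All logins,
application names and e-mail addresses below are constructed."""
from dataclasses import dataclass, field

# Real SCIM 2.0 core User schema identifier (RFC 7643)
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"


@dataclass
class LocalAccount:
    app: str          # application / service provider name (constructed)
    login: str        # local login in that application
    email: str
    active: bool = True


@dataclass
class IdentityBroker:
    # global_id -> linked local accounts across applications
    union: dict = field(default_factory=dict)

    def link(self, global_id, app, login, email):
        """Attach a local account to a global identity; one account per app."""
        accounts = self.union.setdefault(global_id, [])
        if any(a.app == app for a in accounts):
            raise ValueError(f"{global_id} already has an account in {app}")
        accounts.append(LocalAccount(app, login, email))

    def scim_user(self, global_id, app):
        """SCIM core User resource the broker would push to one service provider."""
        acct = next(a for a in self.union[global_id] if a.app == app)
        return {"schemas": [SCIM_USER], "externalId": global_id,
                "userName": acct.login, "active": acct.active,
                "emails": [{"value": acct.email, "primary": True}]}

    def deprovision(self, global_id):
        """Disable every linked account at once; returns (app, login) pairs touched."""
        touched = []
        for acct in self.union.get(global_id, []):
            if acct.active:
                acct.active = False
                touched.append((acct.app, acct.login))
        return touched


def demo():
    """Build the Superman union from the slide with constructed app names."""
    broker = IdentityBroker()
    broker.link("kal.el", "dailyplanet", "clark.kent", "clark.kent@example.com")
    broker.link("kal.el", "justiceleague", "superman", "superman@example.com")
    broker.link("kal.el", "social", "superboy1977", "superboy1977@example.com")
    return broker
```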

Cloud Identity: Future

① Open Standards Matter
② Cloud Identity is Hybrid
③ BYOA permeates the Enterprise
④ Identity is the new Control Plane

Cloud Identity: Final Thoughts

“So long, Superman! Your secret identity is safe with me!”

The Simpsons, TV episode, 1992

[email protected]