How the Cloud is Changing Federated Identity Requirements
Patrick Harding, CTO, Ping Identity (@pingcto)
March 1, 2010


The Return of Timesharing

http://www.flickr.com/photos/quinnanya/2690873096/

Copyright (c) 2010 Ping Identity Corporation


From Earth to Sky

•  No longer build vs. buy
   –  Now build, buy or subscribe
•  Enterprise data and accounts are moving to remotely run "cloud services"
•  Less IT involvement
   –  Double edged sword

http://www.flickr.com/photos/quinnanya/2690873096/


But what are the Tradeoffs?

•  How do requirements change when data and access are out of the direct control of the Enterprise?
•  What can be done to protect corporate resources while still embracing this new paradigm?


Oh, How Our Jobs Have Changed

•  Remember when all we had to do was lock things up?
•  Remember when every application had its own port number?
•  Remember when access to the internet was a luxury rather than a necessity?
•  Remember the days when your boss's idea of integration was collated paper reports?


Protectionism is out

•  Now we need to be Open – but Secure
•  Porous but Protected
•  Easy to use but Hard to Abuse
•  Agile but Armored
•  Connected but Self-Contained
•  Our new job description: Implement an Oxymoron


Security: Last Again

(Chart: Number of Applications, 10's / 100's / 1000's / 10000's, plotted against Time)

Pre 90's: Mainframe & Mini-computer (MVS, Top Secret, RACF, ACF)
Early 90's: Client/Server & Distributed Computing (VB, C++, SmallTalk, ERP, Tuxedo, MQ, DCE, COM, DCOM, Corba)
Late 90's: Web Applications (HTTP, HTML, .Net, Java, J2EE, TCP/IP)
Early 00's: Web Services & SOA (XML, SOAP, WS-*, REST, ESB, WSM, Java)
Late 00's: Cloud Computing (RIA's, AJAX, Flash, Silverlight, SaaS, IaaS, PaaS, Virtualization, RSS, Social Media, Wikis, Collaboration)


Complexity: Worse than Ever

(Chart: Average # Applications Per User)


Services: Any to Any

•  Organizations Need to Support:
   –  Internal User Access to Internal Applications
   –  Internal User Access to Cloud Applications
      •  E.g. SaaS, BPO, Partner, Vendor Apps
   –  External User Access to Internal Applications
      •  E.g. Customer, Partner, Vendor access
   –  "Mashups"
•  Identity-Enabled Web Services


Audit: No Longer an Afterthought

•  Sarbanes-Oxley
•  Health Insurance Portability & Accountability Act (HIPAA)
•  Gramm-Leach-Bliley
•  EU Directive 95/46/EC

Prerequisites:

●  Identity Security
●  Data Security
●  Access Control
●  Internal and External Applications


Visibility: Expected by Management

•  Compliance is the new religion
•  Often purchased, rarely achieved
•  Personal opinion:
   –  Govern, don't comply

http://www.flickr.com/photos/roman_emin/3388408921/


Summary of Challenges

•  New Business Application Delivery Models Demand an Internet-friendly, Identity-based Security Model
   –  Internal and External Web Applications / Web Services
   –  Any Device, Anywhere
   –  Secure, Portable, Standards-based
•  The Overhead and Risk From Passwords Must Be Reduced
   –  Compliance Issues
   –  Security and Risk Factors
   –  User and IT Productivity Gains


Enterprise IT Impact

•  Significant Enterprise IdM Infrastructure Can Be Made Irrelevant
   •  Directories
   •  Identity Management Systems
   •  Strong User Authentication
      •  e.g. Security Tokens, X.509 Certificates
•  These are Multi-million Dollar, Multi-year Investments
   –  Driven by
      •  Ease of Use
      •  Cost Reduction
      •  Risk, Security and Compliance


http://www.flickr.com/photos/streetart-berlin/3374855273/

http://www.flickr.com/photos/toffehoff/244870161/

Requirements Must Change

•  Every cloud application MUST be treated like a black box
•  Every RFP should be asking:
   –  "How do I externalize AuthN? AuthZ? Audit? Provisioning?"
•  It isn't any longer about BUYING compliance
   –  It is about seeing it
•  Hooking audit logs into dashboards will be the new metric
   –  not promises from IT staff that things are being logged silently


New: Cross Domain Oversight

•  Authentication & SSO
   –  SAML
   –  OpenID
•  Delegation
   –  WS-Trust
•  Authorization
   –  XACML
   –  OAuth
•  Provisioning
   –  SPML
   –  Proprietary API
•  Audit
   –  A6

http://www.flickr.com/photos/jay_que/301153387/

Long Awaited: Levels of Assurance

•  Matching protocol to domain of use
   –  Not every application is created 'equal'
•  Context is key
   –  Multiple Tools for multiple purposes
•  Social Networking apps have a place in the Enterprise
   –  Conversions are the drawing factor
      •  Customers
      •  Recruiting
•  Alongside regulated applications (e.g. SARBOX, HIPAA)

http://www.flickr.com/photos/mnemonic/20530112/

Changed Risk: Passwords

•  If you don't federate you are faced with two choices:
   –  Force your users to set their own separate password at every corporate cloud site you contract with
      •  Guess which password they will use?
   –  Synchronize your users' passwords to every corporate cloud site you contract with
      •  That way the hackers get all the passwords in one fell swoop


Expanded Utility: SSO

•  Cookies didn't cut it – tokens raise the bar
•  Access control via EXPLICIT Security
•  Ownership of user validation stays in the Enterprise
•  User gains access to the resources of multiple software systems without being prompted to log in again


Today we Push

•  Federation with SaaS is Push-Oriented
•  IdP-Initiated SSO
   –  User must start at corporate portal
   –  Portal requires list of all cloud applications
•  API Driven User Provisioning
   –  Starts with groups in corporate directory
   –  Batch oriented

http://www.flickr.com/photos/chavals/2655131515/

Tomorrow we Pull

•  Push won't scale to support hundreds of applications in the cloud
   –  User access anytime, anywhere, any device
   –  Just-in-time access verification
•  SP-Initiated SSO
   –  Must address IdP Discovery
   –  Authentication at the Edge
•  Assertion Based Provisioning
   –  with Attribute Query Services
   –  and real time requests for role verification etc
      •  via Federated Authorization
•  Access & Audit logs accessed via secure Pub/Sub [future]

http://www.flickr.com/photos/caveman_92223/3024787175/

Domain Based IdP Discovery

(Diagram: STEP 1, STEP 2)
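As an added example (not from the deck and not Ping Identity's code), the two steps of domain-based IdP discovery for SP-initiated SSO in Python: the cloud application (SP) maps the domain of the identifier the user typed to an IdP SSO endpoint (STEP 1), then builds a SAML 2.0 AuthnRequest and sends the browser there with the HTTP-Redirect binding (STEP 2). The domain table, hostnames and SP URLs are hypothetical; a decode helper lets an auditor inspect exactly what the redirect carries.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed SP-side table: which IdP SSO endpoint serves which e-mail domain.
# Every host here is a hypothetical placeholder, not a real deployment.
IDP_BY_DOMAIN = {
    "example.com": "https://idp.example.com/sso/saml",
    "partner.example": "https://sso.partner.example/saml2/redirect",
}
SP_ENTITY_ID = "https://cloudapp.example/saml/metadata"  # hypothetical SP (cloud app)
SP_ACS_URL = "https://cloudapp.example/saml/acs"         # where the IdP posts the assertion

def discover_idp(user_identifier):
    """STEP 1: choose the IdP from the domain of the identifier the user typed.
    Unknown domains return None so the SP refuses rather than guesses an IdP."""
    if user_identifier.count("@") != 1:
        return None
    domain = user_identifier.rsplit("@", 1)[1].strip().lower()
    return IDP_BY_DOMAIN.get(domain)

def build_authn_request(destination, request_id=None, issue_instant=None):
    """Minimal SAML 2.0 AuthnRequest; ID and IssueInstant can be injected for tests."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )

def sso_redirect_url(user_identifier, relay_state):
    """STEP 2: HTTP-Redirect binding (raw DEFLATE, base64, URL-encode) to the chosen IdP."""
    idp_sso_url = discover_idp(user_identifier)
    if idp_sso_url is None:
        return None
    xml = build_authn_request(idp_sso_url)
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = deflater.compress(xml.encode("utf-8")) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
                       "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"

def decode_saml_request(url):
    """Reverse the binding so an auditor can see exactly what the SP sent the IdP."""
    raw = base64.b64decode(parse_qs(urlsplit(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")
```

A production SP would additionally sign the request, remember the request ID to match the returned assertion, and bind RelayState to the user's session rather than trusting it on the way back.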

Privileged User Management

•  Cloud Apps allow 'superuser' access
   –  Salesforce CRM Admins
   –  Amazon EC2 Admins
•  Equivalent to 'root' or 'Admin' on production systems
•  Business Imperatives
   –  Strong authentication
   –  Access appropriate to role

http://www.flickr.com/photos/sillygwailo/348769786

Strong Auth Imperative

•  "No passwords in the cloud"
•  Implement Centralized Strong Auth
•  Federated SSO can make Strong Auth cost effective
   –  Tokens, Certs, MFA


Summary

•  Cloud requires Internet-friendly, Identity-based Security Model
•  # Passwords Must Be Reduced via SSO
   –  'No Passwords in the Cloud'
•  Cloud Scale will require Pull, not Push
•  Consider Strong Auth as de-facto Auth Mechanism

Ping Identity Can Address The Oxymoron


Questions
