The New Venn Of Access Control
In The API-Mobile-IoT Era
Eve Maler, Principal Analyst, Security & Risk
June 4, 2014
@xmlgrrl
The business tech landscape is handing us hard IAM problems. Traditional solutions don’t “work less well”…they don’t work at all.
© 2012 Forrester Research, Inc. Reproduction Prohibited
Agenda
What are the implications of “BYO”?
Emerging technologies help you achieve a Zero Trust posture
What remains to be done?
The extended enterprise forces IT to handle bring-your-own-everything
Source: April 7, 2014, “Navigate The Future Of Identity And Access Management” Forrester report
You can’t trust everything + everyone inside your crunchy perimeter anyway
Source: November 15, 2012, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security” Forrester report
…so stop trying
Start with Zero Trust. Elevate trust selectively.
Many APIs have acquired business models, driven by mobile
IT now confronts webdevification
[Chart: value plotted against friction]
Our worlds are colliding
UNIFY YOUR STANCE AND PREPARE FOR ANYTHING
[Venn diagram: B2C, B2E, B2B and B2D overlapping at “the identity singularity”]
Agenda
What are the implications of “BYO”?
Emerging technologies help you achieve a Zero Trust posture
What remains to be done?
A tour through some previous Venns
[Venn diagrams: vintage 2007 and vintage 2009]
Source: October 2012, “TechRadar™ For Security Pros: Zero Trust Identity Standards, Q3 2012”
Emerging standards have an edge over traditional ones for Zero Trust
Key features:
• Governance
• Hubris

Key features:
• “Solving the right problem”
• Enterprise-only scope

Key features:
• Agility
• Mobile/cloud friendliness
• Robustness
A new Venn for “access management 2.0”
JUST WHAT THE API-MOBILE-IOT AXIS NEEDS*
OAuth is about more than the “password anti-pattern”
IT LETS A RESOURCE OWNER DELEGATE CONSTRAINED ACCESS
OpenID Connect turns SSO into a standard OAuth-protected identity API
Feature                                    | SAML 2.0, OpenID 2.0                          | OAuth 2.0                                   | OpenID Connect
-------------------------------------------|-----------------------------------------------|---------------------------------------------|-------------------------------------
Initiating user’s login session            | ✓                                             | X Not responsible for session initiation    | ✓
Collecting user’s consent to share attributes | X Not responsible for collecting user consent | ✓                                        | ✓
High-security identity tokens              | ✓ (SAML only)                                 | X No identity tokens per se                 | ✓ (using JSON Web Tokens)
Distributed and aggregated claims          | ✓                                             | X No claims per se; protects arbitrary APIs | ✓
Session timeout                            | ✓                                             | X No sessions per se                        | ✓ (in the works)
Dynamic introduction                       | ✓ (OpenID only)                               | X Client onboarding is static               | ✓
UMA enables authorization that’s friendly to OAuth, APIs, PbD, and (it appears) IoT
• Standardized APIs enable Internet-scale authz-as-a-service
• Outsources protection to a centralized “digital footprint control console” for Alice or an IT admin
• The “user” in User-Managed Access (UMA) can be an organization (“headless”)
• “Some guy” not accounted for in OAuth… (the requesting party, holder of the RPT on the following slides)
Mapping UMA to classic authorization architecture
[Diagram annotations, reconstructed:]
• Authorization server (AS) ~PDP; implicitly a PAP and PIP, or a client to them
• Resource server (RS) ~PEP; deliberately prepared for n:n relationships
• Client and requesting party, together ~requester; claims and context gathered at run time
• Resource owner: policymaker (no std policy expression or evaluation)
The RS exposes whatever value-add API it wants, protected by an AS
• App-specific API
• UMA-enabled client
• RPT: requesting party token (can be profiled to move the PDP/PEP line)
The AS exposes a UMA-standardized protection API to the RS
• Protection API
• Protection client
• PAT: protection API token
• Includes resource registration API and token introspection API
The AS exposes a UMA-standardized authorization API to the client
• Authorization API
• Authorization client
• AAT: authorization API token
• Supports OpenID Connect-based claims-gathering for authz
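The three slides above describe one exchange from each party’s side: the RS registers its resources and introspects tokens through the protection API using a PAT, the client asks the authorization API for an RPT using an AAT, and the RS enforces on the RPT it is handed. The following Python simulation, an added example that is neither Forrester’s nor the UMA specification’s code, walks one request through that exchange in-process. Method names, data shapes, the single-use permission ticket, the e-mail claim and Alice’s policy are simplifying assumptions, and direct PAT/AAT issuance stands in for the OAuth grants UMA layers on.

```python
"""Simulated UMA 1.0 exchange between a resource server (RS), an authorization
server (AS) and a client acting for a requesting party. Added example, not
Forrester's or the UMA specification's code: method names, data shapes, the
single-use permission ticket and the e-mail-based policy are assumptions."""
import secrets


class AuthorizationServer:
    """In-memory AS with a PAT-authenticated protection API (RS-facing) and an
    AAT-authenticated authorization API (client-facing)."""

    def __init__(self):
        self.pats = {}           # PAT -> RS name; issuance stands in for OAuth grants
        self.aats = {}           # AAT -> client name; likewise an assumption
        self.resource_sets = {}  # rs_id -> {"pat": owning RS's PAT, "scopes": set}
        self.policies = {}       # rs_id -> {scope: allowed requesting-party e-mails}
        self.tickets = {}        # permission ticket -> (rs_id, requested scopes)
        self.rpts = {}           # RPT -> list of granted permissions

    # ---- protection API: resource registration, permission tickets, introspection
    def register_resource_set(self, pat, scopes):
        if pat not in self.pats:
            raise PermissionError("invalid PAT")
        rs_id = f"rs-{len(self.resource_sets) + 1}"
        self.resource_sets[rs_id] = {"pat": pat, "scopes": set(scopes)}
        return rs_id

    def set_policy(self, rs_id, scope, allowed_emails):
        """Resource owner's policy for one scope (stand-in for the AS's policy UI)."""
        self.policies.setdefault(rs_id, {})[scope] = set(allowed_emails)

    def register_permission(self, pat, rs_id, scopes):
        """RS asks for a ticket describing the permission the client still lacks."""
        if self.resource_sets.get(rs_id, {}).get("pat") != pat:
            raise PermissionError("RS does not own this resource set")
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = (rs_id, set(scopes))
        return ticket

    def introspect(self, pat, rpt):
        """RS learns what an RPT carries, limited to permissions on its own resources."""
        if pat not in self.pats:
            raise PermissionError("invalid PAT")
        perms = [p for p in self.rpts.get(rpt, [])
                 if self.resource_sets[p["resource_set_id"]]["pat"] == pat]
        return {"active": bool(perms), "permissions": perms}

    # ---- authorization API: ticket + claims -> RPT carrying authorization data
    def authorize(self, aat, ticket, claims):
        """Returns an RPT, or None when the owner's policy is not satisfied."""
        if aat not in self.aats:
            raise PermissionError("invalid AAT")
        rs_id, scopes = self.tickets.pop(ticket)  # tickets are single-use
        policy = self.policies.get(rs_id, {})
        granted = {s for s in scopes if claims.get("email") in policy.get(s, set())}
        if not granted:
            return None
        rpt = secrets.token_hex(16)
        self.rpts[rpt] = [{"resource_set_id": rs_id, "scopes": sorted(granted)}]
        return rpt


class ResourceServer:
    """Exposes an app-specific API and outsources the access decision to the AS."""

    def __init__(self, as_, name):
        self.as_ = as_
        self.pat = secrets.token_hex(16)   # PAT obtained out of band (assumption)
        as_.pats[self.pat] = name
        self.routes = {}  # path -> (rs_id, scope the operation needs)

    def handle(self, path, rpt=None):
        """Return (status, body); a 403 carries the ticket the client needs next."""
        rs_id, scope = self.routes[path]
        if rpt is not None:
            info = self.as_.introspect(self.pat, rpt)
            if any(p["resource_set_id"] == rs_id and scope in p["scopes"]
                   for p in info["permissions"]):
                return 200, {"path": path}
        return 403, {"ticket": self.as_.register_permission(self.pat, rs_id, [scope])}


def run_exchange(requesting_party_email):
    """Walk one GET of Alice's album through the exchange; returns the final status."""
    as_ = AuthorizationServer()
    rs = ResourceServer(as_, "photo-service")
    rs_id = as_.register_resource_set(rs.pat, ["view", "edit"])
    as_.set_policy(rs_id, "view", ["bob@example.com"])  # Alice's policy (constructed)
    rs.routes["/photos/album1"] = (rs_id, "view")
    aat = secrets.token_hex(16)                          # AAT for Bob's app (assumption)
    as_.aats[aat] = "bobs-app"
    _, body = rs.handle("/photos/album1")  # first attempt, no RPT yet -> 403 + ticket
    rpt = as_.authorize(aat, body["ticket"], {"email": requesting_party_email})
    if rpt is None:
        return 403
    return rs.handle("/photos/album1", rpt)[0]
```

The RS never sees Alice’s policy or the requesting party’s claims; it only registers resources, hands out tickets and introspects RPTs, which is what lets the AS be shared n:n across many RSs and clients. `run_exchange("bob@example.com")` ends in 200, while a requesting party outside Alice’s policy never obtains an RPT and stays at 403.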
Detailed summary
Agenda
What are the implications of “BYO”?
Emerging technologies help you achieve a Zero Trust posture
What remains to be done?
After the REST maturity ladder must come “scope design best practices”
[Diagram: what an authorization decision keys on, at three granularities]
• Actors (“subjects”): roles, groups, attributes/claims, authn context
• Resources accessed (“objects”) and operations (“verbs”): domain, URL path, HTTP method, field
• Arbitrary other authz context
Granularities:
• Classic coarse-grained
• Emerging scope-grained
• Classic fine-grained
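To make the three granularities on the slide concrete, here is an added Python example (not Forrester’s code) that layers them: a coarse-grained domain check, a scope-grained check that maps each OAuth scope onto (HTTP method, URL path) pairs, and a fine-grained field filter driven by the requesting party’s claims. The scope names, route table, owner-only fields, sample token and record are all constructed assumptions.

```python
"""Three authorization granularities from the scope-design slide, layered:
coarse-grained (is this token good for this domain at all?), scope-grained
(does a scope cover this HTTP method + URL path?) and fine-grained (which
fields may this requesting party's claims see?). Added example; the scope
names, route table, field rule, token and record are constructed assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Scope design table (constructed): each scope names (HTTP method, URL path glob)
# pairs, i.e. the "verbs" over "objects" that sit between domain and field grain.
SCOPE_ROUTES = {
    "photos:read":  [("GET", "/photos/*")],
    "photos:write": [("POST", "/photos"), ("PUT", "/photos/*"), ("DELETE", "/photos/*")],
    "profile:read": [("GET", "/me")],
}

# Fine-grained rule (constructed): these fields are visible only to the record's owner.
OWNER_ONLY_FIELDS = {"location", "private_notes"}


@dataclass
class AccessToken:
    scopes: frozenset   # granted scopes
    audience: str       # domain the token was minted for
    claims: dict        # requesting-party attributes/claims


def coarse_grained(token, domain):
    """Classic coarse-grained: any valid token for the domain passes."""
    return token.audience == domain


def scope_grained(token, method, path):
    """Emerging scope-grained: return the scope covering method+path, else None."""
    for scope in sorted(token.scopes):  # deterministic order for reporting
        for allowed_method, pattern in SCOPE_ROUTES.get(scope, []):
            if allowed_method == method and fnmatchcase(path, pattern):
                return scope
    return None


def visible_fields(claims, record):
    """Classic fine-grained: drop owner-only fields unless the caller owns the record."""
    is_owner = claims.get("email") == record.get("owner")
    return {k: v for k, v in record.items() if is_owner or k not in OWNER_ONLY_FIELDS}


def authorize(token, domain, method, path):
    """Layered decision: domain first, then scope; returns (decision, detail)."""
    if not coarse_grained(token, domain):
        return "deny", "invalid_audience"
    scope = scope_grained(token, method, path)
    if scope is None:
        return "deny", "insufficient_scope"  # the OAuth bearer-token error name
    return "allow", scope


# Constructed sample: Bob's app holds a read-only token for Alice's photo API.
SAMPLE_TOKEN = AccessToken(frozenset({"photos:read"}), "api.example.com",
                           {"email": "bob@example.com"})
SAMPLE_RECORD = {"id": 42, "owner": "alice@example.com",
                 "caption": "beach", "location": "51.5,-0.1"}
```

With this token, `authorize(SAMPLE_TOKEN, "api.example.com", "GET", "/photos/42")` allows via `photos:read`, a `DELETE` on the same path is refused with `insufficient_scope`, and `visible_fields` strips `location` for Bob while leaving it for Alice; the scope table is the artifact a scope-design practice would maintain, with the field rules layered on only where scopes are too blunt.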
Webdevs and IoT demand the right appsec design center and footprint
Federations must grow to accommodate outsourced access
[Diagram, two speech bubbles:]
“I promise to Adhere-to-Terms once I get access using a valid RPT with the right authz data!”
“I promise to Adhere-to-Terms once the AS adds authz data to your RPT!”
IRM for healthcare requires serious security, privacy, and discoverability
[Diagram: several ASs, many RSs and many clients (C)]
• Likely EHR operators in the US
• Healthcare providers
• Wearables and other quantified-self apps
• “Mint for patients and caregivers”
Benefits
• Proactive, trackable consent directives
• Blue Button+-friendly data delivery
Challenges
• Sclerotic IT practices
• Nth-degree security, privacy, and discoverability requirements