1. A NEW APPROACH TO SECURING THE ENTERPRISE: IDENTITY DEFINED SECURITY
Patrick Harding, Chief Technology Officer, Ping Identity
@patrickharding
2. Agenda
1. Changing Trends in Identity Architecture
2. Top 4 Security Design Rules
3. Apple Watch Demo
4. What Can be Accomplished Today
5. Recommendations
Copyright 2015 Ping Identity Corp. All rights reserved.
3. CHANGING TRENDS IN IDENTITY ARCHITECTURE
Spoiler: It's Cloud! And Mobile!
4. MAJOR TRENDS SHAPING THE MARKET (slides 4 to 7 build up this list one item at a time)
5.2B global mobile users
11.5B mobile-ready devices
4.6B smartphones
738 cloud services used by an average enterprise
82% of enterprises have a hybrid cloud strategy
26B connected devices in 2020, a 30X increase within the decade
8. BREACH, BREACH, BREACH
Web App Attacks: phish customer → get credentials → abuse web application → empty bank/bitcoin account.
Over 95% of these incidents involve harvesting credentials from customer devices, then logging into web applications with them.
Source: 2015 Verizon Data Breach Investigations Report
9. The Golden Years of Leveraged AuthN
Diagram labels: Provisioning, WAM, Federation, LDAP (you); Internal Web Apps; Partner Domain Web Apps (your partners); SAML between the two domains.
Users in directories. Security policies: expiry, lockout, history. Applications in the web browser.
Level 1: common repository
Level 2: internal apps secured via WAM
Level 3: external apps secured via SAML
10. What Those Architectures Do Well
- Common authentication ceremony: the user manages one password and uses it in a trusted place
- Secure introduction of users between domains
- Security for passive web contexts, where the user manipulates a browser
- Central policy definition/enforcement
11. What Those Architectures Do Poorly
- Address the security risk of active software at run-time: clients collecting & storing passwords for replay; passwords transmitted on every API fetch; every API validating passwords
- Address pain for developers: API keys & certificates poorly protected in scripts; adding XML parsers & signature validation in mobile apps is problematic
- Scale to millions of partners
12. One Trend to Bind them All
Cloud pushed the industry towards externalized interfaces for everything, not just identity, and REST beat out SOAP.
Mobile forced us to accept asymmetrical trust relationships, because instead of BIG software on websites we now also have small software on devices.
Standards evolved to deliver OAuth 2.0: not user identity, but software (client) identity.
13. TOP 4 SECURITY DESIGN RULES
Bonus! 6 Architectural Principles
14. ARCHITECTURAL PRINCIPLES
Internet scale; federated architecture; all identities; built on standards; web, mobile & API; flexible deployment.
6 PRINCIPLES THAT MEET MODERN SECURITY COMPLEXITIES AND SCALE TO ADDRESS FU
15. Top 4 Security Rules
Attackers will compromise access. Identity tools to combat this include:
1. Compartmentalization
2. Ephemerality
3. Automation
4. Accountability
Things happen fast, change often, are always watched, and the identities of all actors are explicitly part of all interactions. If theft does occur, the bad guys get as little as possible for as short a time as possible, and the path of compromise can be traced.
16. Security Rules drive the Architecture
Diagram labels: Identity Platform (Dynamic Access Control, User Context, Automation); User and Client present Primary Credentials to the Identity Platform; Resources receive Bounded Credentials.
17. The Identity Platform
- Abstracts authentication services from resources
- Automates & controls clients
- Issues and authorizes tokens
- Recognizes context
- Coordinates the ecosystem
18. Modern Honeycomb Identity Architecture
Diagram cells: Your Identity Infrastructure; Your Data; Your Apps; Your Mobile & API; Other Web, Mobile & API; Other Data; Other Identity Infrastructure; Other Authentication Service; All Kinds of B2B Clients; All Kinds of Users.
19. Honeycomb Architecture
Pick the cells that fit your business use case: Mobile, IoT; Consumer/Enterprise SSO; Enterprise Service Bus.
Cells may exist in separate internet contexts. Interaction between cells is standardized.
20. Automation & Accountability
Diagram labels (same diagram as slide 16): Identity Platform (Dynamic Access Control, User Context, Automation); User and Client present Primary Credentials; Resources receive Bounded Credentials.
21. Standards at Work
- OAuth 2.0 (RFC 6749/6750): authorization framework for software clients; enables clients to present scoped authorization tokens to REST APIs
- OpenID Connect (built on OAuth 2.0): clients and the Identity Platform request & assert identifiers and attributes with integrity & confidentiality
- SAML: gold standard for Web SSO; XML-based, with SOAP bindings for back-channel exchanges
- SCIM: standardized REST API for creation and synchronization of user accounts/attributes
- FIDO: standardization of authenticators; password-less and 2nd factor
- Account Chooser: user discovery specification; migration from IdP discovery to user discovery
22. Primary Credentials
Supply enough primary credentials, and the assumption is that the real subject is present. Impersonation through compromise of primary credentials is the greatest risk in the industry today (see: Credential Farming, slide 32).
Goal: protect primary credentials in every way possible.
Examples: passwords, API keys, MFA authenticator interactions, certificates, FIDO.
23. Bounded Credentials
Ephemeral tokens representing not just the subject but the subject and its context.
- Access tokens: access to a limited scope, on behalf of a subject, executed by a specific client, valid for a limited time
- JWTs: introduction of a subject to a specific audience, valid for a short period of time
- ID tokens: introduction of a subject to a specific audience from a known issuer, based on a specific authentication interaction
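The following is an added example, not code from the deck or from Ping Identity, showing slide 23's bounded credential in working form and the "what those architectures do poorly" pattern of slide 11 in reverse: the password is presented exactly once, to the identity platform, which mints a short-lived JWT access token bound to a subject, a client, a scope and an audience; the resource server verifies the token and never sees the password. Everything named here is an assumption of the example: the issuer URL, the HS256 key shared between the identity platform and the API (a real deployment would sign with an asymmetric key), the user store, the client registry and the audience URLs.

```python
"""Turning a primary credential into a bounded credential (constructed example).

The identity platform checks the password once and mints a short-lived JWT
access token bound to a subject, a client, a scope and an audience.  The
resource server checks the token and never sees the password.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumptions (not from the original deck): HS256 with a key shared between
# the identity platform and the API keeps the example self-contained; a real
# deployment would sign with an asymmetric key and publish the public half.
ISSUER = "https://idp.example.com"
ISSUER_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed user store and client registry (hypothetical names).
USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}
CLIENTS = {
    "watch-app": {
        "scopes": {"accounts:read"},
        "audiences": {"https://api.example.com/accounts"},
    }
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(header: str, body: str) -> bytes:
    return hmac.new(ISSUER_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()


def issue_access_token(username, password, client_id, scope, audience, now=None, ttl=300):
    """Identity platform side: the only place the primary credential is presented.

    Returns (token, reason); token is None when the request is refused.
    """
    now = int(time.time() if now is None else now)
    stored = USERS.get(username)
    presented = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, presented):
        return None, "primary credential rejected"
    client = CLIENTS.get(client_id)
    if client is None or scope not in client["scopes"] or audience not in client["audiences"]:
        return None, "client not registered for this scope/audience"
    claims = {
        "iss": ISSUER, "sub": username, "client_id": client_id, "scope": scope,
        "aud": audience, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8),
    }
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}.{_b64url(_sign(header, body))}", "ok"


def validate_access_token(token, expected_aud, required_scope, now=None):
    """Resource server side: verify the signature, then every bound on the token.

    Returns (claims, reason); claims is None when the token is refused.
    """
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header, body, sig = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None, "unexpected alg"  # refuse alg confusion, including "none"
        if not hmac.compare_digest(_sign(header, body), _b64url_decode(sig)):
            return None, "bad signature"
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if claims.get("iss") != ISSUER:
        return None, "unknown issuer"
    if claims.get("aud") != expected_aud:
        return None, "wrong audience"          # compartmentalization
    if now >= claims.get("exp", 0):
        return None, "expired"                 # ephemerality
    if required_scope not in claims.get("scope", "").split():
        return None, "insufficient scope"
    return claims, "ok"                        # sub, client_id and jti give accountability
```

The order of checks in validate_access_token is deliberate: the header's alg is pinned before the signature is verified, the signature is verified before any claim is trusted, and only then are audience, expiry and scope enforced. A token that is perfectly valid for the accounts API is refused by the payments API, and a stolen token is worthless five minutes after issuance, which is the point of slide 15's "as little as possible, for as short a time as possible".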
24. APPLE WATCH DEMO
Identity architecture demos are boring unless they are cunningly disguised as Apple Watch demos.
26. What you just saw
- Single trusted authentication ceremony
- Low-friction 2nd factor authentication
- Transformation of primary credentials into bounded credentials
- Protection of both web and native resources
27. WHAT CAN BE ACCOMPLISHED TODAY
World Peace! Ok, well, let's not go crazy.
28. Federated Access Management
- Contextual Authentication: active and passive challenges and contexts, designed to mitigate risks
- Federated Sign-on: distribution of tokens and assertions that represent users in a compartmentalized, ephemeral, automated, accountable way; application of policy at the time of the access request
- Access Security: validation of tokens and assertions; enforcement of policy & intelligence beyond token validity at the time of resource use
29. Identity Defined Security
Diagram labels: User Administration, Orchestration, Federated Provisioning, Governance, Federated Identity Management (FIM); Contextual Authentication, Federated Sign-on, Access Security, Federated Access Management (FAM); Continuous Authentication; Intelligence (risk/fraud/analytics).
30. RECOMMENDATIONS
Call your mother
31. Create a Long Term Plan
- New identity architectures must handle all identities, all channels and all interaction methods at scale
- OAuth 2.0 delivers scoped authorization as the foundation for identity; clients and user identity are tracked
- The Identity Platform becomes a central element of a set of honeycomb cells that interoperate with each other via standards
- Limitation/mitigation of exposure starts with compartmentalization of primary credentials; bounded credentials are
- Interaction between authentication services, the identity platform, and access security at the resources will become more intelligent in the future
32. Address Immediate Risk: Credential Farming
If an employee reuses the same email and password at http://iloveipa.com and for your corporate VPN, and an attacker compromises http://iloveipa.com, can they walk right in your front door?
Now is the time to explore second factor auth. Be creative. Don't expect the first thing to work. But at all costs, disrupt those password reuse attacks.
33. Read the Verizon Data Breach Report
95% of breaches start with a compromised credential. http://www.verizonenterprise.com/DBIR/
If you can't detect them coming in, then detect them going out: egress monitoring can be your friend.
Long term planning is for analytics to find trends in sessions, usage patterns and anomalies.
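One concrete "detect them coming in" input for the analytics slide 33 calls for, and for the password-reuse attack slide 32 describes, is the signature credential stuffing leaves in the authentication log: one source address walking through many distinct accounts in a short window, mostly failing, occasionally succeeding where an employee reused a password. The block below is an added example, not from the deck or from Ping Identity; the key=value log format, the sample lines, the addresses and the thresholds (600-second window, five distinct accounts, at most half successes) are all constructed for illustration and would need tuning against real traffic.

```python
"""Spotting password-reuse (credential-stuffing) logins in authentication logs.

Constructed example: one attacker source tries a list of harvested
email/password pairs against the corporate login; most fail, one succeeds
because that employee reused the password.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
ts=2015-06-01T08:00:01Z ip=203.0.113.7 user=alice result=failure
ts=2015-06-01T08:00:04Z ip=203.0.113.7 user=bob result=failure
ts=2015-06-01T08:00:09Z ip=203.0.113.7 user=carol result=success
ts=2015-06-01T08:00:12Z ip=203.0.113.7 user=dave result=failure
ts=2015-06-01T08:00:15Z ip=203.0.113.7 user=erin result=failure
ts=2015-06-01T08:00:21Z ip=203.0.113.7 user=frank result=failure
ts=2015-06-01T09:10:00Z ip=198.51.100.5 user=alice result=failure
ts=2015-06-01T09:10:20Z ip=198.51.100.5 user=alice result=success
ts=2015-06-01T09:30:00Z ip=198.51.100.9 user=bob result=success
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)"
)


def parse_events(log_text):
    """Yield one dict per well-formed line; skip anything that does not match."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield e


def detect_credential_stuffing(events, window_seconds=600, min_distinct_users=5, max_success_ratio=0.5):
    """Return {ip: [accounts it logged into]} for sources that try many
    distinct accounts in a short window and mostly fail.

    A legitimate user retrying their own password hits one account from one
    address, so it never reaches min_distinct_users.  An IP that is flagged
    with an empty list tried many accounts and got into none of them.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = defaultdict(set)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window so that it spans at most window_seconds
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            successes = [e["user"] for e in window if e["result"] == "success"]
            if len(users) >= min_distinct_users and len(successes) / len(window) <= max_success_ratio:
                findings[ip].update(successes)
    return {ip: sorted(users) for ip, users in findings.items()}


def analyze(log_text):
    """Convenience wrapper: raw log text in, {ip: [compromised accounts]} out."""
    return detect_credential_stuffing(parse_events(log_text))
```

The accounts in the returned lists are the ones that "walked in the front door" and need a forced credential reset and session revocation; the source addresses are what a rate limit or block list should act on. The same sliding-window shape works for the "going out" side of slide 33 if the events are egress flows keyed by host rather than logins keyed by source address.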
34. Intelligence is the Future
Think about what your inputs could be into an intelligence engine.
Think about what your social contract is with your users, and how you can signal that you are watching, but also how they can signal that they want privacy.
35. Thank You!