
Modern IAM Trends and Themes by Eve Maler, Forrester

Jan 15, 2015


Keynote presented by Eve Maler, Principal Analyst, Forrester, Co-creator XML, Principal SAML Development Team
Transcript
Page 1: Modern IAM Trends and Themes by Eve Maler, Forrester

Making Leaders Successful Every Day

Page 2: Modern IAM Trends and Themes by Eve Maler, Forrester

Trends, Transients, Tropes, and Transparents

Eve Maler, Principal Analyst, Security & Risk

ForgeRock Open Identity Stack Summit

October 15, 2013

Page 3: Modern IAM Trends and Themes by Eve Maler, Forrester

© 2012 Forrester Research, Inc. Reproduction Prohibited

What are the T4 all about?

[Figure: 2×2 grid of the four Ts. Axes: "Less well noticed" to "Well noticed", and "Closer to truthiness" to "Closer to essential truth". Quadrants: Transparents, Transients, Trends, Tropes.]

•  What are they?
•  What is the evidence?
•  What should you do about them?

Page 4: Modern IAM Trends and Themes by Eve Maler, Forrester

Trend: webdevification of IT

Source: John Musser (formerly) of ProgrammableWeb.com

IN THE FUTURE, EVERY ENTERPRISE WILL OPEN AN API CHANNEL TO ITS DIGITAL PLATFORM

Page 5: Modern IAM Trends and Themes by Eve Maler, Forrester

Confront the changes in your power relationship

value X

friction Y

ACCESS CONTROL IS ABOUT PROTECTION AND MONETIZATION

Page 6: Modern IAM Trends and Themes by Eve Maler, Forrester


Source: April 5, 2013 Forrester report “API Management For Security Pros”

A lot of identities float around an API ecosystem

Page 7: Modern IAM Trends and Themes by Eve Maler, Forrester

Open Web APIs are, fortunately, friendly to the Zero Trust model of security

Initially treat all access requesters as untrusted. Require opt-in access. Apply identity federation through APIs.

Source: November 15, 2012, Forrester report “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security”

Page 8: Modern IAM Trends and Themes by Eve Maler, Forrester

Trend: IAM x cloud

ZERO TRUST CALLS FOR DISTRIBUTED SINGLE SOURCES OF TRUTH

[Figure: four options for handling accounts across domains, with a callout reading "Prefer these choices when crossing domains":]

•  Provision just in time through SSO
•  Bind to a user store and replay credentials
•  Synchronize accounts periodically
•  Issue and manage a disconnected account

Page 9: Modern IAM Trends and Themes by Eve Maler, Forrester

Identity plays only an infrastructural role in most cloud platforms

[Figure labels: cloud services; IAM functions; user base and attributes; cloud identity product with an actual SKU]

DISRUPTION IS COMING FROM THE CLOUD IDENTITY SERVICES DARK HORSES

Page 10: Modern IAM Trends and Themes by Eve Maler, Forrester

Transient: XACML

•  Adoption has government/compliance drivers, few accelerators, and many inhibitors
•  It’s critical to open up the market for long-tail policy evaluation engines
•  Webdevified and mobile-friendly scenarios demand different patterns of outsourced authorization

XACML 3 IS STUCK AT MODERATE SUCCESS AND IS HEADING FOR DECLINE

Page 11: Modern IAM Trends and Themes by Eve Maler, Forrester

Authz grain needs to get…finer-grained

[Figure: chart of policy input (roles, groups, attributes, field-level entitlements) against resource accessed (domain, URL path, sets of API calls, field), with regions labeled WAM, scope-grained authz, and XACML etc.]

Page 12: Modern IAM Trends and Themes by Eve Maler, Forrester

Plan for a new “Venn” of access control

AN “XACML LITE” WOULD HAVE A POTENTIALLY VALUABLE ROLE TO PLAY

Page 13: Modern IAM Trends and Themes by Eve Maler, Forrester

Trope: “Passwords are dead”

OH, YEAH?

correct horse battery staple

Page 14: Modern IAM Trends and Themes by Eve Maler, Forrester

We struggle to maximize authentication quality

Source: June 12, 2013 “Introducing The Customer Authentication Assessment Framework” Forrester report

PARTICULARLY IN CONSUMER-FACING SERVICES

Page 15: Modern IAM Trends and Themes by Eve Maler, Forrester

Authentication schemes have different characteristics

Source: June 12, 2013 “Introducing The Customer Authentication Assessment Framework” Forrester report, based on “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes”

*S2 is an affordance of passwords for “consensual impersonation”

Page 16: Modern IAM Trends and Themes by Eve Maler, Forrester

Think in terms of “responsive design” for authentication

LEVERAGE STRENGTHS AND MITIGATE RISKS – ONCE YOU KNOW THEM

User identification based on something they…

•  Know
•  Have
•  Are
•  Do

Page 17: Modern IAM Trends and Themes by Eve Maler, Forrester

Transparent: time-to-live strategies

EXPIRATION HAS OUTSIZED VALUE VS. EXPLICIT REVOCATION OF ACCESS IN ZERO-TRUST ENVIRONMENTS

Page 18: Modern IAM Trends and Themes by Eve Maler, Forrester

Summary of the T4

[Figure: the 2×2 grid filled in. Axes: "Less well noticed" to "Well noticed", and "Closer to truthiness" to "Closer to essential truth".]

•  Transparent: Time-to-live strategies
•  Transient: XACML
•  Trends: Webdevification of IT; Cloud x IAM
•  Trope: “Passwords are dead”

Page 19: Modern IAM Trends and Themes by Eve Maler, Forrester

Thank you

Eve Maler
+1 617.613.8820
[email protected]
@xmlgrrl