Page 1: The Case For Next Generation IAM
Page 2: The Case For Next Generation IAM

GARTNER IAM 2014

THE CASE FOR NEXT GENERATION IAM

Patrick Harding, CTO @patrickharding

100214.01.02 Copyright © 2014 Ping Identity Corp. All rights reserved. 2

Page 3: The Case For Next Generation IAM

“Big 3” Trends Driving Industry Change


Increasing data breach and fraud

SaaS, IaaS/PaaS & Private Clouds

Mobile Devices and Things

Changing Application Mediums

Changing Consumption Mediums

Changing Risk Mediums

Page 4: The Case For Next Generation IAM

2013: Another Year of Stolen Credentials


2,164 security breaches

822M records exposed

48% of the time passwords were exposed (top data type exposed)

2 out of 3 involve stolen or misused credentials

Sources: 2014 Verizon DBIR and Data Breach Quickview 2014

Page 5: The Case For Next Generation IAM


12 PASSWORDS PER SECOND


Page 9: The Case For Next Generation IAM

Future State: ‘Coffee Shop IT’


User

Many more

Public Cloud

Private Cloud

APIs

WEBSITES

APIs

WEBSITES

SaaS

Cloud Rail



Page 14: The Case For Next Generation IAM

Future State: Smart, Connected Products

•  All enterprises will ‘connect’ with their customers

•  Products will have an identity and collect data

•  Mobile device becomes the control hub

•  Users access product data via web and native apps

•  Protect customer and product data from unauthorized use

•  New authentication processes

•  Different access privileges

Page 15: The Case For Next Generation IAM

The Paradigm Shift driven by cloud and mobile

Identity is the new perimeter – Dan Headrick, GE

76% of Network Intrusions Exploited Weak or Stolen Passwords

Traditional IDENTITY MANAGEMENT not working

Page 16: The Case For Next Generation IAM

How To Design Access to Resources?

Getting users to their resources is a product of standards and scale

What emerging trends will change the way this is done?

Page 17: The Case For Next Generation IAM

Yesterday’s IAM

•  Single domain

•  Web-only

•  On-premises software

•  Stack of products

•  Proprietary technology

•  Complex integration

Page 18: The Case For Next Generation IAM

Next Generation IAM | SIX PILLARS

•  Federated Architecture

•  Built on Standards

•  Web, Mobile & API

•  All Identities

•  Internet Scale

•  IDaaS + Software

Page 19: The Case For Next Generation IAM

A Basic Web SSO Architecture

Identity Repository

Authentication Service(s)

Federation Services

Your Web Apps

Third Party Apps

SAML

Integration or

SAML

Page 20: The Case For Next Generation IAM

Base Architecture: Big Fat Pipes

Courtesy Mixhail Serbin https://flic.kr/p/8DjoPz

Page 21: The Case For Next Generation IAM

SAML: Big, Trusted, Web Browser Centric

<saml:Assertion Issuer="YourBank" ID="iTbhngStGlagG.TpT">
  <saml:Conditions NotBefore="2014-04-30"/>
  <saml:Subject>pharding</saml:Subject>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"/>
  <saml:AttributeStatement>
    <saml:Attribute name="FirstName">Patrick</saml:Attribute>
    <saml:Attribute name="LastName">Harding</saml:Attribute>
  </saml:AttributeStatement>
  <ds:Signature>…crypto…</ds:Signature>
</saml:Assertion>

Page 22: The Case For Next Generation IAM

SAML ROI

•  Introduction Service
   –  Sends structured, signed, XML documents to applications
   –  Includes a subject

•  Security/Validation
   –  Issuer
   –  Audience
   –  Validity Window
   –  Signatures

•  Visibility
   –  Nobody visits an app unless central infrastructure approves

Page 23: The Case For Next Generation IAM

If you only need Web SSO, Stop Here

•  Well known design pattern

•  You can buy the whole thing as IDaaS with very little technical know-how

•  Scale up, go crazy

Courtesy https://flic.kr/p/4Btadi

Page 24: The Case For Next Generation IAM

Some Folks Need More

Courtesy Matt Morgan https://flic.kr/p/6Thyod

•  APIs and Mobile

•  Massive Scale

•  Customer & Workforce

•  Lower Overhead

•  Self-Service

Page 25: The Case For Next Generation IAM

Why are Mobile/API Different?

•  Web SSO
   –  The user is present, manipulating a “passive” client – the browser

•  Mobile and API
   –  A piece of active software (client) is executing, even if the user is not around
   –  This active client may not be in a position to validate signatures or parse XML

YOUR IAM SYSTEM MUST KNOW THE DIFFERENCE BETWEEN THESE TWO USE CASES

Page 26: The Case For Next Generation IAM

Next Gen: Small but Self-Sustaining

Courtesy Daniele Oberti https://flic.kr/p/8FY8v5

Page 27: The Case For Next Generation IAM

OpenID Connect: Small, Not just Browser

{
  "iss": "https://yourbank.example.com",
  "sub": "pharding",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970,
  "auth_time": 1311280969,
  "acr": "urn:mace:incommon:iap:silver"
}

Page 28: The Case For Next Generation IAM

OpenID Connect: Delegated Missions

•  Built on OAuth 2.0

•  OAuth 2.0 gives you Access Tokens
   –  Delegated authorization tokens
   –  Made for active clients to access APIs

•  OpenID Connect gives you ID Tokens
   –  Assertions similar to SAML
   –  Works as initial introduction so client can validate the authentication moment associated to an access token
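As an added example (not code from the deck or from Ping Identity), here is the validation checklist from the SAML ROI slide (issuer, audience, validity window, signature) applied to the ID Token shown on the OpenID Connect slide, which is the check an active client performs itself without parsing XML. The HS256 shared secret and the fixed "now" timestamp are assumptions for the demo; production deployments normally verify asymmetric signatures against the issuer's published keys.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # assumption: HS256 shared secret for the demo


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    # Issuer side: build the compact JWS (header.payload.signature).
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def validate_id_token(token, secret, issuer, client_id, nonce, now):
    # Client side: the same checklist as the SAML slide, on a small JSON token.
    # Returns (True, subject) or (False, reason).
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False, "unexpected alg"  # never let the token pick the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    if claims.get("aud") != client_id:
        return False, "wrong audience"
    if claims.get("nonce") != nonce:
        return False, "nonce mismatch"
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        return False, "outside validity window"
    return True, claims["sub"]


# Sample claims taken from the deck's ID Token slide; the token itself is constructed here.
CLAIMS = {"iss": "https://yourbank.example.com", "sub": "pharding", "aud": "s6BhdRkqt3",
          "nonce": "n-0S6_WzA2Mj", "exp": 1311281970, "iat": 1311280970,
          "auth_time": 1311280969, "acr": "urn:mace:incommon:iap:silver"}
TOKEN = sign_hs256(CLAIMS, SECRET)
```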

Page 29: The Case For Next Generation IAM

Future Of IAM

•  Next Gen Identity Protocol Stack
   –  OAuth 2.0, OpenID Connect, SCIM

•  Consistent architecture
   –  For workforce, partners and customers
   –  For web, devices, apps and things

•  BONUS: Federated architecture allows for migration away from passwords

Page 30: The Case For Next Generation IAM

THANK YOU