© 2016 ForgeRock. All rights reserved.
Continuous Security
Andrew Latham Director, Customer Engineering
Sydney Identity Summit
Context
Dynamic
• Identity Attributes
• Trusted Credentials
• Knowledge
• Variables
• Perceived Risk
• Incentive
Digital
Identity's Unique Role
[Diagram: the attributes of User Experience (Function, Experience, Efficiency) set against those of Security (Privacy, Integrity, Availability).]
The Thing about Things…
Gartner Strategic Planning Assumption
[Chart, both series starting from 5% today:]
• Enterprises to employ mobile biometric authentication methods: 5% today, 30% by end 2016
• Organizations to use contextual, adaptive techniques with multi-factor authentication: 5% today, 35% by end 2017
Connecting the Dots
Strong Authentication
Mobile Biometrics
• Plugs directly into OpenAM
• Can be used with Adaptive Risk module
Adaptive Risk
• Assesses risk based on pre-configured parameters
• Requires additional authentication factors depending on the risk score
• Includes over 20 parameters, including IP address, IP history, cookie value, login history and geolocation
Authentication: Modules and Chains
• 20+ out-of-the-box modules including device ID, OTP, adaptive risk, Google, Facebook, MS
• Authentication modules can be chained together to enforce different levels or strengths of security
• Scripted AuthN modules extend functionality on the client side and server side using Groovy and JavaScript
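As an added example of how the Adaptive Risk slide and the chain slide fit together (this is illustrative code written for this page, not code from the slides or from OpenAM itself): a risk score is computed from a handful of the signals the slide names (IP history, geolocation, cookie value, login history), and the score decides whether a chain stops after the password or goes on to demand an OTP. The chain rules follow the JAAS-style criteria that OpenAM chains use (REQUISITE, REQUIRED, SUFFICIENT, OPTIONAL); the signal names, weights, threshold, module names and the sample login data are assumptions constructed for the example.

```javascript
// Added example: adaptive-risk step-up inside an authentication chain.
// Illustrative code, not OpenAM's implementation. The chain criteria follow the
// JAAS-style rules OpenAM chains use; the risk signals, weights, threshold and
// sample data below are assumptions chosen for this example.

// Assumed risk signals: each check returns true when the login looks risky.
const RISK_CHECKS = {
  unknownIp:      (ctx) => !ctx.knownIps.includes(ctx.ip),   // IP history
  geoMismatch:    (ctx) => ctx.lastCountry !== ctx.country,  // geolocation
  noDeviceCookie: (ctx) => !ctx.deviceCookie,                // cookie value
  recentFailures: (ctx) => ctx.failedLogins >= 3,            // login history
};
// Assumed weights and threshold: a score strictly above the threshold means
// the password alone is not enough and a further factor is required.
const RISK_WEIGHTS = { unknownIp: 1, geoMismatch: 2, noDeviceCookie: 1, recentFailures: 2 };
const RISK_THRESHOLD = 1;

function riskScore(ctx) {
  let score = 0;
  for (const [signal, isRisky] of Object.entries(RISK_CHECKS)) {
    if (isRisky(ctx)) score += RISK_WEIGHTS[signal];
  }
  return score;
}

// Authentication modules: each returns true (pass) or false (fail) for an attempt.
const MODULES = {
  dataStore:    (a) => a.password === a.expectedPassword,
  adaptiveRisk: (a) => riskScore(a.context) <= RISK_THRESHOLD,
  otp:          (a) => a.otp !== undefined && a.otp === a.expectedOtp,
};

// Chain evaluation with JAAS-style criteria:
//   REQUISITE  - must pass; a failure ends the chain as a failure at once
//   REQUIRED   - must pass; a failure is remembered, later modules still run
//   SUFFICIENT - a pass ends the chain as a success unless an earlier
//                REQUIRED/REQUISITE module failed; a failure moves on
//   OPTIONAL   - pass or fail, the chain moves on
function runChain(chain, attempt) {
  const ran = [];
  let requiredFailed = false;
  let anyPassed = false;
  for (const { module, criterion } of chain) {
    const ok = MODULES[module](attempt);
    ran.push(module);
    if (ok) anyPassed = true;
    if (criterion === 'REQUISITE' && !ok) return { success: false, ran };
    if (criterion === 'REQUIRED' && !ok) requiredFailed = true;
    if (criterion === 'SUFFICIENT' && ok && !requiredFailed) return { success: true, ran };
  }
  return { success: !requiredFailed && anyPassed, ran };
}

// The step-up pattern: password first, then the risk module. A low-risk login
// ends the chain there (SUFFICIENT); a risky one must also pass OTP (REQUIRED).
const STEP_UP_CHAIN = [
  { module: 'dataStore',    criterion: 'REQUISITE' },
  { module: 'adaptiveRisk', criterion: 'SUFFICIENT' },
  { module: 'otp',          criterion: 'REQUIRED' },
];

// Constructed sample data for the example (not real users or addresses).
const KNOWN_CONTEXT = {
  ip: '203.0.113.10', knownIps: ['203.0.113.10'],
  country: 'AU', lastCountry: 'AU', deviceCookie: 'dev-4f2a', failedLogins: 0,
};
function attempt(overrides = {}, contextOverrides = {}) {
  return {
    password: 'correct-pw', expectedPassword: 'correct-pw', expectedOtp: '123456',
    context: { ...KNOWN_CONTEXT, ...contextOverrides },
    ...overrides,
  };
}

// Familiar device and location: the chain ends after the risk module, no OTP prompt.
const lowRisk = runChain(STEP_UP_CHAIN, attempt());
// New IP in a new country with no device cookie: the risk module fails, OTP is required.
const riskyNoOtp   = runChain(STEP_UP_CHAIN, attempt({}, { ip: '198.51.100.7', country: 'US', deviceCookie: '' }));
const riskyWithOtp = runChain(STEP_UP_CHAIN, attempt({ otp: '123456' }, { ip: '198.51.100.7', country: 'US', deviceCookie: '' }));
console.log(lowRisk, riskyNoOtp, riskyWithOtp);
```

The order of criteria is what makes this a step-up rather than an always-on second factor: placing the risk module as SUFFICIENT after a REQUISITE password check means a benign login never sees the OTP prompt, while a single unusual signal (say, an unknown IP with weight 1) still stays under the threshold and only a combination of signals triggers the extra factor.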
ForgeRock DevOps / Cloud Strategy
Warren Strange Director, Cloud / DevOps Engineering
Sydney Summit 2016
Why DevOps?
Expectations for time to value are changing
• Months -> Weeks -> Days
The rise of “12 factor” apps & Continuous Integration
• Before: Deploy new features yearly
• Now: Deploy new features weekly / daily
Shift towards cloud deployments and containers
• AWS, Azure, Google, OpenStack, etc.
• Docker / Kubernetes
ForgeRock DevOps Goal
The agility of an IDaaS, with the flexibility of a custom solution
[Chart: Speed of Deployment plotted against Flexibility / Power. IDaaS sits high on the speed axis, Legacy high on the flexibility axis, and the goal, “IDaaS in a box”, combines both.]
What is “DevOps” Friendly?
• Installation / management is easily automated
• Products self tuning / self configuring
• Infrastructure as code
  • Repeatable and automated deployments
  • Configurations versioned. Code reviews / PRs for configuration
• Useful configuration file formats
  • Toolable / templatable
  • Human friendly (not a dump of an internal data structure)
• Don’t just automate, eliminate complexity
ForgeRock DevOps Focus
• Core engineering work required to make products more “12 Factor” like
• Requires deep & intimate knowledge of internals of OpenAM / OpenDJ / OpenIDM / OpenIG
• Where ForgeRock can have the most impact
• Container friendly
  • Reduced file system dependencies
  • Externalize state
  • More “cattle” like
Containers
• Phase 1
  • ForgeRock will support customers deploying with Docker
  • Provide sample Dockerfiles / Kubernetes Manifests
• Phase 2
  • Provide reference Docker images
  • Distribution mechanism TBD
Feedback Wanted!
• What are your biggest challenges in deployment / management?
  • Help us prioritize our efforts
• What is your application AuthN / AuthZ strategy?
  • Reverse proxy + HTTP headers - AuthZ at proxy
  • Policy Agents (Java EE or .Net)
  • OpenID Connect / SAML
  • Directly consume OIDC tokens
  • AuthZ - use scopes plus custom logic?
• Application landscape
  • Java, .Net, NodeJS, Ruby, other?
Container Questions
• What are your plans for Docker?
• Orchestration frameworks such as Mesos / Kubernetes / Docker Swarm / Amazon?
• What is your desired Docker support model?
• Would you run ForgeRock curated & tested Docker images, or is your preference to create your own Docker images?
Resources
Links to ForgeRock Dockerfiles, Kubernetes manifests, etc.
https://wikis.forgerock.org/confluence/display/DC/ForgeRock+DevOps+and+Cloud+Resources
Short version of above: https://goo.gl/DOD9pv
Pull Requests are Welcome!
Email me: [email protected]