Hitchhikers know everything exciting happens outside the lines, like cloud, mobile, social, big data and the internet of things. The challenge of navigating today’s universe is lack of portable, automated, discoverable and scalable identity management. DON’T PANIC. This presentation from Ping Identity CTO Patrick Harding explains how a next-generation identity and access management layer encompassing the identity of people and things, passive analytics, active feedback and automated connections to partners, customers, and apps is the modern Hitchhiker’s Guide to the Identiverse. Presented at Gartner Catalyst 2013.
7. Trove of medical devices found to have password problems. Surgical devices, ventilators, defibrillators, and monitors are among the equipment at risk
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the Department of Homeland Security and the Food and Drug Administration (FDA) are warning that the vulnerability could allow attackers to change critical settings and modify firmware.
ZDNet – 17 June 2013
http://zd.net/17j5RGY
HEADLINES WE DON’T WANT TO SEE
9. Identiverse (i-ˈden-tə-vərs) noun
The Identiverse is a more perfect digital world of people, applications, and devices that all recognize and interact with each other.
When everything is identity-aware and access is ubiquitous, the Identiverse will provide superior security and the freedom to realize the full potential of the digital economy.
10. 1. Everything has an identity (apps, devices, people)
2. Authentication is multifactor (and rarely passwords)
3. APIs are Ubiquitous
4. Standards are Everywhere
5. Access is Federated
6. Privacy is Possible
SIX FUNDAMENTAL PILLARS OF THE IDENTIVERSE
19. FUNDAMENTAL TENETS TO SCALE
• No more passwords
• Automate as much as possible
– Eliminate IT Administrative overhead
– Application registration is dynamic
• Ease of use
– Effortless self service
– Developer-friendly
– IT-friendly
– User-friendly
26. Security for APIs
User Authentication API User Management API
APIs FOR IDENTITY
(Not identity-enabled APIs)
27. WHAT IS ACTIONABLE?
• Apps and devices need a modern identity protocol stack
– Starts with OAuth 2.0, OpenID Connect and SCIM
• No more passwords
– Federated access by default
• Ease of use means automate everything
– Or enable self-service as a backup
Hitchhikers know everything exciting happens outside the lines, like cloud, mobile, social, big data and the internet of things. The challenge of navigating today’s universe is lack of portable, automated, discoverable and scalable identity management. DON’T PANIC. I’ll explain how a next-generation identity and access management layer encompassing the identity of:
people and things
passive analytics
active feedback
and automated connections to partners, customers, and apps
is the modern Hitchhiker’s Guide to the Identiverse.
As the collision of cloud-mobile-social grows to its inevitable conclusion, we are facing a massive explosion of internet endpoints, and a desperate future problem of securing and coordinating them.
Today we are at the “craftsman” stage of identity. Carefully constructed connections allow a small number of endpoints and users to be secured.
The future is exponential growth of
VINT CERF PUNT
NEEDS TO BE HYBRID
This will be true of enterprise applications as well as (and more importantly) consumer applications. This is the path that Ping has started upon, and continues down. Consumerization of IT will likely drive consumer identity protocols into the enterprise – OpenID Connect being an example.
Highly distributed nature of business – mobile, cloud, SaaS, outsourcing, PaaS, IaaS, etc. Identity must become portable to drive ease of use. Internet of Things - every thing has a unique identifier.
Modern Identity Landscape
Targeted at application developers. Learnt from previous attempts.
Two pillars of scalable modern identity: SCIM and OIDC.
OIDC is crucial for modern identity. IdP discovery – important as the number of IdPs increases in the modern identity era. Application registration. Provides a mechanism. Scale: to enable applications (be they on mobile devices or web applications) to act on behalf of the user to do things. Finally delivers SSO via ID token for native devices (pivot to OAuth).
SCIM: Authorization and SSO aren’t possible without a provisioning event. SaaS vendors have service level agreements that preclude the use of the enterprise identity store. The current insanity vis-à-vis proprietary provisioning won’t scale. SCIM is modern (REST-based) and is our last best hope at scalable provisioning because it delivers a standards-based approach.
OpenID Connect
Authentication API (also enables SSO). Developer calls the GetUserInfo API endpoint. Replace Login.jsp and the password DB. Federated domain, single domains, whatever.
SCIM
User Management API. Create, Read, Update, Delete. Developer exposes an API to Add, Change & Delete user accounts.
Two pillars of scalable modern identity: SCIM and OIDC. Not identity-enabled APIs.
SCIM: Authorization and SSO aren’t possible without a provisioning event. SaaS vendors have service level agreements that preclude the use of the enterprise identity store. The current insanity vis-à-vis proprietary provisioning won’t scale. SCIM is modern (REST-based) and is our last best hope at scalable provisioning because it delivers a standards-based approach.
OIDC is crucial for modern identity. IdP discovery – important as the number of IdPs increases in the modern identity era. Client registration. Provides a mechanism. Scale: to enable applications (be they on mobile devices or web applications) to act on behalf of the user to do things. Finally delivers SSO via ID token for native devices (pivot to OAuth).
Interesting crossover and linkage between the SCIM SP and the OIDC UserInfo endpoint. Different. I’ll be working in the IETF group on this (with John’s guidance). I’ll have diagrams for CIS.
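The two APIs the slides name (an OIDC authentication/UserInfo API on one side, a SCIM user-management API with Create, Read, Update, Delete on the other) and the "crossover" between them in the notes above can be made concrete with a small piece of code. The following is an added example, not code from the presentation or from Ping Identity: an in-memory SCIM 2.0 User store exposing the CRUD operations a SaaS application would offer to a provisioning client, plus a helper that maps OIDC UserInfo claims onto a SCIM User resource. The schema URN, attribute names and error shape follow RFC 7643/7644; the claim names (sub, email, given_name, family_name, preferred_username) are OpenID Connect standard claims. The class and function names, the uniqueness and deactivation behaviour, and the sample UserInfo response are assumptions constructed for this example.

```python
"""Added example (not from the presentation): a minimal SCIM 2.0 User store with
Create/Read/Update/Delete plus an OIDC UserInfo -> SCIM User mapping."""
import json
import uuid
from datetime import datetime, timezone

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"   # RFC 7643
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"  # RFC 7644


class ScimError(Exception):
    """Carries the HTTP status and detail a SCIM service provider would return."""
    def __init__(self, status, detail):
        super().__init__(detail)
        self.status, self.detail = status, detail

    def to_json(self):
        return {"schemas": [SCIM_ERROR_SCHEMA], "status": str(self.status), "detail": self.detail}


class ScimUserStore:
    """In-memory stand-in for the /Users endpoint a SaaS app exposes (constructed)."""
    def __init__(self):
        self._users = {}

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).isoformat()

    def create(self, resource):
        # POST /Users: the core schema and userName are mandatory, userName is unique
        if SCIM_USER_SCHEMA not in resource.get("schemas", []):
            raise ScimError(400, "missing core User schema")
        user_name = resource.get("userName")
        if not user_name:
            raise ScimError(400, "userName is required")
        if any(u["userName"].lower() == user_name.lower() for u in self._users.values()):
            raise ScimError(409, "userName already exists")
        stored = dict(resource)
        stored["id"] = str(uuid.uuid4())          # server-assigned, never client-chosen
        stored.setdefault("active", True)
        stored["meta"] = {"resourceType": "User", "created": self._now(), "lastModified": self._now()}
        self._users[stored["id"]] = stored
        return stored

    def read(self, user_id):
        # GET /Users/{id}
        try:
            return self._users[user_id]
        except KeyError:
            raise ScimError(404, f"User {user_id} not found") from None

    def replace(self, user_id, resource):
        # PUT /Users/{id}: id and meta stay server-controlled whatever the client sends
        current = self.read(user_id)
        updated = dict(resource, id=user_id, meta=dict(current["meta"], lastModified=self._now()))
        self._users[user_id] = updated
        return updated

    def deactivate(self, user_id):
        # The usual "change" a provisioning client makes to revoke access without deleting
        user = self.read(user_id)
        user["active"] = False
        user["meta"]["lastModified"] = self._now()
        return user

    def delete(self, user_id):
        # DELETE /Users/{id}
        self.read(user_id)
        del self._users[user_id]

    def count(self):
        return len(self._users)


def userinfo_to_scim(claims):
    """Map OIDC UserInfo claims onto a SCIM User. 'sub' lands in externalId, the SCIM
    attribute reserved for the identifier owned by the identity provider."""
    if "sub" not in claims:
        raise ValueError("UserInfo response must carry 'sub'")
    user = {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": claims["sub"],
        "userName": claims.get("preferred_username") or claims.get("email") or claims["sub"],
        "active": True,
    }
    name = {k: v for k, v in (("givenName", claims.get("given_name")),
                              ("familyName", claims.get("family_name"))) if v}
    if name:
        user["name"] = name
    if "email" in claims:
        user["emails"] = [{"value": claims["email"], "primary": True, "type": "work"}]
    return user


# Constructed sample UserInfo response, shaped like what an IdP returns
SAMPLE_USERINFO = {"sub": "248289761001", "given_name": "Jane", "family_name": "Doe",
                   "email": "jane.doe@example.com", "preferred_username": "jdoe"}


def demo():
    """Provision from UserInfo, then revoke access by deactivating the account."""
    store = ScimUserStore()
    created = store.create(userinfo_to_scim(SAMPLE_USERINFO))
    store.deactivate(created["id"])
    return store.read(created["id"])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The store rejects a duplicate userName with 409 and a resource without the core schema with 400, which is the behaviour a provisioning client such as an IdP connector relies on to avoid creating shadow accounts; keeping `id` and `meta` server-controlled on PUT is what stops a client from rewriting another tenant's record by supplying its own identifier.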