Criticality of identity
•
1 j'aime•1,621 vues
Presentation by Hans Zandbelt from Ping Identity (pingidentity.com) from Nordic APIs (nordicapis.com) Stockholm March 2013 about the need of identity services when publishing an API.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (7)
Similaire à Criticality of identity
Similaire à Criticality of identity (20)
Plus de Nordic APIs
Plus de Nordic APIs (20)
Dernier
Dernier (20)
Criticality of identity
- 1. Criticality of Identity The Importance of Knowing Who Your API Consumer Is Hans Zandbelt CTO Office - Ping Identity 1 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 2. Overview 1 Cloud & APIs: The Trends - History, state-of-the-art, trends, 2 Identity and APIs - What, why, how 3 Recommendations - API strategy 2 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 3. [section lead-in] CLOUD & APIS: THE TRENDS 3 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 4. Cloud 1.0 FIREWALL SaaS database APP SaaS APP SaaS directory 4 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 5. Cloud Moves: 3 Dimensions of Change • Users – Workforce – Customers/cons umers Users – Partners • Devices – Mobile/fixed Devices – Browser/app – BYOD/E-owned • Location – Services – Users Location(s) 5 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 6. How it should be: Cloud 2.0 database SaaS firewall database APP SaaS directory SaaS APP 6 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 7. Consequences FIREWALL Traditional firewall and enterprise domain-based security cannot deal with Cloud Apps and Mobile devices and applications. IDENTITY IS THE NEW PERIMETER 7 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 8. IDENTITY & APIS 8 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 9. The Internet Scale Identity Concept • Identity Provider – Authoritative – Scale – Manageability verify • UNIFORM across Web SSO & API Access • Security AND Convenience • How to extend enterprise security policies to the cloud: a MUST have 9 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 10. Playfield User Provisioning Web SSO API Access 10 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 11. The API Economy Drivers • SaaS – API access to data/services vs. browser access – Cloud, Mobile/Big Data, BYOD – Salesforce.com > 60% • APIs of PaaS offerings – Expose own cloud services • Clear trend for APIs towards REST 11 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 12. API Access • HTTP • SOAP SERVICE – WS-Security/WS- Trust • REST –? SOAP / REST • TOKEN – Obtain – Use Token – Validate • Passwords?? CLIENT 12 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 13. Password anti-pattern • 3rd party client store user passwords • Teaches users to be indiscriminate with passwords • No multi-factor or federated authentication • No granularity • No differentiation • No revocation 13 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 14. Drivers Lack Password Of Anti Standards Pattern Native REST Mobile Cloud Apps APIs 14 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 15. OAuth 2.0 • Secure API authorization – simple & standard – desktop, mobile web • Auth & Authz for RESTful APIs • Delegated authorization – mitigates password anti-pattern • Issue tokens for granular access – Without divulging your credentials 15 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 16. OAuth 2.0 Benefits • Security & Usability • Revocation • Granularity • Use Cases* Scopes • Passwords vs. Oauth == creditcard vs. checks 16 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 17. SSO for Mobile Apps: Authorization Agent (AZA) • Aggregate OAuth flows and logins • Bootstrap through WebSSO with OpenID Connect or OAUTH SSO SAML • Oauth-as-a-Service + SAML-as-a- Service 17 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 18. [section lead-in] RECOMMENDATIONS 18 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 19. Something to think about: cloud IAM strategy • Multi-use case, multi-device, multi- channel, multi protocol… – Identity is the connector • Interoperability and standards • IAM not just an internal technical issue: also a strategic business enabler • Architect for agility 19 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 20. Identity for APIs strategy • Implement your API for: – externalized authentication and authorization – tokens instead of passwords – consumer identity AND enterprise identity • By leveraging identity we can: – address API access (server2server, mobile) in the same way as Web SSO – reuse existing security and identity policies – connect your existing identity store • Possibly implement this in a single system(!) 20 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 21. Expect More Change • Continued trend to SaaS, PaaS, IDaaS, leveraging APIs • Continued evolution and adoption of open standards such as OAuth 2.0 and OpenID Connect; 2013 is the year of Identity Standards 21 Copyright ©2012 Ping Identity Corporation. All rights reserved.
- 22. COME AND SEE US! Hans Zandbelt Twitter: @hanszandbelt www.pingidentity.com 22 Copyright ©2012 Ping Identity Corporation. All rights reserved.
Notes de l'éditeur
- Today: a mix of on-premise applications and SaaS or cloud applications, both web and mobile native apps.User authentication and access control based on app-specific accounts and credentials, some SSO to web apps, mostly internal.Firewall applies to some applications, hosted on the corporate network.
- The expansion of cloud usage brings along 3 dimensions of change:Users: different use cases, more and more inbound too. Consumer identity: 70% dropoff on registration.Devices: mobile, smaller screens, different capabilities, no longer exclusively owned by the enterprise.
- Applications reside both on-premises and in the cloud, but also directories and databases.Users can access these applications from anywhere, using a variety of devices.User accounts and Access control demand to be harmonized over cloud and on-premises for compliancy reasons, following the corporate IT security policy.The firewall can no longer be the center of the universe: access control needs to be handled on a different level.
- It is clear that a corporate firewall cannot meet the demands for cloud, mobile and hybrid use cases.Identity is the concept that is shared between all contexts, what binds everything together in IAM.We must concludethat identity is the new perimeter, or at least the new paradigm to leverage.
- What is the role that identity can play for APIs.
- Separate identity information from the application. Leverage the remote identity through the client accessing the application.Identity on internet scale leverages a 2rd or 3rd party that is well positioned to manage and publish identity information (concept holds for both enterprise and consumer scenario’s).We should strive to use identity across the web world (browser-based apps, Web SSO) and the native world (mobile and rich desktop clients): no need to do things twiceSSO is about convience for users, but more importantly: addressing a bunch of security issues. SSO using 3rd party asserted identity actually is a rare exampleWhere convenience and security go hand in hand.Applying this concept in a uniform way will allow enterprise businesses to extend their enterprise security policies to the cloud.That is a must have for compliancy reasons.
- APIs are becoming important rapidly especially because of the rise of mobile apps and big data.
- How would you secure web apis:SOAP: WS-SecurityREST: nothing there yet until recently. Only passwords.What we need is a token based method to access APIs: will explain in the next slide.
- Deprecated way of dealing with API access: hand out your password to a client or third party service.Bad: store pwd, indiscriminate, no multi-factor, no granularity, no differentation, no revocation.Need something better.
- Enter Oauth 2.0: a protocol for secure API authorization.Simple standard or framework, based on REST and JSON, meant for the mobile web world.Delegated authorization, tokens are issued, obtained and used to mitigate the anti-password pattern.Granular, revokable access to specified parties, without exposing your credentials.
- Framework, allows for a variety of use cases over enterprise and consumer domains.Balance between security and usablilty by using 2 types of tokens: access tokens and refresh tokens.Scopes: allow for fine grained granularity, of access control, much like entitlements.
- Recent development: leverageOauth to achieve SSO across native apps.Until now each app would do its own Oauth flow which may result in a user logging in and granting access to an app on an individual basis, repeatably.This shows how to leverage an existing Web SSO investment, eg. SAML or OpenID Connect for native mobile app SSO.
- In the new cloud world we need to be prepared with a variety of use cases, devices, channels and hence protocols.Identity however is a constant factor and really the constant connector between all. Interoperability and standards are important: cloud is about doing things across multi-domains: interoperability only comes with standards. Choose products that implement standards, if possibleMany standards at once!IAM as a business enabler: it can streamline the way in which you’re doing business, adding convenience and security for all parties you deal with (employees, customers, partners)Across devices preferred by your partners/users.Agility: cloud IT is meant to cope with ever changing demands, static infrastructure is legacy, have more flexibility, rapid changing IT environment; architect your IT for that
- Externalization of authentication and authorization: make your API use tokens, not passwords. Some of your APIs may eventually have to deal with both enterprise as well as consumer identity. Be sure that you can handle that.Design your API so that you can handle both the browser based, the server2server communication as well as native mobile applications inA unified way.Reuse your existing security and identity policies across the 3 worlds and use your existing identity store to do that. No need to build custom silosFor doing this.And best of all: you don’t need to implement that, you can use an existing server or implementation. Come and talk to Ping!
- Cloud will expand and change.2013 is the year of the Identity standards, OpenID Connect (ratitication) and OAuth 2.0 (large deployments and convergence)Ping will be at the forefront of these changes, actively developing and implementing the new standards.