Entitlements: Taking Control of the Big Data Gold Rush
1. Copyright © Identity Summit 2015, all rights reserved.
Entitlements
Taking Control of the Big Data Gold Rush
Andy Forrest (@apforrest)
andrew.forrest@forgerock.com
Slide 3
Let’s rewind a little...
The four dimensions of a policy decision (diagram):
• Subject
• Resource
• Action
• Environment
• Authentication
• Authorization
Slide 4
What has a policy looked like?
Typically used to protect a web resource:
“Can Bob who is part of the admin group see the admin web page?”
Slide 5
Policy solutions
• ACLs (access control lists)
- focused on the subject
• RBAC (role based access control)
- focused on the subject and resource
- role explosion
Slide 6
Policy characteristics
• Coarse grained
• Allow / deny
• Inflexible
• Low volume
• Minimal performance demand
Slide 7
Common policy architecture
Diagram: Bob, PEP (policy enforcement point), protected resource, PDP (policy decision point), PAP (policy administration point), PIPs (policy information points).
Slide 8
Common policy architecture
Diagram: Bob, policy agent, protected resource, OpenAM.
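As an added example (not ForgeRock or OpenAM code), here is a minimal PDP/PEP split that evaluates the deck's admin-page policy across the four dimensions named earlier, subject, resource, action and environment, with an ABAC-style environment condition standing in for the "contextual authz" the deck mentions; the URL, group and network attribute names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Added illustration, not OpenAM code: URL, group and attribute names are constructed.

@dataclass
class Request:
    """One authorization request across the four policy dimensions."""
    subject: Dict[str, object]  # e.g. {"name": "Bob", "groups": {"admin"}}
    resource: str               # the protected web resource
    action: str                 # e.g. "GET"
    environment: Dict[str, object] = field(default_factory=dict)

@dataclass
class Policy:
    """Target (resource, action) plus ABAC-style predicates over attributes."""
    name: str
    resources: Set[str]
    actions: Set[str]
    subject_cond: Callable[[Dict[str, object]], bool]
    env_cond: Callable[[Dict[str, object]], bool] = lambda env: True
    effect: str = "allow"

def decide(policies: List[Policy], req: Request) -> str:
    """PDP: deny-overrides combining, default deny when no policy matches."""
    result = "deny"
    for p in policies:
        if req.resource not in p.resources or req.action not in p.actions:
            continue  # target does not match, policy is not applicable
        if not (p.subject_cond(req.subject) and p.env_cond(req.environment)):
            continue  # subject or environment condition not satisfied
        if p.effect == "deny":
            return "deny"
        result = "allow"
    return result

# The slide's policy: can Bob, who is in the admin group, see the admin page?
# The environment condition adds the contextual check the deck calls out.
ADMIN_PAGE = Policy(
    name="admin-page",
    resources={"https://app.example/admin"},
    actions={"GET"},
    subject_cond=lambda s: "admin" in s.get("groups", set()),
    env_cond=lambda e: e.get("network") == "corporate",
)

def pep(policies: List[Policy], req: Request) -> str:
    """PEP (the policy agent): enforces the PDP decision, never decides itself."""
    return "200 admin page" if decide(policies, req) == "allow" else "403 forbidden"
```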
Slide 9
What’s next for policy?
“Authorization is the new cool kid”
Slide 10
IoT (Internet of Things)
• Not just web pages
• Richer relationships
• Descriptive demand
Slide 11
UMA (User Managed Access)
• In the hands of the consumer
• High scale
• Decoupled
• Distributed
Slide 12
Some of the buzz
• ABAC (attribute based access control)
• XACML (extensible access control markup language)
Slide 13
Future policy characteristics
• Attribute based
• Fine grained
• Entitlements
• Unknown entities
• High volume
• Performance speed
• Outward facing
Slide 15
OpenAM policy
• Complete REST API
• Intuitive UI
• Organisational structure
• Expressive rules
• Contextual authz
• Rich entitlement decisions
• Selective evaluation
• Scaling and replication
• XACML export/import
Slide 17
Demo topology
Diagram: Mobile, Twitter, Raspberry Pi, OpenAM, Web App, Policy; Device 1 (Radio Tx), Device 2 (Radio Rx), Device 3 (Radio Rx).
Slide 18
Performance topology
Diagram: OpenAM 1 with DJ 1 and OpenAM 2 with DJ 2, with replication and cross talk between the two sides; each host 8 x 3.3GHz, 64GB.
Slide 20
How does OpenAM continue to lead?
• Continually looking to push performance
• More fine grained through ABAC
- generic attribute model
- application rules
- nested applications
• Simplified UIs
Slide 22
Thank you
Q&A
Andy Forrest (@apforrest)
andrew.forrest@forgerock.com