Cloud IAM Q & A w/ Mike Schwartz - PowerPoint PPT Presentation

1
Cloud IAM Q & A w/ Mike Schwartz

  • Mobile apps don't know how to authenticate you. Instead, they call the APIs of services offered by popular IDPs, like Google and Facebook.

  • This enables a person's "user" information to be utilized at many different websites on the Internet, and information about a person can be shared with websites and apps on an "as needed" basis. Of course web site developers don't want to learn a different authentication API for each IDP. And many organizations don't trust a third party to authenticate their people. So the Internet has moved to standards. The most widely used standard for Web authentication is SAML. Perhaps the most promising standard for authentication is OpenID Connect, which is a profile of OAuth2.

  • The explosion of Two-Factor Authentication technology

  • One of the most important new technologies driving infrastructure changes is the explosion of strong-factor authentication technology. There is a triangle of authentication consisting of price, usability and security. Not all triangles are equal. New technologies are arising that are more convenient, more secure and less expensive than passwords.

2
Once a company makes an investment in strong authentication, they want to use that authentication technology across the maximum number of apps. For this reason, it makes sense to support open standards, so all applications can benefit from the availability of these new organizational authentication capabilities.

It's not only people that need to be authenticated and authorized. There is a proliferation of agents that act on behalf of the person, or are independent entities. How are these authenticated and authorized by the organization?

I think the seismic shift is from WAM > Federation, not from LDAP > Federation. LDAP is still entrenched as a robust persistence infrastructure for user claims and password credentials. The problem with WAM products (i.e. SiteMinder, OAM, TAM) is that the cost has been high, customers are locked in (why else did CA buy Netegrity), and integrations have been slow.

Companies realize that whether they are integrating authentication with internal apps, external apps, or off-the-shelf products, open federation standards enable consolidation, which saves money and improves security. In the large companies I've worked with, the security department did not have control over the applications, so even though they were internal, a top-down approach was inefficient. It's better to publish your standards, and let the internal app developers help themselves, than to push a WAM architecture on them. In this sense, the fact that there are external apps just provides further evidence of a trend that had already clearly emerged.
3
Oftentimes, clients and consultants put too much emphasis on IDM, and not enough emphasis on organizational trust management. It's not just that I need to provision my users for external websites, but I need to understand with which websites I have shared which attributes. Also, organizations need to trust users who authenticated outside the organization. Most large organizations participate in an ecosystem of autonomous parties, and publish websites that are used by many outside the organization. This is the old problem of extranet user management. Trust management, IMHO, is one of the biggest challenges.

If you talk to organizations, you'll find that there is no clear trend for XACML's adoption. Proprietary and custom solutions are the rule in authorization right now, with most authorization actually taking place in the app. To what extent centralized authorization will be achieved is totally uncertain, and I would argue that this is the "adjacent possible", as described in Steven Johnson's book "Where Good Ideas Come From": you can't have authorization before we have clear standards for authentication.
4
In terms of adoption of technology, I'm bullish about UMA, and in fact I think UMA and XACML are complementary: app developers want JSON/REST, and it would be more suitable for the PDP to form a XACML request to a XACML PDP than for the app developer to learn XACML. In any case, I'm a fan of XACML as a standard for expressing authorization rules, but I do think that the technology is better suited for server-side developers.

I disagree with the common assumption that the majority of IDaaS will be outsourced. Perhaps for the SMB market, this might be true. But many large organizations maintain core TCP/IP services, and AAA has traditionally been managed within the organizational perimeter. In fact, many organizations simply cannot outsource this function for security reasons. With standards, we will drive down the costs of single sign-on authentication and the resources, and AAA will be simply another Linux or Windows service that can be configured.

Article resource: https://storify.com/gluu/cloud-iam-q-and-a-w-mike-schwartz
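The JSON/REST-to-XACML split described on this slide, as an added example that is not part of the original presentation or of Gluu's code: a server-side endpoint accepts a JSON authorization query from an app, renders it as a XACML 3.0 Request, hands it to a PDP, and maps the returned Decision to a boolean, so the app developer never touches XACML. The PDP below is a toy stand-in (first-applicable rule, no obligations), and the sample policy, the `urn:example:role` attribute and the `/payroll` resource are constructed for illustration; only the namespace, category and attribute identifiers are the standard XACML ones.

```python
"""Bridge a JSON/REST authorization call to a XACML 3.0 Request/Response.

Added example, not Gluu's code. The policy, role attribute and resources
are constructed; the toy PDP stands in for a real XACML engine.
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Standard XACML category and attribute identifiers for the three
# things every authorization question carries: who, on what, doing what.
CATEGORIES = {
    "subject": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                "urn:oasis:names:tc:xacml:1.0:subject:subject-id"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id"),
}


def _add_attribute(parent, attr_id, value):
    attr = ET.SubElement(parent, f"{{{XACML_NS}}}Attribute",
                         {"AttributeId": attr_id, "IncludeInResult": "false"})
    ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue",
                  {"DataType": STRING}).text = value


def json_to_xacml_request(query: dict) -> str:
    """Render {"subject", "resource", "action", optional "attributes"} as a
    XACML 3.0 <Request>. "attributes" adds extra (id -> value) pairs per
    category, e.g. {"subject": {"urn:example:role": "hr"}} (constructed id)."""
    ET.register_namespace("xacml", XACML_NS)
    req = ET.Element(f"{{{XACML_NS}}}Request",
                     {"ReturnPolicyIdList": "false", "CombinedDecision": "false"})
    for key, (category, attr_id) in CATEGORIES.items():
        attrs = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", {"Category": category})
        _add_attribute(attrs, attr_id, str(query[key]))
        for extra_id, value in query.get("attributes", {}).get(key, {}).items():
            _add_attribute(attrs, extra_id, str(value))
    return ET.tostring(req, encoding="unicode")


def toy_pdp(request_xml: str, policy: list) -> str:
    """Stand-in PDP: first rule whose target attributes all match wins;
    no match yields NotApplicable. Returns a XACML <Response> document.
    A rule is {"target": {attr_id: value, ...}, "effect": "Permit"|"Deny"}."""
    root = ET.fromstring(request_xml)
    found = {}
    for attr in root.iter(f"{{{XACML_NS}}}Attribute"):
        found[attr.get("AttributeId")] = attr.find(f"{{{XACML_NS}}}AttributeValue").text
    decision = "NotApplicable"
    for rule in policy:
        if all(found.get(k) == v for k, v in rule["target"].items()):
            decision = rule["effect"]
            break
    resp = ET.Element(f"{{{XACML_NS}}}Response")
    result = ET.SubElement(resp, f"{{{XACML_NS}}}Result")
    ET.SubElement(result, f"{{{XACML_NS}}}Decision").text = decision
    return ET.tostring(resp, encoding="unicode")


def parse_xacml_decision(response_xml: str) -> str:
    """Pull the Decision string (Permit/Deny/NotApplicable/Indeterminate)."""
    root = ET.fromstring(response_xml)
    return root.find(f"{{{XACML_NS}}}Result/{{{XACML_NS}}}Decision").text


def is_permitted(query: dict, policy: list) -> bool:
    """What the JSON/REST endpoint hands back to the app. Only an explicit
    Permit is True; Deny, NotApplicable and Indeterminate all fail closed."""
    response = toy_pdp(json_to_xacml_request(query), policy)
    return parse_xacml_decision(response) == "Permit"


# Constructed sample policy: HR may read payroll, everyone else is denied
# on payroll, and anything else is outside this policy's scope.
SAMPLE_POLICY = [
    {"target": {"urn:oasis:names:tc:xacml:1.0:resource:resource-id": "/payroll",
                "urn:oasis:names:tc:xacml:1.0:action:action-id": "read",
                "urn:example:role": "hr"}, "effect": "Permit"},
    {"target": {"urn:oasis:names:tc:xacml:1.0:resource:resource-id": "/payroll"},
     "effect": "Deny"},
]

if __name__ == "__main__":
    alice = {"subject": "alice", "resource": "/payroll", "action": "read",
             "attributes": {"subject": {"urn:example:role": "hr"}}}
    bob = {"subject": "bob", "resource": "/payroll", "action": "read"}
    print(json_to_xacml_request(alice))
    print("alice:", is_permitted(alice, SAMPLE_POLICY))  # True
    print("bob:", is_permitted(bob, SAMPLE_POLICY))      # False
```

The app only ever sees the JSON query and a boolean; the XACML document, the PDP endpoint and the fail-closed mapping of anything other than Permit live in the server-side component, which is the division of labour the slide argues for. Swapping the toy PDP for a real engine means POSTing the rendered Request to it and feeding its Response to `parse_xacml_decision` unchanged.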