Posted: 15-Jan-2015
Making Leaders Successful Every Day
Trends, Transients, Tropes, and Transparents
Eve Maler, Principal Analyst, Security & Risk
ForgeRock Open Identity Stack Summit
October 15, 2013
© 2012 Forrester Research, Inc. Reproduction Prohibited
What are the T4 all about?
[Figure: 2×2 matrix of the T4. Horizontal axis: Less well noticed to Well noticed. Vertical axis: Closer to truthiness to Closer to essential truth. Quadrants: Transparents, Transients, Trends, Tropes.]
• What are they?
• What is the evidence?
• What should you do about them?
Trend: webdevification of IT
Source: John Musser (formerly) of ProgrammableWeb.com
IN THE FUTURE, EVERY ENTERPRISE WILL OPEN AN API CHANNEL TO ITS DIGITAL PLATFORM
Confront the changes in your power relationship
[Figure: value X versus friction Y]
ACCESS CONTROL IS ABOUT PROTECTION AND MONETIZATION
Source: April 5, 2013 Forrester report “API Management For Security Pros”
A lot of identities float around an API ecosystem
Open Web APIs are, fortunately, friendly to the Zero Trust model of security
Initially treat all access requesters as untrusted. Require opt-in access. Apply
identity federation through APIs.
Source: November 15, 2012, Forrester report “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security”
Trend: IAM x cloud
ZERO TRUST CALLS FOR DISTRIBUTED SINGLE SOURCES OF TRUTH
Prefer these choices when crossing domains (in the order shown on the slide):
• Provision just in time through SSO
• Bind to a user store and replay credentials
• Synchronize accounts periodically
• Issue and manage a disconnected account
Identity plays only an infrastructural role in most cloud platforms
[Figure: cloud services; IAM functions; user base and attributes; callout "cloud identity product with an actual SKU"]
DISRUPTION IS COMING FROM THE CLOUD IDENTITY SERVICES DARK HORSES
Transient: XACML
• Adoption has government/compliance drivers, few accelerators, and many inhibitors
• It’s critical to open up the market for long-tail policy evaluation engines
• Webdevified and mobile-friendly scenarios demand different patterns of outsourced authorization
XACML 3 IS STUCK AT MODERATE SUCCESS AND IS HEADING FOR DECLINE
Authz grain needs to get…finer-grained
[Figure: authorization granularity. Policy-input axis: roles, groups, attributes, field-level entitlements. Resource-accessed axis: domain, URL path, sets of API calls, field. Approaches placed along the axes: WAM, scope-grained authz, XACML etc.]
Plan for a new “Venn” of access control
AN “XACML LITE” WOULD HAVE A POTENTIALLY VALUABLE ROLE TO PLAY
Trope: “Passwords are dead”
OH, YEAH?
correct horse battery staple
We struggle to maximize authentication quality
Source: June 12, 2013 Forrester report “Introducing The Customer Authentication Assessment Framework”
PARTICULARLY IN CONSUMER-FACING SERVICES
Authentication schemes have different characteristics
Source: June 12, 2013 Forrester report “Introducing The Customer Authentication Assessment Framework”, based on “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes”
*S2 is an affordance of passwords for “consensual impersonation”
Think in terms of “responsive design” for authentication
LEVERAGE STRENGTHS AND MITIGATE RISKS – ONCE YOU KNOW THEM
User identification based on something they…
• Know
• Have
• Are
• Do
Transparent: time-to-live strategies
EXPIRATION HAS OUTSIZED VALUE VS. EXPLICIT REVOCATION OF ACCESS IN ZERO-TRUST ENVIRONMENTS
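As an added illustration of this slide's claim (example code, not from the deck or from ForgeRock): a small model of a resource server in one domain validating tokens issued in another, comparing a purely local expiry check against explicit revocation that needs a lookup at the issuing domain's source of truth. The subject "alice", the times and the TTL values are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Token:
    subject: str
    issued_at: int  # seconds
    ttl: int        # lifetime in seconds

    def expired(self, now: int) -> bool:
        return now >= self.issued_at + self.ttl

@dataclass
class Issuer:
    """Single source of truth for the issuing domain; holds the revocation list."""
    revoked: set = field(default_factory=set)

@dataclass
class ResourceServer:
    """Relying party in another domain. check_revocation=False means it trusts only
    the token's own expiry (a local decision); True means every decision costs a
    round-trip to the issuer, which is what crossing domains makes costly."""
    issuer: Issuer
    check_revocation: bool
    lookups: int = 0  # round-trips to the issuer

    def allow(self, tok: Token, now: int) -> bool:
        if tok.expired(now):
            return False          # expiry is enforced locally in both modes
        if not self.check_revocation:
            return True
        self.lookups += 1         # explicit revocation: ask the source of truth
        return tok.subject not in self.issuer.revoked

def simulate(ttl: int, revoked_at: int, check_revocation: bool, probe_times):
    """Issue one token at t=0, revoke its subject at revoked_at, probe access at
    each time. Returns (times at which access was allowed, issuer lookups)."""
    issuer, tok = Issuer(), Token("alice", issued_at=0, ttl=ttl)
    rs = ResourceServer(issuer, check_revocation)
    allowed = []
    for now in sorted(probe_times):
        if now >= revoked_at:
            issuer.revoked.add(tok.subject)
        if rs.allow(tok, now):
            allowed.append(now)
    return allowed, rs.lookups

def exposure_window(ttl: int, revoked_at: int) -> int:
    """Worst-case seconds a revoked-but-unexpired token keeps working with TTL only."""
    return max(0, ttl - revoked_at)
```

With a 900-second TTL and a revocation at 300 seconds, the TTL-only server keeps honouring the token until expiry (a bounded 600-second window) without ever calling the issuer, while the revoking server closes access immediately but pays one issuer lookup per decision.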
Summary of the T4
[Figure: the same 2×2 matrix as before. Horizontal axis: Less well noticed to Well noticed. Vertical axis: Closer to truthiness to Closer to essential truth.]
• Transparent: Time-to-live strategies
• Transient: XACML
• Trends: Webdevification of IT; Cloud x IAM
• Trope: “Passwords are dead”
Thank you
Eve Maler
+1 617.613.8820
[email protected]
@xmlgrrl