Post on 01-Nov-2014
Trusted Tokens: An Identity Game Changer
Steven Lewis
What we learned: Trusted Identities
• Trust starts with the user
• Trust must continue through service chaining
• Context for run-time access control
• Fully supported standards and interoperability
• Web SSO, SAML2, OAuth2, OpenID Connect, WS-Trust, JWT
• Support for both RESTful and SOAP services
Every Web Service Client and Provider creates and uses its own non-standard “Trust” tokens
STS Handles All Security Token Processing
Diagram: Without STS (each client/provider pair handles tokens itself) vs. With STS (one STS in the middle handles all token processing)
Extending use of Secure Token Services (STS)
• Significant flexibility to our web applications
  – Separates the authentication from the application/services
• Provides the ability to support single or multi-factor authentication external to the application
  – Acts as an authentication bridge between applications that require dual hosting in public and internal facing
• Provides federated attributes to our enterprise directories for use within desktop
  – Connects our provisioning services to the token services
• Needed for authorization services
  – Enables authorization services to derive a complete context of the person and non-person entities, and services requesting data
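The two properties the deck keeps returning to, trust that starts with the user and trust that survives service chaining, are easiest to see in code. The following is an added example and not the deck's or the author's code: a minimal STS that issues an HS256 JSON Web Token carrying the user's federated attributes, then re-issues it for each hop of a service chain, recording the calling service in a nested `act` (actor) claim in the style of RFC 8693. The issuer name, the shared HMAC key, the service names and the attribute values are all constructed for the demo; a production STS would sign with an asymmetric key and publish its keys through metadata.

```python
"""Added illustration of an STS issuing trust tokens and re-issuing them for
service chaining.  Constructed example, not the deck's code: HS256 JWTs with a
shared demo key stand in for a real STS with asymmetric keys."""
import base64
import hashlib
import hmac
import json

ISSUER = "https://sts.example.invalid"          # constructed issuer name
STS_KEY = b"constructed-demo-key-do-not-reuse"  # constructed HMAC key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Serialise claims as a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, audience: str, now: float) -> dict:
    """Check algorithm, signature, issuer, audience and expiry; return claims or raise."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    alg = json.loads(_b64url_decode(header)).get("alg")
    if alg != "HS256":  # the verifier decides the algorithm, never the token
        raise ValueError(f"unsupported alg {alg!r}")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not meant for this service")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def sts_issue_user_token(user: str, attributes: dict, audience: str, now: float) -> str:
    """Trust starts with the user: authentication (IWA/PKI/SAML) is assumed to
    have happened upstream; the STS embeds the federated attributes it collected."""
    claims = {"iss": ISSUER, "sub": user, "aud": audience,
              "iat": int(now), "exp": int(now) + 300, "attrs": attributes}
    return sign_token(claims, STS_KEY)


def sts_exchange_for_chain(token: str, caller: str, next_audience: str, now: float) -> str:
    """Service chaining: the calling service presents the token it received and
    gets a token for the next hop.  The user stays the subject; each caller is
    recorded in an 'act' claim nested per hop (outermost = most recent actor)."""
    claims = verify_token(token, STS_KEY, audience=caller, now=now)
    actor = {"sub": caller}
    if "act" in claims:
        actor["act"] = claims["act"]  # keep the earlier hops underneath
    chained = {"iss": ISSUER, "sub": claims["sub"], "aud": next_audience,
               "iat": int(now), "exp": min(claims["exp"], int(now) + 300),
               "attrs": claims["attrs"], "act": actor}
    return sign_token(chained, STS_KEY)


def actor_chain(claims: dict) -> list:
    """Flatten nested act claims into [nearest caller, ..., first hop]."""
    chain, node = [], claims.get("act")
    while node:
        chain.append(node["sub"])
        node = node.get("act")
    return chain


def _rejected(token: str, audience: str, now: float) -> bool:
    try:
        verify_token(token, STS_KEY, audience, now)
        return False
    except ValueError:
        return True


def demo(now: float = 1_700_000_000.0) -> dict:
    """User -> external-app -> internal-app -> file-services, all constructed names."""
    user_tok = sts_issue_user_token("alice", {"org": "ExampleOrg", "clearance": "internal"},
                                    audience="external-app", now=now)
    hop1 = sts_exchange_for_chain(user_tok, "external-app", "internal-app", now)
    hop2 = sts_exchange_for_chain(hop1, "internal-app", "file-services", now)
    final = verify_token(hop2, STS_KEY, audience="file-services", now=now)
    return {"subject": final["sub"], "chain": actor_chain(final), "attrs": final["attrs"],
            # a token minted for internal-app must not be accepted by file-services
            "replay_to_wrong_service": _rejected(hop1, "file-services", now)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The last hop can see who the user is, which attributes the STS vouched for, and every service that handled the request on the way, which is exactly the "complete context" the authorization slide asks for. The audience check is what stops a token issued for one hop from being replayed at another.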
The Data Challenge
The IdAM Challenge
Securing Access to Data
Diagram: Governance
Access Control: A Top Ten List of Red Herrings
Copyright (c) 2014 by nMed LLC. All Rights Reserved. 7
1. Discover the Silver Bullet
We’ll Never “Arrive”
2. Add More Until Finally Secure
3. Solve at the Point of Vulnerability
4. Let IT Manage Security
1. Mission ascends
2. Heat rises
3. Wax melts
4. Feathers detach
5. Operation aborts
6. World watches
5. A Friendly GUI is Nice to Have
“Dude! It’s ALL about the Interface!”
6. “Policy is Software. Not my bag!”
• Information Security Officer
• Privacy Officer
• Risk Management Officer
• Privacy Manager
• Security Analyst
• Compliance & Risk
7. Policy = Software
Doré’s Confusio Linguarum*
* “I dunno. Ask the Legal Department.”
… and moreover, we believe, Natural Language
8. Access Control = Subject + Resource + Action.
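The red herring here is that subject, resource and action are enough. The deck's earlier slides ask for run-time context (who is asking, on whose behalf, from where, for what purpose) to reach a decision, and an added example, not the deck's or the author's code, makes the difference concrete: a small attribute-based policy evaluator with deny-overrides combining, where one identical subject/resource/action triple is permitted in one context and denied in another, with every fired rule recorded for audit. The attribute names, rule set and sample requests are constructed for the demo.

```python
"""Added illustration: the same Subject + Resource + Action triple yields
different decisions once run-time context is part of the request.
Constructed example, not the deck's code; attribute names and rules are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    subject: dict   # who: attributes from the trust token (role, org, ...)
    resource: dict  # what: type, classification, owning org, ...
    action: str     # read / write / ...
    context: dict   # when / where / why: network, purpose, ...


@dataclass
class Decision:
    effect: str                                  # "Permit" or "Deny"
    fired: list = field(default_factory=list)    # audit trail: (rule, effect) pairs


# Rule = (name, predicate on the request, effect when the predicate holds).
RULES = [
    ("clinicians-read-records",
     lambda r: r.subject.get("role") == "clinician"
     and r.resource.get("type") == "record" and r.action == "read",
     "Permit"),
    ("same-org-only",
     lambda r: r.subject.get("org") != r.resource.get("org"),
     "Deny"),
    ("restricted-needs-internal-network",
     lambda r: r.resource.get("classification") == "restricted"
     and r.context.get("network") != "internal",
     "Deny"),
    ("purpose-must-be-stated",
     lambda r: r.context.get("purpose") not in {"treatment", "audit"},
     "Deny"),
]


def evaluate(req: Request) -> Decision:
    """Deny-overrides: any Deny wins, otherwise a Permit is needed, else default Deny."""
    fired = [(name, effect) for name, pred, effect in RULES if pred(req)]
    effects = {effect for _, effect in fired}
    if "Deny" in effects:
        return Decision("Deny", fired)
    if "Permit" in effects:
        return Decision("Permit", fired)
    return Decision("Deny", fired + [("default-deny", "Deny")])


# Constructed sample: identical subject, resource and action; only context varies.
SUBJECT = {"sub": "alice", "role": "clinician", "org": "ExampleOrg"}
RESOURCE = {"type": "record", "classification": "restricted", "org": "ExampleOrg"}


def decide(context: dict) -> Decision:
    return evaluate(Request(SUBJECT, RESOURCE, "read", context))


if __name__ == "__main__":
    for ctx in ({"network": "internal", "purpose": "treatment"},
                {"network": "external", "purpose": "treatment"},
                {"network": "internal"}):
        d = decide(ctx)
        print(ctx, "->", d.effect, d.fired)
```

The `fired` list is what an audit function needs later (red herring 10): not just the verdict but which rules produced it, so a denied request from an external network can be distinguished from one denied for a missing purpose.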
9. ABAC Product is The Answer
10. Oh yeah. Gotta think about Audit.
Overall Use Case
Diagram components: Internal Application, External Application, External STS, Internal STS, File Services, External Trust, IWA, PKI, Kerberos, Attribute Providers, External Attribute Provisioning, Desktop DAC; External and Internal zones.
Use Case 1: Externalize Authentication
• Stand up an external application that can support the use of an External STS
• Provide the ability for future integration to support service chaining
Diagram components: External Application, External STS, SAML, Attribute Providers, Other Application Partners, Data Exchanges.
Use Case 2: Re-platforming of Application
• Rehost “External Application” supporting IWA Authentication but also still provide attributes that were required from External Network
• Prepare for future integration to receive data from “External Application”
Diagram components: Internal Application, External STS, Internal STS, External Trust, Attribute Providers, X.509 Attribute Sharing Profile, SAML.
Use Case 2b: Data Exchanges
• Enable “Internal” and “External” application interconnect services via service chaining
Diagram components: Internal Application, External STS, Internal STS, External Trust, Attribute Providers, X.509 Attribute Sharing Profile, SAML, External Application, Other Application Partners, Data Exchanges.
Use Case 3: Provisioning
• Stand up External Attribute Provisioning Service to retrieve External Network Attribute Provider data for use on Internal Network
Diagram components: External STS, Internal STS, External Trust, Attribute Providers, External Attribute Provisioning, X.509 Attribute Sharing Profile.
Use Case 4: Desktop Claims
• Leverage the external attributes provided for authorization services on desktop
Diagram components: File Services, Kerberos, Desktop DAC.
Thank you