CIS14: Identity at Scale: Building from the Ground Up
Transcript of CIS14: Identity at Scale: Building from the Ground Up
Identity@Scale
Angle on Identity Data for scaling
Growth
• Organizations offering more consumer Web- and mobile-based services
• 2.4 billion internet users on the planet
• 1.75 billion smart phones
• Sixfold growth in mobile e-commerce through 2017
• IoT: 50 billion devices in 2020

IAM industry is catching up
• IAM technologies continue to enable
• Tools and technologies are improving
• New standards for mobile, cloud + API economy
• And new ways of doing things
Directories for Authentication - stores identity (and some authorization)
Databases for authorization - also stores identity
[Diagram labels: = Hundreds, = Few; Security, Business, IT]
Identity Data Management is lagging behind
Current state: application/service silos
• Disconnected IT roles created for each individual application/service
• New database for each application containing identity and application roles
And we keep hearing about context
• XACML
• OpenID Connect
• UMA
But we have a lot of information about our customers
We don't use it!
[Customer attributes shown: Name, Brand Information, Market Segment, Billing Status, Licensing & Certification, Role, Contact information, Account Status, Devices, Consent, Location, Organization, Identifiers, Interactions, Agreements, Product subscriptions, Authorized Acct Relationships]
Business context often remains in back-office systems
[Diagram: Front of house vs. Back Office]
• Directory Services: Identity, Email Address, Group (often no user context)
• Customer / CRM: Identity, User context
• Integration Services: Identity, authorization
• Spend lots of $$$ doing the same things over: Identity, authorization
Targets
"Killing IAM in order to save it"
• Need to better define and describe business relationships and context for online activity
• Create single user views for multiple services
[Diagram label: Parental Controls]
Back to the Future
• Directories store information once for many applications and services to use
• Business-oriented, object-based systems with security and distribution
[Diagram: X User Identity / Authorization]
Build the namespace according to objects and functions, not hierarchies:
OU=Entitlements
OU=Devices
OU=Profiles
OU=Names
OU=Roles
OU=Users
OU=Products
OU=Configuration Mgt
OU=Preferences
OU=Apps
OU=Addr Books
Tie users to objects using GUIDs to create relationships
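An added example, not from the deck, of the object-based namespace above in Python: each object type lives in its own flat container, every object carries a GUID, relationships are GUID pairs rather than nesting, and the single user view is assembled by following those references (user to role to entitlement). Container names and the sample records are constructed.

```python
"""Added example (not from the CIS14 deck): flat, object-based directory
namespace; users tied to devices/roles/entitlements by GUID, not hierarchy."""
import uuid
from collections import deque

CONTAINERS = ("Users", "Devices", "Roles", "Entitlements", "Profiles")  # one OU each

class Namespace:
    def __init__(self):
        self.objects = {}   # guid -> (ou, attrs)
        self.links = {}     # guid -> set of referenced guids (the relationships)

    def add(self, ou, **attrs):
        """Create an object in its function-specific OU and return its GUID."""
        if ou not in CONTAINERS:
            raise ValueError(f"unknown container {ou}")
        guid = str(uuid.uuid4())
        self.objects[guid] = (ou, attrs)
        self.links[guid] = set()
        return guid

    def link(self, src, dst):
        """A relationship is a GUID pair; nothing is nested under a user."""
        self.links[src].add(dst)

    def single_user_view(self, user_guid):
        """Walk GUID references out of a user (user -> role -> entitlement ...)
        and group everything reachable by OU: one contextual view of the user."""
        view = {ou: [] for ou in CONTAINERS if ou != "Users"}
        seen, queue = {user_guid}, deque([user_guid])
        while queue:
            for nxt in self.links[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
                    ou, attrs = self.objects[nxt]
                    view[ou].append(attrs)
        view["user"] = self.objects[user_guid][1]
        return view

def build_demo():
    """Constructed data: one subscriber, her phone, a billing-derived role."""
    ns = Namespace()
    alice = ns.add("Users", uid="alice", mail="alice@example.com")
    phone = ns.add("Devices", kind="phone", serial="CONSTRUCTED-0001")
    gold = ns.add("Roles", name="gold-subscriber")   # context from billing
    hd = ns.add("Entitlements", product="streaming-hd")
    ns.link(alice, phone); ns.link(alice, gold); ns.link(gold, hd)
    return ns, alice
```

The entitlement reaches the view through the role, so business context from billing becomes part of the user's view without a group membership being copied anywhere.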
Adding it all up
[image] + Business Context Relationships = Scalable + contextual Identity Data Model
Well designed information sets provide business efficiency and scale
System Scale
[Diagram: Self-Managed CRM / Billing; Directory NameSpace(s); Updates / Reads reflected in information objects; Single user view; VMs]
Provides a ready-made recipe for cloud
Single user view - with context
Identity Bridge
Portable context
Better prepared for paradigm shift
• An API-centric methodology relies on well managed and described information about users
• Requires closer integration with data architecture
[Diagram: Web, Web Services, Services; Updates, Self-service, Self-subscribing; objects: Names, Users, Devices, Products, Profiles, Roles, Addr. Books, Apps, Prefs, Config.]
Making progress
We still need to move away from this: DBs = Hundreds of identities
Towards this: Single Identity; CRM / Billing $$
Next Steps
• Get a handle on the number of identities out there
• Use tools to discover, map and clean up duplicate identities
• Use tools to understand which applications are using which identity stores
VDS
• Create a taxonomy of applications that require authentication/authorization and the conditions for access (e.g., Gold subscriber, all users, certain users)
VDS
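The first three steps, as an added example in Python that is not part of the deck: a small duplicate-identity finder that joins records from several stores on normalized email and phone, then reports which applications read a store holding one of the copies. Store names, applications and records are constructed, and the phone rule assumes NANP numbers.

```python
"""Added example (not from the CIS14 deck): find one person held as separate
identities in several stores, and map which applications read those stores."""
import re
from collections import defaultdict

# Constructed extracts: (store, record id, email, phone); stores differ in what they hold
RECORDS = [
    ("directory",  "uid=alice", "Alice@Example.com", None),
    ("crm",        "C-1001",    "alice@example.com", "+1 555 010 0100"),
    ("billing",    "B-77",      None,                "(555) 010-0100"),
    ("directory",  "uid=bob",   "bob@example.com",   None),
    ("appdb-shop", "S-9",       "bob@example.com",   "+1 555 010 0199"),
    ("appdb-shop", "S-10",      "carol@example.com", None),
]
APP_STORES = {"shop": {"appdb-shop", "crm"}, "portal": {"directory"}, "invoice": {"billing"}}

def match_keys(email, phone):
    """Normalized keys on which two records count as the same person."""
    keys = []
    if email:
        keys.append("mail:" + email.strip().lower())
    if phone:  # assumption: NANP numbers, compare the 10-digit national number
        keys.append("tel:" + re.sub(r"\D", "", phone)[-10:])
    return keys

def find_duplicates(records):
    """Union-find over records sharing any key; return clusters of size > 1."""
    parent = list(range(len(records)))
    def root(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i
    first_seen = {}
    for i, (_, _, email, phone) in enumerate(records):
        for key in match_keys(email, phone):
            if key in first_seen:
                parent[root(i)] = root(first_seen[key])
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[root(i)].append(rec)
    return [g for g in groups.values() if len(g) > 1]

def affected_apps(cluster, app_stores=APP_STORES):
    """Applications whose identity store holds one copy of a duplicated identity."""
    stores = {store for store, *_ in cluster}
    return sorted(app for app, used in app_stores.items() if used & stores)
```

Matching is transitive, so the billing record with no email still joins Alice's cluster through the phone number shared with the CRM record.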
Next Steps
• Use the context in the systems you own and build a richer set of user context
• CRM/Billing systems don't sign in users ($$)
• Build systems that represent the business context of users and what they do
• Needs to be scalable, distributed and secure
• Transition authentication to new tools
• Work with app owners to lifecycle current apps
• Use new tools to build new apps
VDS
When you get back to the office
• Understand the vision for customer centricity
• Start cleaning up the identity silos that cause a disconnected view of the customer
• Change legacy mindsets and look to better combine identity with data architecture
• Correlate insufficient technology investments to current problem sets
• Build the business case and understand dimensions
Questions?
Anthony Randall, Security Architect – IAM, [email protected]
Back-Up Stuff
There is a lot of valuable context information in billing systems and CRMs that can replace IT security groups
[Diagram: CRM / Billing $$ vs. Application identity silos, with the same customer-attribute list shown earlier]
Graph databases offer another way to depict the same core problem
Is it a storage and scale problem... or the method we use to represent information?
Requirements and Processes
• Business: Vision; Goals and drivers; Legal and Regulatory; Use-cases; Product Definition
• User: Simple to use; Fast; Self-service; Self-controlled; Online trust; Customer support; Parental controls; Privacy control; Personalization
• Solution: Massive scale; Millions of users; Mobile optimized; Cloud-based; Ensure data privacy; Secure; Support social IDs; Integrated; Federated
• Processes: Account creation/registration; Product Management; Provisioning; Context-driven access; Account Management; User lifecycle Mgt; Configuration Mgt; Business/Decision Support; Customer care
Model for Scale
Namespace, business objects that provide specific function and context; can be scaled independently according to need
[Diagram components: SaaS, CRM, 3rd Party, Billing; Administration Tools, Self-Service Tools, Identity Information Service, Provisioning, Self Service Administration, Product Mgt Tool, Data Tools, Synchronization, Service Access / Policy Information Point, Audit, Authoritative Sources; objects: People, Products, Name Mgt, Devices, Servers, SaaS Satellite Information, Profiles, Role Def., SF.com, Config. Mgt., <new>@service.com, Single User View, Addr Books, Policies, Registration/Account Creation, Prefs, MDM, Business Context]