CIS14: Lean In: Enterprise Cloud Identity

Transcript
Page 1: CIS14: Lean In: Enterprise Cloud Identity

Nimble: Rethinking Enterprise Cloud Identity

Mark Diodati: Lean In: Enterprise Cloud Identity (@mark_diodati)

Laura E. Hunter: Zen and the Art of Enterprise Authentication (@adfskitteh)

John Tolbert: Is the Cloud Ready for Enterprise Identity and Security Requirements?

Page 2: CIS14: Lean In: Enterprise Cloud Identity

Lean In: Enterprise Cloud Identity

Mark Diodati, Mon 14-07-21, @mark_diodati

Page 3: CIS14: Lean In: Enterprise Cloud Identity

enterprises are leaning in to address cloud identity challenges

Page 4: CIS14: Lean In: Enterprise Cloud Identity

leaning in: cloud identity management

•  constituencies to applications problem

•  inability to provide identity services for most applications

(diagram label: IDaaS)

Page 5: CIS14: Lean In: Enterprise Cloud Identity

leaning in: cloud IGA

•  expansion and complexity

–  who

–  what

•  (im)maturity of cloud applications and platforms

(diagram labels: who, what)

Page 6: CIS14: Lean In: Enterprise Cloud Identity

CLOUD IDENTITY MANAGEMENT

Page 7: CIS14: Lean In: Enterprise Cloud Identity

why cloud IAM?

•  IAM requirements for apps in the cloud

–  corporate apps (email and office), CRM

–  IAM services are not necessarily in the cloud

•  Desire for IDaaS (identity management-aaS)

•  SaaS application model is disrupting IAM vendors

–  Turnkey (faster time to value)

–  Reduced costs (hardware and software)

–  Elastic (pay as you grow)

Page 8: CIS14: Lean In: Enterprise Cloud Identity

cloud identity components

•  bi-directional on-premises gateway

•  translates on-premises 1.0 identity protocols to cloud 2.0 protocols

•  essential for most enterprises

(diagram label: IDaaS)

Page 9: CIS14: Lean In: Enterprise Cloud Identity

to: identity bridge

(diagram: identity bridge between the hosted and on-premises sides. On-premises: federation IDP and directory, with directory sync, Kerberos, X.509 and LDAP. Hosted: SaaS application, reached through SSO and provisioning (REST).)

Page 10: CIS14: Lean In: Enterprise Cloud Identity

from: identity bridge

(diagram: identity bridge between hosted and on-premises applications. Labels: SAML SP, STS, WAM cookie, OAuth RS and AS, OpenID Provider; applications and partners on both sides.)

Page 11: CIS14: Lean In: Enterprise Cloud Identity

cloud identity components

IDaaS

•  Identity Management as a Service

•  externally-hosted, turnkey SaaS

•  frequently used with an identity bridge

Page 12: CIS14: Lean In: Enterprise Cloud Identity

IDaaS market trends

•  More IaaS and PaaS vendors are moving into IDaaS

–  Salesforce, Microsoft

–  AWS - evolving towards externalized identity

Page 13: CIS14: Lean In: Enterprise Cloud Identity

IDaaS market trends

•  Mobile authentication vendors will be absorbed into IDaaS

–  Completes IDaaS offering / has become/will be table stakes

–  MFA has diminished value without other identity services

Page 14: CIS14: Lean In: Enterprise Cloud Identity

IDaaS sub-market convergence

(diagram: converging sub-markets provisioning/governance and SSO/authentication. Capabilities shown: password vaulting, directory sync, federation, user management, provisioning, access certification, multi-factor authn, sep of duties, self-service, administrative scoping & delegation, cloud directory.)

Page 15: CIS14: Lean In: Enterprise Cloud Identity

in: IDaaS

(diagram: hosted vs on-premises. The IDaaS provides provisioning, SSO and authentication for the user to the SaaS application.)

Page 16: CIS14: Lean In: Enterprise Cloud Identity

IDaaS: internal directory

(diagram: hosted vs on-premises. The IDaaS, using its own internal directory, provides provisioning, SSO and authentication for the user to the SaaS application.)

Page 17: CIS14: Lean In: Enterprise Cloud Identity

IDaaS: single directory (AD)

(diagram: hosted vs on-premises. On-premises Active Directory feeds the IDaaS through directory sync and Kerberos; the IDaaS provides provisioning, SSO and authentication to the SaaS application.)

Page 18: CIS14: Lean In: Enterprise Cloud Identity

IDaaS: single directory (Google)

(diagram: hosted vs on-premises. The hosted directory acts as directory sync target or runtime store ("sync or runtime"); the IDaaS provides provisioning, SSO and authentication to the SaaS application.)

Page 19: CIS14: Lean In: Enterprise Cloud Identity

IDaaS: many-to-many directories

(diagram: the IDaaS sits between partner, partner, developer and "you", with a central access policy.)

Page 20: CIS14: Lean In: Enterprise Cloud Identity

enterprise grade IDaaS

(diagram: hosted vs on-premises. The IDaaS connects through an identity bridge to on-premises WAM, and to a SaaS application and an app on EC2.)

Page 21: CIS14: Lean In: Enterprise Cloud Identity

CLOUD IGA

Page 22: CIS14: Lean In: Enterprise Cloud Identity

IGA: a wealth of talents

•  provisioning

•  self-service

•  access certification

•  separation of duties

•  role management

•  entitlement management

Page 23: CIS14: Lean In: Enterprise Cloud Identity

An entitlement is a system object that can be granted to enable a user to perform some set of actions in an application.

Burton Group, 2009

(diagram: ENTITLEMENT links who and what)

Page 24: CIS14: Lean In: Enterprise Cloud Identity

expansion of who

(diagram: constituency vs identity stores)

•  employees, contractors: on-premises identity stores (LDAP, Active Directory, HR)

•  partners, consumers: identity stores somewhere else (LDAP, Active Directory, Facebook)

Page 25: CIS14: Lean In: Enterprise Cloud Identity

complexity of who

•  governance complexity

•  “un-control” over identity stores

Page 26: CIS14: Lean In: Enterprise Cloud Identity

expansion of what

(diagram: applications vs accessibility)

•  good: Active Directory, WAM, SharePoint, ERP

•  maturing: SaaS application, IaaS platform

Page 27: CIS14: Lean In: Enterprise Cloud Identity

complexity of what

•  governance complexity

•  “un-control” over applications

Page 28: CIS14: Lean In: Enterprise Cloud Identity

good ole days of IGA ;-)

(diagram: hosted vs on-premises. On-premises IGA covers entitlement management, access certification, SoD and role management.)

Page 29: CIS14: Lean In: Enterprise Cloud Identity

reminder: to the cloud SSO

(diagram: hosted vs on-premises. On-premises federation IDP and directory, with directory sync, Kerberos, X.509 and LDAP. Hosted SaaS application reached through SSO and provisioning (REST).)

Page 30: CIS14: Lean In: Enterprise Cloud Identity

cloud SSO: entitlement management

(diagram: hosted vs on-premises. On-premises identity store and federation IDP, with IGA entitlements; hosted SaaS application.)

Page 31: CIS14: Lean In: Enterprise Cloud Identity

to the cloud SSO: entitlement view

(diagram: identity store with LDAP group and attribute, federation IDP, SaaS application; coarse to fine)

•  CRM LDAP group and IS_CRM_MGR LDAP attribute

•  LDAP group and attribute(s) mapped to SaaS profile CRM_MANAGER

•  CRM_MANAGER profile has access to SaaS and to specific transactions

•  coarse to fine: CRM LDAP group gets access to the SaaS app, with the IS_CRM_MGR attribute selecting the profile
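The coarse-to-fine mapping on this slide, worked through as an added example (not code from the deck or any vendor product). The group and attribute names CRM, IS_CRM_MGR and CRM_MANAGER are the deck's; the default profile CRM_USER, the LDAP DN and the sample users are constructed assumptions. The point it demonstrates is the ordering: the group membership is the gate, and the attribute only refines the profile, so a stray IS_CRM_MGR flag on someone outside the group grants nothing, and the IDP releases only the derived profile, not raw group DNs.

```python
"""Coarse-to-fine entitlement mapping at a federation IDP (added example).

CRM, IS_CRM_MGR and CRM_MANAGER come from the slide; CRM_USER, the group DN
and the sample users are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class DirectoryUser:
    """Minimal view of an LDAP entry: memberOf groups plus a few attributes."""
    uid: str
    groups: frozenset
    attributes: dict = field(default_factory=dict)


@dataclass(frozen=True)
class SaasMapping:
    """How one SaaS application's profile is derived from the identity store."""
    app: str
    required_group: str          # coarse: membership gates access at all
    default_profile: str         # profile asserted when no refinement matches
    attribute_profiles: tuple    # fine: ((attribute, value, profile), ...) in priority order


CRM_MAPPING = SaasMapping(
    app="CRM",
    required_group="cn=CRM,ou=groups,dc=example,dc=com",   # assumed DN
    default_profile="CRM_USER",                            # assumed default profile
    attribute_profiles=(("IS_CRM_MGR", "TRUE", "CRM_MANAGER"),),
)


def resolve_profile(user: DirectoryUser, mapping: SaasMapping):
    """Return the SaaS profile to assert for user, or None when user gets no access.

    The group check runs first: an attribute such as IS_CRM_MGR on a user who is
    not in the CRM group must not grant anything on its own.
    """
    if mapping.required_group not in user.groups:
        return None
    for attribute, value, profile in mapping.attribute_profiles:
        if user.attributes.get(attribute) == value:
            return profile
    return mapping.default_profile


def build_assertion_attributes(user: DirectoryUser, mappings) -> dict:
    """Attribute statement the IDP would place in the SSO assertion.

    Only the derived per-app profile is released, never raw group DNs or the
    IS_CRM_MGR flag, so the SaaS side sees exactly one coarse-to-fine decision.
    """
    attrs = {"uid": user.uid}
    for mapping in mappings:
        profile = resolve_profile(user, mapping)
        if profile is not None:
            attrs[f"{mapping.app}_profile"] = profile
    return attrs


# Constructed sample directory entries.
CRM_GROUP = CRM_MAPPING.required_group
MANAGER = DirectoryUser("alice", frozenset({CRM_GROUP}), {"IS_CRM_MGR": "TRUE"})
REP = DirectoryUser("bob", frozenset({CRM_GROUP}), {})
OUTSIDER = DirectoryUser("carol", frozenset(), {"IS_CRM_MGR": "TRUE"})  # flag set, not in group


if __name__ == "__main__":
    for user in (MANAGER, REP, OUTSIDER):
        print(user.uid, build_assertion_attributes(user, [CRM_MAPPING]))
```

Running it prints alice with CRM_profile CRM_MANAGER, bob with CRM_USER, and carol with only her uid: the attribute never bypasses the group gate.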

Page 32: CIS14: Lean In: Enterprise Cloud Identity

evolution of cloud IGA

(diagram: quality of governance plotted against component maturity and the "distance" of the identity store. Stages: AD/LDAP groups; federation IDP entitlements; SaaS/IaaS entitlements; federation/SaaS activity logs.)
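The last stage on this slide, federation/SaaS activity logs, is where the governance gap between what the IDP asserts and what the SaaS actually holds becomes visible. As an added example (not from the deck), the reconciliation below compares three constructed inputs: the (uid, profile) pairs the IDP asserts, a profile export from the SaaS admin side, and SaaS activity log lines. The log format, the grant export and the user names are assumptions; the profile names follow the entitlement-view slide, with CRM_USER an assumed default. It also serves the recommendation on the later slide to push SaaS/IaaS vendors for entitlement and activity management: without those two feeds there is nothing to reconcile against.

```python
"""Reconciling IDP-asserted entitlements with SaaS grants and activity logs (added example).

All data below is constructed; the log line format and the admin export are assumptions.
"""

# Constructed: (uid, profile) pairs the federation IDP asserts from AD/LDAP groups.
IDP_ASSERTED = {
    ("alice", "CRM_MANAGER"),
    ("bob", "CRM_USER"),
}

# Constructed: profile grants exported from the SaaS application's admin side.
SAAS_GRANTS = {
    "alice": {"CRM_MANAGER"},
    "bob": {"CRM_USER", "CRM_MANAGER"},   # CRM_MANAGER added inside the SaaS, not via the IDP
    "carol": {"CRM_USER"},                # no IDP assertion at all
}

# Constructed activity log: timestamp followed by key=value tokens (assumed format).
SAAS_ACTIVITY_LOG = """\
2014-07-21T09:15:02Z uid=alice profile=CRM_MANAGER action=opportunity.update
2014-07-21T09:40:11Z uid=bob profile=CRM_MANAGER action=report.export
2014-07-21T10:02:45Z uid=alice profile=CRM_MANAGER action=account.read
"""


def parse_activity_log(text: str) -> list:
    """Turn log lines into dicts; malformed lines are skipped rather than guessed."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        event = {"ts": parts[0]}
        for token in parts[1:]:
            key, sep, value = token.partition("=")
            if sep:
                event[key] = value
        if "uid" in event and "profile" in event:
            events.append(event)
    return events


def saas_grant_pairs(grants: dict) -> set:
    """Flatten the admin export into (uid, profile) pairs."""
    return {(uid, profile) for uid, profiles in grants.items() for profile in profiles}


def reconcile(asserted: set, grants: dict, events: list) -> dict:
    """Three findings an access-certification campaign wants, worst first.

    unasserted_active: granted in the SaaS without an IDP assertion and used (drift in use)
    unasserted_idle:   granted in the SaaS without an IDP assertion, never used
    asserted_unused:   asserted by the IDP but never exercised in the log window
    """
    granted = saas_grant_pairs(grants)
    used = {(e["uid"], e["profile"]) for e in events}
    unasserted = granted - asserted
    return {
        "unasserted_active": unasserted & used,
        "unasserted_idle": unasserted - used,
        "asserted_unused": asserted - used,
    }


if __name__ == "__main__":
    findings = reconcile(IDP_ASSERTED, SAAS_GRANTS, parse_activity_log(SAAS_ACTIVITY_LOG))
    for kind, pairs in findings.items():
        for uid, profile in sorted(pairs):
            print(f"{kind}: {uid} {profile}")
```

On the constructed data this flags bob's CRM_MANAGER as an unasserted grant that is actively used, carol's CRM_USER as an unasserted idle grant, and bob's asserted CRM_USER as unused in the window. The first category is the one to act on immediately; the third is the input for a certification review.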

Page 33: CIS14: Lean In: Enterprise Cloud Identity

RECOMMENDATIONS the path forward

Page 34: CIS14: Lean In: Enterprise Cloud Identity

recommendations

•  cloud IAM

–  clarify your vision for modern IAM

–  monitor cloud IAM developments

•  holistic, SaaS-style integration

•  multi-constituency support

•  broader application management

Page 35: CIS14: Lean In: Enterprise Cloud Identity

recommendations

•  cloud IGA

–  understand your IGA requirements before migrating applications to the cloud

–  define a transitional IGA strategy for cloud applications

•  Push your SaaS/IaaS vendors to add entitlement and activity management capabilities

Page 36: CIS14: Lean In: Enterprise Cloud Identity