CIS14: Trusted Tokens: An Identity Game Changer

Trusted Tokens: An Iden/ty Game Changer

Steven Lewis

What we learned: Trusted Iden//es

2

•  Trust starts with the user •  Trust must con1nue thru service chaining •  Context for run 1me access control •  Fully supported standards and interoperability •  Web SSO, SAML2, Oauth2, OpenID Connect, WS-‐Trust, JWT •  Support for both RESTful and SOAP services

Every Web Service Client and Provider create/use non-‐standard “Trust” tokens

STS Handles All Security Token Processing

Without STS With STS

STS

Extending use of Secure Token Services (STS)

•  Significant flexibility to our web applica1ons –  Separates the authen1ca1on from the applica1on/services

•  Provides the ability to support single or mul1-‐factor authen1ca1on external to the applica1on

–  Acts as an authen1ca1on bridge between applica1ons that require dual hos1ng in public and internal facing

•  Provides federated aPributes to our enterprise directories for use within desktop –  Connects our provisioning services to the token services

•  Needed for authoriza1on services –  Enables authoriza1on services to derive a complete context of the person and

non-‐person en11es, and services reques1ng data 3

4

The Data Challenge

The IdAM Challenge

5

Securing Access to Data

6 Governance Governance

Access Control: A Top Ten List of Red Herrings

Copyright (c) 2014 by nMed LLC. All Rights Reserved. 7

1. Discover the Silver Bullet


We’ll Never “Arrive”

2. Add More Un/l Finally Secure


3. Solve at the Point of Vulnerability

8/4/14 Copyright (c) 2014 by nMed LLC. All Rights Reserved. 10

4. Let IT Manage Security


1. Mission ascends 2.  Heat rises 3. Wax melts 4.  Feathers detach 5.  Opera1on aborts 6. World watches

5. A Friendly GUI is Nice to Have


“Dude! It’s ALL about the Interface!”

6. “Policy is SoYware. Not my bag!”


•  Informa/on Security Officer

•  Privacy Officer •  Risk Management Officer

•  Privacy Manager •  Security Analyst •  Compliance & Risk

7. Policy = SoYware


Doré’s Confusio Linguarum* * “I dunno. Ask the Legal Department.”

. . . and moreover, we believe, Natural Language

8. Access Control = Subject + Resource + Ac/on.


9. ABAC Product is The Answer


10. Oh yeah. Goha think about Audit.


Overall Use Case

18

Internal Applica1on

External Applica1on

External STS

Internal STS

File Services

External Trust IWA

PKI

Kerberos

APributes Providers

External APribute

Provisioning Desktop DAC

External

Internal

Use Case 1: Externalize Authen1ca1on

•  Standup an external applica1on that can support the use of an External STS

•  Provide the ability for future integra1on to support service chaining

19

External Applica1on

External STS

SAML

APributes Providers

Other Applica1on Partners

Data

Exchanges

Use Case 2: Re-‐pladorming of Applica1on

•  Rehost “External Applica1on” suppor1ng IWA Authen1ca1on but also s1ll provide aPributes that were required from External Network

•  Prepare for future integra1on to receive data from “External Applica1on”

20

Internal Applica1on

External STS

Internal STS

External Trust

APributes Providers

X.509 APribute Sharing Profile

SAML

Use Case 2b: Data Exchanges •  Enable “Internal” and “External” applica1on interconnect services via service chaining

21

Internal Applica1on

External STS

Internal STS

External Trust

APributes Providers


SAML

External Applica1on

SAML

Other Applica1on Partners

Data

Exchanges

Data Exchanges

Use Case 3: Provisioning

•  Standup External APribute Provisioning Service to retrieve External Network APribute Provider data for use on Internal Network

22

External STS

Internal STS

External Trust

APributes Providers

External APribute

Provisioning


Use Case 4: Desktop Claims

•  Leverage the external aPributes provided for authoriza1on services on desktop

23

File Services

Kerberos

Desktop

DAC

Thank you

CIS14: Trusted Tokens: An Identity Game Changer

Technology

Transcript of CIS14: Trusted Tokens: An Identity Game Changer