Cloud IAM Q&A with Mike Schwartz

What exactly is Identity Federation?

These days, most websites and mobile apps don't know how to authenticate you. Instead, they call the APIs of services offered by popular "Identity Providers" or "IDPs", like Google and Facebook.

This enables a person's user information to be utilized at many different websites on the Internet, and information about a person can be shared with websites and apps on an as-needed basis. Of course, website developers don't want to learn a different authentication API for each IDP. And many organizations don't trust a third party to authenticate their people. So the Internet has moved to standards. The most widely used standard for Web authentication is SAML. Perhaps the most promising standard for SSO authentication is OpenID Connect, which is a profile of OAuth2.
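The federation answer above has the website hand authentication to an IDP and consume what the IDP returns. What that shifts onto the website (the OpenID Connect "relying party") is verifying the ID token before trusting a single claim in it. The following is an added example, not code from the presentation or from Gluu: a relying-party check of an ID token that rejects the mistakes attackers actually probe for (an `alg: none` header, a token signed for a different client, a replayed nonce, a token from another issuer). It assumes, for self-containment, an IDP identifier `ISSUER`, a client_id `CLIENT_ID` and a shared `CLIENT_SECRET` (so the token is HS256-signed, which OpenID Connect permits; RS256 against the IDP's published keys is the more common production case, and the claim checks are the same). Only the Python standard library is used.

```python
"""Added example: relying-party validation of an OpenID Connect ID token.
Not from the original Q&A. ISSUER, CLIENT_ID and CLIENT_SECRET are assumed values."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.com"   # assumed IDP issuer identifier (iss)
CLIENT_ID = "my-web-app"             # assumed relying-party client_id (expected aud)
CLIENT_SECRET = b"constructed-shared-secret-for-the-example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, key: bytes = CLIENT_SECRET, alg: str = "HS256") -> str:
    """IDP side: compact JWS over the claims. alg='none' exists only for the
    negative case in demo(); a real IDP never issues unsigned ID tokens."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, expected_nonce: str, now=None, key: bytes = CLIENT_SECRET) -> dict:
    """Relying-party side: return the claims if every check passes, else raise ValueError.
    Order matters: reject unacceptable algorithms before touching the signature,
    verify the signature before trusting any claim, then check iss/aud/exp/nonce."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":                      # never let the token pick the algorithm
        raise ValueError(f"unacceptable alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))              # only now is the payload trustworthy
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:   # multi-audience tokens must name us in azp
        raise ValueError("multi-audience token without matching azp")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:             # nonce binds the token to this login attempt
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def demo() -> dict:
    """Mint one good token and several hostile ones (constructed data); report which check fired."""
    base = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
            "exp": 1_700_000_600, "iat": 1_700_000_000, "nonce": "n-123"}
    now = 1_700_000_300  # constructed clock, five minutes after iat
    results = {"good": validate_id_token(mint_id_token(base), "n-123", now)["sub"]}
    cases = {
        "alg_none": (mint_id_token(base, alg="none"), "n-123", now),
        "wrong_key": (mint_id_token(base, key=b"attacker-key"), "n-123", now),
        "wrong_aud": (mint_id_token({**base, "aud": "other-app"}), "n-123", now),
        "wrong_iss": (mint_id_token({**base, "iss": "https://evil.example"}), "n-123", now),
        "expired": (mint_id_token(base), "n-123", 1_700_000_601),
        "replayed": (mint_id_token(base), "n-999", now),
    }
    for name, (tok, nonce, clock) in cases.items():
        try:
            validate_id_token(tok, nonce, clock)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

The nonce is the check people most often skip: the relying party generates it per login attempt, stores it in the session, sends it in the authentication request, and compares it on return; without it a valid token captured from one browser can be replayed into another session.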
The explosion of Two-Factor Authentication technology

One of the most important new technologies driving infrastructure changes is the explosion of strong-factor authentication technology. There is a triangle of authentication consisting of price, usability and security. Not all triangles are equal. New technologies are arising that are more convenient, more secure and less expensive than passwords.

Once a company makes an investment in strong authentication, they want to use that authentication technology across the maximum number of apps. For this reason, it makes sense to support open standards, so all applications can benefit from the availability of these new organizational authentication capabilities.

The Problem of Client Management

It's not only people that need to be authenticated and authorized. There is a proliferation of agents that act on behalf of the person, or are independent entities. How are these authenticated and authorized by the organization?

Seismic Shift: LDAP or WAM?

I think the seismic shift is from WAM (web access management) > Federation, not from LDAP > Federation. LDAP is still entrenched as a robust persistence infrastructure for user claims and password credentials. The problem with WAM products (i.e. SiteMinder, OAM, TAM) is that the cost has been high, customers are locked in (why else did CA buy Netegrity?), and integrations have been slow. Companies realize that whether they are integrating authentication with internal apps, external apps, or off-the-shelf products, open federation standards enable consolidation, which saves money and improves security.
In the large companies I've worked with, the security department did not have control over the applications, so even though they were "internal", a top-down approach was inefficient. It's better to publish your standards, and let the internal app developers help themselves, than to push a WAM architecture on them. In this sense, the fact that there are external apps just provides further evidence of a trend that had already clearly emerged.

IAM, not IDM

Often times, clients and consultants put too much emphasis on IDM, and not enough emphasis on organizational trust management. It's not just that I need to provision my users for external websites, but I need to understand with which websites I have shared which attributes. Also, organizations need to trust users who authenticated outside the organization. Most large organizations participate in an ecosystem of autonomous parties, and publish websites that are used by many outside the organization. This is the old problem of extranet user management. Trust management, IMHO, is one of the biggest challenges.

Where does XACML fit?

If you talk to organizations, you'll find that there is no clear trend for XACML's adoption. Proprietary and custom solutions are the rule in authorization right now, with most authorization actually taking place in the app.
To what extent centralized authorization will be achieved is totally uncertain, and I would argue that this is "the adjacent possible", as described in Steven Johnson's book "Where Good Ideas Come From": you can't have authorization before we have clear standards for authentication. In terms of adoption of technology, I'm bullish about UMA, and in fact I think UMA and XACML are complementary: app developers want JSON/REST, and it would be more suitable for the PDP to form a XACML request to a XACML PDP than for the app developer to learn XACML. In any case, I'm a fan of XACML as a standard for expressing authorization rules, but I do think that the technology is better suited for server-side developers.

Who will Outsource IDaaS?

I disagree with the common assumption that the majority of IDaaS will be outsourced. Perhaps for the SMB market this might be true. But many large organizations maintain core TCP/IP services, and AAA has traditionally been managed within the organizational perimeter. In fact, many organizations simply cannot outsource this function for security reasons. With standards, we will drive down the costs of the WAM software and the resources, and AAA will be simply another Linux or Windows service that can be configured.

Article resource: http://thegluuserver.livejournal.com/4561.html
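The XACML answer above argues that application developers want JSON/REST and that something in front of the PDP should speak XACML on their behalf. As an added example, not code from the presentation or from Gluu, here is the smallest useful form of that shim: the application asks a JSON question (who, which resource, which action, plus any extra attributes), the shim renders the XACML 3.0 Request document a PDP expects, and the PDP's Response is mapped back to a single yes/no. The PDP itself is not implemented; the Response documents below are constructed by hand to exercise the mapping, and the `urn:example:role` attribute identifier is an assumed placeholder. The two practitioner points it shows are that the XML is built from a tree (so a hostile subject string cannot inject extra elements into the request) and that anything other than an explicit `Permit`, including `Indeterminate`, `NotApplicable` and a malformed response, is treated as deny. Only the Python standard library is used.

```python
"""Added example: JSON-to-XACML 3.0 request shim and fail-closed response mapping.
Not from the original Q&A; the PDP is not implemented and the responses are constructed."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
ET.register_namespace("", XACML_NS)  # serialize with a default xmlns rather than ns0: prefixes

# Standard XACML categories and attribute identifiers for the three things an
# application naturally knows: who, which resource, and which action.
CATEGORIES = {
    "subject":  ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                 "urn:oasis:names:tc:xacml:1.0:subject:subject-id"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
    "action":   ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
                 "urn:oasis:names:tc:xacml:1.0:action:action-id"),
}


def _tag(name: str) -> str:
    return f"{{{XACML_NS}}}{name}"


def json_to_xacml_request(question: dict) -> str:
    """question = {"subject": ..., "resource": ..., "action": ...,
                   "extra": {"subject": {"<AttributeId>": value, ...}, ...}}  (extra is optional)
    Values are placed as element text via the tree API, so they are escaped on output."""
    req = ET.Element(_tag("Request"), {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    for key, (category, attr_id) in CATEGORIES.items():
        if key not in question:
            raise ValueError(f"authorization question is missing '{key}'")
        attrs = ET.SubElement(req, _tag("Attributes"), {"Category": category})
        values = {attr_id: question[key]}
        values.update(question.get("extra", {}).get(key, {}))
        for aid, val in values.items():
            attr = ET.SubElement(attrs, _tag("Attribute"), {"AttributeId": aid, "IncludeInResult": "false"})
            ET.SubElement(attr, _tag("AttributeValue"), {"DataType": XS_STRING}).text = str(val)
    return ET.tostring(req, encoding="unicode")


def parse_request(xml_text: str) -> dict:
    """Flatten a Request into {AttributeId: value}; shows the round trip and feeds the checks."""
    out = {}
    for attr in ET.fromstring(xml_text).iter(_tag("Attribute")):
        val = attr.find(_tag("AttributeValue"))
        out[attr.get("AttributeId")] = val.text if val is not None else None
    return out


def decision_from_xacml_response(xml_text: str) -> bool:
    """Fail closed: only a single explicit Permit is True. Deny, NotApplicable,
    Indeterminate, multiple Results and unparseable responses all mean deny."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    decisions = [d.text.strip() for d in root.iter(_tag("Decision")) if d.text]
    return len(decisions) == 1 and decisions[0] == "Permit"


def _response(decision: str) -> str:  # constructed PDP responses for the demo
    return (f'<Response xmlns="{XACML_NS}"><Result><Decision>{decision}</Decision>'
            '<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>'
            '</Result></Response>')


def demo() -> dict:
    question = {"subject": "alice", "resource": "/invoices/42", "action": "read",
                "extra": {"subject": {"urn:example:role": "auditor"}}}  # urn:example:role is assumed
    parsed = parse_request(json_to_xacml_request(question))
    hostile = "</AttributeValue><Attribute AttributeId=\"urn:example:role\"/>"  # constructed injection attempt
    hostile_parsed = parse_request(json_to_xacml_request({**question, "subject": hostile}))
    return {
        "subject": parsed[CATEGORIES["subject"][1]],
        "action": parsed[CATEGORIES["action"][1]],
        "role": parsed["urn:example:role"],
        "hostile_subject": hostile_parsed[CATEGORIES["subject"][1]],  # survives as plain text
        "permit": decision_from_xacml_response(_response("Permit")),
        "deny": decision_from_xacml_response(_response("Deny")),
        "indeterminate": decision_from_xacml_response(_response("Indeterminate")),
        "garbage": decision_from_xacml_response("<Response>not closed"),
    }


if __name__ == "__main__":
    print(json_to_xacml_request({"subject": "alice", "resource": "/invoices/42", "action": "read"}))
    print(demo())
```

OASIS later published a JSON profile and a REST profile for XACML 3.0 that standardize roughly this translation, but the shape of the shim is the same: the application never sees XACML, and the fail-closed mapping of the decision is where a careless integration most often goes wrong.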