security & identity : from present to future
Post on 09-Jan-2016
19 Views
Preview:
DESCRIPTION
TRANSCRIPT
© 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
Security & Identity : From present to future
Matt Flaherty, IBMMary Ruddy, Meristic
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
Agenda
• Securing the platform... security features in 3.4 • Platform security... what's coming next• Beyond the platform.. Higgins identity framework 1.0• Higgins identity framework... what's coming next
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
Platform security... what's available and where
• The platform security goal: Protect the operating system, application code and user’s data
from each other and from malicious code packaged as bundles
• Security features to attain this span the software stack
Java Runtime Environment
OSGi Service Platform
Eclipse Platform
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
Platform security... what's available in the JRE
Java Runtime Environment
JCA JCE
JAAS JSSE
• Java Cryptography Architecture
• Java Cryptography Extensions
• Java Authentication and Authorization Service
• Java Secure Sockets Extensions
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
Platform security... what's available in OSGI
• Support for Java features: signing, permissions, etc• Strict classloading policies between bundles
Bundle “private classes”
• Administrative services for permissions org.osgi.service.PermissionAdmin org.osgi.service.condpermadmin.ConditionalPermissionAdmin
• User registry for managing users and roles org.osgi.service.UserAdmin
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
Platform security... what's available in Eclipse
• Signature checking during bundle provisioning• NEW! Signature checking during bundle loading• NEW! Certificate management UI• NEW! Secure storage via preferences API • NEW! JAAS enhancements - declarative wiring, events
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
Platform security... what's coming next!
• Manageable Java2 permission infrastructure Code sanitation for doPrivileged User interface, policy management
• Expose certificate management facilities Public APIs for label providers, viewers, wizards, etc Trust model integration with OSGi, P2, ECF
• Deeper JAAS integration Potential: RCP Lifecycle integration, Jobs integration
• Identity management support with Higgins
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
How do you bring security and identity to people?
The web of today isn’t people-centered
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
It’s silo-centered
Site ASite A Site BSite B Site CSite C
Type type type, click, click, click. Clickety-clack, clickety-clack.
Site BSite B
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
There is a better way
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
Automatic identity sharing
Identity Selector
The BIG IDEA for People
Site ASite A Site BSite B Site CSite C
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
Automatic identity sharing
Identity Selector
The BIG IDEA for People
Site ASite A Site BSite B Site CSite C
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
Automatic identity sharing
Identity Selector
The BIG IDEA for People
Site ASite A Site BSite B Site CSite C
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
Then you’d have Higgins
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
Higgins
Higgins1: a species of Tasmanian long-tailed mouse
2: an open source identity selector and interoperability framework being developed by
IBM, Novell, Oracle, CA, Google, Parity…
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
A consistent user experience across contexts (including Financial Services, healthcare, eCommerce) is the key to
convenience and adoption
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
i-cards
Managed
Personal (self-issued)
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
These i-cards are managed by an Identity Selector
Something that works on behalf of the user (citizen, patient, consumer). Really.
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
Click on a card
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
…you’re signed in.
(No password required)
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
The Identity selector is powered by an interoperability framework
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
Interoperability framework
Higgins FrameworkHiggins Framework
Higgins Browser Extension
Higgins Browser Extension AppsApps Identity
ProvidersIdentity
ProvidersApps and Services
CardSpaceCardSpaceProtocol Providers implement protocols for interacting with Relying Parties
OpenIDOpenID
CardSpace Managed (WS-Trust)
CardSpace Managed(WS-Trust)
RSS/AtomRSS/Atom
I-Card Providers implement identity protocols and card types
CardSpace PersonalCardSpace Personal
SAMLSAML X509X509
Higgins Relationship
Higgins Relationship
KerberosKerberos
JNDI / LDAPJNDI / LDAP
Enterprise Apps
Enterprise Apps
Token Providers implement different kinds of security tokens
IdAS Context Providers connect to different identity data sources
SAMLSAML
UN/PSUN/PS IdemixIdemix
RDF OWLRDF OWL
Active Directory
Active Directory
Comms ClientsComms Clients
Relying PartiesRelying Parties
Plug-ins
Common data model
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
Higgins 1.0 has just been released
7 Solutions now available Three Identity Selectors 2 Identity Providers (WS-Trust and SAML2) A Relying Parity Identity Attribute Service (interoperability framework)
Coming in Higgins 1.1 Additional Identity Selectors More Identity Protocols…. More i-card types
Security & Identity | From present to future | © 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0
Legal informationIBM and the IBM logo are trademarks or registered trademarks of IBM Corporation, in the United States, other
countries or both.
Java and all Java-based marks, among others, are trademarks or registered trademarks of Sun Microsystems in the United States, other countries or both.
Eclipse and the Eclipse logo are trademarks of Eclipse Foundation, Inc.
Other company, product and service names may be trademarks or service marks of others.
THE INFORMATION DISCUSSED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION, IT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, AND IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, SUCH INFORMATION. ANY INFORMATION CONCERNING IBM'S PRODUCT PLANS OR STRATEGY IS SUBJECT TO CHANGE BY IBM WITHOUT NOTICE.
top related