OASIS: Andre Durand, CEO, Ping Identity

Posted on 19-Jan-2016


DESCRIPTION

PowerPoint presentation by Andre Durand, CEO of Ping Identity, given under the OASIS banner, on federated identity: why the firewall paradigm no longer holds, how B2B federation is scaling, and what OpenID and SAML need to reach Internet scale. The full slide transcript follows.

TRANSCRIPT

Page 1: OASIS

OASIS

Andre Durand, CEO, Ping Identity

Page 2: OASIS

Yesterday’s Security Paradigm

Page 3: OASIS

Firewall this.

Page 4: OASIS

Increasingly, users, apps & data are outside firewall

Supply Chain Partners

Joint Ventures

BPO

On-Demand

Off-Shore

Page 5: OASIS

Today’s Interoperability Mandate

• Outsourcing Providers
• Software on Demand Providers
• Suppliers
• Dealers
• Industry Portals
• Business Customers
• Joint Venture Partners
• Consumers

[Slide diagram: a traditional perimeter network. Internet links via ISP1 (CAT) and ISP2 (LOXINFO) into a quad array of Internet routers; main firewall and secure firewall; proxy server, WWW server, VPN concentrator, TACACS server, IDS and IDS management; LAN core and external partner servers; and a 3rd-party zone with its own firewall, VPN, Ethernet, serial links, demarcs and router connection.]

Page 6: OASIS

Evolution Towards Federation

Isolated

Centralized

Federated

Page 7: OASIS

“We do single sign-on with 50 partners. We have 50 different ways of doing it.”

Fortune 50 Company

Today’s Reality

Page 8: OASIS

Tomorrow’s Goal

Page 9: OASIS

What is Federated Identity?

federated identity: a collective term describing agreements, standards, and technologies that make identity and entitlements portable across autonomous domains

Burton Group

Page 10: OASIS

Federated Web Single Sign-On

Page 11: OASIS

But it doesn’t stop there

• Federated web services (web 2.0 mashup)

• Federated provisioning / deprovisioning

• Federated attributes

• Federated policy management

• etc.

• it’s about coupling users, data & apps at Internet-scale

Page 12: OASIS

How B2B Federation is Scaling

[Slide diagram: many hub-and-spoke federations, each hub ringed by spokes and partners, multiplying in phases (Today, Phase 1, Phase 2, Phase 3) across Mobile Operators, Major ISPs, Financial Service Co’s, Service Providers (Relying Parties), Enterprises and Major Portals.]

Page 13: OASIS

Federal

Transportation

Shipping

Auto

SaaS

FiServ

Insurance

Oil & Gas

Benefits

Education

1,500 Universities

Page 14: OASIS

But even B2B scale is tough

B2B

Page 15: OASIS

And B2C scale needs work

Page 16: OASIS

Stepping back…

B2B B2C

Page 17: OASIS

Opportunities come in Sets

Identity is coming at us in waves

Page 18: OASIS

Each wave bigger than the prior

B2E (Internal)

B2B (External)

B2C (Consumer-Facing)

Page 19: OASIS

But with each wave, we’re introducing new tools…

Page 20: OASIS

Different Business Needs

Page 21: OASIS

But User Experience is Crucial

Page 22: OASIS

Discontinuous Evolution is Normal

B2B

B2C

Page 23: OASIS

Challenge: Simple & Secure Don’t Mix

Page 24: OASIS

Enterprise Scale Federation

Internet-Scale Identity

Scale & Trust Breakthrough

Continuity

An Industry-Wide Imperative: CONTINUITY

Page 25: OASIS

But we also need a network effect…

* Selected New PingFederate Customers from 1/1/07 - 9/1/07

Metcalfe’s Law

Page 26: OASIS

[Slide chart, federation style plotted over Time: Point-to-Point Federation, then Federation Hubs, then Dynamic Federation (Shibb multilateral, PKI’d).]

Page 27: OASIS

But what about OpenID?

For Internal Use Only! Do Not Distribute!

Page 28: OASIS

We can make it more secure

• Use a trusted IdP list
• Disable the “No Encryption” association session
• Require SSL
• Create a unique request id for each request and make each assertion one-time use
• Measures to prevent phishing attacks [IdP]
  – CardSpace
  – Certificate authentication
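The hardening list above names the relying-party checks but does not show them. The Go program below is an added example, not code from the presentation or from Ping Identity: a minimal OpenID 2.0-style relying party that keeps a trusted-IdP list, refuses the cleartext “no-encryption” association session, requires an https OP endpoint, binds every request to a unique request id carried in return_to, and treats both that request id and the response nonce as one-time use, so a replayed assertion is rejected. The OP endpoint, return_to URL, association handle, MAC key and the OPAssert stand-in for the identity provider are all constructed for the example; the signature is HMAC-SHA256 over the key-value form the OpenID 2.0 specification signs, and this RP deliberately requires one fixed signed-field list instead of trusting whatever list the assertion names. Demo runs one honest login and then replays the identical assertion.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var (
	trustedOPs = map[string]bool{"https://op.example.com/openid": true} // constructed trusted-IdP list
	signedList = "op_endpoint,return_to,response_nonce,assoc_handle"    // fields every assertion must sign
)

// sign is the OpenID 2.0 HMAC over the key-value form ("name:value\n") of the signed fields.
func sign(key []byte, f map[string]string) string {
	m := hmac.New(sha256.New, key)
	for _, n := range strings.Split(signedList, ",") {
		m.Write([]byte(n + ":" + f["openid."+n] + "\n"))
	}
	return base64.StdEncoding.EncodeToString(m.Sum(nil))
}

func randomToken() string {
	b := make([]byte, 16)
	rand.Read(b)
	return fmt.Sprintf("%x", b)
}

type RelyingParty struct {
	pending map[string]string // issued return_to URL (carrying the request id) -> OP it was issued for
	seen    map[string]bool   // response nonces already consumed
	macKeys map[string][]byte // "op|assoc_handle" -> negotiated MAC key
}

// Associate stores a MAC key but refuses "no-encryption", which would ship the key in the clear.
func (rp *RelyingParty) Associate(op, handle, sessionType string, key []byte) error {
	if sessionType == "no-encryption" {
		return errors.New("cleartext association session refused")
	}
	rp.macKeys[op+"|"+handle] = key
	return nil
}

// Begin issues a unique request id bound to one OP and returns the return_to URL carrying it.
func (rp *RelyingParty) Begin(op string) (string, error) {
	if !trustedOPs[op] {
		return "", errors.New("OP not on trusted list")
	}
	returnTo := "https://rp.example.com/return?rid=" + randomToken()
	rp.pending[returnTo] = op
	return returnTo, nil
}

// Verify checks a positive assertion; the request id and nonce are consumed only on success.
func (rp *RelyingParty) Verify(f map[string]string) error {
	op, returnTo, nonce := f["openid.op_endpoint"], f["openid.return_to"], f["openid.response_nonce"]
	key, haveKey := rp.macKeys[op+"|"+f["openid.assoc_handle"]]
	switch {
	case f["openid.mode"] != "id_res" || !trustedOPs[op] || !strings.HasPrefix(op, "https://"):
		return errors.New("not a positive assertion from a trusted SSL OP")
	case rp.pending[returnTo] != op:
		return errors.New("unknown, reused or mismatched request id")
	case nonce == "" || rp.seen[nonce]:
		return errors.New("response nonce replayed")
	case f["openid.signed"] != signedList:
		return errors.New("signed field list not as required")
	case !haveKey || !hmac.Equal([]byte(sign(key, f)), []byte(f["openid.sig"])):
		return errors.New("unknown association or bad signature")
	}
	delete(rp.pending, returnTo) // the request id and the nonce are now spent
	rp.seen[nonce] = true
	return nil
}

// OPAssert plays the identity provider and signs a positive assertion (constructed stand-in).
func OPAssert(key []byte, op, handle, returnTo string) map[string]string {
	f := map[string]string{
		"openid.mode": "id_res", "openid.op_endpoint": op, "openid.return_to": returnTo,
		"openid.response_nonce": "2007-09-01T00:00:00Z" + randomToken(),
		"openid.assoc_handle": handle, "openid.signed": signedList,
	}
	f["openid.sig"] = sign(key, f)
	return f
}

// Demo: honest login, then the very same assertion replayed (the two calls evaluate left to right).
func Demo() (error, error) {
	op, key := "https://op.example.com/openid", []byte("constructed demo MAC key, not negotiated")
	rp := &RelyingParty{map[string]string{}, map[string]bool{}, map[string][]byte{}}
	rp.Associate(op, "h1", "DH-SHA256", key)
	returnTo, _ := rp.Begin(op)
	a := OPAssert(key, op, "h1", returnTo)
	return rp.Verify(a), rp.Verify(a)
}

func main() { fmt.Println(Demo()) }
```

The replay fails before the nonce is even examined, because the request id in return_to was deleted when the first assertion was accepted; the nonce set is the second line of defence for the case where an attacker obtains an assertion for a request that is still pending. A real RP bounds that set with the timestamp prefix of the nonce, rejecting anything outside a short window, and looks up the MAC key by association handle as negotiated over a Diffie-Hellman session rather than the constructed key used here.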

Page 29: OASIS

And what about SAML?

business + IT

Page 30: OASIS

We can make it more dynamic

[Slide diagram: several SPs and IdPs, each holding a certificate issued by a public CA, e.g. CA1 (Entrust) and CA2 (Verisign), with no direct connections drawn between the partners.]

• Trust anchored via common list of root CA certificates

• No out of band certificate exchange between IdP’s and SP’s

• Partner certificate in message or via meta-data

Page 31: OASIS


Get rid of ‘connections’

[Slide diagram, eleven numbered steps between a Browser, a Service Provider and an Identity Provider: the user requests the Target Resource and enters an Email address; the SP performs Metadata Retrieval for the IdP; Federation Servers on both sides consult their own WhiteList; the IdP performs Authentication and the user lands on the Target Resource.]
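Slide 30’s bullets and slide 31’s whitelists describe dynamic federation without showing how a previously unknown partner becomes trusted. The Go program below is an added example, not code from the presentation and not a PingFederate feature: each side of the federation holds a common root-CA list and its own whitelist of partner entityIDs, and a partner’s signing certificate, taken from its metadata rather than exchanged out of band, is accepted only if it chains to one of the common roots and names the host the whitelist expects for that entityID. The root CAs, keys, entityIDs and hostnames are generated or constructed inline, and the Metadata struct stands in for real SAML metadata. Demo returns three verdicts: a partner under the common root, the same entityID presented with a certificate from a CA outside the root list, and a correctly issued certificate for an entityID that is not whitelisted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Metadata stands in for the SAML metadata a partner publishes (constructed for the example).
type Metadata struct {
	EntityID   string
	SigningDER []byte // DER signing certificate carried in the metadata, no out-of-band exchange
}

func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// issue creates a certificate signed by parent, or self-signed when parent is nil.
func issue(cn string, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // the partner host the verifier will demand
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Federation is one side of a dynamic federation: a common root-CA list plus its own whitelist.
type Federation struct {
	Roots     *x509.CertPool
	WhiteList map[string]string // entityID this side federates with -> host its certificate must name
}

// TrustPartner accepts a partner's metadata when the entityID is whitelisted and the signing
// certificate both chains to a common root and names the expected host.
func (f *Federation) TrustPartner(md Metadata) error {
	host, ok := f.WhiteList[md.EntityID]
	if !ok {
		return errors.New("entityID not on whitelist")
	}
	cert, err := x509.ParseCertificate(md.SigningDER)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: f.Roots, DNSName: host}); err != nil {
		return fmt.Errorf("certificate does not chain to a common root: %w", err)
	}
	return nil
}

// Demo: a trusted root, a rogue root and three partner certificates, then the three verdicts.
func Demo() (trusted, rogueCA, unlisted error) {
	rootKey, rogueKey := newKey(), newKey()
	root := issue("Example Root CA", true, rootKey, nil, nil)
	rogue := issue("Rogue CA", true, rogueKey, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	fed := &Federation{Roots: roots, WhiteList: map[string]string{"https://idp.partner.example/saml": "idp.partner.example"}}
	good := issue("idp.partner.example", false, newKey(), root, rootKey)
	fake := issue("idp.partner.example", false, newKey(), rogue, rogueKey)
	other := issue("idp.other.example", false, newKey(), root, rootKey)
	trusted = fed.TrustPartner(Metadata{"https://idp.partner.example/saml", good.Raw})
	rogueCA = fed.TrustPartner(Metadata{"https://idp.partner.example/saml", fake.Raw})
	unlisted = fed.TrustPartner(Metadata{"https://idp.other.example/saml", other.Raw})
	return
}

func main() { fmt.Println(Demo()) }
```

The whitelist is what keeps “any certificate from a public CA” from meaning “any partner”: chaining to a common root proves the certificate was issued to whoever controls that hostname, and the whitelist says which hostnames this side has agreed to federate with. In a deployment the metadata would also be signature-checked or fetched over TLS from the partner’s well-known location, and the same check would be repeated on each signature validation, since a partner can rotate its certificate simply by republishing metadata.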

Page 32: OASIS

(Agenda slide repeated: Enterprise Scale Federation; Internet-Scale Identity; Scale & Trust Breakthrough; Continuity, the industry-wide imperative.)

Page 33: OASIS

We should try to cooperate

Page 34: OASIS

But in the end, balance will prevail

[Slide diagram: a Balanced Ecosystem between Identity Provider, Service Provider and End-User, labelled Federation at Scale, Privacy & Convenience, Security & Control, and Administrative Ease.]

Page 36: OASIS

And we’ve interviewed many of them

• 20 customers and partners
• 60-90 minute discussions
  – 1/3 face-to-face
  – Some follow-ups with SP Product Management
• Customer breakdown by type:
  – 1/3 IdPs
  – 1/3 SPs
  – 1/3 Hybrids & Partners

Page 37: OASIS

Lessons Learned – Business Drivers

#1 Driver: Outsourcing to drive down costs

Identity Providers

– The IdP requirement is “SSO”, not “SAML”

– IdP questions are “How long does this take?” and “What does this cost?”, not “What technology?”

Service Providers

– SPs compete on price, so they are predisposed to build

– SPs want their costs to align with their revenue

Page 38: OASIS

Lessons Learned – Organizational Issues

• Understand the roles involved on both sides

• The “proxies” to IT and the Business control the implementation queue

• The SP Business Development Manager and Project Manager are focused on driving revenue – very interested in reducing implementation timelines

Page 39: OASIS

What is Ping Identity doing about this?

• Experimenting between the seams
  – SAML & OpenID
  – OpenID & CardSpace
  – SAML & CardSpace
• Partnering with federation hubs (e.g. Covisint & Exostar)
• Building methodology to drive the mystery of connecting out of the equation
• Leading one effort to make SAML more dynamic, working with Sun, Shibb & others
• Working with the Shibb community

Page 40: OASIS

Summary

1. Networking of security (identity) is inevitable
2. Identity is coming in waves
3. Different tools are ok, BUT
   1. Continuity is crucial
   2. And user experience is crucial
   3. And we’ve got to find the balance of simple & secure
   4. Different approaches will do for now
   5. Ultimately, we owe it to ourselves to get this right