Transcript of a PowerPoint presentation: OASIS, by Andre Durand, CEO, Ping Identity.
![Page 1: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/1.jpg)
OASIS
Andre Durand, CEO, Ping Identity
![Page 2: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/2.jpg)
Yesterday’s Security Paradigm
![Page 3: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/3.jpg)
Firewall this.
![Page 4: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/4.jpg)
Increasingly, users, apps & data are outside firewall
Supply Chain Partners
Joint Ventures
BPO
On-Demand
Off-Shore
![Page 5: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/5.jpg)
Today’s Interoperability Mandate
• Outsourcing Providers
• Software on Demand Providers
• Suppliers
• Dealers
• Industry Portals
• Business Customers
• Joint Venture Partners
• Consumers
[Network diagram of a conventional perimeter: Internet via ISP1 (CAT) and ISP2 (LOXINFO) into a quad array of Internet routers, a main firewall and a secure firewall in front of the LAN core; in the perimeter zone a proxy server, WWW server, VPN concentrator, TACACS server, IDS and IDS management; external partner servers reached over a 3rd-party firewall, 3rd-party VPN, 3rd-party Ethernet, 3rd-party serial links, demarcation points and a 3rd-party router connection.]
![Page 6: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/6.jpg)
Evolution Towards Federation
Isolated
Centralized
Federated
![Page 7: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/7.jpg)
“We do single sign-on with 50 partners. We have 50 different ways of doing it.”
Fortune 50 Company
Today’s Reality
![Page 8: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/8.jpg)
Tomorrow’s Goal
![Page 9: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/9.jpg)
What is Federated Identity?
federated identity: a collective term describing agreements, standards, and technologies that make identity and entitlements portable across autonomous domains
Burton Group
![Page 10: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/10.jpg)
Federated Web Single Sign-On
![Page 11: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/11.jpg)
But it doesn’t stop there
• Federated web services (web 2.0 mashup)
• Federated provisioning / deprovisioning
• Federated attributes
• Federated policy management
• etc.
• etc.
• it’s about coupling users, data & apps at Internet-scale
![Page 12: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/12.jpg)
How B2B Federation is Scaling
[Diagram: hub-and-spoke federation networks growing in stages (Today, Phase 1, Phase 2, Phase 3); hubs include Enterprises, Major Portals, Mobile Operators, Major ISPs and Financial Service Co’s; spokes are Partners and Service Providers (Relying Parties).]
![Page 13: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/13.jpg)
Federal
Transportation
Shipping
Auto
SaaS
FiServ
Insurance
Oil & Gas
Benefits
Education (1,500 Universities)
![Page 14: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/14.jpg)
But even B2B scale is tough
B2B
![Page 15: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/15.jpg)
And B2C scale needs work
![Page 16: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/16.jpg)
Stepping back…
B2B B2C
![Page 17: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/17.jpg)
Opportunities come in Sets
Identity is coming at us in waves
![Page 18: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/18.jpg)
Each wave bigger than the prior
B2E (Internal)
B2B (External)
B2C (Consumer-Facing)
![Page 19: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/19.jpg)
But with each wave, we’re introducing new tools…
![Page 20: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/20.jpg)
Different Business Needs
![Page 21: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/21.jpg)
But User Experience is Crucial
![Page 22: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/22.jpg)
Discontinuous Evolution is Normal
B2B
B2C
![Page 23: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/23.jpg)
Challenge: Simple & Secure Don’t Mix
![Page 24: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/24.jpg)
Enterprise Scale Federation
Internet-Scale Identity
Scale & Trust Breakthrough
Continuity
An Industry-Wide Imperative: CONTINUITY
![Page 25: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/25.jpg)
But we also need a network effect…
* Selected New PingFederate Customers from 1/1/07 - 9/1/07
Metcalfe’s Law
![Page 26: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/26.jpg)
[Chart of federation approaches over Time: Point-to-Point Federation, Federation Hubs, PKI’d, Shibb Multilateral, Dynamic Federation.]
![Page 27: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/27.jpg)
But what about OpenID?
For Internal Use Only! Do Not Distribute!
![Page 28: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/28.jpg)
We can make it more secure
• Use a trusted IdP list
• Disable “No Encryption” association session
• Require SSL
• Create a unique request id for each request and make each assertion one-time use
• Measures to prevent phishing attacks [IdP]
– CardSpace
– Certificate authentication
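The relying-party side of the checklist above, written out as an added example (this is not Ping Identity’s code and not a reference OpenID implementation). It takes the OpenID 2.0 positive-assertion format and signature rule as given; the OP endpoint, return URL, association handle and MAC key are constructed, and the Diffie-Hellman association exchange that would normally produce that MAC key is assumed to have already happened.

```python
import base64
import hashlib
import hmac
import secrets
import time
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Added example: a minimal OpenID 2.0 relying party applying the slide's RP-side
# measures: trusted OP list, no "no-encryption" association, SSL required on the
# OP endpoint, a unique request id per request, and one-time-use assertions.
# Endpoints, keys and handles below are constructed for the example.

TRUSTED_OPS = {"https://op.example.net/openid"}   # trusted IdP (OP) list
NONCE_WINDOW = 300                                 # seconds an OP nonce stays acceptable
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}


def kv_form(fields, keys):
    # OpenID 2.0 Key-Value Form of the signed fields: "key:value\n" per field, in order.
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in keys).encode()


def sign(fields, mac_key):
    # HMAC-SHA256 over the Key-Value Form, base64 encoded (assoc_type HMAC-SHA256).
    keys = fields["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(fields, keys), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_nonce(now):
    # OP response_nonce: UTC timestamp "YYYY-MM-DDTHH:MM:SSZ" plus a unique suffix.
    stamp = datetime.fromtimestamp(now, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return stamp + secrets.token_hex(4)


def op_assertion(op, return_to, handle, mac_key, nonce, claimed_id):
    # Constructed positive assertion, as a well-behaved OP would send it to return_to.
    fields = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
              "openid.op_endpoint": op, "openid.return_to": return_to,
              "openid.response_nonce": nonce, "openid.assoc_handle": handle,
              "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
              "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"}
    fields["openid.sig"] = sign(fields, mac_key)
    return fields


class RelyingParty:
    def __init__(self, trusted_ops, return_to_base):
        self.trusted_ops = set(trusted_ops)
        self.return_to_base = return_to_base
        self.assoc_keys = {}      # assoc_handle -> MAC key agreed during association
        self.pending = set()      # unique request ids not yet consumed
        self.used_nonces = set()  # OP nonces already accepted (one-time use)

    def store_association(self, handle, mac_key):
        self.assoc_keys[handle] = mac_key

    def association_request(self, op):
        # Only associate with a trusted OP over SSL, and never offer "no-encryption".
        if op not in self.trusted_ops or urlparse(op).scheme != "https":
            raise ValueError("untrusted or non-SSL OP endpoint")
        return {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "associate",
                "openid.assoc_type": "HMAC-SHA256", "openid.session_type": "DH-SHA256"}

    def begin(self):
        # Unique request id per authentication request, carried in return_to.
        rid = secrets.token_urlsafe(16)
        self.pending.add(rid)
        return f"{self.return_to_base}?rid={rid}"

    def validate(self, resp, now=None):
        """Check a positive assertion; returns (accepted, claimed_id or reason)."""
        now = time.time() if now is None else now
        if resp.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        op = resp.get("openid.op_endpoint", "")
        if op not in self.trusted_ops or urlparse(op).scheme != "https":
            return False, "OP endpoint not on trusted list or not SSL"
        rt = urlparse(resp.get("openid.return_to", ""))
        if f"{rt.scheme}://{rt.netloc}{rt.path}" != self.return_to_base:
            return False, "return_to mismatch"
        rid = parse_qs(rt.query).get("rid", [None])[0]
        if rid not in self.pending:
            return False, "unknown or already-used request id"
        if not REQUIRED_SIGNED <= set(resp.get("openid.signed", "").split(",")):
            return False, "required fields not covered by signature"
        mac_key = self.assoc_keys.get(resp.get("openid.assoc_handle"))
        if mac_key is None:
            return False, "unknown association handle"
        if not hmac.compare_digest(sign(resp, mac_key), resp.get("openid.sig", "")):
            return False, "bad signature"
        nonce = resp["openid.response_nonce"]
        ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        if abs(now - ts) > NONCE_WINDOW or nonce in self.used_nonces:
            return False, "stale or replayed assertion"
        # Accept exactly once: consume both the request id and the OP nonce.
        self.pending.discard(rid)
        self.used_nonces.add(nonce)
        return True, resp["openid.claimed_id"]
```

The signature covers return_to, so the per-request id embedded in it cannot be moved to another request without breaking the MAC; the nonce window plus the used-nonce set is what makes a captured assertion worthless on replay.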
![Page 29: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/29.jpg)
And what about SAML?
business + IT
![Page 30: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/30.jpg)
We can make it more dynamic
[Diagram: several SPs and IdPs, each holding a certificate issued by a public CA (CA1, e.g. Entrust; CA2, e.g. Verisign).]
• Trust anchored via common list of root CA certificates
• No out of band certificate exchange between IdP’s and SP’s
• Partner certificate in message or via meta-data
![Page 31: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/31.jpg)
Get rid of ‘connections’
[Diagram: Browser, Service Provider and Identity Provider (each running federation servers with a WhiteList) and the Target Resource; numbered steps 1–11 cover metadata retrieval, authentication and access to the target resource.]
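The trust decision behind the two slides above (CA-anchored trust with the partner certificate delivered in metadata, plus a whitelist on the SP side), as an added example rather than Ping Identity or PingFederate code. It needs the `cryptography` package; the root CAs, partner keys, entityIDs and URLs are constructed, the metadata is a minimal hand-built IdP descriptor, and the chain check is one level deep (root signs partner), which is all the constructed CA needs.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Added example (not PingFederate code): an SP admits a partner IdP from its SAML
# metadata when (a) the entityID is on the SP's whitelist and (b) the signing
# certificate carried in the metadata chains to one of the SP's trusted root CAs.
# No per-partner certificate is exchanged out of band. All CAs, keys and names are
# constructed for the example.

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, pubkey, signer, days, ca):
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1)).not_valid_after(now + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))


def make_root(cn):
    """Self-signed root CA (key, cert); stands in for a commercial root such as Entrust or Verisign."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _cert(_name(cn), _name(cn), key.public_key(), key, 3650, True)


def issue_partner_cert(root_key, root_cert, cn):
    """End-entity signing certificate for a partner IdP, issued by the given root."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _cert(_name(cn), root_cert.subject, key.public_key(), root_key, 365, False)


def idp_metadata(entity_id, cert):
    """Minimal SAML 2.0 IdP metadata carrying the signing certificate in a KeyDescriptor."""
    b64 = base64.b64encode(cert.public_bytes(serialization.Encoding.DER)).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{entity_id}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="{entity_id}/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _validity(cert):
    # Newer cryptography exposes tz-aware *_utc properties; fall back to the naive ones.
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=dt.timezone.utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=dt.timezone.utc)
    return nb, na


def chains_to_root(cert, roots, now):
    """True if cert is in its validity period and its signature verifies under a trusted root."""
    nb, na = _validity(cert)
    if not (nb <= now <= na):
        return False
    for root in roots:
        if cert.issuer != root.subject:
            continue
        try:
            root.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     ec.ECDSA(cert.signature_hash_algorithm))
            return True
        except InvalidSignature:
            continue   # same issuer name, wrong key: keep looking, then fail
    return False


def admit_partner(metadata_xml, whitelist, roots, now=None):
    """SP-side decision: (admitted, entityID or reason, signing cert or None)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    desc = ET.fromstring(metadata_xml)
    entity_id = desc.get("entityID")
    if entity_id not in whitelist:
        return False, f"entityID not whitelisted: {entity_id}", None
    b64 = desc.findtext("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                        "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if not b64 or not b64.strip():
        return False, "no signing certificate in metadata", None
    cert = x509.load_der_x509_certificate(base64.b64decode(b64.strip()))
    if not chains_to_root(cert, roots, now):
        return False, "signing certificate does not chain to a trusted root", None
    return True, entity_id, cert
```

The whitelist is what keeps "anyone with a Verisign certificate" from becoming a partner: the CA list answers "is this really the IdP it claims to be", the whitelist answers "do we do business with it". Both checks belong on the SP before any assertion from that IdP is accepted.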
![Page 32: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/32.jpg)
Enterprise Scale Federation
Internet-Scale Identity
Scale & Trust Breakthrough
Continuity
An Industry-Wide Imperative: CONTINUITY
![Page 33: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/33.jpg)
We should try to cooperate
![Page 34: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/34.jpg)
Identity Provider Service Provider
But in the end, balance will prevail
End-User
Balanced Ecosystem
Federation at Scale
Privacy & Convenience
Security & Control Administrative Ease
![Page 35: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/35.jpg)
ranting aside, people are federating
![Page 36: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/36.jpg)
And we’ve interviewed many of them
• 20 customers and partners
• 60-90 minute discussions
– 1/3 face-to-face
– Some follow-ups with SP Product Management
• Customer breakdown by type:
– 1/3 IdP’s
– 1/3 SP’s
– 1/3 Hybrids & Partners
![Page 37: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/37.jpg)
Lessons Learned – Business Drivers
#1 Driver: Outsourcing to drive down costs
Identity Providers
– IdP requirement is “SSO” not “SAML”
– IdP questions are “How long does this take?” and “What does this cost?” – not “What technology?”
Service Providers
– SP’s compete on price = pre-disposed to build
– SP’s want their costs to align with their revenue
![Page 38: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/38.jpg)
Lessons Learned – Organizational Issues
• Understand the roles involved on both sides
• The “proxies” to IT and the Business control the implementation queue
• The SP Business Development Manager and Project Manager are focused on driving revenue – very interested in reducing implementation timelines
![Page 39: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/39.jpg)
What is Ping Identity doing about this?
• Experimenting between the seams
– SAML & OpenID
– OpenID & CardSpace
– SAML & CardSpace
• Partnering with federation hubs (e.g. Covisint & Exostar)
• Building methodology to drive the mystery of connecting out of the equation
• Leading one effort to make SAML more dynamic. Working with Sun, Shibb & others
• Working with the Shibb community
![Page 40: OASIS](https://reader035.vdocuments.us/reader035/viewer/2022062322/56814e4f550346895dbbdf65/html5/thumbnails/40.jpg)
Summary
1. Networking of security (identity) is inevitable
2. Identity coming in waves
3. Different tools are ok, BUT
1. Continuity is crucial
2. And user experience is crucial
3. And, we’ve got to find the balance of simple & secure
4. Different approaches will do for now
5. Ultimately, we owe it to ourselves to get this right