OASIS
Andre Durand, CEO, Ping Identity
Yesterday’s Security Paradigm
Firewall this.
Increasingly, users, apps & data are outside firewall
Supply Chain Partners
Joint Ventures
BPO
On-Demand
Off-Shore
Today’s Interoperability Mandate
• Outsourcing Providers
• Software on Demand Providers
• Suppliers
• Dealers
• Industry Portals
• Business Customers
• Joint Venture Partners
• Consumers
[Network diagram: Internet access via ISP1 (CAT) and ISP2 (LOXINFO) through a quad array of Internet routers; proxy server, WWW server, VPN concentrator, TACACS server and IDS management behind a main firewall and a secure firewall; LAN core, external partner servers and IDS; third-party firewall, VPN, Ethernet, serial links and router connection at the demarcation points]
Evolution Towards Federation
Isolated
Centralized
Federated
“We do single sign-on with 50 partners. We have 50 different ways of doing it.”
(Fortune 50 Company)
Today’s Reality
Tomorrow's Goal
What is Federated Identity?
federated identity: a collective term describing agreements, standards, and technologies that make identity and entitlements portable across autonomous domains
(Burton Group)
Federated Web Single Sign-On
But it doesn’t stop there
• Federated web services (web 2.0 mashup)
• Federated provisioning / deprovisioning
• Federated attributes
• Federated policy management
• etc.
• etc.
• it’s about coupling users, data & apps at Internet-scale
How B2B Federation is Scaling
[Diagram: hub-and-spoke federations, each hub serving many spokes and partners, multiplying over Today, Phase 1, Phase 2 and Phase 3. Participants shown: Mobile Operators, Major ISPs, Financial Service Co's, Service Providers (Relying Parties), Enterprises, Major Portals. Verticals shown: Federal, Transportation, Shipping, Auto, SaaS, FiServ, Insurance, Oil & Gas, Benefits, Education (1,500 Universities)]
But even B2B scale is tough
And B2C scale needs work
Stepping back…
Opportunities come in Sets
Identity is coming at us in waves
Each wave bigger than the prior
B2B
B2E
B2C
Internal
External
Consumer-Facing
But with each wave, we’re introducing new tools…
Different Business Needs
But User Experience is Crucial
Discontinuous Evolution is Normal
B2B
B2C
Challenge: Simple & Secure Don’t Mix
Enterprise Scale Federation
Internet-Scale Identity
Scale & Trust Breakthrough
Continuity
An Industry-Wide Imperative: CONTINUITY
But we also need a network effect…
* Selected New PingFederate Customers from 1/1/07 - 9/1/07
Metcalfe’s Law
Dynamic Federation
Shibb Multilateral
Point-to-Point Federation
Time
Federation Hubs
PKI’d
But what about OpenID?
For Internal Use Only! Do Not Distribute!
We can make it more secure
• Use a trusted IdP list
• Disable “No Encryption” association session
• Require SSL
• Create a unique request id for each request and make each assertion one-time use
• Measures to prevent phishing attacks [IdP]
– CardSpace
– Certificate authentication
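The relying-party-side checks behind the four measures above, as an added Python example that is not from the presentation or from Ping Identity; the allowlisted IdP URL, the `rid` return_to parameter and the sample assertion are constructed assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: only assertions from these OP endpoints are accepted.
TRUSTED_IDPS = {"https://idp.example.com/openid"}

class PendingRequests:
    """Issues one unique id per authentication request; each id is usable once."""

    def __init__(self):
        self.pending = set()

    def issue(self):
        rid = secrets.token_urlsafe(16)
        self.pending.add(rid)
        return rid

    def consume(self, rid):
        # A second presentation of the same id (a replayed assertion) is refused.
        if rid in self.pending:
            self.pending.discard(rid)
            return True
        return False

def check_association(session_type):
    """Refuse 'no-encryption' associations: the shared MAC key would travel in the clear."""
    return session_type.lower() != "no-encryption"

def validate_response(fields, pending):
    """Return (ok, reason) for a positive assertion received at the relying party."""
    endpoint = fields.get("openid.op_endpoint", "")
    if urlparse(endpoint).scheme != "https":
        return False, "endpoint is not SSL"
    if endpoint not in TRUSTED_IDPS:
        return False, "IdP not on trusted list"
    return_to = urlparse(fields.get("openid.return_to", ""))
    if return_to.scheme != "https":
        return False, "return_to is not SSL"
    # The request id we issued rides along in return_to (hypothetical 'rid' parameter).
    rid = parse_qs(return_to.query).get("rid", [""])[0]
    if not pending.consume(rid):
        return False, "unknown or already-used request id"
    return True, "ok"

def sample_response(rid):
    """Constructed positive assertion, already parsed from the query string."""
    return {"openid.op_endpoint": "https://idp.example.com/openid",
            "openid.return_to": "https://rp.example.net/finish?rid=" + rid}
```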
business + IT
And what about SAML?
We can make it more dynamic
[Diagram: several SPs and IdPs, each trusting the others through CA1 (e.g. Entrust) and CA2 (e.g. Verisign) rather than through pairwise connections]
• Trust anchored via a common list of root CA certificates
• No out-of-band certificate exchange between IdPs and SPs
• Partner certificate carried in the message or obtained via metadata
Get rid of ‘connections’
[Flow diagram, steps 1 to 11: Browser, Service Provider, Identity Provider and Target Resource, with the Federation Servers on each side consulting a WhiteList; labelled steps include Metadata Retrieval and Authentication]
We should try to cooperate
[Diagram: Identity Provider and Service Provider]
But in the end, balance will prevail
[Diagram: Balanced Ecosystem centred on the End-User, balancing Federation at Scale, Privacy & Convenience, Security & Control, and Administrative Ease]
ranting aside, people are federating
And we’ve interviewed many of them
• 20 customers and partners
• 60-90 minute discussions
– 1/3 face-to-face
– Some follow-ups with SP Product Management
• Customer breakdown by type:
– 1/3 IdP’s
– 1/3 SP’s
– 1/3 Hybrids & Partners
Lessons Learned – Business Drivers
#1 Driver: Outsourcing to drive down costs
Identity Providers
– IdP requirement is “SSO” not “SAML”
– IdP questions are “How long does this take?” and “What does this cost?” – not “What technology?”
Service Providers
– SP’s compete on price = pre-disposed to build
– SP’s want their costs to align with their revenue
Lessons Learned – Organizational Issues
• Understand the roles involved on both sides
• The “proxies” to IT and the Business control the implementation queue
• The SP Business Development Manager and Project Manager are focused on driving revenue – very interested in reducing implementation timelines
What is Ping Identity doing about this?
• Experimenting between the seams
– SAML & OpenID
– OpenID & Cardspace
– SAML & Cardspace
• Partnering with federation hubs (e.g. Covisint & Exostar)
• Building methodology to take the mystery of connecting out of the equation
• Leading one effort to make SAML more dynamic, working with Sun, Shibb & others
• Working with the Shibb community
Summary
1. Networking of security (identity) is inevitable
2. Identity is coming in waves
3. Different tools are OK, BUT
1. Continuity is crucial
2. And user experience is crucial
3. And we’ve got to find the balance of simple & secure
4. Different approaches will do for now
5. Ultimately, we owe it to ourselves to get this right