webinar: "entitlements: taking control of the big data gold rush"

Copyright © 2015 ForgeRock, all rights reserved. Entitlements: Taking Control of the Big Data Gold Rush. Markus Weber, Andy Forrest. August 18th, 2015.

Upload: forgerock

Post on 21-Aug-2015


TRANSCRIPT

Page 1: Webinar: "Entitlements: Taking Control of the Big Data Gold Rush"

Copyright © 2015 ForgeRock, all rights reserved.

Entitlements: Taking Control of the Big Data Gold Rush

Markus Weber, Andy Forrest

August 18th, 2015

Page 2

Achieving the Holy Grail of Identity

Knowing Who's Who, What's What, and Who Gets Access to What

Source: Scott McNealy, Identity Summit 2015

Page 3

ForgeRock

Fastest-growing Open Source Identity Security Software company in the world

■ Founded 2010 with high double digit growth every year since inception
■ Over 200 full time employees
■ Over 400 customers
■ Active in over 30 countries
■ Locations: San Francisco, Vancouver (US), Bristol (UK), London (UK), Grenoble (FR), Oslo, Singapore, Düsseldorf

Award winning platform driving innovation worldwide

■ Gold winner of the CEO World awards 2014
■ Silver Winner in the 6th Annual Golden Bridge Award 2014
■ Silver winner for the Fastest-Growing Company of the Year in Best in Biz Awards 2014

Investors:

Our Origins:

Page 4

275 survey respondents

Research by

Page 5

Research by

71% using ForgeRock for THEIR customer identities (USA)

88% deploy in less than a year

65% deploy in less than 6 months

70% reach payback in less than 18 months

91% rate ForgeRock speed to deployment superior to competition

96% rate ForgeRock scalability superior to competition

92% rate ForgeRock reliability superior to competition

100% of government and financial services customers rate ForgeRock scalability superior to the competition

Page 6

The Platform

Page 7

The ForgeRock Identity Platform

(Identity Management) (Access Management)

(Directory Services) (Identity Gateway)

Page 8

Copyright © Identity Summit 2015, all rights reserved.

IDENTITY MANAGEMENT: Provisioning, Self-Service, Password Management, Synchronization/Reconciliation, Workflow Engine, SaaS Connectors

ACCESS MANAGEMENT: Authentication, Entitlements Management, Federation, Social Sign-On, Adaptive Risk, REST Security Token Service

API & MOBILE GATEWAY: API Security, Mobile Security, Legacy Application Security, Web Services Security, Password Capture and Replay

DIRECTORY SERVICES: Performance & Scalability, High Availability, Password Policy, Active Directory Synchronization, Identity Data Replication, LDAPv3 and REST2LDAP

COMMON SERVICES: REST API, Standards, User Interface

The ForgeRock Identity Platform

Page 9

custom, ldapv3

User Data Stores

Authentication

Coarse Grained Authorization

Policies

SSO Session Management

Federation Hub

Adaptive Risk

ForgeRock UI Framework

Password management

Audit Logging

UI Layer

Access Layer

Business Logic Layer

Services Layer

Persistence layer

SIEM | Reporting Tools(3rd party)

Authentication Systems

(out-of-the-box & 3rd party)

Analytics tools(3rd party)

Fine Grained Authorization

Pluggable

Common REST OpenID Connect OAuth2 SAMLv2 WS-*

Protected Resources

Web Application

Mobile Application

Policy Agent

Firewall

Reverse Proxy

REST Client

Session Layer (Stateful, Stateless)

Load balancer

Chip | Thing

End-User UI

JATO based Admin UI

Policy Editor

Monitoring

Page 10

The Near Future

Page 11

Return on Identity

Platform Focus for Maximizing ROI

API Economy

IoT Scale

IoT Ready

Privacy & Consent

Security Data Enrichment

Run Anywhere

Page 12

Privacy & Consent: User Managed Access (UMA)

• Standards based privacy and consent

• Giving people the right to control access to their data across providers

• Interoperable OAuth2-based protocol

• Shipping as an integrated feature of OpenAM and OpenIG

Page 13

Internet of Things Scale: Stateless Sessions

• Built on new stateless sessions

• JWT-based sessions
• Per-Realm configuration
• Enables true elastic deployment
• Massive horizontal scalability

(Chart: cluster size tracking demand over time, 12:00:00 AM to 11:59:59 AM; axes: Demand, Cluster Size. Diagram: Internet, Elastic Load Balancer.)

Page 14

Security: Continuous Authorization

OpenAM Session

Contextual Change

System Detects New Location

System detects change during session and requests 1x password

• Context based authentication and authorization

• Includes the device print and request context in the policy evaluation

• Custom logic easily integrated into Policy decisions with JavaScript, Groovy, or Java

• REST-calls to external Policy Information Points

Page 15

Entitlements

Taking Control of the Big Data Gold Rush

Andy Forrest (@apforrest) [email protected]

Page 16

“Information is the new currency”

Page 17

Let’s rewind a little...

Subject, Resource, Action, Environment

• Authentication
• Authorization

Page 18

What has a policy looked like?

Typically used to protect a web resource:

“Can Bob who is part of the admin group see the admin web page?”

Page 19

Policy solutions

• ACLs (access control lists)
  - focused on the subject

• RBAC (role based access control)
  - focused on the subject and resource
  - role explosion

Page 20

Policy characteristics

• Coarse grained
• Allow / deny
• Inflexible
• Low volume
• Minimal performance demand

Page 21

PEP

Common policy architecture

Protected resource

Bob

PDP

PAP

PIPs

Page 22

Common policy architecture

Policy agent

Protected resource

Bob

OpenAM

Page 23

What’s next for policy?

“Authorization is the new cool kid”

Page 24

IoT (Internet of Things)

• Not just web pages
• Richer relationships
• Descriptive demand

Page 25

UMA (User Managed Access)

• In the hands of the consumer
• High scale
• Decoupled
• Distributed

Page 26

Some of the buzz

• ABAC (attribute based access control)

• XACML (extensible access control markup language)

Page 27

Future policy characteristics

• Attribute based
• Fine grained
• Entitlements
• Unknown entities
• High volume
• Performance speed
• Outward facing
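The PEP / PDP / PAP / PIP split from the "Common policy architecture" slides and the attribute-based rule these ABAC bullets point to, as an added example in JavaScript (the language the slides name for custom policy conditions). This is illustration code, not OpenAM's own; the PIP table, the policy list, the `decide` function and the "step-up" outcome for the contextual-change case are all constructed here.

```javascript
// Added illustration, not OpenAM code: a tiny policy decision point (PDP) in the
// subject / resource / action / environment model. PAP output is a plain array
// of rules, PIP lookups are a constructed table, and the PEP would call decide().

// Constructed PIP: subject id -> attributes (in a real deployment an LDAP/user store).
const PIP = {
  bob:   { groups: ["admin"], homeCountry: "GB" },
  alice: { groups: ["staff"], homeCountry: "GB" },
};

// Constructed PAP output. One attribute-based rule covers every admin user,
// where an ACL needs one entry per user and RBAC one role per set of pages.
const POLICIES = [
  {
    name: "admin-pages",
    resource: /^\/admin(\/.*)?$/,
    actions: ["GET"],
    subject: (s) => s.groups.includes("admin"),
    // Environment condition (the "contextual change" slide): a request from a
    // country other than the subject's usual one is not denied outright but
    // answered with "step-up", i.e. re-prompt for a credential first.
    environment: (env, s) => (env.country === s.homeCountry ? "allow" : "step-up"),
  },
];

// Evaluate one request. Returns { decision, reason } where decision is
// "allow", "deny" or "step-up". Anything no rule covers is denied.
function decide(request, pip = PIP, policies = POLICIES) {
  const subject = pip[request.subject];
  if (!subject) return { decision: "deny", reason: "unknown subject" };
  for (const rule of policies) {
    if (!rule.resource.test(request.resource) || !rule.actions.includes(request.action)) continue;
    if (!rule.subject(subject)) return { decision: "deny", reason: `${rule.name}: subject condition failed` };
    return { decision: rule.environment(request.environment, subject), reason: rule.name };
  }
  return { decision: "deny", reason: "no matching policy" };
}

// PEP call for the slide's question: can Bob, who is in the admin group, see the admin page?
const sample = decide({ subject: "bob", resource: "/admin", action: "GET", environment: { country: "GB" } });
console.log(sample.decision); // allow
```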

Page 28

What about OpenAM?

“We’re the real deal”

Page 29

OpenAM policy

• Complete REST API
• Intuitive UI
• Organisational structure
• Expressive rules
• Contextual authz
• Rich entitlement decisions
• Selective evaluation
• Scaling and replication
• XACML export/import

Page 30

Demo

Page 31

Mobile Twitter Raspberry PI

OpenAM Device 1

Radio Tx

Radio Rx

Device 3

Radio Rx

Device 2

Radio Rx

Web App

Policy

Demo topology

Page 32

Demo topology

Page 33

DJ 2

OpenAM 2

DJ 1

OpenAM 1

Replication

Cross talk

8 x 3.3GHz, 64GB 8 x 3.3GHz, 64GB

Performance topology

Page 34

Page 35

How does OpenAM continue to lead?

• Continually looking to push performance
• More fine grained through ABAC
  - generic attribute model
  - application rules
  - nested applications

• Simplified UIs

Page 36

“Information is the new currency”

Page 37

IDENTITY SUMMIT SERIES 2015: EUROPE

8 October, London

5 November, Amsterdam

10 November, Düsseldorf

Visit summits.forgerock.com

Page 38

Q & A