OASIS
Andre Durand, CEO, Ping Identity

Yesterday's Security Paradigm: Firewall this.
Increasingly, users, apps & data are outside the firewall: Supply Chain Partners, Joint Ventures, BPO, On-Demand, Off-Shore
Today's Interoperability Mandate: Outsourcing Providers, Software on Demand Providers, Suppliers, Dealers, Industry Portals, Business Customers, Joint Venture Partners, Consumers
[Network diagram: Internet via two ISPs (ISP1 - CAT, ISP2 - LOXINFO), 3rd-party serial links, router and Ethernet connections, Internet routers, proxy server, WWW server, VPN concentrator, 3rd-party VPN, main firewall, IDS, external partner servers, secure firewall, 3rd-party firewall demarks, TACACS server, IDS management, LAN core]
Evolution Towards Federation: Isolated → Centralized → Federated
Today's Reality: "We do single sign-on with 50 partners. We have 50 different ways of doing it." (Fortune 50 company)
What is Federated Identity?
Federated identity: a collective term describing agreements, standards, and technologies that make identity and entitlements portable across autonomous domains. (Burton Group)
But it doesn't stop there
• Federated web services (web 2.0 mashup)
• Federated provisioning / deprovisioning
• Federated attributes
• Federated policy management
• etc.
• It's about coupling users, data & apps at Internet-scale
How B2B Federation is Scaling
[Hub-and-spoke diagram: hubs, partners and spokes across Financial Service Co's, Service Providers (Relying Parties), Mobile Operators, Major ISPs, Major Portals and Enterprises, shown as Today, Phase 1, Phase 2, Phase 3]
Verticals: Federal, Insurance, Oil & Gas, Transportation, FiServ, Auto, Shipping, SaaS, Education (1,500 Universities), Benefits
Stepping back… B2B B2C
Opportunities come in sets: identity is coming at us in waves
Each wave bigger than the prior: B2E (Internal) → B2B (External) → B2C (Consumer-Facing)
An Industry-Wide Imperative: CONTINUITY Internet-Scale Identity Continuity Scale & Trust Breakthrough Enterprise Scale Federation
But we also need a network effect… (Metcalfe's Law)
* Selected new PingFederate customers from 1/1/07 - 9/1/07
[Timeline over time: PKI'd Point-to-Point Federation; Federation Hubs; Shibb Multilateral Federation; Dynamic Federation]
But what about OpenID? For Internal Use Only! Do Not Distribute!
We can make it more secure
• Use a trusted IdP list
• Disable the "no-encryption" association session type
• Require SSL
• Create a unique request id for each request and make each assertion one-time use
• Measures to prevent phishing attacks [IdP]
• CardSpace
• Certificate authentication
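The checklist above as a relying-party verifier, added here as an example (it is not Ping Identity code and not a complete OpenID 2.0 implementation): it enforces the trusted-IdP list, HTTPS-only OP endpoints, a one-time request id bound into return_to, one-time response nonces, and HMAC-SHA256 signature verification over the association key. The OP side (BuildPositiveAssertion), the key, the URLs and the "rid" parameter name are constructed assumptions, and the association key is assumed to have been established with a DH session type or over TLS rather than with a no-encryption session.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"net/url"
	"strings"
	"time"
)

// OpenID 2.0 section 10.1: fields that must be covered by openid.sig (claimed_id and
// identity whenever present; this RP always expects an identifier).
var requiredSigned = []string{"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

func randomHex(n int) string { raw := make([]byte, n); rand.Read(raw); return hex.EncodeToString(raw) }

// signResponse reproduces the OpenID 2.0 signature: HMAC-SHA256 over
// "field:value\n" for each field listed in openid.signed, base64-encoded.
func signResponse(resp map[string]string, macKey []byte) string {
	var b strings.Builder
	for _, f := range strings.Split(resp["openid.signed"], ",") {
		b.WriteString(f + ":" + resp["openid."+f] + "\n")
	}
	m := hmac.New(sha256.New, macKey)
	m.Write([]byte(b.String()))
	return base64.StdEncoding.EncodeToString(m.Sum(nil))
}

// BuildPositiveAssertion is a constructed stand-in for the OP's id_res response;
// the real OP is not modelled. It signs with the shared association key.
func BuildPositiveAssertion(op, returnTo, assocHandle, claimedID string, macKey []byte) map[string]string {
	resp := map[string]string{
		"openid.op_endpoint":    op,
		"openid.return_to":      returnTo,
		"openid.response_nonce": time.Now().UTC().Format("2006-01-02T15:04:05Z") + randomHex(8),
		"openid.assoc_handle":   assocHandle,
		"openid.claimed_id":     claimedID,
		"openid.identity":       claimedID,
		"openid.signed":         "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity",
	}
	resp["openid.sig"] = signResponse(resp, macKey)
	return resp
}

// RelyingParty keeps the state a hardened RP needs between request and response.
type RelyingParty struct {
	trustedIdPs map[string]bool // allow-list of OP endpoints (all https)
	macKey      []byte          // association key; assumed established via DH-SHA256 or over TLS, never "no-encryption"
	pending     map[string]bool // one-time request ids not yet consumed
	seenNonces  map[string]bool // response_nonce values already consumed
}

func NewRelyingParty(idps []string, macKey []byte) *RelyingParty {
	rp := &RelyingParty{trustedIdPs: map[string]bool{}, macKey: macKey, pending: map[string]bool{}, seenNonces: map[string]bool{}}
	for _, u := range idps {
		rp.trustedIdPs[u] = true
	}
	return rp
}

// Begin mints a fresh request id and binds it into return_to ("rid" is an assumed parameter name).
func (rp *RelyingParty) Begin() (rid, returnTo string) {
	rid = randomHex(16)
	rp.pending[rid] = true
	return rid, "https://rp.example/openid/return?rid=" + url.QueryEscape(rid)
}

// Verify applies the slide's checks in order and reports the first failure.
func (rp *RelyingParty) Verify(resp map[string]string) (bool, string) {
	op := resp["openid.op_endpoint"]
	if u, err := url.Parse(op); err != nil || u.Scheme != "https" {
		return false, "OP endpoint is not https"
	}
	if !rp.trustedIdPs[op] {
		return false, "OP endpoint is not on the trusted IdP list"
	}
	signed := "," + resp["openid.signed"] + ","
	for _, f := range requiredSigned { // else a field could be dropped from openid.signed and altered
		if !strings.Contains(signed, ","+f+",") {
			return false, "required field not covered by the signature: " + f
		}
	}
	if !hmac.Equal([]byte(signResponse(resp, rp.macKey)), []byte(resp["openid.sig"])) {
		return false, "bad signature"
	}
	rt, err := url.Parse(resp["openid.return_to"])
	if err != nil || !rp.pending[rt.Query().Get("rid")] {
		return false, "unknown or already-used request id"
	}
	delete(rp.pending, rt.Query().Get("rid")) // one-time use: a replayed assertion dies here
	nonce := resp["openid.response_nonce"]
	if rp.seenNonces[nonce] {
		return false, "response_nonce replayed"
	}
	rp.seenNonces[nonce] = true
	return true, resp["openid.claimed_id"]
}
```

The checks run cheapest-first and stateless-first: the allow-list and HTTPS tests cost nothing, the signed-field and signature checks reject forgeries without touching state, and only then is the request id consumed, so a replay of a genuine assertion fails on the one-time id (and, if the id were somehow reissued, on the response nonce).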
And what about SAML? business + IT
We can make it more dynamic
[Diagram: IdP and SP pairs each holding certificates from CA1 (e.g. Entrust) and CA2 (e.g. Verisign), versus IdPs and SPs sharing one common CA (e.g. Verisign)]
• Trust anchored via a common list of root CA certificates
• No out-of-band certificate exchange between IdPs and SPs
• Partner certificate in the message or via metadata
Get rid of 'connections'
[Flow diagram, steps 1 to 11: Browser → Service Provider (Federation Server, WhiteList) → Metadata Retrieval → Identity Provider (Federation Server, WhiteList) → Authentication → Target Resource; Email shown as an input]
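The trust model of the two slides above (a common root-CA list, the partner certificate arriving in the message or in metadata, and a whitelist on each side), as an added example in Go with a constructed in-memory PKI; it is not Ping Identity's or any federation server's code. CA1 and CA2 stand in for the commercial roots named on the slide, the entityIDs and whitelist contents are made up, and binding the entityID to the certificate through a URI SAN is an assumption of this example (deployments may bind it through metadata instead).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert signs tmpl with parent/parentKey (self-signed when parent is nil) and returns the parsed cert and its key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // toy PKI: unique enough for a demo
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newRoot builds a self-signed root, standing in for a commercial root such as the slide's CA1/CA2.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return newCert(&x509.Certificate{
		Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// issuePartnerCert has a root issue a signing certificate carrying the partner's SAML
// entityID as a URI SAN, so the certificate itself binds the key to the entity (assumed here).
func issuePartnerCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, entityID string) *x509.Certificate {
	u, err := url.Parse(entityID)
	must(err)
	cert, _ := newCert(&x509.Certificate{
		Subject: pkix.Name{CommonName: entityID}, KeyUsage: x509.KeyUsageDigitalSignature, URIs: []*url.URL{u},
	}, root, rootKey)
	return cert
}

// TrustPartner is the dynamic-federation trust decision: the certificate that arrived in the
// message or in metadata must chain to a root on the common list, must name the claimed
// entityID, and the entityID must be on the local whitelist. No out-of-band exchange is needed.
func TrustPartner(cert *x509.Certificate, entityID string, roots *x509.CertPool, whitelist map[string]bool) error {
	if !whitelist[entityID] {
		return fmt.Errorf("%s is not on the whitelist", entityID)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to a trusted root: %w", err)
	}
	for _, u := range cert.URIs {
		if u.String() == entityID {
			return nil
		}
	}
	return fmt.Errorf("certificate does not name %s", entityID)
}

// Demo is the constructed ecosystem: two trusted roots, one rogue root, one partner under each.
type Demo struct {
	Roots                     *x509.CertPool
	Whitelist                 map[string]bool
	Partner1, Partner2, Rogue *x509.Certificate
}

func BuildDemo() *Demo {
	ca1, ca1Key := newRoot("CA1")
	ca2, ca2Key := newRoot("CA2")
	rogueCA, rogueKey := newRoot("Rogue CA")
	roots := x509.NewCertPool()
	roots.AddCert(ca1)
	roots.AddCert(ca2)
	return &Demo{
		Roots:     roots,
		Whitelist: map[string]bool{"https://idp1.example/saml": true, "https://idp2.example/saml": true, "https://idp3.example/saml": true},
		Partner1:  issuePartnerCert(ca1, ca1Key, "https://idp1.example/saml"),
		Partner2:  issuePartnerCert(ca2, ca2Key, "https://idp2.example/saml"),
		Rogue:     issuePartnerCert(rogueCA, rogueKey, "https://idp3.example/saml"), // whitelisted, but wrong root
	}
}
```

The whitelist and the root list are deliberately separate controls: idp3 is on the whitelist but its certificate chains to a root that is not on the common list, so it is refused, and a certificate that chains correctly is still refused for an entityID it does not name. That is what lets the SP accept a new partner from metadata without a per-connection certificate swap while keeping the decision of which partners to admit local.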
But in the end, balance will prevail
[Diagram: Federation at Scale / Balanced Ecosystem between End-User (Privacy & Convenience), Identity Provider (Security & Control) and Service Provider (Administrative Ease)]
And we've interviewed many of them
• 20 customers and partners
• 60-90 minute discussions, 1/3 face-to-face
• Some follow-ups with SP Product Management
• Customer breakdown by type: 1/3 IdPs, 1/3 SPs, 1/3 Hybrids & Partners
Lessons Learned – Business Drivers
#1 Driver: Outsourcing to drive down costs
Identity Providers
• IdP requirement is "SSO", not "SAML"
• IdP questions are "How long does this take?" and "What does this cost?", not "What technology?"
Service Providers
• SPs compete on price, so they are predisposed to build
• SPs want their costs to align with their revenue
Lessons Learned – Organizational Issues
• Understand the roles involved on both sides
• The "proxies" to IT and the Business control the implementation queue
• The SP Business Development Manager and Project Manager are focused on driving revenue and are very interested in reducing implementation timelines
What is Ping Identity doing about this?
• Experimenting between the seams: SAML & OpenID, OpenID & CardSpace, SAML & CardSpace
• Partnering with federation hubs (e.g. Covisint & Exostar)
• Building methodology to drive the mystery of connecting out of the equation
• Leading one effort to make SAML more dynamic, working with Sun, Shibb & others
• Working with the Shibb community
Summary
• Networking of security (identity) is inevitable
• Identity is coming in waves
• Different tools are OK, BUT continuity is crucial
• And user experience is crucial
• And we've got to find the balance of simple & secure
• Different approaches will do for now
• Ultimately, we owe it to ourselves to get this right