connecting the real world with the virtual world

Post on 03-Aug-2015


CONNECTING THE REAL WORLD WITH THE VIRTUAL WORLD

The Identity of Things

EIC May 15, 2014

Hans Zandbelt – CTO Office – Ping Identity

Copyright © 2014 Ping Identity Corp. All rights reserved.

Overview

1. Internet & Identity of Things
2. Infrastructure & Protocols
3. Now what?

Use case: Manufacturing

• Remote tracking
• Controlling functions
• Routing functions
• enabled by smart sensor nodes and devices


Use case: Healthcare

• integration with real-time monitoring
• Health care providers (insurers)


Use case: Automotive

• Self-driving cars
• Monitoring & reporting (today)


Use case: Home/Building Automation

• smart thermometers/heating
• audio/video between ALL devices with those capabilities (phone, mobile and fixed, iPad, front door cam, TV, stereo)
• integrating all electrical devices in the household/building


Internet of Things

• Cloud / SaaS & Social
• Mobile Ubiquity
• Embedded, Wearable
• Smart Meters
• Industry Automation
• Home Automation
• Retail & Consumer Automation

Challenges

• Security Scalability
  – Access & Account Mgmt
• Discovery, Identification & Authentication
  – Devices & Clients
  – Services & Servers
  – Users
• Passwords … NOOO!!

Ehm


INFRASTRUCTURE: Building the identity-enabled internet of everything

Consequence

Traditional firewall and enterprise domain-based security cannot deal with Cloud, Mobile & IoT – Users, Applications or Devices.

IDENTITY IS THE NEW PERIMETER

[Figure: the perimeter moves from the FIREWALL around Network and Applications to IDENTITY]

The Identity Layer

• Scalable Identification
• Scalable Security
  – Authentication
  – Privacy
  – Confidentiality
  – Integrity
• Scalable Trust

PROTOCOLS: Realizing the Identiverse and IoT infrastructure

Today’s Identity Protocol Landscape: SAML, LDAP, X.509

Modern Identity Protocol Stack: OpenID Connect, SCIM, OAuth 2.0

OAUTH 2.0: A 30,000 feet overview

Password anti-pattern

Drawbacks

• 3rd party clients store user passwords
• Teaches users to be indiscriminate with passwords
• No multi-factor or federated authentication
• No granularity
• No differentiation
• No revocation

OAuth 2.0 Drivers

• Lack of Standards
• Password Anti-Pattern
• Native Mobile Apps
• REST Cloud APIs

=> OAuth 2.0

OAuth 2.0 Protocol Framework

Characteristics

• Secure API authorization
  – simple & standard, secure-enough (Bearer)
  – for desktop, mobile, web, IoT
• Delegated access
  – mitigates password anti-pattern
• Issue tokens for granular access
  – Without divulging your credentials

Intermezzo: Covert Redirect

Assume the following:

Open Redirect somewhere in RP website
+
RP website uses federated SSO for user login
+
SSO Token callback from IDP to website is configurable
=> covert redirect

Lesson: don’t forward messages that were meant for you to anyone else…
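As an added example (not from the slides), the two checks that break the chain above, one on each side: the IdP accepts a token callback only if it exactly matches a URI the client registered, and the RP only follows a post-login "next" target that stays on its own site. The client id, URIs and registry below are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed client registry (hypothetical): each relying party registers the
# exact callback URIs the identity provider may send SSO tokens or codes to.
REGISTERED_REDIRECT_URIS = {
    "rp-web-app": {"https://rp.example/sso/callback"},
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """IdP-side check: the callback must match a registered URI exactly.

    Exact string comparison (no prefix, host-only or wildcard matching) means a
    callback that points at some other page on the RP's host, such as an open
    redirector, is refused. That removes the "configurable callback" ingredient."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def safe_local_redirect(next_url: str, default: str = "/") -> str:
    """RP-side check for a post-login 'next' / 'return' parameter.

    Only a path-relative target on this site is accepted. Anything with a scheme,
    an authority (including protocol-relative '//host'), a path starting with
    '//', a backslash (browsers treat '/\\host' like '//host') or surrounding
    whitespace falls back to the default page. That removes the open redirect."""
    if next_url != next_url.strip() or "\\" in next_url:
        return default
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    # Drop the fragment so a token carried in the URL fragment is never re-sent.
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    print(redirect_uri_allowed("rp-web-app", "https://rp.example/sso/callback"))
    print(redirect_uri_allowed("rp-web-app", "https://rp.example/go?to=https://other.example"))
    print(safe_local_redirect("/dashboard?tab=1"))
    print(safe_local_redirect("//other.example/"))
```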

CONCLUSIONS

Emerging Business Landscape

• Cloud Business
• Mobile Ubiquity
• Social Integration
• Internet of Things

Secure Identity Layer

Actions

1. Modern identity protocol adoption
   – OAuth 2.0 & OpenID Connect
   – Bindings to IoT
2. Password reduction
   – Federation: default
   – Strong / multi-factor
   – Discrete > Continuous
3. Automation
   – Scale and ease of use
   – self-service as a backup

Summary

• IoT
  – Scale
  – Security
  – Standards
• Identity Platform
  – Spanning Cloud and IoT
  – Identity Function APIs
  – Multi-protocol
• Don’t Panic
  – Let’s Start Moving Today

Thank You

http://www.pingidentity.com

Hans Zandbelt
hzandbelt@pingidentity.com
Twitter: @hanszandbelt
Ping Identity

API Access

Client -> (Token) -> SOAP/REST API

Methods

• HTTP – basic/digest…
• SOAP - WS-Security/WS-Trust
• REST - ?
• Token-based
  – Obtain
  – Use
  – Validate

SAML and OpenID Connect

SAML:
• Separate protocols for SSO and API security
• Heavyweight - in payload and processing
• Complex – develop and manage
• Manual trust bootstrapping and certificate management

OpenID Connect:
• SSO and API security in one
• Lightweight – mobile
• Simple – developer friendly
• Auto client registration and key management
