cis14: are the enterprises ready for identity of everything?
DESCRIPTION
Ranjan Jain, Cisco Systems
A NextGen architectural approach which enterprise IT architects and management need to consider if they plan to ride the IoT wave.
TRANSCRIPT
Are the Enterprises Ready for Identity of Everything?
Ranjan Jain
Enterprise IT Architect
Cisco Systems Inc.
July 2014
Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Agenda
Identity and Not-so-Fun facts
Trends & Impact on Identity
IT Architecture Requirements
Identity of Everything & Framework
Q & A
Identity and Not-so-Fun facts
Identity Defined
• Digital Identity is defined as a set of data that uniquely describes a person or thing.
• Identity Types: Human, Devices, Applications (APIs), and many more
• Identity is core to the trust model and to the security principles of confidentiality, integrity, and availability.
Identity – Not So Fun Facts
Identities frequently targeted for attack: Executives, Administrators, Outsourced vendors
Enterprises are unable to quantify loss due to lack of visibility.
The trend in targeted attacks is many occurrences over an extended period of time.
Cyber-attackers need to be right once. Enterprise security needs to be right every time.
Security Incident Examples
Impacted 148 million users
Security Incident Examples
Impacted 110 million users
Security Incident Examples
Refrigerator got hacked & more to come (Courtesy: www.readwrite.com)
Trends & Impact on Identity
Trends Elevating the Importance of Identity
Business:
• Enabling New Business Models
• Security
• User Experience
• Ease of Doing Business
• Operational Expense Reduction
Technology:
• Internet of Everything
• Mobile / Cloud
• Externalizing Data via APIs
• Collaboration / Social / Data Analytics
• Advanced Threats
• XaaS / Automation
Source: http://share.cisco.com/internet-of-things.html
Cisco Confidential 13 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Identity of Everything & Framework
Cisco Confidential 14 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
IDentity of Everything (IDoE) Vision
“Enable secure access from any client, on any device, to any service, located anywhere.”
(Anyone, Anything, Anywhere – For Right Business Outcome)
Identity (from anywhere): Human, Device, Application, API
Device: IT Managed, Personal, Any Device
Location: IT Managed, Un-managed
Resource (any resource): Web Apps, Mobile Apps, API, Devices, SaaS, Service Providers
Identities depicted are only representative, and not the comprehensive list.
Cisco Confidential 15 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Everything Will Have an Identity
Any User, on any Device, on any Network, accessing any Resource: to enable the “Internet of Everything”.
Identity: Each user, device, and resource has a unique identity (human / non-human identity). These identities must be non-overlapping.
Cisco Confidential 16 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Getting GRIP on Identity
Any User, on any Device, on any Network, accessing any Resource: to enable “Right Authorization”.
• Identity: Each user, device, and resource has a unique identity (human / non-human identity).
• GRoups: A set of identities is grouped together to create a composite identity (Group) based on one or more sets of attributes.
• Policy: One or more policies are created and applied. A policy binds the entitlement of an identity to the required resources.
• Auditing
Identity + Groups + Policy Enforcement = Right Authorization
Cisco Confidential 18 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Data Model to Encompass All Types of Identities
- Each User, Device, and Resource has a unique Identity.
- Each Identity has several attributes that describe its type and their attributes.
- One or more of these attributes can then be combined to create a composite identity.
User: End User (Badged / Non-Badged; FTE / Outsourced; Regular / New Acquisition), Guest, Partner, Customer
  Additional Attributes: • First Name • Last Name • Email • …
Device: IT Asset / BYOD; Host, Network; PC, Mac, Linux, iOS, Android
  Additional Attributes: • OS • Version • Display Size • …
Resource: Server (IT Hosted / Ext Hosted), Service, Asset, Data, Application
  Additional Attributes: • Data Classification • Regulatory Comp. • Access Protocol • …
Location: IT Managed / Un-Managed; DMZ, Internal, Protected, Partner Sites, Public Internet, Default, SimDMZ
  Additional Attributes: • Campus / FSO • Data Center • Bandwidth • …
Cisco Confidential 19 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Identity Framework
Identity (Human, Device, Application, API) accesses the Identity Service, which fronts the Resources (Web Apps, Mobile Apps, API, Devices, SaaS, Service Providers).
Identity Service components:
• Authentication (Authc), Coarse Grain Authorization and Fine Grain Authorization (Authz), Entitlement, Attestation
• SSO Access Service
• Registration, Provisioning / De-provisioning, and various lifecycles
• Identity Data Stores: Identity, Policy, Attributes
• Federation
• APIs & Web Services for User Apps and Devices
• Auditing of Policies & Data Analytics
Cisco Confidential 20 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
IT Architecture Requirements
Cisco Confidential 21 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
IDoE Vision Realization Factors: The 4 Must-Haves
• Federation and API will be ubiquitous
• Identity for Everything: Human, Device, App, API, etc.
• Multi-factor Authentication: it will be a must; context will be a new dimension
• Standards Driven: P2P, M2M, P2M
Cisco Confidential 22 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
IT Architecture for IDoE: The 4 Must-Haves
• Security
• Scalable for Billions
• Elastic
• BYoT
Cisco Confidential 23 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
In Closing
• IoT will Connect the Un-connected
• Identity will be the core for IoT to happen
• Securing IAM will be more important than ever
• Open Standards (OAuth, SCIM, OpenID Connect and more to come) will provide the federation grid for NextGen IAM to work
• We need to work more closely and openly to ride the IoT wave
Cisco Confidential 24 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Q&A
Thank you.