Copyright © 2015 ForgeRock, all rights reserved.
Entitlements: Taking Control of the Big Data Gold Rush
Markus Weber, Andy Forrest
August 18th, 2015
Achieving the Holy Grail of Identity
Knowing Who's Who, What's What, and Who Gets Access to What
Source: Scott McNealy, Identity Summit 2015
ForgeRock
Fastest-growing Open Source Identity Security Software company in the world
■ Founded 2010 with high double digit growth every year since inception
■ Over 200 full time employees
■ Over 400 customers
■ Active in over 30 countries
■ Locations: San Francisco, Vancouver (US), Bristol (UK), London (UK), Grenoble (FR), Oslo, Singapore, Düsseldorf
Award winning platform driving innovation worldwide
■ Gold winner of the CEO World awards 2014
■ Silver Winner in the 6th Annual Golden Bridge Award 2014
■ Silver winner for the Fastest-Growing Company of the Year in Best in Biz Awards 2014
Investors: Our Origins:
275 survey respondents
Research by
71% using ForgeRock for THEIR customer identities (USA)
88% deploy in less than a year
65% deploy in less than 6 months
70% reach payback in less than 18 months
91% rate ForgeRock speed to deployment superior to competition
96% rate ForgeRock scalability superior to competition
92% rate ForgeRock reliability superior to competition
100% of government and financial services customers rate ForgeRock scalability superior to the competition
The Platform
The ForgeRock Identity Platform
(Identity Management) (Access Management)
(Directory Services) (Identity Gateway)
The ForgeRock Identity Platform
IDENTITY MANAGEMENT
• Provisioning
• Self-Service
• Password Management
• Synchronization/Reconciliation
• Workflow Engine
• SaaS Connectors
ACCESS MANAGEMENT
• Authentication
• Entitlements Management
• Federation
• Social Sign-On
• Adaptive Risk
• REST Security Token Service
API & MOBILE GATEWAY
• API Security
• Mobile Security
• Legacy Application Security
• Web Services Security
• Password Capture and Replay
DIRECTORY SERVICES
• Performance & Scalability
• High Availability
• Password Policy
• Active Directory Synchronization
• Identity Data Replication
• LDAPv3 and REST2LDAP
COMMON SERVICES
REST API
Standards
User Interface
custom, ldapv3
User Data Stores
Authentication
Coarse Grained Authorization
Policies
SSO Session Management
Federation Hub
Adaptive Risk
ForgeRock UI Framework
Password management
Audit Logging
UI Layer
Access Layer
Business Logic Layer
Services Layer
Persistence layer
SIEM | Reporting Tools (3rd party)
Authentication Systems (out-of-the-box & 3rd party)
Analytics tools (3rd party)
Fine Grained Authorization
Pluggable
Common REST OpenID Connect OAuth2 SAMLv2 WS-*
Protected Resources
Web Application
Mobile Application
Policy Agent
Firewall
Reverse Proxy
REST Client
Stateful, Stateless
Session Layer
Load balancer
Chip | Thing
End-User UI
JATO based Admin UI
Policy Editor
Monitoring
The Near Future
Return on Identity
Platform Focus for Maximizing ROI
API Economy
IoT Scale
IoT Ready
Privacy & Consent
Security
Data Enrichment
Run Anywhere
Privacy & Consent
User Managed Access (UMA)
• Standards based privacy and consent
• Giving people the right to control access to their data across providers
• Interoperable OAuth2-based protocol
• Shipping as an integrated feature of OpenAM and OpenIG
Internet of Things Scale
Stateless Sessions
• Built on new stateless sessions
• JWT-based sessions
• Per-Realm configuration
• Enables true elastic deployment
• Massive horizontal scalability
[Chart: Demand and Cluster Size over time, 12:00:00 AM to 11:59:59 AM. Diagram labels: Internet, Elastic Load Balancer]
Security
Continuous Authorization
OpenAM Session
Contextual Change
System Detects New Location
System detects change during session and requests 1x password
• Context based authentication and authorization
• Includes the device print and request context in the policy evaluation
• Custom logic easily integrated into Policy decisions with JavaScript, Groovy, or Java
• REST-calls to external Policy Information Points
Entitlements
Taking Control of the Big Data Gold Rush
Andy Forrest (@apforrest)
“Information is the new currency”
Let’s rewind a little...
Subject, Resource, Action, Environment
• Authentication
• Authorization
What has a policy looked like?
Typically used to protect a web resource:
“Can Bob who is part of the admin group see the admin web page?”
Policy solutions
• ACLs (access control lists)
- focused on the subject
• RBAC (role based access control)
- focused on the subject and resource
- role explosion
Policy characteristics
• Coarse grained
• Allow / deny
• Inflexible
• Low volume
• Minimal performance demand
PEP
Common policy architecture
Protected resource
Bob
PDP
PAP
PIPs
Common policy architecture
Policy agent
Protected resource
Bob
OpenAM
What’s next for policy?
“Authorization is the new cool kid”
IoT (Internet of Things)
• Not just web pages
• Richer relationships
• Descriptive demand
UMA (User Managed Access)
• In the hands of the consumer
• High scale
• Decoupled
• Distributed
Some of the buzz
• ABAC (attribute based access control)
• XACML (extensible access control markup language)
Future policy characteristics
• Attribute based
• Fine grained
• Entitlements
• Unknown entities
• High volume
• Performance speed
• Outward facing
What about OpenAM?
“We’re the real deal”
OpenAM policy
• Complete REST API
• Intuitive UI
• Organisational structure
• Expressive rules
• Contextual authz
• Rich entitlement decisions
• Selective evaluation
• Scaling and replication
• XACML export/import
Demo
Mobile Twitter Raspberry PI
OpenAM Device 1
Radio Tx
Radio Rx
Device 3
Radio Rx
Device 2
Radio Rx
Web App
Policy
Demo topology
Demo topology
DJ 2
OpenAM 2
DJ 1
OpenAM 1
Replication
Cross talk
8 x 3.3GHz, 64GB 8 x 3.3GHz, 64GB
Performance topology
How does OpenAM continue to lead?
• Continually looking to push performance
• More fine grained through ABAC
- generic attribute model
- application rules
- nested applications
• Simplified UIs
“Information is the new currency”
IDENTITY SUMMIT SERIES 2015: EUROPE
8 October, London
5 November, Amsterdam
10 November, Düsseldorf
Visit summits.forgerock.com
Q & A