Entitlements: Taking Control of the Big Data Gold Rush
TRANSCRIPT
Copyright © Identity Summit 2015, all rights reserved.
Andy Forrest (@apforrest) [email protected]
Let’s rewind a little...
Policy model (diagram): Subject, Resource, Action, Environment
• Authentication
• Authorization
What has a policy looked like?
Typically used to protect a web resource:
“Can Bob who is part of the admin group see the admin web page?”
Policy solutions
• ACLs (access control lists): focused on the subject
• RBAC (role based access control): focused on the subject and resource; leads to role explosion
Policy characteristics
• Coarse grained
• Allow / deny
• Inflexible
• Low volume
• Minimal performance demand
Common policy architecture
Diagram: Bob requests a protected resource through the PEP (policy enforcement point); the PEP asks the PDP (policy decision point) for a decision; the PDP evaluates policies administered in the PAP (policy administration point) using attributes supplied by PIPs (policy information points).
Common policy architecture (OpenAM)
Diagram: Bob requests a protected resource through a policy agent; the policy agent obtains the decision from OpenAM.
What’s next for policy?
“Authorization is the new cool kid”
IoT (Internet of Things)
• Not just web pages
• Richer relationships
• Descriptive demand
UMA (User Managed Access)
• In the hands of the consumer
• High scale
• Decoupled
• Distributed
Some of the buzz
• ABAC (attribute based access control)
• XACML (extensible access control markup language)
Future policy characteristics
• Attribute based
• Fine grained
• Entitlements
• Unknown entities
• High volume
• Performance speed
• Outward facing
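The two architecture slides and the "future policy characteristics" slide describe the same request model: a subject performing an action on a resource in some environment, with a PEP enforcing what a PDP decides from PAP-administered policies and PIP-supplied attributes. The following is an added example (not code from the talk or from OpenAM) that implements that model in a few dozen lines so the pieces can be seen working together. It shows the coarse-grained "Bob in the admin group may see the admin page" rule beside a finer-grained, attribute-based rule that also consults environment attributes, with deny-overrides and default-deny combining. The class names (`PAP`, `PIP`, `PDP`, `PEP`), the directory entries for bob and alice, and the policies are all constructed for the example.

```python
"""Constructed PEP / PDP / PAP / PIP policy engine illustrating the talk's model."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Request:
    """The four-part request model from the slides: subject, resource, action, environment."""
    subject: Dict[str, object]
    resource: str
    action: str
    environment: Dict[str, object] = field(default_factory=dict)


Condition = Callable[[Request], bool]


@dataclass
class Policy:
    name: str
    resource_prefix: str       # policies apply to resources under this prefix
    actions: List[str]
    conditions: List[Condition]  # attribute checks on subject and environment
    effect: str                # "allow" or "deny"

    def matches(self, req: Request) -> bool:
        return (req.resource.startswith(self.resource_prefix)
                and req.action in self.actions
                and all(cond(req) for cond in self.conditions))


class PAP:
    """Policy Administration Point: where policies are authored and stored."""
    def __init__(self) -> None:
        self.policies: List[Policy] = []

    def add(self, policy: Policy) -> None:
        self.policies.append(policy)


class PIP:
    """Policy Information Point: resolves subject attributes the request did not carry
    (here from a constructed in-memory directory keyed by subject id)."""
    def __init__(self, directory: Dict[str, Dict[str, object]]) -> None:
        self.directory = directory

    def enrich(self, req: Request) -> Request:
        extra = self.directory.get(str(req.subject.get("id")), {})
        req.subject = {**extra, **req.subject}  # request-supplied attributes win
        return req


class PDP:
    """Policy Decision Point: evaluates all matching policies.
    Combining rule: any deny overrides; no matching policy means deny."""
    def __init__(self, pap: PAP, pips: List[PIP]) -> None:
        self.pap, self.pips = pap, pips

    def decide(self, req: Request) -> str:
        for pip in self.pips:
            req = pip.enrich(req)
        effects = {p.effect for p in self.pap.policies if p.matches(req)}
        if "deny" in effects:
            return "deny"
        return "allow" if "allow" in effects else "deny"


class PEP:
    """Policy Enforcement Point: fronts the protected resource and enforces the decision."""
    def __init__(self, pdp: PDP) -> None:
        self.pdp = pdp

    def serve(self, req: Request, handler: Callable[[], str]) -> str:
        return handler() if self.pdp.decide(req) == "allow" else "403 Forbidden"


# Constructed sample directory: the attributes a PIP would fetch for each subject.
directory = {
    "bob": {"groups": ["admin"], "department": "ops"},
    "alice": {"groups": ["staff"], "department": "sales"},
}

pap = PAP()
# Coarse-grained, group-based rule: "Can Bob who is part of the admin group see the admin page?"
pap.add(Policy("admin-pages", "/admin", ["GET"],
               [lambda r: "admin" in r.subject.get("groups", [])], "allow"))
# Finer-grained, attribute-based rule: anyone may read reports, but only from the
# internal network and only during business hours (environment attributes).
pap.add(Policy("reports-read", "/reports", ["GET"],
               [lambda r: r.environment.get("network") == "internal",
                lambda r: 9 <= r.environment.get("hour", -1) < 17], "allow"))
# An explicit deny that overrides any allow: reports are never deleted via this app.
pap.add(Policy("reports-no-delete", "/reports", ["DELETE"], [], "deny"))

pdp = PDP(pap, [PIP(directory)])
pep = PEP(pdp)


def check(subject_id: str, resource: str, action: str, environment: Dict[str, object] = None) -> str:
    """Ask the PDP for a decision on a request carrying only the subject id."""
    return pdp.decide(Request({"id": subject_id}, resource, action, environment or {}))


if __name__ == "__main__":
    print("bob GET /admin  ->", check("bob", "/admin/index.html", "GET"))
    print("alice GET /admin ->", check("alice", "/admin/index.html", "GET"))
    print("alice GET /reports (internal, 10h) ->",
          check("alice", "/reports/q3", "GET", {"network": "internal", "hour": 10}))
    print("alice GET /reports (external, 10h) ->",
          check("alice", "/reports/q3", "GET", {"network": "external", "hour": 10}))
```

The PDP is deliberately default-deny and deny-overrides: an unknown subject (one the PIP cannot enrich) matches no allow policy and is refused, and the explicit deny on DELETE wins even if a later allow were added. The same structure applies whether the PEP is a web agent in front of a page or a device gateway in the IoT cases the talk goes on to discuss.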
OpenAM policy
• Complete REST API
• Intuitive UI
• Organisational structure
• Expressive rules
• Contextual authz
• Rich entitlement decisions
• Selective evaluation
• Scaling and replication
• XACML export/import
Demo topology
Diagram: Mobile, Twitter and a Raspberry Pi feed a Web App protected by OpenAM Policy; Device 1 is a Radio Tx and Devices 2 and 3 are Radio Rx.
Performance topology
Diagram: OpenAM 1 with DJ 1 and OpenAM 2 with DJ 2, each host 8 x 3.3GHz with 64GB; replication between DJ 1 and DJ 2, cross talk between OpenAM 1 and OpenAM 2.
How does OpenAM continue to lead?
• Continually looking to push performance
• More fine grained through ABAC
  - generic attribute model
  - application rules
  - nested applications
• Simplified UIs
Thank you / Q&A
Andy Forrest (@apforrest) [email protected]