The New Venn of Access Control in the API-Mobile-IoT Era
DESCRIPTION
Presentation from the 2014 IRM Summit in Phoenix, Arizona by Eve Maler, Principal Analyst Serving Security & Risk Professionals at Forrester.
TRANSCRIPT
![Page 1: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/1.jpg)
The New Venn Of Access Control In The API-Mobile-IoT Era
Eve Maler, Principal Analyst, Security & Risk
June 4, 2014
@xmlgrrl
![Page 2: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/2.jpg)
The business tech landscape is handing us hard IAM problems.
Traditional solutions don’t “work less well”… they don’t work at all.
![Page 3: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/3.jpg)
3© 2012 Forrester Research, Inc. Reproduction Prohibited
Agenda
What are the implications of “BYO”?
Emerging technologies help you achieve a Zero Trust posture
What remains to be done?
![Page 4: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/4.jpg)
The extended enterprise forces IT to handle bring-your-own-everything
Source: April 7, 2014, “Navigate The Future Of Identity And Access Management” Forrester report
![Page 5: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/5.jpg)
You can’t trust everything + everyone inside your crunchy perimeter anyway
Source: November 15, 2012, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security” Forrester report
…so stop trying
Start with Zero Trust
Elevate trust selectively
![Page 6: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/6.jpg)
Many APIs have acquired business models, driven by mobile
![Page 7: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/7.jpg)
IT now confronts webdevification
value X
friction Y
![Page 8: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/8.jpg)
Our worlds are colliding
UNIFY YOUR STANCE AND PREPARE FOR ANYTHING
[Venn diagram: B2C, B2E, B2B and B2D overlapping; the intersection is labelled “the identity singularity”]
![Page 9: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/9.jpg)
Agenda
What are the implications of “BYO”?
Emerging technologies help you achieve a Zero Trust posture
What remains to be done?
![Page 10: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/10.jpg)
A tour through some previous Venns
vintage 2007
![Page 12: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/12.jpg)
A tour through some previous Venns
vintage 2009
![Page 14: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/14.jpg)
Source: October 2012, “TechRadar™ For Security Pros: Zero Trust Identity Standards, Q3 2012” Forrester report
Emerging standards have an edge over traditional ones for Zero Trust
Key features:
• Governance
• Hubris

Key features:
• “Solving the right problem”
• Enterprise-only scope

Key features:
• Agility
• Mobile/cloud friendliness
• Robustness
![Page 15: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/15.jpg)
A new Venn for “access management 2.0”
JUST WHAT THE API-MOBILE-IOT AXIS NEEDS*
![Page 16: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/16.jpg)
OAuth is about more than the “password anti-pattern”
IT LETS A RESOURCE OWNER DELEGATE CONSTRAINED ACCESS
![Page 17: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/17.jpg)
OpenID Connect turns SSO into a standard OAuth-protected identity API
Comparison (items marked X are gaps in that standard):

SAML 2.0 / OpenID 2.0
• Initiating user’s login session
• Not responsible for collecting user consent (X)
• High-security identity tokens (SAML only)
• Distributed and aggregated claims
• Session timeout
• Dynamic introduction (OpenID only)

OAuth 2.0
• Not responsible for session initiation (X)
• Collecting user’s consent to share attributes
• No identity tokens per se (X)
• Client onboarding is static (X)
• No claims per se; protects arbitrary APIs (X)

OpenID Connect
• Initiating user’s login session
• Collecting user’s consent to share attributes
• High-security identity tokens (using JSON Web Tokens)
• Distributed and aggregated claims
• Session timeout (in the works)
• Dynamic introduction
• No sessions per se (X)
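The “high-security identity tokens (using JSON Web Tokens)” row is where a relying party earns its keep: an ID token is only as strong as the checks applied before it is trusted. The following is an added example, not code from the deck or from any OpenID Connect implementation; the key, issuer, client_id and nonce values are constructed, and HS256 is used only so the block runs on the standard library (a real OpenID Provider would normally sign with RS256 and publish its keys via JWKS). The validation rules mirror the ID token checks in OpenID Connect Core: signature, pinned algorithm, iss, aud/azp, exp and nonce.

```python
"""Relying-party-side ID token validation after an OpenID Connect login.

Constructed example: key, issuer, client_id and nonce are made-up values;
HS256 keeps the block dependency-free (production OPs usually use RS256 + JWKS).
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Mint a compact JWS (header.payload.signature) the way an OP would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


class IdTokenError(Exception):
    """Any failed rule: the RP must not start a session from this token."""


def validate_id_token(token, key, issuer, client_id, expected_nonce, now=None):
    """Apply the checks an RP must perform before trusting the claims; returns them."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise IdTokenError("undecodable token") from exc
    # Pin the algorithm: the token never gets to choose (rejects alg=none / key confusion).
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise IdTokenError("bad signature")
    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise IdTokenError("token was not issued to this client")
    if "azp" in claims and claims["azp"] != client_id:
        raise IdTokenError("authorized party mismatch")
    if float(claims.get("exp", 0)) <= now:
        raise IdTokenError("token expired")
    # The nonce binds the token to the login request this RP actually started.
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch")
    return claims


def check_id_token(token, key, issuer, client_id, expected_nonce, now=None):
    """Boolean wrapper with the failure reason, handy for logging at the RP."""
    try:
        validate_id_token(token, key, issuer, client_id, expected_nonce, now)
        return True, "ok"
    except IdTokenError as exc:
        return False, str(exc)
```

Every check is a cheap local comparison except the signature, which is why an RP that skips the nonce or audience check still “verifies” a token that was minted for some other client or replayed from an older login.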
![Page 18: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/18.jpg)
UMA enables authorization that’s friendly to OAuth, APIs, PbD, and (it appears) IoT
Standardized APIs enable Internet-scale authz-as-a-service
Outsources protection to a centralized “digital footprint control console” for Alice or an IT admin
The “user” in User-Managed Access (UMA) – can be an organization (“headless”)
Some guy not accounted for in OAuth…
![Page 19: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/19.jpg)
Mapping UMA to classic authorization architecture
• Authorization server ≈ PDP; resource server ≈ PEP
• Client + requesting party together ≈ requester
• Deliberately prepared for n:n relationships
• Implicitly a PAP and PIP, or a client to them
• Claims and context gathered at run time
• Policymaker (no standard policy expression or evaluation)
![Page 20: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/20.jpg)
The RS exposes whatever value-add API it wants, protected by an AS
• App-specific API
• UMA-enabled client
• RPT: requesting party token
• (can be profiled to move the PDP/PEP line)
![Page 21: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/21.jpg)
The AS exposes an UMA-standardized protection API to the RS
• Protection API
• Protection client
• PAT: protection API token
• Includes resource registration API and token introspection API
![Page 22: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/22.jpg)
The AS exposes an UMA-standardized authorization API to the client
• Authorization API
• Authorization client
• AAT: authorization API token
• Supports OpenID Connect-based claims-gathering for authz
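Slides 20 to 22 describe three token types (PAT, AAT, RPT) and two standardized APIs, which is easier to follow with the parties exchanging messages. The block below is an added, in-process model and is not code from the deck or from any UMA implementation: the token strings, method names and the access policy are constructed stand-ins and do not reproduce UMA’s wire format. It shows the resource server registering a resource and later a permission request over the protection API (with its PAT), the client trading the resulting ticket plus gathered claims for an RPT over the authorization API (with its AAT), and the resource server enforcing by introspecting the RPT, which is the PDP/PEP split the earlier slide draws.

```python
"""In-process model of the UMA protection and authorization APIs.

Constructed example: tokens, method names and the policy rule are illustrative
stand-ins. The AuthorizationServer plays ~PDP, the ResourceServer plays ~PEP.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    pats: set = field(default_factory=set)             # valid protection API tokens (RS side)
    aats: set = field(default_factory=set)             # valid authorization API tokens (client side)
    resource_sets: dict = field(default_factory=dict)  # resource id -> {"name", "scopes"}
    tickets: dict = field(default_factory=dict)        # ticket -> requested permission
    rpts: dict = field(default_factory=dict)           # RPT -> list of granted permissions
    policies: dict = field(default_factory=dict)       # resource name -> (claim, required value)

    def register_resource_set(self, pat, name, scopes):
        """Protection API: the RS registers a resource and the scopes it supports."""
        self._require(pat, self.pats)
        rid = "rs-" + secrets.token_hex(4)
        self.resource_sets[rid] = {"name": name, "scopes": set(scopes)}
        return rid

    def register_permission(self, pat, resource_id, scopes):
        """Protection API: the RS obtains a ticket describing the access a client attempted."""
        self._require(pat, self.pats)
        if not set(scopes) <= self.resource_sets[resource_id]["scopes"]:
            raise ValueError("scope not registered for this resource")
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = {"resource_id": resource_id, "scopes": set(scopes)}
        return ticket

    def issue_rpt(self, aat, ticket, claims):
        """Authorization API: the client trades a ticket plus gathered claims for an RPT."""
        self._require(aat, self.aats)
        perm = self.tickets.pop(ticket, None)          # tickets are single-use
        if perm is None:
            raise PermissionError("unknown or already-used ticket")
        name = self.resource_sets[perm["resource_id"]]["name"]
        rule = self.policies.get(name)
        if rule is not None and claims.get(rule[0]) != rule[1]:
            return None                                # policy not satisfied: no RPT
        rpt = "rpt-" + secrets.token_hex(8)
        self.rpts[rpt] = [perm]
        return rpt

    def introspect(self, pat, rpt):
        """Protection API: the RS asks what an RPT it received actually permits."""
        self._require(pat, self.pats)
        perms = self.rpts.get(rpt)
        if perms is None:
            return {"active": False}
        return {"active": True, "permissions": [
            {"resource_set_id": p["resource_id"], "scopes": sorted(p["scopes"])} for p in perms]}

    @staticmethod
    def _require(token, valid):
        if token not in valid:
            raise PermissionError("invalid protection/authorization API token")


class ResourceServer:
    """Exposes its own app-specific API; outsources the authorization decision to the AS."""

    def __init__(self, auth_server, pat):
        self.auth_server, self.pat = auth_server, pat
        self.resource_ids = {}                         # resource name -> id at the AS

    def publish(self, name, scopes):
        self.resource_ids[name] = self.auth_server.register_resource_set(self.pat, name, scopes)

    def handle(self, method, name, rpt=None):
        """Map the verb to a scope, introspect the RPT, enforce, or hand back a ticket."""
        scope = {"GET": "view", "PUT": "edit"}[method]
        rid = self.resource_ids[name]
        if rpt is not None:
            info = self.auth_server.introspect(self.pat, rpt)
            if info["active"] and any(p["resource_set_id"] == rid and scope in p["scopes"]
                                      for p in info["permissions"]):
                return 200, {"resource": name, "operation": scope}
        ticket = self.auth_server.register_permission(self.pat, rid, [scope])
        return 403, {"ticket": ticket}                # client takes the ticket to the AS


def run_flow():
    """Walk one client through ticket, claims, RPT and enforcement; returns the outcomes."""
    auth = AuthorizationServer()
    auth.pats.add("pat-for-rs")
    auth.aats.add("aat-for-client")
    auth.policies["alice/calendar"] = ("email", "bob@example.com")  # constructed policy: only Bob
    rs = ResourceServer(auth, "pat-for-rs")
    rs.publish("alice/calendar", ["view", "edit"])
    first, body = rs.handle("GET", "alice/calendar")                # no RPT yet -> 403 + ticket
    denied = auth.issue_rpt("aat-for-client", body["ticket"], {"email": "mallory@example.com"})
    _, body = rs.handle("GET", "alice/calendar")                    # fresh ticket after the refusal
    rpt = auth.issue_rpt("aat-for-client", body["ticket"], {"email": "bob@example.com"})
    view, _ = rs.handle("GET", "alice/calendar", rpt)
    edit, _ = rs.handle("PUT", "alice/calendar", rpt)               # "edit" was never granted
    return {"first": first, "wrong_claims_rpt": denied, "view": view, "edit": edit}
```

Two points worth noticing from the run: the resource server never sees the policy or the requesting party’s claims, only the introspection result, and an RPT that was good for `view` does not silently become good for `edit`, because the enforcement point compares the granted scopes against the one the current verb needs.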
![Page 23: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/23.jpg)
Detailed summary
![Page 24: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/24.jpg)
Agenda
What are the implications of “BYO”?
Emerging technologies help you achieve a Zero Trust posture
What remains to be done?
![Page 25: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/25.jpg)
After the REST maturity ladder must come “scope design best practices”
[Diagram: actors (“subjects”) on one axis, resources accessed (“objects”) and operations (“verbs”) on the other, with arbitrary other authz context alongside]
• Subject dimensions: roles, groups, authn context, attributes/claims
• Object/verb dimensions: domain, URL path, HTTP method, field
• Classic coarse-grained
• Emerging scope-grained
• Classic fine-grained
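The slide places three grains of authorization on the same axes: coarse-grained (domain, role), scope-grained (HTTP method plus URL path) and fine-grained (field, driven by claims). The block below is an added example that is not from the deck; the `object:verb` scope naming, the route table, the role and acr labels and the sample record are all constructed for illustration. It applies the three grains in order on one request and shows why an unmapped route must deny by default.

```python
"""Scope design across three grains: coarse (domain), scope (method+path), fine (field).

Constructed example: scope names, routes, role/acr labels and the record are made up.
"""
import re

# Scope-grained layer: (HTTP method, URL path pattern) -> scope the token must carry.
SCOPE_RULES = [
    ("GET", r"^/calendars/[^/]+/events$", "calendar:read"),
    ("POST", r"^/calendars/[^/]+/events$", "calendar:write"),
    ("DELETE", r"^/calendars/[^/]+/events/[^/]+$", "calendar:delete"),
]

# Fine-grained layer: which roles may see which fields of an event record.
FIELD_VISIBILITY = {"private_notes": {"owner"}, "attendees": {"owner", "member"}}

SAMPLE_EVENT = {"title": "Standup", "attendees": ["alice", "bob"], "private_notes": "budget"}


def required_scope(method, path):
    """Look up the scope for a route; None for an unmapped route (deny by default)."""
    for rule_method, pattern, scope in SCOPE_RULES:
        if rule_method == method and re.match(pattern, path):
            return scope
    return None


def authorize(request, token, record):
    """Return (status, visible record). `token` is an already-validated claim set."""
    # Coarse grain: the token must be meant for this API's domain at all.
    if request["domain"] not in token.get("aud", []):
        return 403, None
    # Scope grain: method + path decide which scope is needed.
    scope = required_scope(request["method"], request["path"])
    if scope is None or scope not in token.get("scope", "").split():
        return 403, None
    # Authn context: destructive verbs need a stronger login (acr label is constructed).
    if scope.endswith(":delete") and token.get("acr") != "mfa":
        return 403, None
    # Fine grain: strip fields the caller's role is not entitled to see.
    role = token.get("role", "guest")
    visible = {k: v for k, v in record.items()
               if k not in FIELD_VISIBILITY or role in FIELD_VISIBILITY[k]}
    return 200, visible
```

Keeping the route-to-scope table explicit is the “scope design” discipline the slide calls for: a new endpoint has no scope until someone adds a row, so it is unreachable rather than accidentally open.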
![Page 26: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/26.jpg)
Webdevs and IoT demand the right appsec design center and footprint
![Page 27: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/27.jpg)
Federations must grow to accommodate outsourced access
I promise to Adhere-to-Terms once I get access using a valid RPT with the right authz data!
I promise to Adhere-to-Terms once the AS adds authz data to your RPT!
![Page 28: The New Venn of Access Control in the API-Mobile-IOT Era](https://reader038.vdocument.in/reader038/viewer/2022110118/554e657fb4c905ad178b55cd/html5/thumbnails/28.jpg)
IRM for healthcare requires serious security, privacy, and discoverability
[Diagram: multiple authorization servers (AS), resource servers (RS) and clients (C)]
• Likely EHR operators in the US
• Healthcare providers
• Wearables and other quantified-self apps
• “Mint for patients and caregivers”
Benefits
• Proactive, trackable consent directives
• Blue Button+-friendly data delivery
Challenges
• Sclerotic IT practices
• Nth-degree security, privacy, and discoverability requirements