synergies of cloud identity: putting it all together
DESCRIPTION
Synergistically using digital identity to securely adopt cloud computing, mobile, and social. Introduction to the "Neo Security Stack" of digital identity standards, namely OpenID Connect, OAuth, JWT, and SCIM, and how to use them together.
TRANSCRIPT
Synergies of Cloud Identity: Putting it All Together
By Travis Spencer, CEO
Agenda
• Impact of mobile and cloud on business
• Central role of identity in coping with these changes
• Using the different identity specs together to this end
Copyright (C) 2012 Twobo Technologies AB
Mobile is Changing Business
• 75% of mobiles in Scandinavia are smartphones; 50% in the rest of Europe & the US
• BYOD is a foregone conclusion for most
  – 90% of orgs will support corporate apps on personal devices by 2014
• 80% of orgs will use tablets by next year
Mobilizing Business Processes
• Workflows are a business's circulatory system
• Automation and efficiency are critical
• Mobile helps optimize these processes
Reusing Existing Technology
• Prior technology investments will remain on the books for years
• Existing data/systems must be available to mobile users and cloud services
• IT organizations need to bridge the old and new technologies
Seamless Access to Cloud Apps
• Giving employees new passwords for each cloud app is not secure or scalable
• 123456 is not a secure password, but cloud providers allow it!
• Existing OTP tokens are not supported
• Seamless cloud access is required
Crucial Security Concerns
• Enterprise Security
• API Security
• Mobile Security
Identity is Central
[Venn diagram by Gunnar Peterson: three overlapping circles, Mobile Security, API Security and Enterprise Security, with Identity at their common centre; the diagram also carries the labels MDM, MAM and AuthZ]
Neo-security Stack
• SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack
• OAuth 2 is the new meta-protocol defining how tokens are handled
• These address old requirements, solve new problems, and can be composed in useful ways
(Slide callouts: "Grandpa SAML & junior", "WS- again?", "OpenID Connect")
SAML + OAuth
• Relay OAuth token in SAML messages
• Use SAML tokens to authenticate OAuth clients or as the AS's output token format
• Use SAML SSO to authenticate users to AS
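The second bullet, a SAML assertion presented to the OAuth authorization server, is what RFC 7522 standardizes as the SAML bearer assertion grant. The following is an added example, not code from the slides or from Twobo: the client side builds the token request, and the AS side performs the checks RFC 7522 requires before issuing an access token. The issuer, token endpoint, subject and the sample assertion are constructed; the assertion is unsigned because XML signature verification needs xmlsec, so the validator is documented as running only after that step.

```python
# Added example (not from the slides): the SAML bearer assertion grant of
# RFC 7522, i.e. "use SAML tokens to authenticate OAuth clients" and as the
# authorization grant. Issuer, token endpoint and subject are assumed.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"

IDP = "https://idp.example.com"                  # assumed issuer
TOKEN_ENDPOINT = "https://as.example.com/token"  # assumed AS token endpoint

# Constructed sample assertion as the IdP would issue it to the client.
# A real one carries an enveloped ds:Signature; it is left out here because
# verifying it needs xmlsec, not the standard library.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0"
    IssueInstant="2012-06-01T10:00:00Z">
  <saml:Issuer>{IDP}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{TOKEN_ENDPOINT}"
          NotOnOrAfter="2012-06-01T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-06-01T09:59:00Z" NotOnOrAfter="2012-06-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>{TOKEN_ENDPOINT}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def build_token_request(assertion_xml: str, scope: str) -> dict:
    """Client side (RFC 7522 section 2.1): the assertion goes base64url-encoded,
    without padding, in the 'assertion' form parameter."""
    encoded = base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")
    return {"grant_type": GRANT_TYPE, "assertion": encoded, "scope": scope}


def decode_assertion(param: str) -> str:
    """AS side: restore padding and decode the 'assertion' parameter."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4)).decode()


def _saml_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(assertion_xml: str, issuer: str, token_endpoint: str, now_utc: str) -> str:
    """AS-side checks from RFC 7522 section 3; returns the subject NameID.
    now_utc is an ISO 8601 Zulu timestamp (the format SAML itself uses).
    Precondition: the XML signature has already been verified against the
    IdP's certificate (xmlsec); an unsigned assertion must never reach here."""
    now = _saml_time(now_utc)
    ns = {"saml": SAML_NS}
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    if root.findtext("saml:Issuer", namespaces=ns) != issuer:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", ns)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("Conditions/NotOnOrAfter is required")
    if now >= _saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    if cond.get("NotBefore") and now < _saml_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", ns)]
    if token_endpoint not in audiences:
        raise ValueError("audience does not include the token endpoint")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=ns)
    if not name_id:
        raise ValueError("Subject/NameID is required")
    # At least one bearer SubjectConfirmation must name this endpoint as
    # Recipient and still be within its own NotOnOrAfter.
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", ns):
        data = sc.find("saml:SubjectConfirmationData", ns)
        if sc.get("Method") != BEARER or data is None:
            continue
        if data.get("Recipient") == token_endpoint and data.get("NotOnOrAfter") \
                and now < _saml_time(data.get("NotOnOrAfter")):
            return name_id
    raise ValueError("no valid bearer SubjectConfirmation")


if __name__ == "__main__":
    form = build_token_request(SAMPLE_ASSERTION, "scim:read")
    print("POST", TOKEN_ENDPOINT, urlencode(form)[:80] + "...")
    subject = validate_assertion(decode_assertion(form["assertion"]), IDP, TOKEN_ENDPOINT,
                                 "2012-06-01T10:01:00Z")
    print("grant accepted for", subject)
```

Two things the block does not cover but a production AS must: replay protection (remember each assertion ID until its NotOnOrAfter passes and reject a second presentation), and binding the grant to the client that presents it (client authentication at the token endpoint, or the same assertion mechanism with the client as subject).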
SCIM + OAuth
• Use OAuth to secure SCIM API calls
• Use SCIM to create accounts needed to access APIs secured using OAuth
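What "use OAuth to secure SCIM API calls" looks like at the resource server, as an added example that is not code from the slides or from Twobo: every SCIM request must carry an RFC 6750 bearer token, the token must be active, and its scope must cover the operation, all checked before any request body is parsed. The token table, scope names and user store are constructed stand-ins for token introspection and a real directory; message shapes follow SCIM 2.0 (RFC 7644), which postdates this 2012 deck.

```python
# Added example (not from the slides): a SCIM resource server requiring an
# OAuth 2.0 bearer token (RFC 6750) and a matching scope on every call.
# Token values, scope names and the stores are constructed; message shapes
# follow SCIM 2.0 (RFC 7644).
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
SCIM_JSON = "application/scim+json"

# Constructed token table. A real resource server would introspect the token
# at the AS (RFC 7662) or validate a self-contained JWT instead.
TOKENS = {
    "tok-provisioner": {"sub": "hr-system", "scope": {"scim:read", "scim:write"}, "active": True},
    "tok-reader": {"sub": "audit-bot", "scope": {"scim:read"}, "active": True},
    "tok-revoked": {"sub": "old-app", "scope": {"scim:read", "scim:write"}, "active": False},
}
USERS: dict = {}  # id -> SCIM User resource


def scim_error(status: int, detail: str, scim_type: str = None, bearer_error: str = None) -> tuple:
    """SCIM error response; 401/403 carry the RFC 6750 WWW-Authenticate challenge."""
    body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    headers = {"Content-Type": SCIM_JSON}
    if status in (401, 403):
        challenge = 'Bearer realm="scim"'
        if bearer_error:
            challenge += f', error="{bearer_error}"'
        headers["WWW-Authenticate"] = challenge
    return status, headers, body


def authorize(headers: dict, required_scope: str):
    """Returns (token_info, None) on success or (None, error_response)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None, scim_error(401, "bearer token required")
    info = TOKENS.get(token)
    if info is None or not info["active"]:
        return None, scim_error(401, "token invalid, expired or revoked", bearer_error="invalid_token")
    if required_scope not in info["scope"]:
        return None, scim_error(403, f"scope {required_scope} required", bearer_error="insufficient_scope")
    return info, None


def handle(method: str, path: str, headers: dict, body: str = None) -> tuple:
    """Minimal SCIM /Users dispatcher: authorization happens before any parsing."""
    required = "scim:read" if method == "GET" else "scim:write"
    _, err = authorize(headers, required)
    if err:
        return err
    if method == "POST" and path == "/Users":
        user = json.loads(body or "{}")
        if SCIM_USER not in user.get("schemas", []) or not user.get("userName"):
            return scim_error(400, "schemas and userName are required", "invalidValue")
        if any(u["userName"] == user["userName"] for u in USERS.values()):
            return scim_error(409, "userName already exists", "uniqueness")
        user_id = f"u{len(USERS) + 1}"
        stored = {**user, "id": user_id,
                  "meta": {"resourceType": "User", "location": f"/Users/{user_id}"}}
        USERS[user_id] = stored
        return 201, {"Content-Type": SCIM_JSON, "Location": stored["meta"]["location"]}, stored
    if method == "GET" and path.startswith("/Users/"):
        user = USERS.get(path[len("/Users/"):])
        if user is None:
            return scim_error(404, "resource not found")
        return 200, {"Content-Type": SCIM_JSON}, user
    return scim_error(404, "unknown resource")


if __name__ == "__main__":
    alice = json.dumps({"schemas": [SCIM_USER], "userName": "alice"})
    print(handle("POST", "/Users", {"Authorization": "Bearer tok-provisioner"}, alice)[0])  # 201
    print(handle("POST", "/Users", {"Authorization": "Bearer tok-reader"}, alice)[0])       # 403
    print(handle("GET", "/Users/u1", {"Authorization": "Bearer tok-revoked"})[0])           # 401
```

Splitting read and write into separate scopes is the point: the HR system that provisions accounts and the auditing job that only reads them get different tokens, so a leaked read token cannot create or alter users.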
Push Tokens & Pull Identities
[Sequence diagram; parties: Browser, SP / SCIM Client, IdP / SCIM Server]
1. Browser → SP: federation message carrying an access token
2. SP (SCIM client) → IdP (SCIM server): Get User, authorized by that token
3. IdP (SCIM server) → SP: User Data
SCIM + SAML/OIC
• Carry SCIM attributes in SAML assertions (bindings for SCIM)
  – Enables JIT provisioning
  – Supplements SCIM API & schema
• Provision accounts using the SCIM API, updated before/after logon
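The JIT provisioning the first bullet enables, as an added example that is not code from the slides or from Twobo: at logon the SP pulls the SCIM attributes out of the SSO assertion, builds a SCIM User from them and upserts it. The convention that the SAML Attribute Name is the SCIM attribute URN is an assumption made for the example, as are the issuer, the attribute values and the in-memory store; signature and Conditions checks on the assertion are assumed to have happened before this code runs.

```python
# Added example (not from the slides): just-in-time provisioning at logon,
# mapping SCIM attributes carried in a SAML assertion to a SCIM User and
# upserting it. The Attribute Name = SCIM attribute URN convention, the
# issuer and the in-memory store are assumptions.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
MULTI_VALUED = {"emails", "phoneNumbers", "addresses", "groups"}

# Constructed sample: the AttributeStatement an IdP would add to the SSO
# assertion (signature and Conditions omitted; they are validated elsewhere).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_b2" Version="2.0"
    IssueInstant="2012-06-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{SCIM_USER}:userName">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{SCIM_USER}:name.givenName">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{SCIM_USER}:name.familyName">
      <saml:AttributeValue>Andersson</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{SCIM_USER}:emails">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      <saml:AttributeValue>alice@corp.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:department">
      <saml:AttributeValue>R&amp;D</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str):
    """Returns (NameID, {attribute name: [values]}) from the assertion."""
    ns = {"saml": SAML_NS}
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=ns)
    if not name_id:
        raise ValueError("assertion has no Subject/NameID")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", ns) if v.text]
    return name_id, attrs


def to_scim_user(name_id: str, attrs: dict) -> dict:
    """Build the SCIM User; NameID becomes externalId, the stable link to the IdP."""
    user = {"schemas": [SCIM_USER], "externalId": name_id}
    prefix = SCIM_USER + ":"
    for name, values in attrs.items():
        if not name.startswith(prefix) or not values:
            continue  # non-SCIM attributes are not provisioned
        path = name[len(prefix):].split(".")
        if path[0] in MULTI_VALUED:
            user[path[0]] = [{"value": v} for v in values]
            continue
        target = user
        for key in path[:-1]:           # dotted names become sub-attributes
            target = target.setdefault(key, {})
        target[path[-1]] = values[0]
    if "userName" not in user:
        raise ValueError("userName is required to provision a SCIM User")
    return user


def upsert(store: dict, user: dict):
    """Create on first logon, update afterwards. Matching on externalId rather
    than userName means a renamed user updates the existing account instead of
    leaving an orphan behind. Returns (id, created)."""
    for user_id, existing in store.items():
        if existing["externalId"] == user["externalId"]:
            existing.update({k: v for k, v in user.items() if k != "id"})
            return user_id, False
    user_id = f"u{len(store) + 1}"
    store[user_id] = {**user, "id": user_id}
    return user_id, True


if __name__ == "__main__":
    directory = {}
    nid, attrs = extract_attributes(SAMPLE_ASSERTION)
    print(upsert(directory, to_scim_user(nid, attrs)))  # ('u1', True)
```

Because the assertion is the only input, everything here is trusted exactly as far as the IdP's signature is; an SP that provisions from unsigned or unvalidated assertions lets anyone who can reach it create accounts.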
OpenID Connect
• Builds on OAuth for profile sharing
• Uses the flows optimized for user-consent scenarios
• Adds identity-based inputs/outputs to core OAuth messages
• Tokens are JWTs
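"Tokens are JWTs" is what makes the ID Token checkable by the relying party without a round trip, provided the RP actually checks it. The following is an added example, not code from the slides or from Twobo, of the RP-side validation from OpenID Connect Core section 3.1.3.7: signature first, then iss, aud/azp, exp, iat and nonce. The issuer, client id, secret and claim values are constructed, and HS256 with the client secret is used so that it runs on the standard library alone; an RS256 token needs the OP's JWKS and a JOSE library but the claim checks are the same.

```python
# Added example (not from the slides): validating an OpenID Connect ID Token,
# which is a JWT. Issuer, client id, secret and claim values are constructed.
# HS256 with the client secret is used so this runs on the standard library;
# RS256 tokens need the OP's JWKS and a JOSE library, the claim checks are the same.
import base64
import hashlib
import hmac
import json
import time

CLOCK_SKEW = 60  # seconds of tolerance on iat


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: str, alg: str = "HS256") -> str:
    """What the OP does (included only to produce input); alg='none' builds an
    unsigned token so the rejection path can be exercised."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_id_token(token: str, issuer: str, client_id: str, secret: str,
                      nonce: str, now: float = None) -> dict:
    """RP-side checks from OpenID Connect Core section 3.1.3.7; returns the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The RP decides the algorithm; honouring whatever 'alg' says lets an
    # attacker pick 'none' or swap RS256 for HS256 keyed with the public key.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))  # only after the signature holds
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("token not issued to this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client when aud lists several")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + CLOCK_SKEW:
        raise ValueError("iat in the future")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (replay or wrong session)")
    return claims


if __name__ == "__main__":
    claims = {"iss": "https://op.example.com", "sub": "alice", "aud": "client-123",
              "exp": 1600, "iat": 1000, "nonce": "n-0S6_WzA2Mj"}
    token = mint_id_token(claims, "s3cret")
    print(validate_id_token(token, "https://op.example.com", "client-123", "s3cret",
                            "n-0S6_WzA2Mj", now=1200)["sub"])  # alice
```

The nonce is the value the RP generated and stored in the user's session when it built the authentication request; comparing it here is what ties the ID Token to that browser session rather than to one an attacker started.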
User Managed Access
• Also extends OAuth 2
• Allows users to centrally control distribution of their identity data
• Used with Personal Data Stores (PDS) to create “identity data lockers”
Questions & Thanks
@2botech
@travisspencer
www.2botech.com
www.travisspencer.com