Presentation on theme: "This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner."— Presentation transcript:
Except
Both hub and spoke, as well as network of peers, faced challenges scaling.
- Some of these issues were technical.
- Some of these issues were value-related.
Communities of interest formed to address both challenges.
Enterprise federation today
The majority of enterprises do not participate in federations per se.
However, enterprises do use federation technologies to connect to externally-provided services.
Federation found its enterprise stride via SaaS adoption.
Except
The business isn't involved. Lawyers are involved.
- Appropriate use of attributes and other information is a legal agreement.
Business expectations are assumed to be met by the inherent value of the service.
Telekinesis
Want to effect the authorizations in a remote system
Provisioning local objects to effect remote authorization state
But this is a hoax
- Provision remote objects too
Spray old data everywhere
Lots of attributes being pushed
But now with less visibility!
- RPs don't know the quality of the data
- RPs don't know the data's "Sell By" date
- Information sources don't always know where the data went
Federation = Way to attach SaaS to the enterprise = SSO
Variety of techniques exist
Broad spectrum of federated provisioning techniques
- Manual one-off
- "Traditional"
- Creative
Service providers lack consistency
Service Provider User Management Tools
User management console:
- Allows administrator to manually create and manage user accounts and privileges
Bulk load operations:
- Most support .csv file uploads
Integration tools:
- Proprietary user management APIs
- Directory synchronization
- Support for IAM standards such as LDAP, SAML, SPML, etc.
The slide annotates these tool categories with "Majority" and "The select few".
Except
All of these approaches only solve a portion of the problem:
- Administrative authorization
- SSO
What happens with attributes and entitlements that get pushed to the federation partner/service?
The enterprise fixation with federated authentication is blinding it to the larger issue: federated authorization
A Part and Yet Apart
Each type of policy is maintained by separate teams with separate change management processes
Neither kind of policy is aware of the other
The teams maintaining these policies are usually disconnected as well
The Problem
To completely answer who can do what, both administrative and runtime environments must be examined
Lack of awareness and linkage of both environments prevents complete answers
Disconnected policies inhibit traceability
We do not know if we are faithfully fulfilling business controls
Things don’t get better in a federated scenario
Brain surgery with Buckaroo Banzai
No, no! Don't tug on that. You never know what it is attached to.
Manipulating attributes has unknown and unknowable consequences
Things don't get better in a federated scenario
Policy coherence is harder to achieve
- Administrative policies are typically tribal in nature
- Runtime policies are tribal in nature... and maintained by a different tribe!
- Examining both sets of policies together is nearly impossible
Federated SSO is not hard to establish
- What happens after sign-on is crucial... and it is often well out of sight of the IdP
Problems with our administrative tools
Traditional on-premise administrative IAM tools are push-oriented.
- These tools are "copy" not "reference" in nature.
Policies should be provisioned, not attributes
- Attributes should be referenced, not copied.
Authorization policies are increasingly split between administrative and run-time environments.
Problems with our runtime tools
Runtime authorization environments often have opaque policies.
- Hard to execute compliance-related activities.
Attribute and entitlement meaning is inferred and codified in varying ways.
What is acceptable use doesn't always make it into the authorization policies.
Problems with federated services
There are inconsistent ways of discovering entitlements
- And on-premise tools (especially IAG) don't know how to deal with that
Authorization policy is:
- Sometimes managed by the enterprise
- Sometimes by the RP
- Sometimes both
- And not rationalized against administrative policies
The problems beneath the problems
Our models are insufficient
- IAM tools do not model relationships well.
- IAM tools do not model context well.
Authorization is a problem of relationship and context.
- Federated authorization is more so
We push attributes instead of pulling them.
We lack mechanisms to share, distribute, and link authorization policy.
What you should do: Know and Map
Know your entitlements
- An entitlement catalog transforms tribal knowledge into institutional knowledge
Know your authorization policies
- Document authorization policies
- Try to close the gap between administrative and runtime authorization policies
Map attribute dependencies
- First step to addressing authorization policy coherence is knowing where shared attribute dependencies exist.
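Mapping attribute dependencies, as an added example that is not from the presentation: the policy format, entitlement names and attribute names below are constructed. The script cross-references administrative (provisioning) policies with runtime (relying-party) policies to surface the shared attribute dependencies and the gaps between the two policy sets.

```python
"""Map attribute dependencies across administrative and runtime authorization
policies. Added example, not from the presentation; the policy format and all
entitlement and attribute names are constructed for illustration."""
from collections import defaultdict

# Constructed administrative (provisioning-side) policies: for each entitlement
# pushed to a federation partner, the attributes the push decision depends on.
ADMIN_POLICIES = {
    "crm:account_manager": {"department", "employee_type", "region"},
    "crm:reader": {"employee_type"},
    "hr:payroll_admin": {"department", "cost_center"},
}

# Constructed runtime (relying-party-side) policies: for each entitlement, the
# attributes the RP actually evaluates when access is requested.
RUNTIME_POLICIES = {
    "crm:account_manager": {"region", "employee_type", "mfa_level"},
    "crm:reader": {"employee_type"},
    "hr:payroll_admin": set(),       # granted on presence alone, nothing checked
    "hr:auditor": {"department"},    # RP-managed; the enterprise never provisions it
}

def map_dependencies(admin, runtime):
    """Return shared attribute dependencies plus the gaps between the two policy
    sets, i.e. the raw material for an authorization policy coherence review."""
    shared = defaultdict(set)   # attribute -> entitlements both sides key on
    pushed_unchecked = {}       # entitlement -> attrs pushed but never evaluated
    checked_unpushed = {}       # entitlement -> attrs evaluated but not provisioned
    for ent in sorted(admin.keys() | runtime.keys()):
        a, r = admin.get(ent, set()), runtime.get(ent, set())
        for attr in a & r:
            shared[attr].add(ent)
        if a - r:
            pushed_unchecked[ent] = a - r
        if r - a:
            checked_unpushed[ent] = r - a
    return {
        "shared": dict(shared),
        "pushed_unchecked": pushed_unchecked,
        "checked_unpushed": checked_unpushed,
        # entitlements the enterprise provisions but the RP never gates on
        "granted_on_presence": sorted(e for e, r in runtime.items() if e in admin and not r),
        # entitlements the RP evaluates with no administrative policy at all
        "unprovisioned": sorted(runtime.keys() - admin.keys()),
    }

if __name__ == "__main__":
    report = map_dependencies(ADMIN_POLICIES, RUNTIME_POLICIES)
    for key, value in report.items():
        print(f"{key}: {value}")
```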
What can you do: Demand more
Enterprises often lag higher education and federal governments in federation sophistication
Vendors primarily selling to private enterprise will thus lag as well.
Bulk load interface ≠ acceptable federation solution
What we must do: Hasten evolution
The industry needs to move from pushing attributes to pushing authorization policies.
Relationships and context must become first-class citizens in the IAM world and its tools.
The enterprise notion of federation as glorified SSO must evolve.
Federation ≠ Way to attach SaaS to the enterprise ≠ SSO
Recommended Gartner Reading
- Achieving Greater Control Over Authorization (Ian Glazer)
- Combating Policy Sprawl: Identity and Access Governance and Externalized Authorization Management Systems (Ian Glazer)
- Upcoming: The Brave New World of Federation (Robin Wilton)
- Upcoming: Combating Policy Sprawl: Identity and Access Governance and Externalized Authorization Management Systems (Mark Diodati)