Kim Cameron

- The cloud cadence is the fastest way to get users new capabilities, including on-premises
- State-of-the-art cloud architectures provide the highest availability and scale with good TCO
- Significant innovation is occurring on the internet; ensure headroom for your solutions
In some ways, nothing new here. Just more challenging…
- As predicted, growing need for access while crossing boundaries
- Still need to be able to provision, authenticate, and authorize
- Still need to track, manage, and report
- With high availability, high scale, great management, low TCO, …
- But increasingly organizations control less of the solution
  - Applications and developers can be in other organizations and are probably on different or new platforms
  - Identities and profiles can be external, and need to be “validated”
  - And the regulatory complexity is growing
“Hybrid” is the Norm
- Current systems and applications remain critical indefinitely
- And you need to be able to integrate with applications in other organizations and with SaaS solutions
- Want to be able to deliver applications that are accessible to any device running anywhere
[Diagram: “Example of Microsoft Services”. Three domains: Enterprise, Enterprise’s Customers, Enterprise’s Partners. Components shown: DS, FIM, ADFS, Sync, Consumer ID (Facebook, Google, Live), Office 365 (Exchange, SharePoint, OCS), InTune (device management), Windows Azure Apps, App/Service management, Verified ID (DMV, banks, credit agencies), Markets, Sync Dir, ID (potentially not AD), HealthVault, Identity Management, Fed Svc, SQL Azure]
Claims-Based Identity
- Organizations like RBAC, entitlements, and other policy-driven approaches
- The claims model provides a comprehensive foundation to enable these solutions in a distributed, cloud-friendly manner; learn more at http://identityblog.com
- The technology generalizes the proven mechanisms found in Kerberos, PKI, SAML, ACLs, RBAC, entitlements, …
- These technologies are embedded in products from MS, IBM, Oracle, Ping as well as many existing and emerging standards
- Enables cross-organization collaboration and new scenarios, e.g. distributed delegation; distributed groups and role management; high-scale, capability-based access control; …
OED Definitions:
- An assertion is a “confident and forceful statement of fact or belief”.
- A claim is “an assertion of the truth of something, typically one which is disputed or in doubt”.
- Better than: “To state as being the case, without being able to give proof” (TD 0910)
- A claim is always spoken by some entity, and the fact that a claim is signed by that entity does not in itself reduce that doubt.
- Essence is building an infrastructure in which relying parties can deal with doubt
Need-to-know Internet:
- Internet services operating on behalf of ALL actors assume other services may be rogue and defend themselves
- Identity information released is ONLY that required for the transaction to complete (proportionality)
- Contextual linking should be opt-in by individuals in return for benefits, not done by services or behind their backs
- Compliance requirement: profile information must be isolated from natural identity
- Audit requirements should be proportionate to context (e.g. financial transactions, youth sites, search engines)
- Audit information should be visible only to auditors and only as required, so that auditing does not weaken overall Internet security and privacy
Clarify how identifiers relate to minimal disclosure:
- Wrong: Generally, identifiers and/or attributes will uniquely characterise an entity within a particular context.
- Right: Identity: A representation of an entity in the form of one or more attributes that allow the entity or entities to be sufficiently distinguished within a context.
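The points on the preceding slides can be shown together in a toy claims exchange: a claim is signed, but the signature alone does not settle the relying party's doubt (it still needs its own policy on which issuer it believes for which claim type); the issuer releases only what the transaction needs; and the identifier only has to distinguish the user within one relying party's context, so it can be derived per relying party rather than reused everywhere. This is an added Python example, not code from the slides or from any Microsoft product. The issuer names, keys, attribute store, relying party and trust policy are all constructed for the illustration, and HMAC stands in for a real public-key signature (with a real signature the relying party would hold only public keys).

```python
"""Toy claims exchange: issuer releases only requested claims under a per-relying-
party identifier; the relying party verifies the signature and then applies its
own trust policy per claim type. Everything here is constructed for the example."""
import base64
import hashlib
import hmac
import json

# Constructed issuer keys. HMAC secrets stand in for public-key signatures; in a
# real deployment the relying party would hold only the issuers' public keys.
ISSUER_KEYS = {
    "https://idp.example-enterprise.test": b"constructed-enterprise-idp-key",
    "https://dmv.example.test": b"constructed-dmv-key",
}

# Constructed attribute store: everything the enterprise IdP knows about a user.
ENTERPRISE_USERS = {
    "alice": {"name": "Alice Liddell", "email": "alice@example-enterprise.test",
              "department": "finance", "roles": ["approver"], "age_over_18": True},
}

# Issuer-side secret used only to derive pairwise identifiers (constructed).
PAIRWISE_SECRET = b"constructed-pairwise-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pairwise_id(user_id: str, rp_id: str) -> str:
    """Identifier that distinguishes the user within one relying party's context
    but cannot be matched against the identifier issued for another context."""
    mac = hmac.new(PAIRWISE_SECRET, f"{rp_id}\x00{user_id}".encode(), hashlib.sha256)
    return _b64(mac.digest()[:16])


def issue_token(issuer: str, user_id: str, attributes: dict, rp_id: str, requested: list) -> str:
    """Issuer side: release only the claim types the relying party asked for."""
    released = {k: attributes[k] for k in requested if k in attributes}
    payload = {"iss": issuer, "aud": rp_id, "sub": pairwise_id(user_id, rp_id), "claims": released}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(ISSUER_KEYS[issuer], body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, rp_id: str, trust_policy: dict) -> dict:
    """Relying-party side. The signature establishes who spoke; the trust policy
    (claim type -> issuers authoritative for it) decides whether to believe them.
    Raises ValueError when the token cannot be accepted at all."""
    body, sig = token.split(".")
    payload = json.loads(_unb64(body))
    issuer = payload["iss"]
    if issuer not in ISSUER_KEYS:
        raise ValueError("unknown issuer")
    expected = hmac.new(ISSUER_KEYS[issuer], body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    if payload["aud"] != rp_id:
        raise ValueError("token was issued for a different relying party")
    # A valid signature does not make the issuer authoritative for every claim type.
    accepted = {k: v for k, v in payload["claims"].items() if issuer in trust_policy.get(k, ())}
    return {"sub": payload["sub"], "claims": accepted}


# Constructed relying party and policy: an expense application that needs department
# and role from the enterprise directory, and will only believe an age claim if the
# DMV (not the enterprise IdP) vouches for it.
EXPENSE_APP = "https://expense-app.example.test"
EXPENSE_APP_POLICY = {
    "department": ("https://idp.example-enterprise.test",),
    "roles": ("https://idp.example-enterprise.test",),
    "age_over_18": ("https://dmv.example.test",),
}


def demo() -> dict:
    """Enterprise IdP releases three requested claims; the RP keeps only the two
    it trusts that issuer for, and never sees name or email at all."""
    token = issue_token("https://idp.example-enterprise.test", "alice",
                        ENTERPRISE_USERS["alice"], EXPENSE_APP, ["department", "roles", "age_over_18"])
    return verify_token(token, EXPENSE_APP, EXPENSE_APP_POLICY)


def rejects_tampering() -> bool:
    """Re-encode the payload with an inflated role but keep the original signature."""
    token = issue_token("https://idp.example-enterprise.test", "alice",
                        ENTERPRISE_USERS["alice"], EXPENSE_APP, ["roles"])
    body, sig = token.split(".")
    payload = json.loads(_unb64(body))
    payload["claims"]["roles"] = ["admin"]
    forged = _b64(json.dumps(payload, sort_keys=True).encode()) + "." + sig
    try:
        verify_token(forged, EXPENSE_APP, EXPENSE_APP_POLICY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("same user at two relying parties:", pairwise_id("alice", EXPENSE_APP),
          pairwise_id("alice", "https://hr-portal.example.test"))
    print("tampered token rejected:", rejects_tampering())
```

Running `demo()` returns only `department` and `roles`: `age_over_18` was released by the enterprise IdP, and the relying party's policy names the DMV as the only issuer it believes for that claim type, so the claim is dropped even though the signature verified. The `sub` value differs between the expense application and an HR portal for the same user, which is what the "sufficiently distinguished within a context" definition asks for without making the two contexts linkable.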
Cloud directory++ that
- Synchronizes with and synergizes with enterprise directory
- Shares a logical schema with enterprise and device directories
- Is multi-tenant
- Is secure (more than lip service!)
- Is based on “Privacy By Design”
  - Privacy of individuals
  - Privacy of enterprises
- Supports “hybrid applications”, e.g. SharePoint
- Shares and supports common policy system
[Diagram: Directory Service architecture. Components: Synchronization; Organization Data Models; Service Management; Authentication, Claims Transformation; Multi-tenant, Extensible, Secure Identity Store. Protocol endpoints: OpenID, SAML, WS-Fed, OAuth, LDAP, WS-Trust. Other labels: PE, Filter, xForm]
Identity Fabric (look at Windows Azure ACS V2)
- Loosely coupled approach built on interoperable protocols and claims-based architecture
- Integrated authentication and authorization spanning servers, cloud hosting environments, private clouds, extranets, and clients
- Authorization that enables coordinated, cross-system policies
- Seamless experiences: borderless collaboration (BYOI), SSO, integrated connectivity
- Deep integration applications
- Integrated device management, group policy
Core Identity Fabric
Developer Ecosystem
- Standards-based protocols for integration
- Great developer assets: Visual Studio and Marketplace integration
Integrated Management
- Common management on-premises and in the cloud
- Common experience across directories, applications and services
- Enhanced self-service
Core Identity Fabric