Dirk Krafzig, Manas Deb, Martin Frick: Digital Cookbook. Essential Recipes for the Digital Journey of Enterprises. For more details visit: https://digital-cookbook.com/. Graphic design by Knut Junker and Dietmar Grubert.
Chapter 11: Executing the Digital Transformation

[Cartoon caption: "What if unauthorised guests show up?" "No way. Only authorised personnel would pass the iris scan."]

Digital Identity
- Decouple digital identity and access control policies from your business logic and services
- Create and govern a catalogue of roles, data sensitivity levels and usage contexts
- Provide the greatest level of flexibility for consumers by enabling popular standards
11.7 Digital Identity
M. Yunus

Identity is the most fundamental tenet of establishing digital trust. As a producer of digital assets, you have to know who is interested in using your assets. A passenger has to present a passport to an officer who verifies their identity before letting them board a plane. Similarly, in the digital world, a consumer of your digital assets or services has to present credentials that prove a digital identity, such as a username and password, which the producer of the service has to verify before letting the consumer access the digital asset.

In the era of legacy mainframe systems, the burden of managing identity was low given the closed nature of such systems. As mainframes evolved into open distributed systems communicating over the Internet, identity management across internal systems and corporate boundaries became necessary. Identity stores such as LDAP [268] servers became the central system of record for identities, with a variety of standards such as Kerberos, SAML and OAuth enabling the sharing of identity information. With corporations rapidly adopting public cloud services, each with its own set of identity requirements, and users moving to mobile devices, handling a large variety of digital identities is now a critical issue for companies.

Layered on top of the efficient handling of identities is building mechanisms that prevent identity theft [269], an issue that continues to plague our society with profound political, financial and social impacts. Multifactor authentication, which requires additional factors (e.g. biometrics or SMS validation) beyond a simple username and password, is now becoming the norm for most organisations [270]. Not all second factors are equal: one-time codes sent by SMS can be intercepted through SIM swapping or weaknesses in the telephone network, so authenticator apps or hardware security keys are the stronger choice. Email systems such as Gmail from Google, and many online banking applications, now provide such multifactor capabilities. So, what are the challenges for large corporations?
Establishing identity (authentication): In a highly distributed ecosystem of IoT, cloud, mobile, enterprise systems and humans, each consumer of a service, human or machine, has to let the service know who is trying to invoke it. With artificial intelligence (AI) driven devices, such as Amazon Echo, Siri on the iPhone, autonomous drones and vehicles replacing human functions, the number of non-human services interacting with each other will inevitably surpass human-to-device interaction. These services have to consume digital identity tokens and then decide whether to allow the consumer, human or non-human, to use them. Once the service has properly interpreted the identity provided by a consumer, it then has to go to a central identity store, most likely an LDAP server, and check whether the consumer is on the list of known users. In a rapidly scaling digital API economy, a service consumer may quickly face the challenge that a producer service only knows how to interpret a single type of token, such as an OAuth bearer token [271]. It then becomes the responsibility of the consumer to provide the token in the correct format in order to invoke the service. This is, of course, neither user-friendly nor a policy that can be kept up to cover a global market.

Establishing access rights (authorisation): Who gets to see or use what is a simple exercise for a single application. Opening up hundreds or thousands of applications is a different story. Once a consumer's identity is validated by checking against an identity store, the next step is to decide whether or not the consumer should be given access to the requested service. Such digital access policies have to be established based on the value and sensitivity of the digital assets and the actions requested by the consumer. Managing authorisation involves understanding the business value of the digital asset, who should be allowed to use this asset and for what purpose, when it should be accessible and from where a user may request it.

Context is everything: As we just described, with a well-established digital identity, the next decision of whether or not to authorise the consumer to invoke a service usually involves a significant number of attributes, such as consumer location, clearance or membership level (e.g. TOP SECRET) and, most importantly, the content sent by and returned to the consumer. Without a deep business-level understanding of corporate data, user profiles and roles, service invocation patterns and the business partnership ecosystem, effective context-based access policies are impossible to implement. Once a corporate-level understanding is established, the next step is to use this knowledge to deploy an access control gateway. All identity policies and actions should be consistently enforced across an enterprise.

[268] Lightweight Directory Access Protocol.
[269] Pascual, A., Marchini, K., Miller, S.: 2017 Identity Fraud Study: Securing the Connected Life, Javelin Strategy & Research, 2017.
[270] Ackerman, P.: Impediments to Adoption of Two-Factor Authentication by Home End-Users, white paper, SANS Institute InfoSec Reading Room, 2017.
[271] OAuth (Open Authorization) is an open standard for token-based, delegated authorisation on the Internet. It is not an authentication protocol in itself; OpenID Connect is layered on top of it for sign-in.
They should be actively managed and audited for compliance with corporate governance directives. Letting API service producers and consumers code their own identity policies right into the business service components should be avoided at all costs, since it results in an inconsistent and non-auditable infrastructure with a high-risk profile. We therefore recommend establishing a centralised and dedicated identity layer, decoupled from business logic and services. This layer can be implemented by an API security gateway, which brings authentication, authorisation and context-based access control together in a centralised gateway model for strong governance. It provides deep, fine-grained content-based access control in a decoupled manner by sitting between the consumer and the producer services. Because every service behind it then trusts the gateway's decisions, the gateway must not be bypassable: producer services should accept only traffic that demonstrably passed through it (for example over mutual TLS between gateway and service), and the gateway itself becomes a high-value target that needs the same hardening and monitoring as the identity store. Through centralised access control policies, API security gateways enable rapid deployment of business services. This level of agility is crucial in an era of accelerating digital transformation.

[Figure: Consumer Access Layer. Elements: Consumer; Governance; Authentication; Authorisation; Token Management; Auditing; Identity Store Integration.]

Hybrid cloud environments with mobile end-user devices will continue to be the norm for most corporations. To succeed in a fast-moving, complex and heterogeneous environment, where flexibility and cooperation are expected by all partners, digital identity management is crucial. The digital economy is inherently entropic: more APIs continue to be produced and consumed, new data and identity standards continue to emerge, and enterprise boundaries and functions continue to blur. To flourish in this digital economy, it is imperative for everyone to build a scalable, flexible and agile architecture that adapts rapidly in an ever-changing environment without compromising security.
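As an added example (not the chapter's code and not Forum Systems' product), the gateway model from the authentication, authorisation and "context is everything" passages above in working Python: token verification against a central identity store, a context-based policy over roles, clearance, asset sensitivity, location and time of day, an audit trail of every decision, and a business service that contains no identity logic at all. The shared secret, the in-memory identity store standing in for LDAP, the asset sensitivity catalogue, the allowed-country rule and the business-hours rule are all constructed assumptions; the token format is a JWT-style HS256 bearer token, chosen for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

TOKEN_SECRET = b"gateway-shared-secret"        # assumption: HS256 key shared with the issuer

IDENTITY_STORE = {                             # constructed stand-in for the central LDAP store
    "alice": {"roles": ["analyst"], "clearance": 2},
    "sensor-42": {"roles": ["device"], "clearance": 0},
}
ASSET_SENSITIVITY = {                          # constructed catalogue of data sensitivity levels
    "/api/reports/public": 0,
    "/api/reports/financial": 2,
    "/api/reports/topsecret": 3,
}
ALLOWED_COUNTRIES_FOR_SENSITIVE = {"DE", "US"}  # assumed usage-context rule
AUDIT_LOG = []                                  # every gateway decision is recorded here


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, secret=TOKEN_SECRET, ttl=300, now=None):
    """Mint a JWT-style HS256 bearer token: header.payload.signature."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "exp": int(now + ttl)}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, secret=TOKEN_SECRET, now=None):
    """Return the subject of a valid, unexpired HS256 token, else None.
    The alg check refuses 'none' and algorithm-confusion tokens; the
    signature comparison is constant-time."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        now = time.time() if now is None else now
        if payload.get("exp", 0) <= now:
            return None
        return payload.get("sub")
    except (ValueError, TypeError, AttributeError):  # malformed base64, JSON or structure
        return None


@dataclass
class Request:
    method: str
    path: str
    token: str
    source_country: str   # usage-context attributes the gateway sees (constructed)
    hour_utc: int


def authorise(principal, req):
    """Context-based decision: who (roles, clearance), what (asset sensitivity),
    how (HTTP method), from where (country) and when (hour). Deny by default."""
    sensitivity = ASSET_SENSITIVITY.get(req.path)
    if sensitivity is None:
        return False, "unknown asset"
    if principal["clearance"] < sensitivity:
        return False, "clearance below asset sensitivity"
    if req.method != "GET" and "analyst" not in principal["roles"]:
        return False, "write requires analyst role"
    if sensitivity >= 2 and req.source_country not in ALLOWED_COUNTRIES_FOR_SENSITIVE:
        return False, "location not allowed for sensitive data"
    if sensitivity >= 3 and not 8 <= req.hour_utc < 18:
        return False, "sensitive asset outside business hours"
    return True, "ok"


def report_service(path):
    """The business service: no identity or policy code, it trusts the gateway."""
    return {"report": path.rsplit("/", 1)[-1], "rows": 3}


def _audit(req, subject, status, reason):
    AUDIT_LOG.append({"sub": subject, "method": req.method, "path": req.path,
                      "country": req.source_country, "status": status, "reason": reason})


def gateway(req, now=None):
    """Authenticate, look the principal up in the identity store, authorise,
    audit, and only then forward to the business service."""
    subject = verify_token(req.token, now=now)
    if subject is None:
        _audit(req, None, 401, "invalid or expired token")
        return 401, {"error": "invalid or expired token"}
    principal = IDENTITY_STORE.get(subject)
    if principal is None:
        _audit(req, subject, 401, "unknown principal")
        return 401, {"error": "unknown principal"}
    allowed, reason = authorise(principal, req)
    if not allowed:
        _audit(req, subject, 403, reason)
        return 403, {"error": reason}
    _audit(req, subject, 200, "ok")
    return 200, report_service(req.path)


if __name__ == "__main__":
    t = issue_token("alice")
    print(gateway(Request("GET", "/api/reports/financial", t, "DE", 10)))
    print(gateway(Request("GET", "/api/reports/topsecret", t, "DE", 10)))
    print(AUDIT_LOG)
```

The two checks in `verify_token` that hand-rolled validators most often omit are the explicit algorithm check and the constant-time signature comparison. In a real deployment the gateway should use a maintained JWT library and an asymmetric algorithm, so that it holds only a verification key and no signing secret, and should accept other token formats from consumers by normalising each to the same principal before the policy step.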
Guest Authors

Mamoon Yunus is a visionary in API, cloud and XML-based technologies. As the founder of Forum Systems, Yunus pioneered API security gateways and firewalls with the only granted patent for XML network appliances. For over 15 years, he has spearheaded award-winning API and XML security products. Yunus holds two graduate degrees in engineering from MIT and a BSME from the Georgia Institute of Technology. Yunus enjoys playing squash and running computations on GPUs.