Middleware, Ten Years In: Vapority into Reality into Virtuality


Middleware, Ten Years In: Vapority into Reality into Virtuality Dr. Ken Klingenstein, Senior Director, Middleware and Security, Internet2 Technologist, University of Colorado at Boulder

Topics
- Middleware, Ten Years In: From Vapor to Reality
  - Some of the successes
  - Some of the failures
- Middleware, Ten Years Forward: From Reality to Virtuality
  - Organizations
  - Resources
  - Communities
- From Virtuality back to Reality

Before there was middleware (diagram: apps only)

First Vapors
- When end-user PKI was months away
- When the big application houses didn't care about middleware
- We knew it was something about authentication and authorization
- We couldn't agree about much: payloads or protocols or spelling

In the beginning (diagram: apps, directories, authentication)

Dealing with the apps (diagram: apps, directories, authentication)

Filling out the portfolio (diagram: directories, authentication, groups, privileges, authorization)

Federation (diagram: several organizations, each with directories and authentication, joined through federation)

COmanage (diagram: the federation picture above, with COmanage added)

Vapors become Reality
- When end-user PKI was months away
- When the big application houses care so much they have to own it
- Middleware as the new lock-in point
- Federation as identity infrastructure and attributes as the payloads
- IdM not a local industry anymore

Some of the successes
- Building a fundamental new layer of Internet infrastructure
- Engaging a broad and growing international group of expertise
- Crafting a larger world that works for the R&E needs
- Proving that security and privacy can work together

More successes
- Focusing on the schema early on
- Coming together around SAML, and getting the rest of the world to come along
- Working towards scaling (rough consensus and running code)
- Seeing parts of other worlds

Some of the failures
- The directory of directories
- End-to-end end-user PKI
- Establishing resources to support the infrastructure
- Diagnostics
- The rest of the middleware stack

Middleware, Ten Years Forward
- Working on Attributes and Federation
  - Growing our federations
  - Interfederation and Soup
  - The Attribute Ecosystem
  - Learning the Tao of Attributes
- Building and Managing the Virtual
- Integration, Integration, Integration

Growing our Federations
- Deciding on the services
  - Core services: identity/attributes for access controls
  - Value added services: content aggregation, roaming, PKI and SSL services, collaboration platforms, Silver
- Finding the business models
- Finding the governance structures
- Making a marketplace

Interfederation and Soup
- Interfederation is essential to scale
  - Across vertical sectors
  - Internationally
  - To the consumer marketplace
- Confederation and overlays will also exist
- Soup
  - Institutional groups that cut across segments: geography, shared business purpose, etc.
  - A mix of special purpose and infrastructure federations, tangled together

Attribute ecosystem use cases
- Obtaining student consent for information release
- FEMA needing first responders' attributes and qualifications dynamically
- High-confidence attributes
- Access-ability use cases
- AAMC step-up authentication possibilities
- Public input processes
- Grid relying parties aggregating VO and campus
- The IEEE problem
- The "over legal age" and the "difference in legal ages" use cases
- Self-asserted attributes: friend, interests, preferences, etc.

Attribute Ecosystem Key Issues
- Attribute aggregation
- Attribute metadata
- Sources of authority and delegation
- Schema management, mapping, etc.
- User interface
- Privacy and legal issues

Attribute aggregation
- Gathering attributes from multiple sources
  - From an IdP or several IdPs
  - From other sources of authority
  - From intermediaries such as portals
- Static and dynamic acquisition
- Many linking strategies
- Will require a variety of standardized mechanisms: bulk feeds, user-activated links, triggers

Attribute metadata
- Federated attributes need common meaning
- Representation of meaning
  - At a system level
  - At a user level
- LOA associated with the value assigned
  - Code + data equals programs
  - LOA itself faces re-interpretations
  - Separation of the components of LOA
  - Use of step-up authentication

Sources of authority
- Who gets to assign semantics (and syntax) to an area?
- How can they delegate assignment of value?
- What needs to be retained for audit/diagnostics?
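The three slides above (aggregation across sources, per-value LOA metadata with step-up, and sources of authority) describe one relying-party decision. The following added example, not from the talk or any Internet2 software, sketches it in Python: each asserted value carries its source and LOA, an assumed authority registry decides which sources may speak for which attribute, non-authoritative claims are dropped rather than merged, and a policy requiring a minimum LOA yields "allow", "step-up" or "deny". All entity names and values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AttrValue:
    name: str     # attribute name, e.g. "affiliation"
    value: str    # asserted value
    source: str   # entity asserting it (an IdP, a registry, the user, a portal)
    loa: int      # level of assurance the source attaches to this value

# Assumed registry of sources of authority per attribute (hypothetical entity IDs).
AUTHORITY = {
    "affiliation": {"urn:example:idp:campus"},
    "firstResponderRole": {"urn:example:fema:registry"},
    "interests": {"self"},  # self-asserted attributes: the user is the authority
}

def aggregate(assertions):
    """Keep one value per attribute, only from an authoritative source,
    preferring the highest LOA; everything else is dropped and reported."""
    best, rejected = {}, []
    for a in assertions:
        if a.source not in AUTHORITY.get(a.name, set()):
            rejected.append(a)  # retained for audit/diagnostics, never merged
            continue
        cur = best.get(a.name)
        if cur is None or a.loa > cur.loa:
            best[a.name] = a
    return best, rejected

def decide(attrs, required):
    """required maps attribute -> (expected value, minimum LOA).
    A missing or wrong value denies; a right value at too low an LOA
    asks for step-up authentication instead of denying outright."""
    outcome = "allow"
    for name, (value, min_loa) in required.items():
        a = attrs.get(name)
        if a is None or a.value != value:
            return "deny"
        if a.loa < min_loa:
            outcome = "step-up"
    return outcome

def sample_assertions():
    """Constructed sample: campus IdP, FEMA registry, the user, and a portal
    intermediary that claims a role it is not authoritative for."""
    return [
        AttrValue("affiliation", "faculty", "urn:example:idp:campus", 2),
        AttrValue("firstResponderRole", "EMT", "urn:example:portal", 3),
        AttrValue("firstResponderRole", "EMT", "urn:example:fema:registry", 1),
        AttrValue("interests", "gardening", "self", 0),
    ]
```

The portal's LOA-3 claim is discarded even though it is "stronger", because LOA only means something when attached to a value from the source entitled to assign it.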

Schema management, mappings
- Registries for schema
- Role of national-level schema
- How to avoid mappings
- How to handle mappings

User Interface
- It's the attributes: urn:mace:incommon:entitlement:clue:zero, deprecated
- Needs include translating OIDs to English, informing the user of the consequences of a release decision, recording consent, and getting the defaults right so that the interface is seldom used
- Metaphors such as InfoCard are useful, but will need extensions and utilization

Privacy management
- Two approaches emerging
  - uApprove: http://www.switch.ch/aai/support/tools/uapprove.html
  - InfoCard/Higgins
- Who sets attribute release policies?
- Who overrides the settings?
- What logs are kept?

GSA Workshop: The Tao of Attributes
- Begin exploring the attribute issues
- Using federal use cases, including
  - Citizenship, voting residency
  - Access-abilities
  - First responder capabilities
  - PI-person
- Motivate the larger requirements, drive privacy policies
- Explore rich query languages, etc.
- All-star cast at the end of September at NIH

Virtuality
- Virtual Communities
- Virtual Machine Appliances
- Virtual Services
- Internet protocols with trust and identity

Virtual Communities
- A virtual enterprise that wants to play real well with real enterprises
- Needs coordinated identity management for collaboration and domain tools

Virtual Machine Appliances
- Allow clueless groups and other VOs to handle collaborations
- Brilliant way to handle peak load requirements
- Vexing issues of application updates, coordination of configuration among apps, etc.
- Must fit fully in the attribute ecosystem and reshape themselves on need

Virtual Services
- Clouds as low-start-up, largely scalable cyberinfrastructure
  - Cycles, storage, collaboration
  - Fits into the domestication paradigm
- Clouds as legally tangled, non-standard, confusing
  - Location and ownership of data
  - Ability to adapt to new protocols
  - Proprietary cloud internals

Integration, Integration and Integration
- Of types of Internet identity
- Of identity with protocols
- Domestication of applications

Internet identity
- Federated identity
  - Enterprise centric, exponentially growing, privacy preserving, rich attribute mechanisms
  - Requires lawyers, infrastructure, etc.
- User centric identity
  - P2P, rapidly growing, light-weight
  - Marketplace is fractured; products are getting heavier to deal with privacy, attributes, etc.
- Unifying layers emerging: Cardspace, Higgins, OAuth

Integration
- Different forms of Internet identity will exist, serving different purposes, arising from different constituencies
- The trick is the intelligent integration of the technologies, at user and application level
- Cross-overs are happening
  - Shib and OpenID
  - SAML and high assurance PKI (holder of key)
  - InfoCard/Higgins as an overarching user experience
  - Federation and portal integration

Integration of identity and protocols
- Trust, Identity and the Internet: ISOC initiative to introduce trust- and identity-leveraged capabilities to many RFCs and protocols
- Acknowledges the assumptions of the original protocols about the fine nature of our friends on the Internet, and the subsequent realities
- http://www.isoc.org/isoc/mission/initiative/trust.shtml
- First target area is DKIM; subsequent targets include federated calendaring and sharing, firewall traversal

Domestication of Applications
- Identity, groups, roles, privileges
- What else to integrate?
- At what layers to specify the integration?
- How to integrate across the layered domestication specifications
- How much domestication is too much?

Virtuality back into Reality
- Our use cases continue to lead the corporate sector
- Our needs are more urgent than they are different
- Our students become the new consumers
- The shared vision is more powerful than the individuals who share it

We've Lost Some Along the Way

We've Picked Up Some New Ones

Final Thoughts
- Important, if somewhat invisible, work has been done
- There are significant opportunities ahead
- It's been a ride