Architecting a Cloud-Scale Identity Fabric, by Eric Olden

Execution Environments for Distributed Computing
By João Rosa, Mário Almeida and Alex 'El Baron'

Barcelona, 23 April 2012

Upload: mario-almeida

Post on 19-Jan-2015

DESCRIPTION

(Check my blog @ http://www.marioalmeida.eu/ )

TRANSCRIPT

Outline (1/2)

Introduction
● Cloud benefits
● Identity problem

Identity stack
● Authorization
● Authentication
● User account management
● Auditing
● Cloud Platform Architecture

Outline (2/2)

Identity properties
● Integration
● Network effect
● Abstraction

Identity as a service

Conclusion

Introduction

Cloud benefits

● Access to a shared pool of configurable computing resources.
● Elastic scalability.
● Reliability, availability and flexibility.

Identity problem (1/3)

It's young! Not fully trustworthy!

Identity problem (2/3)

There isn't a strategy to handle the enormous volume of user identities.

Identity problem (3/3)

Identity management is a key bottleneck to cloud adoption!

Identity stack

Authorization

The problem: Authorization must evolve to a distributed model to support users outside the network firewall.

The solution: Authorization in Depth, Grouping Access, Distributed Federated Model.

Authentication

The problem: SAML is not widely adopted in the enterprise apps world.

The solution: HTTP authentication standard.

User Account Management

The problem: every app performs user management differently.

The solution: standardization of user management APIs.

Auditing

The problem: overcome the lack of visibility in user access.

The solution: framework to understand the global jurisdictional rules.

Cloud Platform Architecture

The problem: virtualized platforms suffer a huge decrease in performance at high utilization rates.

The solution: proxy-based approach.

Identity properties

Integration (1/2)

One-to-many federated identity model

Integration (2/2)

Example:
● 10,000 users that access 15 apps.
● In a one-to-one model, this requires 150,000 credentials (passwords).
● Resetting a credential once a year via a $30 help desk results in a $4.5 million expense.

If licensing, deployment, integration, and maintenance costs are $50,000 per connection (15 apps), the total expense would be $750,000.

Network effect

As more users and apps are integrated in the identity network, these benefits extend to other network members simply by virtue of their being connected.

Abstraction

Enterprises must be able to use more than one type of authentication depending on the level of risk associated with an app.

Abstraction

● Externalize identity functions for Web apps in public or private clouds.
● Focus on improving apps.
● Enterprises can manage identity across multiple apps more efficiently.

Identity as a service

Identity as a service

● Think less about identity technology and focus on service-level agreements and service management.
● Move from a company-owned to a service-provider-owned and operated identity management approach.

Consumerization

Consumer-based web apps

Consumerization

Unexpected viral adoption or porting an app server to the cloud. Each identity integration point becomes a stress point, and each credential creates a broader attack surface and potential help desk expense.

Conclusions

Conclusions

Facebook has exploded in popularity, with more than 550 million users. The support for identity sharing via OpenID made hundreds of millions of people suddenly have OpenID credentials.

Conclusions

An identity access fabric linking enterprises to the cloud is not only relevant but also necessary.

Conclusions

An identity fabric:

● provides secure linkage between the enterprise and the cloud.
● reduces the number of identities and scales better.
● enables full-scale cloud adoption.
● provides an infrastructure service with on-demand dial-tone quality.
● benefits users, administrators, vendors, and service providers in dramatic ways.

Questions

References

- Architecting a Cloud-Scale Identity Fabric, Eric Olden, Symplified
- Images (CC rights): http://www.flickr.com/photos/mobilestreetlife/4278659537/
