Webinar Recording

The Future of Federation


Federated authentication is the bedrock of secure Cloud access control. It enables organisations to extend their business operations beyond their network boundaries and join identity repositories from multiple sources and access multiple service providers using the same authentication environment.

Good morning, good afternoon, good evening, ladies and gentlemen. Welcome to our webinar, The Future of Federation: experience from the field and what to expect in future. We have a number of speakers today. We have with us Andre Durand, who's CEO of Ping Identity. We have Mark Goodell and Craig Gilmore of Unify Solutions. We have Graham Williamson, who's the managing director of KuppingerCole Asia Pacific. And we have me, Martin Kuppinger, the founder and principal analyst of KuppingerCole. The topic today, as the title indicates, will be Federation: the concrete track record and experience from the field, as well as where identity Federation is moving. That will be the part where we do an interview-style conversation between Andre and me. So let's move forward. I hand over to Graham Williamson, who will guide you through the first part of this webinar.
Thanks, Martin, and welcome to each and every participant today. Here's the ubiquitous company slide for those of you who aren't aware of the breadth of KuppingerCole services. There are basically three legs to the stool. There's research services, and I think it's fair to say that KuppingerCole has probably the largest, most detailed research database in terms of identity and access management products and services, and interesting concepts on where we are going with identity and access management and the futures that we need to be aware of, particularly important as we approach the cloud environment, migration to the cloud, and support for external devices. Advisory services, as the name suggests, are analyst services that are available either remotely via webinar or on site. Analyst services go to helping our customers avoid mistakes, helping our customers make the most of their identity and access management environments to leverage those assets, and just making sure that as projects proceed, they are done in a timely and managed fashion.
And finally, there's the events. The largest event has just happened: it's the European Identity and Cloud Conference that's held every May in Munich. The next one, if you missed it, is May 12th, 2016, again in Munich. If I could just have the next slide please, Martin, because I do want to talk about the Asia Pacific event. We have an event coming up in the first week of November. It's at the RACV club in Melbourne, and each and every one of you is invited to attend. It'll be two days of in-depth seminars on a variety of identity and access management topics. In terms of our agenda for today:
Sorry, we'd better go through the guidelines first. The participants are muted for the duration of the webinar, but we do encourage you to enter your questions in the question box in the management side of your webinar screen. The questions and answers are very important for us because they allow us to know whether we are connecting, whether or not we are actually fulfilling and satisfying your requirements. So please enter your questions as we go along, and we will have a Q and A period at the end. The webinar will be recorded, and the recording will be made available to the participants. In terms of the agenda, Martin's done the introductions. Thank you, Martin. We're now going to go through a look at a use case, the Queensland Department of Education. Following that there will be the main body of the webinar, which will be the discussion with Andre in terms of the future of Federation, followed up at the end with a Q and A session where we can address your interests in a more direct fashion. So moving ahead then with the Department of Education, I'm very pleased to have with us here today Craig Gilmore, who's the project manager for the activity, and he's going to be able to help us with the questions that we have to pose to him. First, Craig, maybe you can just tell us a little bit about the installation itself, the size of the Department of Education in Queensland, and a little bit about the challenges that needed to be solved as you looked at this deployment.
Okay. Thanks, Graham. Hello everyone. The Department of Education and Training in Queensland is one of the largest government departments in this state. There are a number of sections of the department, but the primary area with the largest number of users is the school department, which has under its coverage over 1300 schools spread across the entire state of Queensland. Some of these schools are quite geographically remote. There are approximately 100,000 staff and 530,000 school students ranging from preschool all the way through to year 12. So the Department of Education and Training has a long history of being an early adopter of identity and access management, and understands the importance of managing users and access to systems in order to deliver resources to the school students and also to put the tools in the hands of the teachers to deliver the educational requirements.
Very good. Thank you. And in terms of their requirement for Federation, what was the driving need that made them want to put in a Federation environment?
Okay, well, the Department of Education had a large, what most people refer to as identity 1.0, implementation, including some services around web access management as well as provisioning. Over time, as they started to adjust to the new requirements with cloud-based services and really the large number of applications and services coming online, they needed to come up with a model that was a little bit less intensive in terms of overhead and support. So they needed to come to a model that was more loosely coupled and allowed the application owners to build and develop somewhat independently and then integrate with a common set of services. And Federation really was the goal there. Some of the heavy-duty network infrastructure involved in the original suite vendor meant that troubleshooting access and managing the user experience was quite time-consuming and difficult to do.
Okay. In terms of the selection of Ping, the PingFederate product, were there any particular attributes of Ping that they found attractive for the task that they had to undertake?
Yes. Well, there were a number of key drivers, and first and foremost was to provide a platform that would support them for the future. As this cloud wave continued, as more applications came online, as mobile became more prominent, would this platform be able to support them into the future? The second thing was they needed to have something that was reasonably easy to manage and support, and a good relationship with the vendor. A third point was flexibility. Like any large organization, they had a large number of applications, some that were directly LDAP integrated, some that were legacy and needed a reverse proxy, some that supported Federation. So they needed something that could manage quite a non-homogeneous environment, with different platforms from Java to Microsoft and so on.
So the connectors that Ping has were an attractive component of the offering?
Yes. Combined with PingAccess, the reverse proxy component, to deliver that like-for-like replacement of the suite technology that was in place.
Gotcha.
But one of the biggest drivers was support for Office 365. There was a very large deployment of Office 365 that was being planned and has now been completed, and they needed to be able to support authentication from the Azure platform back on premise. In fact, generally strong Microsoft support was required in the department due to their relationship with that vendor, and to be able to support the rich clients such as Outlook and Lync and mobile authentication through Office 365. Ping was one of the few vendors that could tick all the boxes on that front.
Right. Briefly, what was Unify's role in the project?
Okay. Unify's role as strategic advisors to the department was, in this particular instance, to run the deployment from project management all the way through to design and implementation.
And are there still some challenges there?
Most definitely. When you're dealing with a large environment, probably the biggest challenge was the rapid deployment that was mandated by the department, where we replaced close to 30 applications and supporting applications that had over 600,000 users accessing them. And all this was done in approximately four to five months. So it required large engagement from the client themselves to carry out all of the normal change management processes and on-prem infrastructure requirements. It was certainly a joint engagement with staff from Unify and also staff from the department, and very ably supported by Ping themselves, who assigned some technical resources for us to bounce our designs off. We even had someone fly out for several weeks during the tail end of the project to ensure that everything went smoothly.
Excellent. And what about future plans?
Well, yes, when we took a breath after we'd completed the first rollout, there was this pent-up demand from a number of fronts for cloud-based applications to come online to support the schools, as they started to want to engage with all of the vendors out there putting up library services or online services. So it certainly hasn't stopped. We're constantly looking at bringing new applications online and putting patterns in place to make that simpler, so it can be run predominantly by the department themselves.
Understood. Well, look, thanks very much, Craig. I really appreciate your comments there and helping us understand a little bit about the Department of Education implementation. I'll now transfer back to Martin, and Martin will look after the interview component with Andre.
Okay. Thank you, Graham, and thank you, Craig, for that information from the field. So as Graham already said, right now we'll have a more interview-style conversation, with me asking the questions and Andre answering them, around where these things are moving in Federation, and it probably touches more than purely Federation. The one thing I really want to start with is: we hear a lot of people, including you, talking about identity as the new perimeter. So is identity the new perimeter, or one of many perimeters, and why is identity the new perimeter? Why is it becoming so important? If I go back some years, when I had to explain what I'm doing as an analyst in the identity management field, it took me quite a while to explain it to someone not from that small field. Right now, everyone has understood it. So that might be an indicator that identity really is far more important than it has ever been before. So, Andre, what's your point on that?
Well, good morning, Martin. It's an interesting comment that in some respects might be a little bit overreaching, to say that the perimeter is dead, that there is no inside or outside. Manifestations in the physical world and the virtual world often do resemble one another, and in the physical world, while the concepts of perimeter security and bastion security and walls historically have changed over the years, we still have plenty of examples today in modern society where physical security and walls still do protect things. It's just become more granular and changed. I think what's interesting about this comment is: let's assume we have lots of perimeters, but users are crossing those boundaries with every click of the browser. What we're really describing is the fact that enabling access to many security domains seamlessly requires that we create a new, call it, logical perimeter. And I think maybe this quote captures the notion that identity now is redefining a logical perimeter of how we access things, as we are crossing many boundaries with every click of a link in a browser or every click of an app on a mobile phone. Does that make sense?
Yeah, that definitely makes sense. It also means we are not talking only about identities of humans anymore.
Yeah. In the grand scheme of what I would call the mission of all of us involved in the identity world, I would simply say our mission is to connect everything to everything securely, while enabling convenience for the end users and control for those that rightfully need control, say control for IT as an example.
So that means we have to understand the identity of everything and control the access of everything and everyone to other things or other persons. Correct?
Yeah. Certainly I don't have to have access to everything, but when you really add up the aggregate mandate for the identity infrastructure, it is to enable secure connectivity, which is where I came up with the statement that we're connecting everything to everything. To your earlier question, the interesting step in how we will do this is that we will create an identity infrastructure capable of identifying users, apps, services, API endpoints, and devices. Then we will build the additional software management capabilities to define the relationships between those identities. As I think about identity management, it is the combination of those two things: help identify everything that needs to be secured, and then help define the appropriate relationships.
Okay. So this also leads us to what you originally called an identity defined security platform. From what you said, I think the first of the questions we see on the slide is already a little bit answered: there can't be security without identity awareness. Nevertheless, I think we still see a lot of security components which do not act in the context of security. So do we need to change that? And if you go for an approach of such an identity defined security platform, what does this approach consist of, more concretely, more specifically?
The rationale behind the introduction of the term identity defined security is a purposeful attempt at taking the conversation of traditional security and the conversation of identity and melding them together. Ultimately the individuals involved on either side, traditional security or identity management, are both trying to achieve the same thing. We are both attempting to protect assets and enable the right people to access the right things. The approach is different. The traditional security approach was to put the assets we were looking to protect in a place to create a green zone, and then to create a barrier between the malicious and unknown and those protected assets in the green zone. The goal of identity is to do the exact same thing, but we pivot the entire infrastructure upon the concept of knowing the user and knowing where the user's going, and creating, call it, a secure tunnel between the two. So the goal of the two industries is very similar, the approaches are very different, and all we're doing in highlighting that is bringing these two things together, which frankly are being brought together anyway with the adoption of cloud and mobile. It's forcing a redefinition of where we put the perimeter and how we think of the boundary. And it's putting a spotlight on the one construct that holds the promise, or say the key, to a secure world that's highly distributed, and that key is identity.
Okay. So what you're really saying is that with the shift to cloud computing and mobile computing, we have no other option than to move to what you call an identity defined security platform, to really put identity at the center. And again, identity in the broader sense of not only humans, but more.
Yeah, certainly it's not just humans. It's everything that we attempt to secure: the humans on the one side, the apps and services and data on the other, and the devices in the middle that enable access. Each one of those has an identity and has a relationship to one another that needs to ultimately get defined. But your point about cloud and mobile driving the importance of identity is kind of captured in what I denoted at the EIC conference. It's a CTO office term called coffee shop IT, and it's the notion that anytime, any place, anywhere, any device work has actually been enabled now, and that's the user accessing cloud apps on their cell phone. Okay.
We will touch on coffee shop IT later. So let us take a little time before we go into the coffee shop IT thing. It's one of the items I have on my list for this conversation already, but I think we are fully on the same page. Maybe you can touch on one topic when we talk about this type of communication and this far broader variety. I'm not a big friend of the term API, because it's a little bit too technical, this application programming interface, but maybe you can quickly touch on the role APIs and identities, and access and control of access through APIs, play in that entire conversation. Because from what I see and what I know, it's an increasingly important aspect here.
So there are lots of ways in which humans and apps and services interact with one another. APIs are the loosely coupled construct of two different systems having a conversation and knowing how that conversation is formatted. In my view of the world, whether it's a user on a mobile phone requesting information from a service through APIs, or a user on their mobile phone with their browser accessing the same information, the concept that we need to secure who the user is making the request is universal, irrespective of those two channels, one being a web services channel and the other being a user-in-front-of-a-browser channel.
I think the point behind what you're saying is that we not only have to concentrate on the traditional approach, where we assume someone is sitting in front of the browser and accessing a service; we have a far more complex world where someone can sit in front of his phone, which uses an app to connect to a variety of services, and we still have to understand that this is the whatever Martin Kuppinger who is doing it, even while there's something happening in the background using APIs, et cetera.
Yeah. It's still Andre Durand accessing information. How do I authorize it, irrespective of whether it came in through an API or a web browser request?
Okay. Let's move to another aspect, and also one of those things which I think concern people to some degree. So we have to do more around security. We have to become better, because the threat landscape is changing with more and more threats, and also more complex and really dangerous threats. So we have to work on security. Will user experience decline, or even massively decline, as security increases? I think that's still the perception of many people. Or can we have both?
Traditionally there's been a lot of compromise in user experience as stronger forms of security were deployed. It doesn't have to be the case. I would argue that single sign-on, as a use case of identity, is one of the few security technologies which actually improves the user experience rather than making it worse. A lot of the mechanisms of authentication that go beyond passwords have also historically made the user experience worse. Clicking a button on an OTP and then typing in a number didn't make the experience better when adding a second factor of authentication, but I don't think it has to be the case. I would say that the enabler for seamless yet stronger security, in our whole world of authentication, is the mobile phone. And I would argue that there are two categories of security slash authentication.
One that I think will make the user experience worse, and one that can make the user experience, not necessarily better, but let's say no worse, and stronger at the same time. I just call this passive versus active. An active mechanism of authentication requires a user to do something, a behavioral change that's different, in order for them to enact stronger security. A passive factor of authentication, for example, might be simply leveraging the location of the device, the mobile phone, as a factor of authentication. When the device and the user holding that device are in a known location, that's one level of risk. When they're in an unknown location, it's a different, I'll say a higher, level of risk. That's an example of passive authentication that strengthens the binding of the user in charge of that session without changing the user behavior. I'm a huge fan of all the mechanisms of passively strengthening user authentication. And like I said, I think the key to that is leveraging the capabilities of the connected device that's in our pocket.
So you're talking about the world of adaptive authentication and authorization here as well, and bringing in the concept of context and risk, saying we can do a lot of things where we improve the strength of our security by understanding the context, and not having sort of a black-and-white security where we say either you're authenticated and you're good, or you're not authenticated and you're bad. You might be authenticated, and depending on your context we decide about risk, and let you do more or less. Is it that?
Yeah, I think that's, call it, smart identity. I think we've been bringing a mallet to kill a mosquito for a long time, and users haven't been appreciating it, and the cost of doing so also wasn't great. I just think we live in a world where much smarter platforms will make the security stronger and won't make the user experience any worse. A big part of that is just being adaptive, as you want to call it, or contextual, and mapping the strength of authentication and authorization to the sensitivity of the assets we're trying to protect. And we can do that all in real time in a fairly seamless fashion.
Yeah, we can. And from what I see in the market, there is far more we could do than is done today, honestly. So I think there's a far bigger potential in what we already have in technology, in understanding context and being smart, smarter identity as you call it, than most organizations use. So I'm fully on your page here. I think this is definitely one of the areas where we have a strong potential to, as you said, increase user experience and increase security in a smart and smooth way. Nevertheless, I think we frequently are facing situations where security does not work as expected. So what has been your experience with organizations having difficulty with their security, and how do you help them deal with these challenges?
I think where this originally came from, or at least the question that makes you pause and reconsider all of the, say, traditional thought processes here, is the question you would ask yourself: assume your traditional security is not working. Another way of saying that is, assume the bad guys are already on the inside. And if they are on the inside, what harm are they able to do? The answer to that question, if you assume it's a true statement, I think is very telling about the role and importance of identity. We have companies who are looking to take the notion of a user identity and carry that concept really into the bowels of their enterprise infrastructure, so it's already on the inside. They really want to know every transaction that's being serviced by different layers of their enterprise infrastructure.
They want to carry the notion of who the user is all the way back, so it doesn't just stop at the front door, after which all of a sudden it's a trusted environment and requests can go without user identity or authentication. They're wanting to carry that authenticated user concept everywhere behind the firewall, and I think that's on the right track. Another manifestation of this, when we talk about there being no inside and outside: the Wall Street Journal published an article last week about a white paper that was describing a Google initiative, in essence to get rid of the notion of inside and outside. They postulated that in the future you have to presume that the bad people are behind the wall, so to speak, and asked what to do. Part of their answer was to say, let's build a system and architecture where everything is available on the internet, and the only thing that is required to access it is appropriate user credentials and an appropriate device.
Which, by the way, is something I recently had with one of our advisory customers. We were talking about a very down-to-earth topic, which is processes for identity and access management, and we came to the processes around external users. What the customer said, and I'm fully with the customer here, is: shouldn't we just treat everyone the same? So in fact, external or internal are just different types of users which are allowed to do different things. But if we treat everyone the same in terms of access, all of our approaches will become far easier than trying to say, okay, we have the employee, then we have the business partner with a tight connection, one with a loosely coupled connection, we have our customer, we have our leads, and we have all the others. So basically I think this aligns quite well with what you brought up.
Oh, there's no question about it. We're normalizing the entire world of access control across a new dimension we call identity. I've had my own team internally, and this is months ago, before this Google article, which I think is fairly seminal, but they're not the only ones; there have been articles written about what Coca-Cola intends to do. We talk about companies wanting to reengineer their own dev processes to treat all their internal applications as if they were SaaS apps, consumable anywhere, in their data center or on Amazon or in private cloud instances, so they can move them around and have that flexibility. We want to start getting away from one way to do things if it's internal and another way to do things if it's external. Our own engineers use JIRA ticketing, like so many companies do, and the engineers had to come in through a VPN to access JIRA. Instead they put our PingAccess web access proxy in front of it and enabled our PingID mobile strong authentication, and now all the engineers can gain access without the VPN. And that's okay.
Which might have led to some of the discussions I recently saw in a number of organizations, which go: but then we are not as secure as we have been. What I currently see frequently is that things happen which I would weigh and say, okay, having sort of 80% security is better than 0% security. So situations where a discussion starts saying, oh, for our mobile users we can't move to, let's say, a soft certificate instead of the standard classical smart card form factor we use internally, because the soft certificate approach might be less secure, end up in a situation where they don't have strong authentication at all on their mobile devices. So we end up at 0% because they can't get 100%. Personally, I think what we need to say is we need adequate security, and it's always better to have some security and then go to all this adaptiveness, or smart identity, and say, okay, if it's not a hundred percent, what is someone allowed to do? I think this goes basically in the same direction: the discussion around, if we have this level of security, what will we allow someone to do in which situation? My personal point is we have to understand that not everything will be sort of a hundred percent security, but we also don't need to give everyone a hundred percent access.
Well, we'll certainly never be at a hundred percent security. That would be
Side Seth.
We can make it more difficult than it is today. Take that statistic: 73% of network intrusions were done through lost or stolen credentials. Ask yourself, what does that really mean? And how does that relate to investments we've historically made in stronger forms of authentication before Federation? Well, before Federation, you would decide which assets are worthy of more expensive protection, and you would put stronger forms of authentication on those assets. The reason we didn't have a more centralized notion of strong authentication was because we couldn't federate the authentication everywhere we wanted to use it. So Federation is a kind of key enabler for the investment made in strong authentication. Now if you do the strong authentication, and it's contextual, and you can federate that authentication anywhere, all of a sudden the ROI on your investment in strong authentication is much different when you divide by N apps versus when you divide by one app.
So I do view Federation as a kind of breakthrough in our ability to invest in stronger and smarter forms of authentication. And to your point, when you get the architecture of identity right for an inherently federated world, where inside and outside is irrelevant, it is simply: do we enable the right access to the right things? All of this infrastructure is connected, and a lot of things that I would consider to be redundant or inefficient go away. We can now start to normalize our security posture, if you will, with more universal notions of how we're going to make identity the center of security. It starts with stronger forms of authentication, combined with Federation, the ability to use that authentication anywhere, combined with new, smart ways to do access control, where we're connecting the traditional SIEM market with identity and access management. You take the behavior and the intelligence and analytics of what's actually occurring, and you use that to modify the access control in real time. That's our vision.
Which brings us to the coffee shop IT stuff, I would say, or doesn't it? You mentioned before that having something which is easy to use and very common to use helps us in overcoming what you call the coffee shop IT problem. So maybe you can dive a little deeper into this quickly. What is the coffee shop IT problem, and how can we overcome this challenge?
You know, it postulates that scenario where a user, like I said, is on their own device on, at, and T's network, accessing cloud services, and also wanting to gain access back to internal applications, you know, within the enterprise. And how do they do that without VPNs and wholesale of other things? How do they just make it convenient? And it basically, I, I think the answer to that, you know, Patrick has his own terms. Patrick's our CTO. He says, you need this notion of a cloud rail and a cloud rail. The backbone of the cloud rail are these next gen identity services that, that take the user in that scenario, bring them back to the enterprise to authenticate. And then based upon that authentication allows them to go back out into the wild and gain appropriate access to corporate resources, irrespective of where they're located. It turns out that, you know, the identity infrastructure is a core component of this cloud rail.
This identity is the control plane. There are other services that are also required. So it's not as if identity is the only piece, but, but it is probably the backbone. You need services for DLP. There's probably some cloud access control capabilities that you're gonna be looking for. So there are two or three, probably other components you're gonna be looking for. We need to understand the device and have some control over the device and the posture of the devices if we're going to trust them in certain scenarios. But, but again, it just kind of comes back to, if you could back haul the identity and control that piece as a piece of it, you are, you are in now a where there is a possibility that you can control access irrespective of where those applications reside and that's the whole concept.
Okay. So before moving to the Q and a session, one final question looking really into the future. So from your perspective, what is the sort of the next big thing to happen supporting business agility while achieving security? Or is this more a continuum we are facing here?
Well, I don't know that we've, you're talking about the next thing and I'm, I'm still trying to enable the thing.
Okay, fair enough.
You know, we do not yet have a universally deployed federated identity infrastructure for us all to take advantage of, managing the life cycle of identity in a federated world. We don't have that yet. And so we need that as a precursor to all of this stuff. We need to be able to provision and deprovision, enable federated SSO, dynamically control access, whether it's in the cloud or to our on-prem apps, and do so in a loosely coupled, standards-based way. And we are on our way to achieving that. Different organizations are at different levels of this maturity scale, if you will, to enabling the future. But we are by no means ubiquitous in the enablement of these standards. And until we get to a certain amount of ubiquity of the deployment, as I said, of these standards and loosely coupled identity architectures, we will still be shy of achieving security in a distributed world and doing so with a certain amount of business agility that says we're free to leverage different clouds, we're free to connect our, you know, existing on-prem apps and integrate them with cloud apps. You see what I'm getting at. So we still have a lot of enabling of the vision of Federation, vis-à-vis, you know, these standards of identity, in order to achieve that bullet point.
Okay. Thank you, Andre, for that insight. So back to the agenda. I think Andre already provided a lot of insight. We have the first question already here. So right now it's time for all the attendees to enter their questions into the question section of the GoToWebinar tool so that we can pick the questions and answer them. And so I just want to directly pick the first of these questions, probably one which I best direct to Andre. So when looking at Federation and all these types of technologies, one of the common fears are attacks such as man-in-the-middle attacks. So how to prevent man-in-the-middle attacks in such federated scenarios, or isn't that an issue here?
I knew the first question would go deep, right out of the gate. I think that the, you know,
This would be a great question directed to my CTO, but I'll just say this. Yeah. I've been involved in plenty of conversations where conversations around the integrity of the standards that we're developing are specifically looking at the opportunity for man-in-the-middle attacks to expose the underlying identity infrastructure, the security architectures that we're attempting to create. And so it's not uncommon for me to hear, in this scenario with this protocol, a man-in-the-middle attack is possible, and therefore implementing the protocol in this manner is the way to avert that possible risk. And so do know this: if the goal is to take our best and brightest and to create security protocols that allow us to talk identity between one another and do so in a secure way, it's our best and brightest that are looking for the vulnerabilities of man in the middle and attempting to denote the best practices, and also just embed those best practices in the baseline of these protocols to, you know, eliminate as best we can the possibility for man-in-the-middle attacks. I know that's a very generic answer, but the truth is, if you look across the entire protocol stack that we're developing in identity, there's lots of different places in which the concept of man in the middle could be inserted, not just even in the classic sense. And as I said, it's really up to the industry that's developing this, you know, to just close the loop of those possibilities.
Yeah. Maybe I can add. So when looking at these standards, I think one of the advantages is that Federation standards, compared to many other standards, are still new. So when people started thinking about that type of standards, they did it, in particular when it was around Federation, with security in mind; Federation standards always were designed with security in mind. So when I look at the people, and I know many of them personally, who are involved and were involved in the definition of standards, they always had a notion of that type of attack, and they understood what could happen. And they designed really the standards with security in mind, far more than most other standards we see in IT. I think this is really a strength of the Federation standards, where in particular people like Patrick Harding from Ping Identity and many others really were deeply involved and put a lot of work in. So I rather want to say that, you know, you always can make mistakes in deploying technology, but I really don't see, and I also haven't heard, and I'm very carefully listening to it, that we ended up with anything which is an inherent security risk within these standards. I think you can do things wrong in applying them, but it's not about the standards. So
I think that's basically it; more of the possible vulnerabilities exist there. And yeah, the fact of the matter is most of the people developing these standards do sit at the intersection of a very traditional security-grounded education and background, now augmented by their understanding of what we're trying to accomplish in identity. And it's a unique blend of skills that are coming together to design these protocols and the implementation, so that things are, say, for example, encrypted end to end, and where the exposures of man-in-the-middle attacks could occur are being minimized at that protocol level. But again, probably more of the mistakes will come down to the implementation, right, of how all of this happens, rather than the underlying protocols themselves.
Exactly. So Andre, another question which we have here is around standards. So as of now we have two major standards here. One is SAML, the Security Assertion Markup Language; the other one is OAuth, which comes from a little different angle. So from the market perspective, not diving into the technologies of these standards, but from the market perspective, where do you see the bigger trend, more towards SAML or more towards OAuth, or is it both for different use cases?
I think that there is a short list of standards that matter for identity and accommodating all the use cases. I think SAML for web single sign-on, SAML 2.0, is very well entrenched and instantiated and highly successful for the original scope of its intended use. I think similarly OAuth does the same for, you know, knowing who the user is making API calls. I would say that emerging protocols that cover different pieces of the identity management landscape use case, if you will: one is SCIM, which is looking to standardize provisioning and deprovisioning between directories. Another one is OpenID Connect, which attempts to solve the web single sign-on use case based upon OAuth and accommodate some of the shortfalls that SAML didn't quite get to, things like how we automate the trust and certificate management of the SAML connections. It's more automated in the OpenID Connect scenario, or what we call the IdP discovery challenge.
How do you discover who to redirect the user to in order to identify themselves, to authenticate? It's also kind of accommodated in the baseline spec. So I think OpenID Connect shows a tremendous amount of promise and legs for having closed those pretty important gaps of Federation at scale. I think emerging is a standard called NAPPS, native mobile apps. It's how do we do single sign-on on iOS and Android between apps? If you log into one app, can you automatically log into a second app and get the single sign-on experience? That is emerging, but it's a huge pain point. And there's a lot of companies in a position of making a difference, you know, behind that standard. And then maybe also one of the last ones to emerge is a standard around user authentication called FIDO, and that attempts to standardize the conversation between servers and devices on what methods of authentication are available on the device, querying those methods of authentication and being able to request a certain authentication, you know, take place, and do so in a device- and mechanism-independent way. So we don't have proprietary mechanisms of authenticating that can't be called upon by servers. So that's kind of the landscape. As you mentioned, SAML and OAuth are most certainly over the line; OpenID Connect is coming, I think SCIM is coming, NAPPS is coming and FIDO is coming.
Yes. And I think when I look at all the standards from my analyst perspective altogether, we are in a position that we really have a good set of standards for the broad variety of use cases organizations are facing. And I think this is what really helps us then in applying Federation as a standard mechanism, and what I can say from an analyst perspective. So I frequently have this discussion around what to do as strategy. And so starting with S versus single traditional things, as an analyst I say: if it's about strategy, then it's about Federation, because it's the only standards-based way which allows us to connect everyone. And so when we talk about strategy, we clearly talk about Federation. As you said, Andre, the standards are here. We are really ready to go. And the thing is mature enough right now, really mature, to deploy it on a large scale. So I think we are running out of time. So, first of all, from my perspective, and I will hand over to Graham for his closing words then, thank you to all the attendees and all the speakers. Graham, it's your turn.
Cheers. Yeah. Thanks, Martin. I appreciate that. It's been a stimulating discussion and I think there'll be a number of questions coming out of that. So for participants here, please do get back to us, let us know whether the webinar has done what you would like it to do. Let us know if there are additional questions and we can get back to you individually on that. I would very much like to thank Andre for his participation. I wish him well in the balance of his Australian tour, which I trust is going to be interesting and stimulating. And I'd like to thank UNIFY Solutions for hosting this today, here in Brisbane, and allowing us to make use of the room here, and for your input, Craig, in terms of the Ping installation at the Department of Education. Thank you too, Martin. I do appreciate you getting up so early to help us with this webinar, and back to you.
Okay. So thank you to all, and hope to see you soon in another KuppingerCole webinar, or to have you as an attendee at the upcoming KuppingerCole event in Australia in November. Thank you, bye. And enjoy the rest of your day.
Yes.