sydney identity summit: addressing the new threat landscape with continuous security

Post on 19-Jan-2017


TRANSCRIPT

© 2016 ForgeRock. All rights reserved.

Continuous Security

Andrew Latham Director, Customer Engineering

Sydney Identity Summit


Context


Dynamic


•  Identity Attributes

•  Trusted Credentials

•  Knowledge

•  Variables

•  Perceived Risk

•  Incentive


Digital


Identity’s Unique Role

User Experience | Security


Identity’s Unique Role

[Diagram, built up over three slides: identity sits between User Experience and Security. User Experience side: Function, Experience, Efficiency. Security side: Privacy, Integrity, Availability.]


The Thing about Things…


Gartner Strategic Planning Assumption

[Chart: two predictions plotted over time (Today, End 2016, End 2017). Series: "Enterprises to employ mobile biometric authentication methods" and "Organizations to use contextual, adaptive techniques with multi-factor authentication". Values shown: 5% today for both series, rising to 30% and 35%.]


Connecting the Dots


Strong Authentication


Mobile Biometrics

•  Plugs directly into OpenAM

•  Can be used with Adaptive Risk module


Adaptive Risk

•  Assesses risk based on pre-configured parameters

•  Requires additional authentication factors depending on risk score

•  Includes over 20 parameters, including IP address, IP history, cookie value, login history, geolocation, etc.


Authentication: Modules and Chains

•  20+ out-of-box modules including device ID, OTP, adaptive risk, Google, Facebook, MS

•  Authentication methods can be chained together for enforcing different levels or strength of security

•  Scripted AuthN modules extend functionality on the client side and server side using Groovy and JavaScript
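To make the two preceding slides concrete, here is an added illustration (not ForgeRock's code, and not OpenAM's actual Adaptive Risk configuration) of an authentication chain in which a risk module scores a login from a few of the parameters listed above and only requires an OTP step-up when the score passes a threshold. The parameter weights, threshold and data classes are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Assumed, constructed model of a login attempt and of what is known about the user.
@dataclass
class LoginContext:
    user: str
    ip: str
    country: str
    device_cookie: Optional[str]   # device cookie presented by the browser, if any

@dataclass
class RiskProfile:
    known_ips: Set[str]            # IP history for this user
    known_cookies: Set[str]        # device cookies previously registered
    home_country: str              # geolocation baseline
    recent_failures: int           # login history: failed attempts in the recent window

# Hypothetical weights; a real deployment would tune these per parameter.
def risk_score(ctx: LoginContext, profile: RiskProfile) -> int:
    """Adaptive-risk style scoring: each unfamiliar signal adds to the score."""
    score = 0
    if ctx.ip not in profile.known_ips:
        score += 20                # IP address not seen before
    if ctx.device_cookie not in profile.known_cookies:
        score += 25                # missing or unknown device cookie
    if ctx.country != profile.home_country:
        score += 30                # geolocation differs from the user's baseline
    if profile.recent_failures >= 3:
        score += 25                # login history shows repeated failures
    return score

def authenticate(ctx: LoginContext, profile: RiskProfile, password_ok: bool,
                 otp_ok: Optional[bool] = None, threshold: int = 40) -> str:
    """Chain: password module -> adaptive risk module -> OTP module (only on high risk).

    Returns 'authenticated', 'denied', or 'step-up required' when the chain
    needs a second factor that has not been supplied yet.
    """
    if not password_ok:
        return "denied"
    if risk_score(ctx, profile) <= threshold:
        return "authenticated"     # low risk: first factor is sufficient
    if otp_ok is None:
        return "step-up required"  # high risk: chain asks for the OTP module
    return "authenticated" if otp_ok else "denied"
```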


ForgeRock DevOps / Cloud Strategy

Warren Strange Director, Cloud / DevOps Engineering

Sydney Summit 2016


Why DevOps?

Expectations for time to value are changing

•  Months -> Weeks -> Days

The rise of “12 factor” apps & Continuous Integration

•  Before: Deploy new features yearly

•  Now: Deploy new features weekly / daily

Shift towards cloud deployments and containers

•  AWS, Azure, Google, OpenStack, etc.

•  Docker / Kubernetes

31


ForgeRock DevOps Goal

The agility of an IDaaS, with the flexibility of a custom solution

[Chart: Flexibility / Power against Speed of Deployment. IDaaS is fast to deploy but inflexible, Legacy is flexible but slow, and the goal, “IDaaS in a box”, combines both.]

32


What is “DevOps” Friendly?

•  Installation / management is easily automated

•  Products self tuning / self configuring

•  Infrastructure as code

•  Repeatable and automated deployments

•  Configurations versioned. Code reviews / PRs for configuration

•  Useful configuration file formats

•  Toolable / templatable

•  Human friendly (not a dump of an internal data structure)

•  Don’t just automate, eliminate complexity

33


ForgeRock DevOps Focus

•  Core engineering work required to make products more “12 Factor” like

•  Requires deep & intimate knowledge of the internals of OpenAM / OpenDJ / OpenIDM / OpenIG

•  Where ForgeRock can have the most impact

•  Container friendly

•  Reduced file system dependencies

•  Externalize state

•  More “cattle” like

34


Containers

•  Phase 1

•  ForgeRock will support customers deploying with Docker

•  Provide sample Dockerfiles / Kubernetes manifests

•  Phase 2

•  Provide reference Docker images

•  Distribution mechanism TBD

35


Feedback Wanted!

•  What are your biggest challenges in deployment / management?

•  Help us prioritize our efforts

•  What is your application AuthN / AuthZ strategy?

•  Reverse proxy + HTTP headers - AuthZ at proxy

•  Policy Agents (Java EE or .Net)

•  OpenID Connect / SAML

•  Directly consume OIDC tokens

•  AuthZ - use scopes plus custom logic?

•  Application landscape

•  Java, .Net, NodeJS, Ruby, other?

36


Container Questions

•  What are your plans for Docker?

•  Orchestration frameworks such as Mesos / Kubernetes / Docker Swarm / Amazon?

•  What is your desired Docker support model?

•  Would you run ForgeRock curated & tested Docker images, or is your preference to create your own Docker images?

37


Resources

Links to ForgeRock Dockerfiles, Kubernetes manifests, etc.: https://wikis.forgerock.org/confluence/display/DC/ForgeRock+DevOps+and+Cloud+Resources

Short version of the above: https://goo.gl/DOD9pv

Pull Requests are Welcome!

Email me: warren.strange@forgerock.com

38
