CIS14: Identity at Scale: Building from the Ground Up
DESCRIPTION
Anthony Randall, Monsanto. A discussion of the concept of large-scale engineering of millions of customer identities combined with many applications and partners, identity information engineering, and thoughts about how to better mesh the internal IT landscape to improve identity services, user support and user experience.
TRANSCRIPT
Identity@Scale
Angle on Identity Data for scaling
Growth
• Organizations offering more consumer Web- and mobile-based services
• 2.4 billion internet users on the planet
• 1.75 billion smart phones
• Six-fold growth in mobile e-commerce thru 2017
• IoT: 50 billion devices in 2020
IAM industry is catching up
• IAM technologies continue to enable
• Tools and technologies are improving
• New standards for mobile, cloud + API economy
• And new ways of doing things
Directories for Authentication - Stores identity (and some authorization) = Few
Databases for authorization - Also stores identity = Hundreds
(Diagram labels: Security, Business, IT)
Identity Data Management is lagging behind
Current state: application/service silos
• Disconnected IT roles created for each individual application/service
• New database for each application containing identity and application roles
And we keep hearing about context
• XACML • OpenID Connect • UMA
(Word cloud of customer attributes:) Name, Brand Information, Market Segment, Billing Status, Licensing & Certification, Role, Contact information, Account Status, Devices, Consent, Location, Organization, Identifiers, Interactions, Agreements, Product subscriptions, Authorized Acct Relationships
But we have a lot of information about our customers
We don't use it!
Business context often remains in back-office systems
(Diagram: Front of house vs. Back Office)
Front of house - Directory Services: Identity, Email Address, Group (often no user context)
Front of house - applications: Identity, authorization; Identity, User context
Back Office: Customer, CRM, Integration Services
Spend lots $$$ doing the same things over: Identity, authorization
Targets
"Killing IAM in order to save it"
• Need to better define and describe business relationships and context for online activity
• Create single user views for multiple services
Parental Controls
Back to the Future
• Directories store information once for many applications and services to use
• Business-oriented object based systems with security and distribution
(Diagram label: X User Identity / Authorization)
Build namespace according to objects and functions - Not hierarchies
OU=Entitlements, OU=Devices, OU=Profiles, OU=Names, OU=Roles, OU=Users, OU=Products, OU=Configuration Mgt, OU=Preferences, OU=Apps, OU=Addr Books
Tie users to objects using GUIDs to create relationships
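As an added example (not code from the deck or from Monsanto), the following Python sketch models the namespace the slide describes: each OU is its own store keyed by GUID, relationships are GUID references rather than position in a tree, and a single user view is assembled by following those references. The attribute names, the `Names`/`Profiles`/`Roles` record shapes and the sample records are assumptions constructed for illustration.

```python
"""Flat, object-based identity namespace tied together with GUIDs.

Added example, not code from the CIS14 deck. Each OU on the slide
(Users, Names, Profiles, Devices, Products, Entitlements, Roles) is a
separate store keyed by GUID; objects reference one another only by
GUID, so no meaning is attached to tree position and each store can be
scaled or relocated on its own. Attribute names and sample records are
constructed for illustration.
"""
import json
import uuid

OUS = ("Users", "Names", "Profiles", "Devices", "Products", "Entitlements", "Roles")
NAMESPACE = {ou: {} for ou in OUS}   # one store per OU: {guid: record}
INDEX = {}                            # guid -> ou, so a GUID alone locates an object


def add_object(ou, **attrs):
    """Create an object in an OU and return its GUID, the only stable key."""
    guid = str(uuid.uuid4())
    NAMESPACE[ou][guid] = {"guid": guid, "ou": ou, **attrs}
    INDEX[guid] = ou
    return guid


def resolve(guid):
    """Find an object by GUID across all stores; None if it does not exist."""
    ou = INDEX.get(guid)
    return NAMESPACE[ou].get(guid) if ou else None


def link(subject_guid, attr, target_guid):
    """Record a relationship as a GUID reference stored on the subject."""
    subject = resolve(subject_guid)
    if subject is None:
        raise KeyError(f"unknown subject {subject_guid}")
    subject.setdefault(attr, []).append(target_guid)


def related(obj, attr):
    """Dereference the GUIDs stored under attr; dangling references are skipped."""
    return [r for r in (resolve(g) for g in obj.get(attr, [])) if r is not None]


def single_user_view(user_guid):
    """Assemble the cross-store 'single user view' by following GUID links."""
    user = resolve(user_guid)
    if user is None or user["ou"] != "Users":
        return None
    view = {"guid": user_guid, "login": user["login"]}
    for attr in ("names", "profiles", "devices", "roles"):
        view[attr] = related(user, attr)
    # Entitlements point at products, so dereference one level further.
    view["entitlements"] = [
        {"tier": e["tier"], "product": resolve(e["product"])["name"]}
        for e in related(user, "entitlements")
    ]
    return view


def owners_of(target_guid):
    """Reverse lookup: users holding a GUID reference to the target object."""
    return sorted(u["guid"] for u in NAMESPACE["Users"].values()
                  if any(target_guid in v for v in u.values() if isinstance(v, list)))


def build_sample():
    """Reset the stores and load constructed records; returns GUIDs for lookups."""
    for store in NAMESPACE.values():
        store.clear()
    INDEX.clear()
    alice = add_object("Users", login="alice", status="active")
    phone = add_object("Devices", model="phone", serial="SN-0001")      # constructed
    tablet = add_object("Devices", model="tablet", serial="SN-0002")    # constructed
    weather = add_object("Products", name="Weather Service")
    gold = add_object("Entitlements", tier="Gold", product=weather)
    link(alice, "names", add_object("Names", given="Alice", family="Example"))
    link(alice, "profiles", add_object("Profiles", locale="en-US", consent=True))
    link(alice, "devices", phone)
    link(alice, "devices", tablet)
    link(alice, "entitlements", gold)
    link(alice, "roles", add_object("Roles", name="account-owner"))
    return {"alice": alice, "phone": phone, "weather": weather}


if __name__ == "__main__":
    guids = build_sample()
    print(json.dumps(single_user_view(guids["alice"]), indent=2))
```

Because every cross-reference is a GUID, a device or entitlement store can be moved to its own service without rewriting anything in the user store, and `owners_of` shows the relationship can be walked in reverse (which user holds this device) without any hierarchy to search.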
Adding it all up
... + Business Context + Relationships = Scalable + contextual Identity Data Model
Well designed information sets provide business efficiency and scale
System Scale (diagram): Self-Managed CRM / Billing; Directory NameSpace(s); Updates / Reads reflected in information objects; Single user view; VMs
Provides a ready-made recipe for cloud
Single user view - with context
Identity Bridge
Portable context
Better prepared for paradigm shift
• An API-centric methodology relies on well managed and described information about users
• Requires closer integration with data architecture
(Diagram: Web Services / Services; Updates, Self-service, Self-subscribing; Names, Users, Devices, Products, Profiles, Roles, Addr. Books, Apps, Prefs, Config.; Web)
Making progress
We still need to move away from this: DBs = Hundreds of identities
Towards this: Single Identity, CRM / Billing $$
Next Steps
• Get a handle on the number of identities out there
• Use tools to discover, map and clean up duplicate identities
• Use tools to understand which applications are using which identity stores
• Create a taxonomy of applications that require authentication/authorization and the conditions for access (e.g., Gold subscriber, all users, certain users)
(Diagram label: VDS)
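The discovery and mapping steps above, as an added example that is not code from the deck or from any tool it mentions: per-application identity records (constructed inline) are normalized on the identifiers that usually link the same person across stores (email, phone), clustered with a union-find, and summarized as duplicate clusters plus an application-to-store map. The store names, application names, records and the North American phone assumption are all constructed for illustration.

```python
"""Discover and map duplicate identities across application silos.

Added example, not from the CIS14 deck. Input is an inventory of
identity records, one per (application, identity store, record).
Records that share any normalized identifier are grouped into one
cluster, so a person with two e-mail spellings and a phone number in a
third store still collapses to a single cluster. Everything below is
constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed inventory as a discovery tool might export it.
RECORDS = [
    {"app": "web-shop",   "store": "shop_db",    "id": "u100",
     "email": "Alice.Example@example.com", "phone": "+1 (555) 010-0001"},
    {"app": "mobile-app", "store": "mobile_db",  "id": "m7",
     "email": "alice.example@example.com", "phone": ""},
    {"app": "support",    "store": "crm",        "id": "c55",
     "email": "aexample@example.org",      "phone": "555-010-0001"},
    {"app": "web-shop",   "store": "shop_db",    "id": "u101",
     "email": "bob@example.com",           "phone": "555-010-0002"},
    {"app": "billing",    "store": "billing_db", "id": "b9",
     "email": "BOB@example.com",           "phone": ""},
    {"app": "newsletter", "store": "mailer",     "id": "n3",
     "email": "carol@example.com",         "phone": ""},
]


def normalize_email(email):
    """Case and whitespace differences are not distinct identities."""
    e = (email or "").strip().lower()
    return e or None


def normalize_phone(phone):
    """Keep digits only; assume a 10-digit number is North American (constructed rule)."""
    digits = re.sub(r"\D", "", phone or "")
    if not digits:
        return None
    if len(digits) == 10:
        digits = "1" + digits
    return digits


def identifiers(rec):
    """The set of (kind, value) keys on which two records are considered linked."""
    ids = set()
    e = normalize_email(rec.get("email"))
    if e:
        ids.add(("email", e))
    p = normalize_phone(rec.get("phone"))
    if p:
        ids.add(("phone", p))
    return ids


def find_duplicates(records):
    """Cluster records transitively: A~B by email and B~C by phone puts A, B, C together."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}
    for i, rec in enumerate(records):
        for ident in identifiers(rec):
            if ident in first_seen:
                union(i, first_seen[ident])
            else:
                first_seen[ident] = i
    clusters = defaultdict(list)
    for i, rec in enumerate(records):
        clusters[find(i)].append(f"{rec['store']}:{rec['id']}")
    # Largest clusters first; deterministic order inside each cluster.
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))


def store_usage(records):
    """Which applications read from which identity store."""
    usage = defaultdict(set)
    for rec in records:
        usage[rec["store"]].add(rec["app"])
    return {store: sorted(apps) for store, apps in sorted(usage.items())}


def summary(records):
    """Numbers a cleanup project starts from: records, distinct people, duplicates, stores."""
    clusters = find_duplicates(records)
    return {
        "records": len(records),
        "distinct_people": len(clusters),
        "duplicate_clusters": [c for c in clusters if len(c) > 1],
        "store_usage": store_usage(records),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summary(RECORDS), indent=2))
```

The transitive grouping is the point: the CRM record for Alice shares no e-mail with the shop record, but the phone number ties it in, which is exactly the kind of link that is missed when each silo is cleaned on its own.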
Next Steps
• Use the context in the systems you own and build a richer set of user context ($$ CRM/Billing systems don't sign-in users)
• Build systems that represent the business context of users and what they do; needs to be scalable, distributed and secure
• Transition authentication to new tools
• Work with app owners to lifecycle current apps
• Use new tools to build new apps
(Diagram label: VDS)
When you get back to the office
• Understand vision for customer centricity
• Start cleaning up the identity silos that cause a disconnected view of the customer
• Change legacy mindsets and look to better combine identity with data architecture
• Correlate insufficient technology investments to current problem sets
• Build the business case and understand dimensions
Questions?
Anthony Randall, Security Architect - IAM, [email protected]
Back-Up Stuff
There is a lot of valuable context information in billing systems and CRMs that can replace IT security groups
(Word cloud of customer attributes:) Name, Brand Information, Market Segment, Billing Status, Licensing & Certification, Role, Contact information, Account Status, Devices, Consent, Location, Organization, Identifiers, Interactions, Agreements, Product subscriptions, Authorized Acct Relationships
(Diagram: CRM / Billing $$ vs. Application identity silos)
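An added example (not code from the deck) of what replacing security groups with CRM/billing context looks like in practice: the access conditions the deck lists (all users, Gold subscriber, certain users) are evaluated against account status, billing status, product subscription and role attributes taken from a single user view, and every decision carries a reason an audit log can record. The application taxonomy, attribute names, tier ranking and user records are all constructed for illustration.

```python
"""Context-driven access decisions from CRM/billing attributes.

Added example, not from the CIS14 deck. Instead of asking "is the user
in group X", each application states the business condition it needs
and the decision is computed from context the back office already
holds. Applications, attributes, tiers and users are constructed.
"""

# Constructed taxonomy: each application names the access condition it needs.
APPLICATIONS = {
    "public-catalog":   {"condition": "all_users"},
    "premium-forecast": {"condition": "subscriber", "product": "Weather Service", "tier": "Gold"},
    "field-trials":     {"condition": "certain_users", "allowed_roles": {"agronomist", "trial-lead"}},
}

# Constructed single-user-view records, as a CRM/billing integration would return them.
USERS = {
    "alice": {"account_status": "active", "billing_status": "current",
              "subscriptions": {"Weather Service": "Gold"}, "roles": {"account-owner"}},
    "bob":   {"account_status": "active", "billing_status": "past_due",
              "subscriptions": {"Weather Service": "Gold"}, "roles": set()},
    "carol": {"account_status": "active", "billing_status": "current",
              "subscriptions": {}, "roles": {"agronomist"}},
    "dave":  {"account_status": "suspended", "billing_status": "current",
              "subscriptions": {"Weather Service": "Gold"}, "roles": {"trial-lead"}},
}

TIER_RANK = {"Basic": 0, "Silver": 1, "Gold": 2}   # constructed ordering


def decide(user, app_name):
    """Return (allowed, reason). The reason is what an audit log should record."""
    app = APPLICATIONS.get(app_name)
    if app is None:
        return False, "unknown application"
    # Account status from CRM gates everything, regardless of entitlement.
    if user["account_status"] != "active":
        return False, f"account status {user['account_status']}"
    cond = app["condition"]
    if cond == "all_users":
        return True, "open to all active users"
    if cond == "subscriber":
        tier = user["subscriptions"].get(app["product"])
        if tier is None:
            return False, f"no subscription to {app['product']}"
        if TIER_RANK.get(tier, -1) < TIER_RANK[app["tier"]]:
            return False, f"tier {tier} below required {app['tier']}"
        # Billing status is the context a security group never carried.
        if user["billing_status"] != "current":
            return False, f"billing status {user['billing_status']}"
        return True, f"{tier} subscriber to {app['product']}, billing current"
    if cond == "certain_users":
        matched = user["roles"] & app["allowed_roles"]
        if not matched:
            return False, "role not in allowed set"
        return True, f"role {sorted(matched)[0]} permitted"
    return False, f"unsupported condition {cond}"   # fail closed on taxonomy errors


def access_matrix(users=USERS, apps=APPLICATIONS):
    """Which applications each user may reach; useful for review and for regression tests."""
    return {name: sorted(a for a in apps if decide(u, a)[0]) for name, u in users.items()}


if __name__ == "__main__":
    for name in USERS:
        for app in APPLICATIONS:
            print(f"{name:6} {app:17} {decide(USERS[name], app)}")
```

Note that Bob holds the Gold subscription a group-based model would have granted on, yet is denied on billing status, and Dave holds the right role but is suspended: both outcomes depend on context that lives in the back office, not in the directory group.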
Graph databases offer another way to depict the same core problem
Is it a storage and scale problem... or the method we use to represent information? (VS diagram)
Requirements and Processes
Business: Vision; Goals and drivers; Legal and Regulatory; Use-cases; Product Definition
User: Simple to use; Fast; Self-service; Self-controlled; Online trust; Customer support; Parental controls; Privacy control; Personalization
Solution: Massive scale; Millions of users; Mobile Optimized; Cloud-based; Ensure data privacy; Secure; Support social IDs; Integrated; Federated
Processes: Account creation/registration; Product Management; Provisioning; Context-driven access; Account Management; User lifecycle Mgt; Configuration Mgt; Business/Decision Support; Customer care
Model for Scale
Namespace: business objects that provide specific function and context; can be scaled independently according to need
(Diagram "Model for Scale": an Identity Information Service surrounded by Administration Tools, Self-Service Tools, Product Mgt Tool, Data Tools, Provisioning, Synchronization, Service Access / Policy Information Point, Audit and Authoritative Sources (People, Products, NameMgt, Devices, Servers, SaaS Satellite Information); namespace objects Profiles, RoleDef., NameMgt, Config.Mgt., AddrBooks, Policies, Prefs, Registration/Account Creation, MDM, Business Context and a Single User View (<new>@service.com); external systems SaaS, CRM, 3rd Party, Billing, SF.com)