CONNECTING THE REAL WORLD WITH THE VIRTUAL WORLD
The Identity of Things
EIC May 15, 2014
Hans Zandbelt – CTO Office – Ping Identity
Copyright © 2014 Ping Identity Corp. All rights reserved. 1
Overview
1. Internet & Identity of Things
2. Infrastructure & Protocols
3. Now what?
Use case: Manufacturing
• Remote tracking
• Controlling functions
• Routing functions
• enabled by smart sensor nodes and devices
Use case: Healthcare
• integration with real-time monitoring
• Health care providers (insurers)
Use case: Automotive
• Self-driving cars
• Monitoring & reporting (today)
Use case: Home/Building Automation
• smart thermometers/heating
• audio/video between ALL devices with those capabilities (phone, mobile and fixed, iPad, front door cam, TV, stereo)
• integrating all electrical devices in the household/building
Internet of Things
• Cloud / SaaS & Social
• Mobile Ubiquity
• Embedded, Wearable
• Smart Meters
• Industry Automation
• Home Automation
• Retail & Consumer Automation
Challenges
• Security Scalability
– Access & Account Mgmt
• Discovery, Identification & Authentication
– Devices & Clients
– Services & Servers
– Users
• Passwords … NOOO!!
Ehm
INFRASTRUCTURE: Building the identity-enabled internet of everything
Consequence
Traditional firewall and enterprise domain-based security cannot deal with Cloud, Mobile & IoT – Users, Applications or Devices.
IDENTITY IS THE NEW PERIMETER
[Diagram: the firewall perimeter around Network and Applications, versus Identity as the perimeter]
The Identity Layer
• Scalable Identification
• Scalable Security
– Authentication
– Privacy
– Confidentiality
– Integrity
• Scalable Trust
PROTOCOLS: Realizing the Identiverse and IoT infrastructure
Today’s Identity Protocol Landscape
• SAML
• LDAP
• X.509
Modern Identity Protocol Stack
• OpenID Connect
• SCIM
• OAuth 2.0
OAUTH 2.0: A 30,000 feet overview
Password anti-pattern
Drawbacks
• 3rd party clients store user passwords
• Teaches users to be indiscriminate with passwords
• No multi-factor or federated authentication
• No granularity
• No differentiation
• No revocation
OAuth 2.0 Drivers
• Lack of Standards
• Password Anti-Pattern
• Native Mobile Apps
• REST Cloud APIs
OAuth 2.0 Characteristics
• Secure API authorization
– simple & standard, secure-enough (Bearer)
– for desktop, mobile, web, IoT
• Delegated access
– mitigates password anti-pattern
• Issue tokens for granular access
– Without divulging your credentials
OAuth 2.0 Protocol Framework
Intermezzo: Covert Redirect
Assume the following:
Open Redirect somewhere in RP website
+
RP website uses federated SSO for user login
+
SSO Token callback from IDP to website is configurable
=>
Lesson: don’t forward messages that were meant for you to anyone else…
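The two checks that break the chain above, as an added example that is not part of the deck or of any Ping Identity product: on the IdP side, exact matching of the callback (redirect_uri) instead of a loose host-only match, and on the RP side, refusing to forward a browser to anything off its own origin. The hostnames, registered callback and redirect targets are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

# Constructed sample values (not from the slides): the callback a relying
# party registered at the IdP, and the RP's own site root.
REGISTERED_REDIRECT_URI = "https://rp.example/oauth/callback"
RP_SITE_BASE = "https://rp.example/"


def loose_redirect_match(requested: str) -> bool:
    """Weak IdP-side check: only scheme and host are compared, so any path
    on the RP host, including an open redirector, is accepted as callback."""
    reg, req = urlsplit(REGISTERED_REDIRECT_URI), urlsplit(requested)
    return (reg.scheme, reg.netloc) == (req.scheme, req.netloc)


def exact_redirect_match(requested: str) -> bool:
    """Hardened IdP-side check: the requested redirect_uri must equal the
    registered value byte for byte, so the token callback cannot be pointed
    at any other endpoint on the RP host."""
    return requested == REGISTERED_REDIRECT_URI


def safe_local_redirect(target: str) -> str:
    """RP-side check: resolve the requested redirect target against the
    site root and only follow it if it stays on the RP's own origin;
    anything else falls back to the site root.  This removes the open
    redirect that the chain above depends on."""
    if "\\" in target:  # some browsers treat "/\host" like "//host"
        return RP_SITE_BASE
    resolved = urlsplit(urljoin(RP_SITE_BASE, target))
    base = urlsplit(RP_SITE_BASE)
    if (resolved.scheme, resolved.netloc) != (base.scheme, base.netloc):
        return RP_SITE_BASE
    return resolved.geturl()
```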
CONCLUSIONS
Emerging Business Landscape
• Cloud Business
• Mobile Ubiquity
• Social Integration
• Internet of Things
Secure Identity Layer
Actions
1. Modern identity protocol adoption
– OAuth 2.0 & OpenID Connect
– Bindings to IoT
2. Password reduction
– Federation: default
– Strong / multi-factor
– Discrete > Continuous
3. Automation
– Scale and ease of use
– self-service as a backup
Summary
• IoT
– Scale
– Security
– Standards
• Identity Platform
– Spanning Cloud and IoT
– Identity Function APIs
– Multi-protocol
• Don’t Panic
– Let’s Start Moving Today
API Access
[Diagram: Client, Token, SOAP/REST API]
Methods
• HTTP – basic/digest…
• SOAP - WS-Security/WS-Trust
• REST - ?
• Token-based
– Obtain
– Use
– Validate
SAML and OpenID Connect
SAML
• Separate protocols for SSO and API security
• Heavyweight - in payload and processing
• Complex – develop and manage
• Manual trust bootstrapping and certificate management
OpenID Connect
• SSO and API security in one
• Lightweight – mobile
• Simple – developer friendly
• Auto client registration and key management