Best Practices
  for Cloud Identity
          In
JavaEE Enabled PaaS

     Anil Saldhana
     Red Hat Inc.
Agenda
•  Introduction To Cloud Identity
  –  Concept of Identity and Trust
•  JavaEE Enabled PaaS
  –  OpenShift
•  What Identity Standard should I adopt?
  –  SAML, OpenID, OAuth, WS-Trust, Kerberos
  –  NIST 800-63 Levels of Assurance


                       2
Agenda
•  Best Practices
  –  User Registration
  –  Identity Management
     •  Cloud Directories and Corporate Directories
  –  Authentication
  –  Authorization
  –  Mobile Devices
  –  Identity Providers
  –  API Access
                          3
Agenda
•  Demo
•  Other Relevant Standards Work
  –  JSR 351
•  Resources




                   4
Concept of Identity
      and
     Trust



         5
Concept of Trust
•  Twitter Verified Accounts




                     6
Concept of Trust
•  Twitter Verified Accounts
  –  President Obama (Identity)
  –  Blue Check Sign (Trust)




                       7
Concept of Trust
•  Twitter Verified Accounts
  –  Tim O'Reilly (Identity)
  –  Blue Check Sign (Trust)




                       8
JavaEE Enabled
     PaaS
  (OpenShift)
http://openshift.com



          9
OpenShift
•  OpenShift by Red Hat is a polyglot PaaS
•  Run Java, Ruby, Perl, Python, PHP and
   Node.js in the Cloud
•  JavaEE Full Profile support via JBoss
   Application Server v7.x as well as
   JBoss Enterprise Application Platform.
•  Free

                    10
Which Identity Management
   Standard is relevant?
 (SAML, OpenID, OAuth, WS-Trust,
          Kerberos)?



               11
Levels of Assurance
•  NIST 800-63 Special Publication
•  Four Levels of Assurance
  –  Level 1:
     •  Little or no confidence in asserted identity.
     •  OpenID, OAuth.
  –  Level 2:
     •  Some confidence in the asserted identity.
     •  Passwords and SAML password authentication mechanism.


                           12
Levels of Assurance
•  Four Levels of Assurance
  –  Level 3:
     •  High Confidence.
     •  Soft/Hard Crypto Tokens and OTP.
  –  Level 4:
     •  Very High Confidence.
     •  PKI and Smart Cards.




                         13
Which standard is relevant?
•  Community Type Environment
  –  Forums, Blogs etc.
  –  Level 1 Assurance.
  –  Decentralized setup; Internet Scale
  –  OpenID and OAuth.




                       14
Which standard is relevant?
•  Enterprise Type Environment
  –  Need Level 2 assurance.
     •  SAML Assertions (password-based authentication)
  –  Need Level 3 or 4 assurance of identity.
     •  SAML Assertions (PKI/X.509 certificates)




                         15
Best Practices




       16
User Registration
•  All Security Systems need users.
•  Users can come from corporate identity
   stores or need to be dynamically
   registered.
•  Dynamic Registration
  –  CAPTCHA technology.
•  Password Strength Meters/Indicators.
•  Important to understand Cloud Directories.
                     17
User Registration
•  Password Management
  –  Salt and hash each password
  –  Hashing alone, without a salt
    •  Susceptible to dictionary or brute force attacks.
  –  Password reset
    •  Send single-use tokens with 15 min validity to the
       user's email.




                         18
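The two password practices on slide 18 (salt-and-hash, and short-lived single-use reset tokens) as an added, runnable example. This is not code from the deck or from PicketLink; it is written in Python rather than Java so it runs without an application server. The deck names no key derivation function, so PBKDF2-HMAC-SHA256 from the standard library is this example's choice, and the `unsalted_hash` function exists only to make the "just hashing" weakness concrete: two users with the same password get the same hash, so one precomputed dictionary cracks every account at once.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# KDF choice is this example's assumption; the slide only says "salt and hash".
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn per user unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def unsalted_hash(password: str) -> bytes:
    """The 'just hashing' anti-pattern from the slide: identical passwords give
    identical hashes, so a precomputed dictionary of hashes works across all users."""
    return hashlib.sha256(password.encode("utf-8")).digest()


# Password reset: random, single-use tokens with a 15 minute validity (slide 18).
RESET_TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Server-side record of outstanding reset tokens. Only a hash of each token is
    stored, so a leaked table cannot be replayed as the tokens themselves."""

    def __init__(self, clock=time.time):
        self._clock = clock                                    # injectable for testing
        self._pending: Dict[str, Tuple[str, float]] = {}       # token hash -> (user, expiry)

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)                      # 256 bits from the OS CSPRNG
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        self._pending[key] = (username, self._clock() + RESET_TOKEN_TTL_SECONDS)
        return token                                           # goes into the e-mail link

    def redeem(self, token: str) -> Optional[str]:
        """Return the username if the token is valid, else None. The token is removed
        on first presentation whether or not it turned out to be expired."""
        key = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self._pending.pop(key, None)                   # pop => single use
        if entry is None:
            return None
        username, expiry = entry
        if self._clock() > expiry:
            return None
        return username
```

The reset store takes an injectable clock so the 15 minute window can be tested deterministically; in production the default `time.time` is used and the table would live in the database rather than a dict.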
Identity Management
•  Directories of Users/Applications
  –  Cloud based.
  –  Corporate based.
  –  Hybrid (Both Cloud and Corporate).
     •  Synching Issues.
     •  Legal and Compliance Issues.




                         19
Identity Management




         20
Authentication
•  Classic Username/Password
•  Two Factor Authentication
  –  Additional factor: One Time Password.
•  Kerberos Based Login for API
•  External Authentication
  –  Sign In using Facebook, Twitter, Google, etc.
    •  Eliminates Password Management Headaches.


                       21
Authorization
•  Coarse Grained Authorization
  –  Role Based Access Control.
•  Fine Grained Authorization
  –  ACL, XACML
•  OAuth Style Authorization.




                      22
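An added example (not from the deck) showing how the coarse-grained and fine-grained layers on slide 22 combine in code. Roles set the ceiling of what a user may ever do (RBAC); a per-resource ACL then decides which objects those actions apply to. The role names, the `AccessPolicy` class and the owner-may-do-anything rule are this example's assumptions; the decision is deny-by-default and both layers must agree.

```python
from typing import Dict, Set

# Coarse grained: roles bundle actions (the deck's role based access control).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin":  {"read", "write", "delete"},
    "editor": {"read", "write"},
    "viewer": {"read"},
}


class AccessPolicy:
    """Two layer decision: the user's roles bound what actions they may perform at all;
    the per-resource ACL says which resources those actions may be applied to."""

    def __init__(self) -> None:
        self._roles: Dict[str, Set[str]] = {}                 # user -> roles
        self._owner: Dict[str, str] = {}                      # resource -> owner
        self._acl: Dict[str, Dict[str, Set[str]]] = {}        # resource -> user -> actions

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._roles.setdefault(user, set()).add(role)

    def create_resource(self, resource: str, owner: str) -> None:
        self._owner[resource] = owner
        self._acl[resource] = {}

    def grant(self, resource: str, user: str, actions: Set[str]) -> None:
        """Fine grained: add an ACL entry for one user on one resource."""
        self._acl[resource].setdefault(user, set()).update(actions)

    def role_permits(self, user: str, action: str) -> bool:
        """RBAC check: some role held by the user carries the action."""
        return any(action in ROLE_PERMISSIONS[r] for r in self._roles.get(user, ()))

    def acl_permits(self, resource: str, user: str, action: str) -> bool:
        """ACL check: the owner passes; anyone else needs an explicit entry."""
        if resource not in self._owner:
            return False                                      # unknown resource: deny
        if self._owner[resource] == user:
            return True
        return action in self._acl[resource].get(user, set())

    def is_allowed(self, user: str, action: str, resource: str) -> bool:
        """Deny by default; both the coarse and the fine grained layer must say yes."""
        return self.role_permits(user, action) and self.acl_permits(resource, user, action)
```

Note that an ACL grant cannot lift a user above their role (a viewer granted "write" still cannot write), and an admin role does not by itself open every object; that is the point of keeping the two layers separate.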
Mobile Devices
•  Device Registration
  –  UDID, SIM ID, Chip ID can all be Identifiers for
     the same device.
•  Mobile devices may need token based
   security.




                        23
Identity Providers
•  Central Identity Provider for the entire
   PaaS system.
  –  Global directory service for all tenants.
•  Identity Provider for the applications of a
   single tenant.
  –  Tenant deploys IDP application.
•  Delegated Identity Providers to Corporate
   Identity Providers.
  –  Salesforce to corporate Identity services.
                        24
Identity Providers




        25
Cloud API Access
•  Majority of Cloud Access may be via API
  –  3rd-party apps (Salesforce, Twitter, Facebook).
•  Token based REST system
  –  OAuth2 is a good candidate.
     •  Various drafts and flavors in the industry.
  –  User has control over approval/revocation of
     access.


                           26
Cloud API Access
•  OAuth2 Interactions
  –  Register Application with server
     •  Obtain Client Identifier and Client Secret
  –  Resource owner (User) authorizes application
     with server, for various scopes
     •  Obtain Authorization Code




                           27
Cloud API Access
•  OAuth2 Interactions
  –  Application uses authorization code to obtain
     access token and refresh token
     •  Refresh token helps obtain new access token on
        expiry
  –  Application provides token to resource server
     •  Access to resource




                             28
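The four OAuth2 interactions on slides 27 and 28 (client registration, resource-owner approval yielding an authorization code, code-for-token exchange with refresh, and token presentation to the resource server), plus the user-driven revocation mentioned on slide 26, as one added in-process simulation. This is not the deck's code nor PicketLink's; it is a Python stand-in for the HTTP endpoints, with the `AuthorizationServer`/`TodoResourceServer` classes, the `todo:read` scope, the lifetimes and the sample TODO data all constructed for the example. It keeps the checks a practitioner would look for: exact redirect URI match, client authentication, single-use and short-lived codes, access token expiry, refresh token rotation, and scope and owner checks at the resource.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


class OAuthError(Exception):
    """Carries an RFC 6749 style error code; stands in for an HTTP 400/401 response."""


@dataclass
class Client:
    client_id: str
    client_secret: str
    redirect_uri: str


@dataclass
class Grant:
    client_id: str
    user: str            # the resource owner who approved the scopes
    scopes: Set[str]


class AuthorizationServer:
    CODE_TTL = 60        # authorization codes are short lived (seconds)
    ACCESS_TTL = 3600    # access tokens expire; refresh tokens renew them

    def __init__(self, clock=time.time):
        self.clock = clock                                       # injectable for tests
        self.clients: Dict[str, Client] = {}
        self.codes: Dict[str, Tuple[Grant, float]] = {}          # code -> (grant, expiry)
        self.access_tokens: Dict[str, Tuple[Grant, float]] = {}  # token -> (grant, expiry)
        self.refresh_tokens: Dict[str, Grant] = {}

    # Slide 27, step 1: application registers and receives client id and secret.
    def register_client(self, redirect_uri: str) -> Client:
        client = Client(secrets.token_hex(8), secrets.token_urlsafe(32), redirect_uri)
        self.clients[client.client_id] = client
        return client

    # Slide 27, step 2: resource owner approves scopes; server returns a one-time code.
    def authorize(self, client_id: str, redirect_uri: str, user: str, scopes: List[str]) -> str:
        client = self.clients.get(client_id)
        if client is None or client.redirect_uri != redirect_uri:
            raise OAuthError("invalid_request")   # exact redirect match, no open redirect
        code = secrets.token_urlsafe(24)
        self.codes[code] = (Grant(client_id, user, set(scopes)), self.clock() + self.CODE_TTL)
        return code

    # Slide 28, step 3: application swaps the code for access and refresh tokens.
    def token(self, client_id: str, client_secret: str, code: str) -> Dict[str, object]:
        self._authenticate_client(client_id, client_secret)
        entry = self.codes.pop(code, None)        # pop: a code can be redeemed only once
        if entry is None:
            raise OAuthError("invalid_grant")
        grant, expiry = entry
        if grant.client_id != client_id or self.clock() > expiry:
            raise OAuthError("invalid_grant")     # issued to another client, or stale
        return self._issue(grant)

    # Slide 28: refresh token obtains a new access token on expiry (and is rotated).
    def refresh(self, client_id: str, client_secret: str, refresh_token: str) -> Dict[str, object]:
        self._authenticate_client(client_id, client_secret)
        grant = self.refresh_tokens.pop(refresh_token, None)
        if grant is None or grant.client_id != client_id:
            raise OAuthError("invalid_grant")
        return self._issue(grant)

    # Slide 26: the user stays in control and can revoke an application's access.
    def revoke(self, user: str, client_id: str) -> None:
        def keep(g: Grant) -> bool:
            return not (g.user == user and g.client_id == client_id)
        self.access_tokens = {t: v for t, v in self.access_tokens.items() if keep(v[0])}
        self.refresh_tokens = {t: g for t, g in self.refresh_tokens.items() if keep(g)}

    # Slide 28, step 4: the resource server asks what a presented token is good for.
    def introspect(self, access_token: str) -> Optional[Grant]:
        entry = self.access_tokens.get(access_token)
        if entry is None or self.clock() > entry[1]:
            return None
        return entry[0]

    def _authenticate_client(self, client_id: str, client_secret: str) -> None:
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client.client_secret, client_secret):
            raise OAuthError("invalid_client")

    def _issue(self, grant: Grant) -> Dict[str, object]:
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = (grant, self.clock() + self.ACCESS_TTL)
        self.refresh_tokens[refresh] = grant
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": self.ACCESS_TTL, "scope": " ".join(sorted(grant.scopes))}


class TodoResourceServer:
    """Constructed resource server: TODO lists keyed by owner, guarded by the todo:read scope."""

    def __init__(self, auth: AuthorizationServer):
        self.auth = auth
        self.todos: Dict[str, List[str]] = {"alice": ["write slides", "book flight"]}  # sample data

    def list_todos(self, access_token: str, owner: str) -> List[str]:
        grant = self.auth.introspect(access_token)
        if grant is None:
            raise OAuthError("invalid_token")
        if "todo:read" not in grant.scopes or grant.user != owner:
            raise OAuthError("insufficient_scope")   # valid token, but not for this data
        return list(self.todos.get(owner, []))
```

A real deployment would make `introspect` a network call (or use self-contained signed tokens) and would bind the authorization code to the redirect URI and a CSRF `state` parameter as the specification requires; those details are left out to keep the exchange readable.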
Demo




  29
Aerogear TODO Application
•  Typical JavaEE6 application
  –  HTML5
  –  CDI Application Programming
  –  JAX-RS Endpoints
  –  JPA




                     30
Aerogear TODO Application
•  Deployed on OpenShift PaaS.
  –  Identity User Registration Pattern
  –  Identity Authentication Pattern
     •  Username/Password
     •  Facebook Authentication
     •  Google Authentication
  –  Role Based Authorization



                         31
Relevant Standards




         32
JSR 351
•  Java Identity JSR
•  http://jcp.org/en/jsr/detail?id=351
•  http://java.net/projects/identity-api-spec/pages/Home
•  Define API and identity interaction models
   for applications and in access control
   decisions.

                     33
Oasis IDCloud TC
•  Oasis Identity In The Cloud TC
  –  Use Cases for Identity Management in the
     Cloud Ecosystem.
  –  http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html
  –  Gap Analysis in existing standards



                       34
Oasis Cloud Authorization TC
•  Oasis Cloud Authorization TC
  –  Brand new TC at Oasis.
  –  Build Profiles for Cloud Authorization using
     XACML and OAuth.
     •  SaaS, PaaS and IaaS models.
  –  Build Profiles for Cloud Entitlements.




                        35
Resources
•  OpenShift PaaS.
  –  http://openshift.com
•  Project PicketLink
  –  http://jboss.org/picketlink
•  My Blog
  –  http://anil-identity.blogspot.com



                         36
