Perimeter
8/28/2012
11:01 AM
Gunnar Peterson
Gunnar Peterson
Commentary
Connect Directly
RSS
E-Mail
50%
50%

ID Don't Mean A Thing Unless It's Got That Integration Thing

Architecture astronauts talk identity strategy, but pros talk identity integration logistics

When embarking on identity and access management (IAM) architecture and development efforts, the initial phases often churn through finding the "right" standard or protocol to use. Should the project use OpenID or SAML or IWA or something else altogether? While its important to sort through the tradeoffs and design considerations (after all the Cloud Security Alliance alone mentions 27 different identity standards!), selecting Identity protocols and standards is the beginning not the end.

The critical next steps include a plan for integrating the selected identity protocol and standards into the overall application. This step causes way more stumbling than it should. By now, we should know that there are no silver bullets in infosec. But even today, enterprises write RFIs and RFPs that hone in on support for a specific standard and yet gloss over the importance of integration.

Identity has made tremendous progress over the past decade, in my view progress on standards like SAML and XACML has been the "quiet revolution" in delivering more efficacy to real world security. But the standards and products that support them are not enough by themselves if they cannot integrate to your application then we are left with yet another silo or worse yet --- shelfware.

How should IAM architects avoid integration traps? The first step is identifying the integration targets. Every protocol and standard is different but at a minimum there are likely to be two integration points -- First Mile integration and Last Mile integration.

The First Mile is responsible to find and package the claims about the user subject. First Mile integration generally means being able to communicate with data stores and processes such as user activity, logins, user authentication, user stores, directories, attribute stores, and account information. In SAML, this often occurs via the Identity provider communication with user directory such as Active Directory.

The Last Mile is responsible to make and enforce access control decisions based on the claims its sent via the identity provider. This process can be summed up as"you assert, we decide." The Last Mile must be integrated with the application, service provider, Web service interface, mobile service or Web app. The extent of this integration is pretty variable. Most of the time it's a fairly coarse-grained authorization check, but there's been movement towards finer-grained access control through attribute based access control and standards like XACML that enable deeper integration and more policy-based authorization.

In both the First Mile and Last Mile integration points, the IAM Architect's job is to define the breadth and depth of integration. The architecture must factor in the communication protocols, data formats, token types, and other hooks to applications and data stores required to get the job done.

There's an old military saying that amateurs discuss tactics, armchair generals discuss strategy, but professionals discuss logistics. There's plenty of tactics and strategy necessary to light up a new identity protocol in your company, but successful IAM pros must plan for integration logistics, too.

Gunnar Peterson is a Managing Principal at Arctec Group Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3352
Published: 2014-08-30
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh...

CVE-2014-3908
Published: 2014-08-30
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.