Perimeter
8/28/2012
11:01 AM
Gunnar Peterson
Gunnar Peterson
Commentary
Connect Directly
RSS
E-Mail
50%
50%

ID Don't Mean A Thing Unless It's Got That Integration Thing

Architecture astronauts talk identity strategy, but pros talk identity integration logistics

When embarking on identity and access management (IAM) architecture and development efforts, the initial phases often churn through finding the "right" standard or protocol to use. Should the project use OpenID or SAML or IWA or something else altogether? While its important to sort through the tradeoffs and design considerations (after all the Cloud Security Alliance alone mentions 27 different identity standards!), selecting Identity protocols and standards is the beginning not the end.

The critical next steps include a plan for integrating the selected identity protocol and standards into the overall application. This step causes way more stumbling than it should. By now, we should know that there are no silver bullets in infosec. But even today, enterprises write RFIs and RFPs that hone in on support for a specific standard and yet gloss over the importance of integration.

Identity has made tremendous progress over the past decade, in my view progress on standards like SAML and XACML has been the "quiet revolution" in delivering more efficacy to real world security. But the standards and products that support them are not enough by themselves if they cannot integrate to your application then we are left with yet another silo or worse yet --- shelfware.

How should IAM architects avoid integration traps? The first step is identifying the integration targets. Every protocol and standard is different but at a minimum there are likely to be two integration points -- First Mile integration and Last Mile integration.

The First Mile is responsible to find and package the claims about the user subject. First Mile integration generally means being able to communicate with data stores and processes such as user activity, logins, user authentication, user stores, directories, attribute stores, and account information. In SAML, this often occurs via the Identity provider communication with user directory such as Active Directory.

The Last Mile is responsible to make and enforce access control decisions based on the claims its sent via the identity provider. This process can be summed up as"you assert, we decide." The Last Mile must be integrated with the application, service provider, Web service interface, mobile service or Web app. The extent of this integration is pretty variable. Most of the time it's a fairly coarse-grained authorization check, but there's been movement towards finer-grained access control through attribute based access control and standards like XACML that enable deeper integration and more policy-based authorization.

In both the First Mile and Last Mile integration points, the IAM Architect's job is to define the breadth and depth of integration. The architecture must factor in the communication protocols, data formats, token types, and other hooks to applications and data stores required to get the job done.

There's an old military saying that amateurs discuss tactics, armchair generals discuss strategy, but professionals discuss logistics. There's plenty of tactics and strategy necessary to light up a new identity protocol in your company, but successful IAM pros must plan for integration logistics, too.

Gunnar Peterson is a Managing Principal at Arctec Group Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-4988
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

CVE-2014-0207
Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0537
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-0539
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-3309
Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.