Perimeter
8/28/2012
11:01 AM
Gunnar Peterson
Gunnar Peterson
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

ID Don't Mean A Thing Unless It's Got That Integration Thing

Architecture astronauts talk identity strategy, but pros talk identity integration logistics

When embarking on identity and access management (IAM) architecture and development efforts, the initial phases often churn through finding the "right" standard or protocol to use. Should the project use OpenID or SAML or IWA or something else altogether? While its important to sort through the tradeoffs and design considerations (after all the Cloud Security Alliance alone mentions 27 different identity standards!), selecting Identity protocols and standards is the beginning not the end.

The critical next steps include a plan for integrating the selected identity protocol and standards into the overall application. This step causes way more stumbling than it should. By now, we should know that there are no silver bullets in infosec. But even today, enterprises write RFIs and RFPs that hone in on support for a specific standard and yet gloss over the importance of integration.

Identity has made tremendous progress over the past decade, in my view progress on standards like SAML and XACML has been the "quiet revolution" in delivering more efficacy to real world security. But the standards and products that support them are not enough by themselves if they cannot integrate to your application then we are left with yet another silo or worse yet --- shelfware.

How should IAM architects avoid integration traps? The first step is identifying the integration targets. Every protocol and standard is different but at a minimum there are likely to be two integration points -- First Mile integration and Last Mile integration.

The First Mile is responsible to find and package the claims about the user subject. First Mile integration generally means being able to communicate with data stores and processes such as user activity, logins, user authentication, user stores, directories, attribute stores, and account information. In SAML, this often occurs via the Identity provider communication with user directory such as Active Directory.

The Last Mile is responsible to make and enforce access control decisions based on the claims its sent via the identity provider. This process can be summed up as"you assert, we decide." The Last Mile must be integrated with the application, service provider, Web service interface, mobile service or Web app. The extent of this integration is pretty variable. Most of the time it's a fairly coarse-grained authorization check, but there's been movement towards finer-grained access control through attribute based access control and standards like XACML that enable deeper integration and more policy-based authorization.

In both the First Mile and Last Mile integration points, the IAM Architect's job is to define the breadth and depth of integration. The architecture must factor in the communication protocols, data formats, token types, and other hooks to applications and data stores required to get the job done.

There's an old military saying that amateurs discuss tactics, armchair generals discuss strategy, but professionals discuss logistics. There's plenty of tactics and strategy necessary to light up a new identity protocol in your company, but successful IAM pros must plan for integration logistics, too.

Gunnar Peterson is a Managing Principal at Arctec Group Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com. View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6212
Published: 2014-04-19
Unspecified vulnerability in HP Database and Middleware Automation 10.0, 10.01, 10.10, and 10.20 before 10.20.100 allows remote authenticated users to obtain sensitive information via unknown vectors.

CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2013-6215
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 10.01 and 10.10 allows remote authenticated users to execute arbitrary code via unknown vectors, aka ZDI-CAN-1977.

CVE-2013-6218
Published: 2014-04-19
Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute arbitrary code via unknown vectors.

Best of the Web