
The Future of Cloud Based Identity?

This week I was fortunate to spend some time with Mike Schwartz, CEO and founder of Gluu, the leading open source and on-demand cloud identity management provider.  Gluu is an Austin based start-up, that leverages open standards such as OpenID Connect, SAML 2.0, Shibboleth, and SCIM to make achieving single sign-on (SSO) secure and easy.

How has the concept of online identity management and federation services changed in the last few years?

Mike: Several fundamental changes are converging to create the perfect storm of online identity: (1) Facebook Connect is bubbling up from the consumer space into the enterprise market, creating demand for instant connectivity based on user controlled decisions; (2) OpenID Connect is positioned to replace a plethora of other standards - SAML, OpenID versions 1 and 2, OAuth versions 1.0 and 1.1, WS-Fed and Information Cards; (3) there has been a proliferation of authentication technologies - username / password is not the only option any more, and in fact we are being presented with many more easy to use, and more secure alternatives; (4) Email address has emerged as the definitive identifier for a person, and domain name the definitive identifier for an organization; (5) Due to the proliferation of mobile and cloud apps, the use cases for online identity need to address not only the attributes or claims of a person, but of the device or client to which the person is connected.

With the onset of OAuth 2.0 and OpenID Connect, does that mean the death of SAML?

Mike: Yes, it’s a “when” not an “if.” SAML does not support user authorization - trust is managed exclusively by the organization, and this model does not solve the use cases we are facing today. There are no organizational use cases which OpenID Connect cannot solve. With that said, online identity is about both “tools and rules.” SAML and OpenID Connect represent the tools. However the rules make the tools more useful. It will take time to replace all the rules and business agreements that have been implemented with SAML, which could be around for a number of years.

SAML is still quite well embedded in large scale telecoms and educational establishments. Do you see continued deployment of such approaches?

Mike: Website support for SAML has been tepid at best. Primarily, large websites, such as Google or Salesforce, support SAML. Integration of SAML into commercial products has also been slow—your average off-the-shelf or open source software product does not support it. So despite its success and utility, SAML has not seen the adoption necessary to provide a ubiquitous identity layer for the Internet. Higher Education and telecoms ultimately will adopt the identity technology that offers them the most content - access to apps and websites. It's premature to expect adoption in these two vertical markets before the standard is finalized. However, industry groups such as Internet2 and ASIS do not really care about one protocol over another - the important goal is access to content, and solving business problems. It's clear that OpenID Connect will solve some of the most pressing problems facing both industries.

The concept of online identity management relies heavily on providers. Is a standard only really as good as the providers signed up for it? Does everyone wait for a Facebook or a Google to become involved?

Mike: Adoption can be more important than standards. Support for a standard by large consumer IDPs is critical. In the US, Google-Microsoft-Yahoo have coverage of 99% of consumers (note: an email account is a requirement for Facebook). Support from large consumer IDPs will encourage web and app developers to create content… availability of content will drive organizations to run their own IDPs (rather than send their employees to a consumer IDP), to better control access to organizational resources (CMS-CRM…). So even though companies will not use the IDP services of consumer IDPs to identify employees, they do need to watch very closely what large consumer IDPs are doing.

Gluu and the OX Project have had significant attention in the last 12 months, with great interest from organisations trying to manage federated authentication and distributed authorization. What does the next 12 months hold for Gluu?

Mike: Our primary goal is to write the best open source cloud identity software on the market. One of the many advantages of open source development is a fast release cycle. In the next few months we are integrating new features that go beyond the current OpenID Connect Standard: (1) Support for UMA (the User Managed Access standard). UMA is an IETF standard that enables people or organizations to restrict access to APIs (URLs); (2) Based on our experience in SAML multi-party federations, we are proposing a new standard for OpenID Connect multi-party federations. Gluu has also proposed a new “OpenID Graph Working Group,” which would leverage the OpenID Connect network to share data.

Are organisations becoming more interested in taking ownership of online identity management themselves (thinking in-house development/management), or will offerings like the Gluu appliance approach become the de facto standard?

Mike: Identity is moving to the cloud, like many other important enterprise services. Gluu’s on-demand offering focuses on authentication and authorization. Other companies such as Centrify, Okta and SailPoint offer more comprehensive identity suites that include provisioning, governance, and role management. Hopefully some of these companies who offer one-stop-shopping for organizational identity will incorporate the open source Gluu software into their stack (why re-invent the wheel). But in general, I agree that organizations - especially SMBs - will move identity services to the cloud for these simple reasons: cost effectiveness, more functionality, and more robustness - especially support for clustering and business continuity.

Large enterprises are continuing (and will continue) to deploy highly robust telco-like identity services with data centers on multiple continents. Other organizations like universities are pursuing a hybrid approach, where they are using “managed services” deployed on their private network, to make it clear that their PII (personally identifiable information) stays within the network perimeter.

The provisioning of users within a corporate network is in itself complex and time consuming. Do you think managing identities in the cloud will benefit from mistakes made at the individual company level, and how will SCIM help, if at all?

Mike: Due to the variety of organizations, their missions, and the amount of technology they use, there is no one-size-fits-all solution for organizational identity management (IDM). While it's true that many IDM projects have failed, it doesn't mean we can stop trying. Eric Sachs from Google says that the track record of consumer identity technology has been 99% failure. It sounds Darwinian, but there is no question that all of the cloud services that exist today have learned from these failures.

The SCIM protocol itself is a good example of learning from past mistakes. SCIM is very useful. It is critical for services to be provisioned in a standard way. Why should Google, Salesforce, and others define their own API to “add a user” or add a “group” - well known entities in the organizational business process? The same holds true for the Identity service where people are authenticated and authorized, which is why we see the Gluu platform as an “endpoint” not the originator of the provisioning workflow.

The other interesting lesson of SCIM is that in order to achieve consensus, standards need to limit the scope. SCIM does a small subset of SPML, but it handles the most important use cases and was able to quickly gain consensus.

One confusion is about SCIM’s relationship to authentication / authorization and attribute exchange. This is not what SCIM was designed to do, and in fact the vendors don’t even think this is the use case it addresses… just because you can push passwords everywhere with SCIM, doesn’t mean it’s a good idea.
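The two SCIM points above (a standard "add a user" call, and provisioning being the wrong channel for passwords) can be shown in a few lines of code. The following is an added example and is not Gluu's code or part of the original post: a minimal in-memory stand-in for the identity-service side of a SCIM `POST /Users` call. It uses the SCIM 2.0 schema and error identifiers from RFC 7643/7644 (which may postdate this interview); the `UserStore` class, its method names and the constructed sample request are assumptions made for the example. The policy of rejecting any inbound `password` attribute, rather than silently dropping it, is the example's own choice, so that a provisioning system that tries to push credentials gets an explicit error.

```python
"""Added example: a minimal SCIM 2.0-style user-provisioning endpoint that
refuses to carry passwords (hypothetical code, not Gluu's)."""
import json
import re

# SCIM 2.0 core User schema and error-message URNs (RFC 7643 / RFC 7644).
# The request and response shapes below are a subset of the spec, assumed for this example.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _error(status, detail, scim_type=None):
    """Build a SCIM error response body; scimType values are those defined in RFC 7644."""
    body = {"schemas": [SCIM_ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class UserStore:
    """In-memory stand-in for the identity service that is the *endpoint* of provisioning."""

    def __init__(self):
        self._users = {}   # SCIM id -> stored record
        self._next_id = 1

    def create_user(self, raw_body):
        """Handle POST /Users. Returns (http_status, response_body)."""
        try:
            doc = json.loads(raw_body)
        except ValueError:
            return _error(400, "request body is not valid JSON", "invalidSyntax")
        if not isinstance(doc, dict) or SCIM_USER_SCHEMA not in doc.get("schemas", []):
            return _error(400, "schemas must include the core User schema", "invalidValue")

        user_name = doc.get("userName")
        if not isinstance(user_name, str) or not user_name.strip():
            return _error(400, "userName is required", "invalidValue")
        if any(u["userName"].lower() == user_name.lower() for u in self._users.values()):
            return _error(409, "userName already exists", "uniqueness")

        emails = doc.get("emails", [])
        for email in emails:
            if not isinstance(email, dict) or not _EMAIL_RE.match(str(email.get("value", ""))):
                return _error(400, "emails[].value must be an email address", "invalidValue")

        # Policy choice taken from the interview: the provisioning channel does not carry
        # credentials. Rejecting (instead of dropping) makes the caller's mistake visible.
        if "password" in doc:
            return _error(400, "password is not accepted on this endpoint", "invalidValue")

        record = {
            "schemas": [SCIM_USER_SCHEMA],
            "id": str(self._next_id),
            "userName": user_name,
            "emails": [{"value": e["value"], "primary": bool(e.get("primary", False))} for e in emails],
            "active": bool(doc.get("active", True)),
        }
        self._next_id += 1
        self._users[record["id"]] = record
        return 201, dict(record)

    def get_user(self, user_id):
        """Handle GET /Users/{id}. No credential attribute can ever be returned here."""
        record = self._users.get(user_id)
        if record is None:
            return _error(404, "user not found")
        return 200, dict(record)


# Constructed sample request, of the kind a provisioning system would send to the endpoint.
SAMPLE_CREATE = json.dumps({
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "alice@example.com",
    "emails": [{"value": "alice@example.com", "primary": True}],
})

if __name__ == "__main__":
    store = UserStore()
    print(store.create_user(SAMPLE_CREATE))   # 201 with the stored record
    print(store.create_user(SAMPLE_CREATE))   # 409, scimType "uniqueness"
```

A real deployment would sit this behind authenticated HTTPS and map the returned tuple onto the HTTP response; the point of the example is that the endpoint owns the user's credential lifecycle itself and exposes only the attributes a provisioning workflow legitimately needs.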

Thanks to Mike and the guys at Gluu for their time and for providing some great insights into the cloud based identity market.


