Thursday Jan 14, 2010

New Blog at SmokingMonkey.org


Today, I imported all entries from this blog into my new WordPress blog at smokingmonkey.org. I'm using GoDaddy to host and installed my own instance of Wordpress. I plan to double-post content to both sites for the forseeable future. Figured it was time to have my own space to blog so I could be more irreverent then ever!

Visit SmokingMonkey.org!

Tuesday Dec 22, 2009

IDM Buzz Podcast: ROA, OAuth, REST Services and OpenSSO


Last week I had the opportunity to record an IDM Buzz Podcast with Michael Cote of Redmonk and Jamie Nelson, Sun's Director of Engineering for OpenSSO.

In this episode we discuss the latest OpenSSO Express 9 launch and our new Fine-Grained Authorization (FGA) capabilities. We also explain why we chose a Resource Oriented Architecture when designing our FGA solution and did some therapy with Cote to help him deal with his exposure to a shaved, punk rock cat (we're hoping his health care covers the session).

Listen Now

Also, if you missed our webinar last week on the OpenSSO Fine-Grained Authorization capabilities check out the replay here. Enjoy!

Wednesday Oct 28, 2009

ABAC + RBAC = ARRRRR-BAC

Arrrr, me mateys!

I'm going to stand on my soap box for a few minutes to share my take on the ongoing dialogue around RBAC versus ABAC. The debate over which one is better seems to be as heated as the debate over which side of a black and white cookie tastes better (Seinfeld - Black & White Cookie Episode).

I'm constantly asked by customers about which approach I prefer. Analysts seem to enjoy this conversation as well. In fact, Kuppinger-Cole did a nice Q&A on the debate earlier this week and does a great job outlining the issues.

Critics of the RBAC model argue that RBAC is static and believe that taking an RBAC-only approach will lead to an excessive number of roles. They argue that policy decisions will need to leverage Roles plus attributes embedded within your application infrastructure.

Honestly, I think the debate here is somewhat self-created by framing it in terms of RBAC versus ABAC rather than simply acknowledging that a good policy engine needs to support both roles and dynamic attributes. It is very rare to come across customers that are able to contain all attributes within a role. I have yet to see a real-world organization with a clean RBAC implementation. Arguing for purely RBAC is a nirvana that casts a blind eye to the grey areas of the application infrastructure world.

The issue of RBAC v. ABAC is less a decision about choosing one over the other and more a decision around where one draws the line when defining roles. Todays organizations need to define a clear line between what attributes should be part of a role and what should remain application specific. The balance between how you define roles versus attributes is very use case driven and contextual to each customers environment. This boundry is often based more on business context, IT budget, perceived value of abstracting identity from apps, and a gazillion other factors that could influence what you should do.

From the perspective of entitlement enforcement, the basic jist is that any system that is going to work for a customer needs to support both ABAC and RBAC. Policy enforcement decisions need to take in to consideration role definitions and sometimes they also need to incorporate dynamic attributes from applications.

As we refine entitlement enforcement in OpenSSO (our Beta was made available in September 2009) we are looking at this from both perspectives and expecting real implementations to require a hybrid solution that is dynamic and can take in to consideration both roles and attributes. Our solution consumes roles, allows applications to push attributes to OpenSSO for policy evaluation, and allows OpenSSO to pull attributes for policy evaluation. In fact, OpenSSO also supports policy referrals or partial policy referrals to help make an "accept" or "deny" decision.

Thus, my solution is to stop arguing about RBAC versus ABAC and change the name to ARRRRRRRRR-BAC (use the best pirate voice you can muster). Thus, like the black and white cookie, we can all live together again in harmony.

Tuesday Sep 22, 2009

Announcing New OpenSSO Community Lead -- Hubert Le Van Gong

I wanted to update you on the news last week about Pat Patterson (aka SuperPat) moving on from Sun and our search for a new community lead.

As you all now know, Pat has moved on from Sun and thus has stepped down as the OpenSSO community lead. I want to wish Pat the best of luck in his future endeavors. He is not only an icon among the OpenSSO world, but he is also a great friend. I jokingly told Pat on his last day that he is "now dead to me," but the truth is I will miss him dearly and look forward to pestering him lots in the future.

That said, I am very happy to announce that our new OpenSSO community lead is Hubert Le Van Gong. Hubert has a long history with OpenSSO. He is an identity architect at Sun with strong expertise in IdM protocols as well as RESTful web services. He started working with OpenSSO in the context of interoperability with the Microsoft-backed web services stack. True to Sun's tradition of eating its own dog food, he then helped deploy OpenSSO and its OpenID extension as an Identity Provider for Sun employees. More recently Hubert has been working on new OpenSSO extensions like OAuth and OpenID 2.0. Check out Hubert's blog to read about OpenSSO community activity and feel free to ping him via IRC. His IRC handle is hubertlvg.

In addition to Hubert, you can always contact me directly at daniel.raskin@sun.com or Jamie Nelson, the Director of OpenSSO Engineering, at jamie.nelson@sun.com. We are also on IRC and our handles are draskin and jamiefnelson, respectively.

Please join me in welcoming Hubert to his new role and start pinging away with questions!

Tuesday Sep 15, 2009

OpenSSO: Simple Integration with Microsoft AD

Our Sun identity heroine, SuperPat, recently wrote a nice blog on a new feature in OpenSSO Express 8 -- Simple Microsoft Active Directory configuration. Download Express 8 to test it out. We've removed a few steps to make using AD as an identity store reaaaaaaaaaally easy. Have fun.

Thursday Aug 20, 2009

OpenSSO Express for Improved SSO

Have you heard colleagues talking about OAuth, but don't understand how it can be used in the real world? Are you looking for lightweight solutions to federate with Java and .NET apps? Would you like to offer multi-factor authentication without having to purchase token hardware for all your employees?

Watch this FREE webinar and learn how Sun Microsystems, Inc. is innovating in these areas and many more to provide simple, pragmatic solutions in a single product. You'll learn how the latest release of OpenSSO can help you secure all your core resources with a single product regardless of whether your resources are internal, external or in the cloud.

Tuesday Aug 18, 2009

OpenSSO Express for Improved SSO

If you have a spare hour tomorrow (Wednesday August 18th 2009) morning, join me as I will be presenting a webinar titled OpenSSO Express for Improved SSO. The webinar is at 10am PDT/1pm EDT/7pm CET for an update on the very latest features in OpenSSO Express 8 and beyond, such as mobile one-time passwords, the Fedlet for .Net, and SalesForce.com integration. We will also be previewing our OAuth Token Service.

Monday Aug 03, 2009

OpenSSO Part of Nationwide Health Information Network CONNECT Architecture

OpenSSO is now part of the Nationwide Health Information Network (NHIN) CONNECT Architecture. CONNECT implements a flexible, open-source gateway solution that enables healthcare entities – Federal agencies or private-sector health organizations or networks – to connect their existing health information systems to the NHIN.

As part of CONNECT, OpenSSO acts as the:

1) Authentication Service for citizen registration
2) Policy Enforcement Point
3) and one of two choices for a pluggable Policy Decision Point

Read about OpenSSO and the CONNECT Reference Architecture here!

Monday Jul 27, 2009

OpenSSO Express 8 & OpenDS SE 2.0 Arrive!

Theeeeeeeey're heeeeeeeeere . . .

Thursday Jul 16, 2009

Technology Preview: OpenSSO OAuth Token Service

Check out the preview of our new OAuth Token Service. You can now use REST and the OAuth Token Service for securing your apps. It's a nice, light-weight alternative to WS\*.

Wednesday Jul 15, 2009

OpenSSO Enterprise: Fedlet for .NET in Action

Building on the now classic "Fedlet for Java / Guns N' Roses Video," we now have a video for the newly released Fedlet for .NET. BTW, thanks to Giuseppe Gennaro, engineering rock star extraordinaire, for helping to pull this together. Also, to experience the Fedlet download OpenSSO Enterprise Update 1. Enjoy!

Tuesday May 26, 2009

Nailing Down the Definition of "Entitlement Management" with OpenSSO

Ian Glazer from the Burton Group wrote a nice blog on having a meaningful conversation around the definition of entitlement management. Ian was responding to a blog by Ian Yip and basically states we need more specificity around entitlements in the context of access controls. I agree with Ian's sentiment and thought I'd take some time to discuss how Sun thinks about entitlement management when it comes to access controls.

First, as Ian points out in his blog we agree that entitlement management is to vague a term and cuts across many facets of identity management including roles, provisioning, access controls and reporting. When it comes to access controls we've decided to refer to it as "entitlement enforcement" so that it's clear that we are talking about the run-time enforcement of access entitlements.

Second, when we refer to entitlement enforcement we believe that we are discussing the fine-grained access controls around resources. That is, rather than protecting "doorways" or coarse-grained access we provide authorization decisions around all the "objects" within an application or resource (often referred to as fine-grained authorization). For example, a common scenario we see is in the financial services area and the need to provide entitlement enforcement around specific fields within a banking portal. For instance, a banking portal may want to provide access controls that limit the amount of money that subjects such as individuals, roles or groups can transfer. I may have the ability to transfer $1 million dollars and Ian may have the ability to transfer $5. Note that the access controls I'm talking about are not only specific to urls, but also other resources such as fields, calendars, etc.

Third, entitlement enforcement requires policy enforcement points that are easy to deploy and scalable. Sun is approaching this in two ways. 1) OpenSSO can be deployed as a policy enforcement point or 2) we will be offering a Fedlet policy enforcement point, a lightweight method for embedding policy enforcement points within applications. The key to this effort is making it lightweight and performant at the same time. Basic jist is if you have all the capabilities to implement entitlement enforcement but it isn't repeatable and scalable in terms of deployment then it won't be practical to implement and could hinder adoption.

Four, Sun believes that all aspects of an entitlement enforcement solution imply scale. Your policy store needs to scale. The user interface needs to scale to allow people to manage lots o' policies and the entitlement enforcement solution needs to be performant to ensure it can handle lots and lots of authorization transactions.

Five, auditability and simulation of policies is important as well. Entitlement enforcement needs to fit in to the development process so that administrators and developers can work together to define applications, develop policies and test policies throughout development, QA, staging and production. Providing tools to do this and ensuring that admins can export policies from the entitlement solution so that they can develop error free scripts as they move from environment to environment is critical.

Six, identity services are key to entitlement enforcement. The fine-grained nature of entitlements means there is a much larger burden on developers to tie policy to a centralized system. There needs to be several options that developers can use to handle embedding entitlements in the application or container. This includes lightweight identity web services such as OAUTH/REST, standard protocols such as SAML/XACML and complete abstraction via agents. Depending on the customer, we believe you need to support multiple options. Whereas a Web 2.0 company may be very excited about REST a financial services company may be more focused on agents and completely abstracting authorization from the developer. As Gerry points out, there are many ways to do this whether it be using XACML, WS\*, OAUTH, etc, etc, etc.

Finally, Sun has a unique belief that entitlement enforcement should be part of your web access management solution. This is not specific to the definition of entitlement enforcement, but rather our belief around how to pragmatically implement it. Deploying separate WAM solution and entitlement enforcement solution adds unnecessary complexity to your identity infrastructure and vastly increases the TCO. It means that organizations have multiple products to maintain and upgrade. It also means that customers will likely have multiple policy stores within their organization. From our perspective, WAM solutions were built to handle entitlement enforcement and it is a natural extension of web access management that is more likely to lead to customer adoption rather then requiring someone to license and deploy a separate component in their environment.

Our entitlement solution is currently under construction at OpenSSO.org. It will be 100% XACML based and is focused on delivering everything I've described above. You can currently view it via the OpenSSO source code, but we will be providing more details shortly for you to test it out. We will also be showing the new capabilities at OpenSSO Community Day 3.0 in San Francisco this weekend. Make sure to attend so you can see it and provide feedback.

Monday May 18, 2009

IDM and Virtual Desktop Infrastructure

Nice video by resident slacker / sales engineer Paul Walker on how the Sun Identity Management suite can complement Sun's Virtual Desktop Infrastructure (VDI). The demo shows how Sun can provide the whole stack from the operating system, smartcards, SunRay thin client device, desktop delivery mechanism and Identity Management (IdM) to offer a complete and secure VDI solution. The products used in this demo include the following (in no particular order) . . .

\* Sun OpenSSO Enteprise
\* Sun Identity Manager
\* Sun Directory Server Enterprise Edition
\* SunRay Server
\* Sun Secure Global Desktop
\* Sun VirtualBox
\* Sun VDI
\* OpenSolaris 2008.11

About

Read my extraordinary thoughts about the world of identity and access management. As an identity child prodigy, I have much to say about these subjects.

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today