Dave Kearns, KuppingerCole
April 19, 2012 15:00
As the guys said, and now for something completely different: we are switching from virtualization technology and security in virtualized environments over to a topic that should be familiar to most of you. It's around federation, but also synchronization. And I'm very happy to have Dave here up on stage to explain to us what federation is really about and how this may differ between theory and practice. So, the stage is yours, and welcome, Dave.

Thank you very much, Sebastian. Welcome, everybody.
Plenty of seats down front. We are talking about federation versus synchronization this afternoon, specifically in regard to cloud-based computing and how identity is shared with the cloud service providers. I'd like to give you some basic definitions so that you understand what I'm talking about when I say federation and synchronization. First, synchronization: that means that the cloud service provider has a directory structure, a data store in which he stores user identities, personas, what have you, including attributes and so forth.

It's a regular directory structure, and this directory structure is populated from your on-premise directory. Periodically, changes are made back and forth; this has to be done fairly frequently in order to keep them in sync. Now, not everything from your on-premise directory is in the cloud directory, just that information that's necessary for the cloud service provider.

Under federation, however, the cloud provider still has his own directory structure where he's storing user information and attributes and all of that, but the authorization, or rather the authentication, is done on premise. A token is exchanged with the cloud carrying just enough information to identify who this particular person is. They get their account, they get their authorizations based on that. That is quicker to do than synchronization, of course, but may not be as complete. There are differences there.
And the panel that comes on after me will get into what those differences are and which may be better, or not, for a particular situation. Now, today I'm going to talk specifically about federation. My recent newsletter, and you can read it in my blog on kuppingercole.com, talked about synchronization for this subject, but I wanted today to concentrate on federation, because federation is something we've talked about for many, many years. Forty-five years ago, when I was first getting into the computer business, federation was a topic that we talked about.

Yes, right back in the sixties, we were talking about federation. And if I can figure out how the clicker works... okay, there we are. You've got a better one there. Yes. Forty-five years ago we talked about federation, but we were talking about the United Federation of Planets: Captain Kirk and Mr. Spock were telling us all about federation.

Actually, they didn't tell us much about federation, but we could determine some things from it. Because if you watch, you realize that they take their spaceship to some new planet, park it in orbit, and everybody beams down to the planet. They don't have to go through passport control or customs. They just show up there and do things, and then back on the ship and take off again. They don't need a pilot to get them into place. They don't need any sort of authorities checking their papers to make sure that they're not smuggling goods in.
I don't know how all of that worked, but it was the kind of federation I think that we would all really like to have. Now, 30 years later, I was again involved with federation, and something that we called the personal directory space. Okay. Now, the idea here in the personal directory space was to federate directories. You had your own personal directory; you were a node in the hierarchy of the directory tree. This contained all of your information, including all of your attributes and so on. This could be amalgamated with those of other members of your household into a branch of the tree.

Other households, other establishments, then would be grouped together as a part of the tree, at what's called here level two. All of the nodes then are gathered together in some sort of locality. It's probably done geographically; that's the way we were thinking about it back in the sixties. And grouped together as a tree, as you can see there, a very simple tree. But when you put together other localities into that tree, it becomes a little more complex, and this is perhaps something on a provincial or a state level, even on a country level.

Eventually, of course, it goes up to a worldwide level, with these branches all over the tree. Now, as I said, it was your personal information that was at the base of this. If we had known then what we discovered maybe five or six years later about virtualization for directory space and views of the directory, the sort of thing that, for example, Radiant Logic's server will do for you, we could rearrange this directory tree to look at it in various different ways.

We could look at our organization, enterprise, company, call it what you will, and see how all of the people fit into that. We could look at groupings from a university: all of the students together could then be regrouped under that as a branch of this tree. It was really a wonderful, wonderful design, I think, that we had, to allow identity information to be shared with anyone we wanted to share it with, at the same time having control of that information so that it would not be leaked out inadvertently or would not be shared with people we didn't want to see it.

It was, as I say, a good plan. Today it's being resurrected in a way as part of the life management platforms that you may have attended some sessions on here, something that both Martin and Craig were very big on. Doc Searls did a presentation earlier today on that, and hopefully you got to see it. Again, it's about having control over your personal data and then, in this case, federating out to other people. Unfortunately, before we could get it off the ground, about 10 years ago an event happened that changed life for us in the identity business forever.
It was on September 11th, 2001: 9/11. Now, I'm not talking about any terrorist acts that happened that day. There was something else that happened that day. It was overshadowed in the news, perhaps, but that was the day the Liberty Alliance was born. September 11th, 2001, it was announced. They took the word federation and changed it from what we had been using it for; federation now meant something else. They had big plans for this federation, using a concept they called circles of trust. Here's a little look at their grandiose plan. You can take a look at it.

It's somewhat similar to what we consider the three-part identity triangle today, with a user, an identity provider, and a relying party, but different too. Initially the concept was designed to be a business-to-consumer situation. This is what a circle of trust, to them, was going to look like: you as a user would have an account with, let's say, an airline or a rental car company or a hotel. Let's say it was with an airline. Okay? You have an account with the airline, which in turn would form partnerships with, let's say, Hertz Rent-a-Car and Dolche hotels.

And so by logging into your airline account, you could also access Hertz and Dolche, and they would know who you are. The information would be federated, a token would be passed so that they know who you were, but it was limited to these particular little groups. If you wanted to talk to Hilton about their hotels, they might not be in that circle; you'd have to go to another circle to find that. I thought it was a really dumb design at the time, and I was very upset because the personal directory space we were working on, of course, we had called federated directories.

They now appropriated that name, taken it over for something else. But after reflecting for a couple of years, I realized that federation and this circles of trust idea was actually something that we've been doing as human beings for thousands of years. It started in prehistory. The first ones we know about were within the Greek city-states: there would be federations of two or more city-states, and these took two forms. Under one form, let's say the citizens of Athens, if they were visiting Sparta, would have the same rights and privileges as Spartan citizens.
In another form, the Spartans, when visiting Athens, would have rights and privileges which were not quite as complete as the Athenians', but were much better than what they called barbarians, that is to say, strangers from outside. And these relationships changed over time; it wasn't a permanent thing. Later, during the Middle Ages, a group of city-states around the Baltic formed the Hanseatic League. This was a commercial federation, essentially: merchants from one Hanse town were able to go to another Hanse town, and upon presenting their credentials, upon being authenticated, were given the rights and privileges of a merchant in that particular town. And it worked very well.

It increased trade tremendously and allowed people to move around much more freely, and also, from our point of view, included that authentication step of presenting credentials. In the 18th century, in what had been the English colonies in North America, before they became the United States of America, they operated under what were called the Articles of Confederation. This was a federation of the 13 colonies. It meant that, for example, a citizen of Pennsylvania could travel to New York and enjoy the rights and privileges of a citizen of New York. A merchant from Virginia could travel to North Carolina and enjoy the rights and privileges of a merchant from North Carolina. Each of the states retained their sovereignty, however. They did their own finance, they did their own foreign policy, everything else. It was just a way of dealing with individual people. That was what the Confederation was all about.

Later, then, in the 19th century, the same thing happened in Germany: the German Federation, which was a way for those people in the various kingdoms, duchies, what have you (I think there might have been a republic or two in there too, and some independent cities) to move freely around within the federation, enjoying the rights and responsibilities and duties and privileges of people from these other areas. Eventually this group entered the German Empire, of course, because... well, we won't talk about that; it would probably depress some in the audience.

Finally, coming into the 20th century, and I don't have a slide for this one: when the USSR broke up, they were facing the upcoming Olympic Games. None of the newly independent countries, who were busy trying to organize governments and so forth, had sports federations ready. So they came in under a single flag called the Russian Federation. Now, the Russian Federation at that time was only for sport. It allowed athletes to share in the Olympic Games. There were no other rights and privileges associated with it, but they federated for that reason. And it worked. Back to the Liberty Alliance and their circles of trust.
Well, you know, they never did catch on. As someone said in talking about it, the idea of business-to-consumer didn't work, but a number of people adapted the protocols for business-to-business commerce. Circles of trust died, but SAML became king. SAML, the Security Assertion Markup Language, was a way to exchange tokens for authentication, essentially, between two different entities: one business and another business, or better still, an employee of one business and another business. Now, business-to-consumer type authentication, although it died here, came back with things like Facebook Connect, which is totally about business-to-consumer authentication. That's beyond the scope of what we're talking about today.

Using SAML, you don't have to have circles of trust. You just have to have an agreement between the two endpoints. This brought about the famous tripartite model that we see frequently when we're talking about these things, that is to say, a user in the middle, an identity provider, and a service provider. When we're talking about cloud-based services, these can actually be labeled in different ways. There's always the user, of course. The identity provider could be in the data center, could be in the cloud. The service provider is most likely in the cloud, but could be in the data center.

Yes, it's quite possible to have all of your IAM structure in the cloud with applications still running in the data center, and to authenticate to the cloud, which then sends tokens down to the data center to give you access to those applications. We're just beginning to see some of that. Traditionally, to this point (and traditionally means for the past year), the user has authenticated locally to the data center; the token is then exchanged with the cloud service provider, allowing the user to access whatever cloud applications it is that they're going to have.

Now, as usually happens in these sorts of presentations, it all devolves back to the Laws of Identity from Kim Cameron. And in this case, it's law number five: a universal identity metasystem must channel and enable the interworking of multiple identity technologies run by multiple identity providers. Which I interpreted to mean: to be successful, an identity system must be ubiquitous, pervasive, federated, and distributed. Ubiquitous: present everywhere. Pervasive: always available. Federated: able to communicate according to rules. And distributed: redundant for both speed and reliability. Federated identity services for the cloud give you all of this. Synchronization services don't. If I had to pick one or the other, I come down in favor of federation. Thank you.
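As an added example, not part of Dave's talk or of KuppingerCole's material, here is a toy Python model of the two patterns he defines at the start and returns to with the tripartite model: synchronization (copying a chosen subset of on-premise directory attributes into the provider's own store) against federation (authentication on premise, a signed token carrying just enough to identify the subject, and the service provider mapping that subject to an account in its own directory). The issuer name, audience names, shared key and directory records are constructed, and the HMAC-signed token stands in for a SAML assertion.

```python
import base64, hashlib, hmac, json, time

# Constructed on-premise directory. Under federation these full records never leave the enterprise.
ON_PREM_DIRECTORY = {
    "alice": {"mail": "alice@example.test", "groups": ["crm-users"], "salary_band": "C"},
}
ISSUER = "idp.example.test"          # constructed name of the on-premise identity provider
KEY = b"constructed-shared-secret"   # key agreed between the two endpoints (stands in for SAML signing keys)

def synchronize(on_prem, fields):
    """Synchronization: periodically copy a chosen subset of attributes into the provider's own store."""
    return {uid: {k: rec[k] for k in fields if k in rec} for uid, rec in on_prem.items()}

def idp_issue_token(uid, audience, key=KEY, ttl=300, now=None):
    """Federation, IdP side: the user has been authenticated on premise; mint a minimal signed token
    that names the issuer, the subject, the intended service provider and an expiry, nothing more."""
    now = time.time() if now is None else now
    claims = {"iss": ISSUER, "sub": uid, "aud": audience, "exp": int(now) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def sp_accept_token(token, expected_aud, local_accounts, key=KEY, now=None):
    """Federation, SP side: verify signature, issuer, audience and expiry, then map the subject
    to the provider's own account record. Authorizations come from the SP's own directory."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                                     # forged or tampered token
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if claims["iss"] != ISSUER or claims["aud"] != expected_aud or claims["exp"] < now:
        return None                                     # wrong issuer, token meant for another SP, or stale
    return local_accounts.get(claims["sub"])            # None if the SP has no account for this subject

if __name__ == "__main__":
    cloud_accounts = {"alice": {"account": "a-1001", "roles": ["crm:read"]}}   # the SP's own store
    print("synchronized view  :", synchronize(ON_PREM_DIRECTORY, ["mail", "groups"]))
    tok = idp_issue_token("alice", "crm.cloud.test")
    print("federated login    :", sp_accept_token(tok, "crm.cloud.test", cloud_accounts))
    print("same token, other SP:", sp_accept_token(tok, "hr.cloud.test", cloud_accounts))
```

The synchronized view shows which attributes end up in the provider's store and on what schedule they must be refreshed; the federated path shows that the token carries only the subject and that the relying side still needs its own account record to grant anything.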