Matt Cochran
Architect, GE Corporate
mdc@ge.com

Practical deployments
Enterprise cloud access management platform
Disclaimer

The views and opinions expressed in this presentation are my own and do not necessarily represent the views or opinions of the General Electric Company or any of its subsidiaries.
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - Matt Cochran
A changing IT landscape

•  Close 32 datacenters & migrate 8000+ apps to cloud
•  Enterprise WAM capability needs to grow with the use cases
•  Improve services around B2B & B2C
•  Mobile, SaaS & 3rd party use cases on the rise
•  Focus on self service & enabling automation

[Diagram: the legacy WAM at the centre, with apps, partners, customers and self service pulling on it.]
Enterprise WAM – Legacy model

[Diagram: End user → Firewall → Internal app protected by an SM agent. Around it: client, cloud, mobile, SaaS, API dev, app dev, developers and admin on the consuming side; risk platform, legacy AM, biz AuthZ data, extended user data, biz APIs and corp APIs on the back end; support teams, operations, data owners and platform teams operating it.]

Properties of the legacy model:
✓  Application logic
✓  Consuming headers
✓  Bolt on security at end
✓  Agent support
✓  Biz specific policy
✓  Network dependent
✓  Stateful
Strategy – Cloud Access Management

Standards based AM platform: network independent, stateless, cross platform.

Platform components:
•  Federation: OpenID Connect authentication
•  Trusted ID Ex: attributes for authorization
•  API Gateway: access to protected resources

[Diagram: the three platform components (Federation, Trusted ID Ex, API GW) sit between the consumers (end user, client, cloud, mobile, SaaS, API dev, app dev, developers, admin) and the back-end systems (risk platform, legacy AM, biz AuthZ data, extended user data, biz APIs, corp APIs); support teams, operations, data owners and platform teams run the platform.]
Strategy – Cloud Access Management

Standards based AM platform, plus a self service portal:
•  Request portal: self service workflows & documentation
•  Self service API: secured admin APIs for self service regi.
•  Developer tools

[Diagram: same platform as the previous slide, with a request portal and a self service API added in front of the Federation, Trusted ID Ex and API GW components.]
Strategy – Cloud Access Management

Standards based AM platform, self service portal, and a transition of responsibility:
•  Corporate owns the platform
•  Business owns the auth approach & strategy
•  Apps own the implementation (BYO auth solution)

[Diagram: same platform, now fronted by the Cloud AM portal and self service API; each app brings its own auth solution on top of the platform.]
Cloud AM: Cross platform design pattern

[Diagram: the app authenticates the end user against the Federation component over OpenID Connect; developers register and manage apps through the self service API over REST / SCIM; the Cloud AM portal, Trusted ID Ex and API GW sit in front of the risk platform, legacy AM, biz AuthZ data, extended user data, biz APIs and corp APIs.]

✓  Seamless
✓  It just works
✓  Self service
✓  Standards based
✓  Cross platform
✓  Improve platform
✓  Focus on architecture
✓  Refine solutions

Request
  Client_id: mattsApp
  Client_secret: wut
  Scopes: openid, profile, api1

Response
  { "id_token" : "abc.def.geh",
    "access_token" : "abc123",
    "refresh_token" : "1234567" }
Cloud AM: Web applications

[Diagram: client → OpenID Connect → web server running mod_auth_openidc → app server → app code; the Federation, Trusted ID Ex and API GW components sit behind the web server.]

Deployment example
•  mod_auth_openidc, written by Hans Zandbelt
•  Open source Apache module

Features
•  Fully implemented OpenID Connect Relying Party (RP); the OP is the Federation component it talks to
•  Language agnostic (Apache module, so the app behind it can be written in anything)
•  Easy setup – Chef
•  Can write path specific attribute policy for AuthZ
•  Can bind to a virtual directory for biz specific attributes

Other solutions
•  mod_ox from Gluu
•  Apache Oltu
•  Spring Security
•  ForgeRock OpenIG
•  PingAccess
Cloud AM: Mobile applications

[Diagram: mobile device with a corporate container holding managed app 1 (hybrid) and managed app 2 (native), each with its own auth lib; Safari holds the SSO session. The apps authenticate over OpenID Connect and present an OAuth2 access token to the Federation, Trusted ID Ex and API GW components.]

Deployment example
•  Swift: https://github.com/p2/OAuth2
•  ObjC: https://github.com/nxtbgthng/OAuth2Client
•  Hybrid: homegrown library

Features
•  Authenticate users via the in-app OS browser using custom URL schemes, e.g. Myapp://redirect_url
•  Browser used as "NAPPS Light" for cross application SSO (apps reuse the session stored in the browser cookie)
•  Refresh tokens can be stored in the keychain, unlocked with Touch ID or a PIN (depending on use case)

Other solutions
•  NAPPS authorization agents
•  Auth0
•  CA API Management (Layer 7) SSO
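The custom-URL-scheme redirect described above has one property an app team must design around: any app on the device can register the same scheme, so the authorization code that comes back through it is not by itself proof that the right app received it. The following is an added example, not code from the deck or from the Swift/ObjC libraries it lists: it shows the authorization request an app opens in the OS browser, the PKCE verifier/challenge pair that binds the code to this app instance, the checks the app makes on the myapp:// callback (registered redirect URI, state, error), and the verifier check the token endpoint performs when the code is redeemed. The authorization endpoint and client_id are constructed placeholders; the PKCE test vector is the one from RFC 7636.

```python
# Added example (not from the slides or the libraries they list): authorization
# request, PKCE (RFC 7636) and custom-scheme redirect handling for a mobile app.
# Endpoint URL and client_id are constructed placeholders.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://idp.example.com/authorize"  # assumed Federation endpoint
CLIENT_ID = "mobileApp"                                   # assumed client_id
REDIRECT_URI = "myapp://redirect_url"                     # custom scheme, as on the slide


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair() -> tuple:
    """43-char verifier from 32 random bytes (RFC 7636 wants at least 256 bits of entropy).
    The verifier never leaves the app until the code is redeemed."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorize_url(state: str, nonce: str, challenge: str,
                        scopes=("openid", "profile", "api1")) -> str:
    """Authorization request opened in the OS browser (not an embedded web view),
    so the browser's SSO cookie is shared across apps as the slide describes."""
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })


def parse_redirect(url: str, expected_state: str) -> str:
    """Handle the myapp:// callback delivered by the OS. Another app can claim the
    same scheme, so: check the callback really targets our registered redirect_uri,
    check the state we issued, and surface an OP error instead of a code."""
    parts = urlsplit(url)
    registered = urlsplit(REDIRECT_URI)
    if (parts.scheme, parts.netloc, parts.path) != \
            (registered.scheme, registered.netloc, registered.path):
        raise ValueError("redirect does not match the registered redirect_uri")
    q = parse_qs(parts.query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not a request this app started")
    code = q.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


def server_checks_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """What the token endpoint does with the code_verifier sent alongside the code:
    recompute S256 and compare against the challenge stored at authorize time. A
    rogue app that intercepted the code via the shared scheme has no verifier."""
    return secrets.compare_digest(stored_challenge, pkce_challenge(presented_verifier))


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url(state, nonce, challenge))
    # Constructed callback, as the OS would hand it to the app after login:
    callback = f"myapp://redirect_url?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = parse_redirect(callback, state)
    print("code:", code, "verifier accepted:", server_checks_verifier(challenge, verifier))
```

The `state` check protects the app from a callback it did not ask for; PKCE protects the code itself. Together they are what lets a public client use a shared custom scheme without a client secret, which a native app cannot keep anyway.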
Next steps
•  Authorization – fine grain, risk based
•  Gen 2 API Management integration
•  B2B: IDP as a service, 3rd party in use cases (IDaaS)
•  Identity assurance

Appendix
Cloud AM: Strategy

•  Push responsibility to the business: app teams (not Corporate) own implementation & support
•  Provide repeatable design patterns, documentation & guidance
•  Create a network independent, standards based, self service abstraction layer on top of legacy AM

Platform components
•  Federation: OpenID Connect authentication
•  Trusted ID Ex: attributes for authorization
•  API Gateway: access to protected resources

[Diagram: the Federation, Trusted ID Ex and API GW components sit between the exposed side (mobile, cloud, SaaS, 3rd party) and the trusted network (legacy WAM, directories).]
