The OAuth Standards Stack: An Architectural Perspective
The OAuth standards stack is racing to keep up with the growing interconnectedness of cloud, IoT, social networks, e-commerce, individuals, and enterprises on today’s Internet. The menu of new standards options can seem bewildering, especially since some are still…
An Enterprise Authorization Framework Requires Identity and Context
We recently completed a consulting engagement to create an authorization framework for a large financial services organization. As illustrated, the framework has three dimensions: Runtime authorization patterns, policy models, and governance structures.
The “runtime authorization patterns” describe the components, interfaces,…
April 12 Webinar: The CISO’s Guide to Planning for ABAC Success
ABAC, Attribute Based Access Control, is the new model for access control as identified by NIST and Gartner, to help organizations meet the needs of the evolving complexities of today’s business environments.
Security Architects Partners is partnering with Axiomatics to…
Proposed OAuth 2.0 Assurance Session at IIW
As the morning dawns on the Mountain View Computer History Museum in California, the Internet Identity Workshop (IIW) will begin and I’ll propose an “unconference” session on OAuth assurance. As some of you know and others may see from the…
Federated Identity: Broad or Strong?
Broad deployments of federated identity have arrived in the form of social login. But in 2013 we find federation on the horns of a dilemma; can it be both broad and strong?
Federated identity, especially in the form…
Piling On OAuth
For those who’ve read my previous OAuth posts, the title for this article is a double entendre. I mean to convey both the idea that I’m piling on OAuth assurance AND that the entire industry seems to be piling on…
Back to the Future (of Federation)
I recently developed a “history of federated identity” diagram and marveled at how it was similar, in many ways, to slides I created while working at Burton Group in 2004. Let’s take a look at a few diagrams and see…
Mitigating OAuth 2.0 Security Issues with Good Profiling
While any alternative to the cross-service password-sharing anti-pattern is welcome, OAuth 2.0 also introduces some insecure flows to accommodate a broad range of use cases and to be as developer-friendly as possible. A previous post explores these assurance issues,…
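As an added illustration of what a hardened OAuth 2.0 profile looks like when enforced in code (example code added here, not from the original post or the article it links to): the authorization-server check below accepts only the authorization-code flow with PKCE (S256), an exact match against a registered redirect URI, a non-trivial state parameter and no duplicated query parameters, and rejects the implicit grant and loosely matched redirect URIs. The client registry, hostnames and function names are assumptions made for the example; the rules follow the later OAuth 2.0 Security Best Current Practice rather than anything in the 2013 post.

```python
"""Hardened OAuth 2.0 authorization-request profile check (added example).

All names, URLs and the client registry below are hypothetical.
"""
import base64
import hashlib
import re
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed client registry (hypothetical): exact redirect URIs only,
# no wildcards, prefixes or open redirectors.
REGISTERED_CLIENTS = {
    "web-app-1": {"redirect_uris": {"https://app.example.com/cb"}},
}

# An S256 challenge is base64url(SHA-256(verifier)) without padding: 43 chars.
_CHALLENGE_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def parse_auth_request(url: str) -> dict:
    """Split the query string; a duplicated parameter is ambiguous
    (RFC 6749 section 3.1 forbids it), so reject the request outright."""
    raw = parse_qs(urlparse(url).query, keep_blank_values=True)
    params = {}
    for key, values in raw.items():
        if len(values) != 1:
            raise ValueError(f"duplicate parameter: {key}")
        params[key] = values[0]
    return params


def check_auth_request(url: str) -> list:
    """Return the list of profile violations; an empty list means the
    request conforms to the hardened profile."""
    p = parse_auth_request(url)
    violations = []
    client = REGISTERED_CLIENTS.get(p.get("client_id", ""))
    if client is None:
        violations.append("unknown client_id")
    # The implicit grant (response_type=token) leaks tokens via the URL
    # fragment; the profile permits only the authorization-code grant.
    if p.get("response_type") != "code":
        violations.append("only response_type=code allowed (no implicit/hybrid)")
    # Exact string comparison: no prefix or path-traversal tricks.
    if client is not None and p.get("redirect_uri") not in client["redirect_uris"]:
        violations.append("redirect_uri must exactly match a registered URI")
    # state binds the response to the client's session (CSRF defence).
    if len(p.get("state", "")) < 16:
        violations.append("state missing or shorter than 16 characters")
    # PKCE binds the code to the client instance that started the flow.
    if p.get("code_challenge_method") != "S256":
        violations.append("PKCE with code_challenge_method=S256 required")
    if not _CHALLENGE_RE.match(p.get("code_challenge", "")):
        violations.append("code_challenge malformed (expect 43 base64url chars)")
    return violations


def make_pkce_pair() -> tuple:
    """Client side: generate a code_verifier and its S256 code_challenge."""
    verifier = secrets.token_urlsafe(32)  # 43 chars, within RFC 7636's 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def pkce_matches(code_verifier: str, code_challenge: str) -> bool:
    """Token endpoint: recompute the challenge from the presented verifier
    and compare in constant time."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return secrets.compare_digest(expected, code_challenge)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    good = (
        "https://as.example.com/authorize?response_type=code&client_id=web-app-1"
        "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb"
        "&state=" + secrets.token_urlsafe(16)
        + "&code_challenge_method=S256&code_challenge=" + challenge
    )
    bad = (
        "https://as.example.com/authorize?response_type=token&client_id=web-app-1"
        "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb%2Fevil"
    )
    print("conforming request:", check_auth_request(good))
    print("implicit-grant request:", check_auth_request(bad))
    print("verifier accepted:", pkce_matches(verifier, challenge))
```

The same function can be run over authorization-endpoint access logs to measure how many existing clients would break under the profile before it is switched on, which is usually the practical obstacle to tightening an OAuth deployment.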
Bob Blakley Saves Some of the Best for Last from CIS 2013
Bob Blakley, Global Head of Information Security Innovation at Citigroup and my former colleague from Gartner and Burton Group, has posted his Cloud Identity Summit (CIS) 2013 presentation on SlideShare. It’s called “What if Identity Were Pass-By Reference” and it…
REST Uneasy: Do we Need to Worry about OAuth 2.0?
Reading the IETF OAuth 2.0 authorization API specifications and generally investigating similar social login protocols over the past couple of months has been fascinating. While the journey is far from over, I’ve come far enough to gain perspective on the…