rss-bridge 2023-12-07T01:56:00+00:00

SE Radio 593: Eric Olden on Identity Orchestration

Eric Olden talks with host Giovanni Asproni about identity orchestration, a software approach for managing distributed identity and access management (IAM) and integrating multiple identity systems or providers (IDPs) to make them look like a single system from a user perspective. The episode starts with a refresher in identity and access management, then introduces identity orchestration and some of the challenges it helps to address, such as integrating disparate identity management systems after company mergers or acquisitions; managing identities in situations where some of the IAM systems are unreachable; and implementing more secure identity management in legacy applications. Brought to you by IEEE Computer Society and IEEE Software magazine.

Show Notes

Related Episodes

  • SE Radio 578: Ori Mankali on Secrets Management using Distributed Fragments Cryptography
  • SE Radio 571: Jeroen Mulder on Multi-Cloud Governance
  • SE Radio 547: Nicholas Manson on Identity Management for Cloud Applications
  • SE Radio 376: Justin Richer on API Security with OAuth2

Transcript

Transcript brought to you by IEEE Software magazine and IEEE Computer Society. This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number.

Giovanni Asproni 00:00:18 Welcome to Software Engineering Radio. I’m your host, Giovanni Asproni, and today we’ll be discussing identity orchestration with Eric Olden. Eric founded and scaled Secure and Clear Trust and Simplified. Simplified was the first identity-as-a-service company. He served as a senior vice president and general manager at Oracle, where he ran the identity and security business worldwide, and he was also a coauthor of the SAML standard. He created the first pre-integrated single sign-on platform and identity fabric. Eric, welcome to Software Engineering Radio. Is there anything I missed that you’d like to add?

Eric Olden 00:00:55 No, that was a great introduction Giovanni. Thanks for having me.

Giovanni Asproni 00:00:58 Let’s start with a refresher about identity management. So today we’ll be talking about identity orchestration, which is about identity management. So it is a good idea to start with a refresher about what identity orchestration is, and maybe also give an example, a practical example, so that our listeners will have a good mental model in their heads.

Eric Olden 00:01:18 So when you think about identity management first, it’s a simple concept of how you manage what users can access and what they can do inside of an application. And that is the gist of identity management. Now, when you go further into the details, there’s a good model I think of: the six As. So the first one is authentication. So how do you manage how you know a user is who they represent themselves to be? Are they using passwords or tokens? The second one is access control, and this determines whether a user can get to an application or to data that they’re trying to reach. And the third one is authorization. And most often this is, for instance, within an application: can a user do a transaction? Can they do a transaction for a certain amount of money, or something like that? A fourth one is the attributes, and the attributes about a user that are used in these policy decisions are sensitive.

Eric Olden 00:02:25 So you need to make sure that those attributes are secure. The fifth one is administration or governance, and how you manage those user accounts, who has membership in various groups, and so forth. And then the last one, or the sixth one, is audit. And so you need to be able to see a log of what users did over time. And so taken together, these six As represent identity management. So now the question of what is identity orchestration? And identity orchestration is a new way to think about identity if you have multiple clouds, if you have multiple environments, and you’re running in a distributed world. And so what we do with orchestration is similar to what the infrastructure world has done for some time. For instance, using Terraform to automate and go do things in a particular sequence, or Kubernetes, which is another way to orchestrate your compute. So what we did with identity orchestration was say, well, why don’t we apply some of those same concepts of abstraction and automation to identity, so we can make these distributed multi-vendor, multi-cloud worlds work in a more seamless way. So some people talk about identity orchestration as Kubernetes or Terraform for identity. So that might be a good way to think about what identity orchestration can do.

Giovanni Asproni 00:03:59 So here we are talking about situations where we have different identity management systems, and identity orchestration is a way of actually making all these disparate identity management systems behave as if they were one, somehow.

Eric Olden 00:04:12 That’s exactly right. And that we do through abstraction. So we absolutely normalize the different APIs that the identity systems, the IDPs or the identity providers, expose, and we created a layer that integrates across all of those, so that when you build a new application, it doesn’t have to be tightly coupled to any one of those identity systems. Instead it talks to the abstraction layer, and through the decoupling of the application from the identity provider, it allows you to switch out different providers without changing the application. So you can go from an old to a new identity system behind the abstraction layer and not have to refactor or do anything to your application.

Giovanni Asproni 00:05:03 Okay. From a business point of view, what are the key challenges that identity orchestration helps to address? So from a non-technical perspective, more of a business perspective?

Eric Olden 00:05:15 Yeah, I think one of the two most common use cases for orchestration is modernization. So taking your applications and moving them to the cloud. And in that world you need to switch the legacy on-premises identity system with a cloud-based one. So modernization is a big, important use case, because in the absence of an abstraction layer, you’re gonna have to rewrite your application, and that’s very expensive and takes a lot of time. The second, maybe business, scenario is with mergers and acquisitions. So when you think about one company acquiring another one, very often you’ll find one company has a different technology stack than the other. And so you need to have a way to have these two worlds coexist. For instance, you may have one company that’s a Microsoft shop, they use everything from Azure including the Entra identity provider, and then they acquire a company that has been using Okta for years.

[...]