rss-bridge 2023-01-18T19:29:00+00:00

Episode 547: Nicholas Manson on Identity Management for Cloud Applications

Nicholas Manson, a SaaS Architect with more than 2 decades of experience building cloud applications, speaks with host Kanchan Shringi about identity and access management requirements for cloud applications. They begin by examining what a digital identity is and then consider the technologies and tools that support identity management in cloud applications. The discussion then focuses on new developments in identity management and Identity-as-a-Service. The show ends with a review of processes that DevOps teams building and supporting cloud applications must incorporate to manage digital identities securely.


Show Notes

  • Episode 492: Sam Scott on Building a Consistent and Global Authorization Service
  • Episode 376: Justin Richer On API Security with OAuth 2
  • Episode 383: Neil Madden On Securing Your API

Other References

Transcript

Transcript brought to you by IEEE Software magazine.

This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number and URL.

Kanchan Shringi 00:00:17 Hi all, this is your host Kanchan Shringi. Welcome to this episode of Software Engineering Radio. We’re going to be talking with Nick Manson on identity management systems. Nick is an SaaS architect with over two decades of experience in building sales, service, and marketing applications. His projects have included big data and analytics, data science, mobile, customer relationship management, enterprise resource planning, commerce, call center, and content integration. Nicholas loves working with teams and staying on top of industry trends to build valuable services. This episode is from the perspective of Nick’s study and experience with identity management systems to architect several of Oracle’s cloud and mobile products. Nick, welcome to the show. Great to have you here. Is there anything else you’d like to add to your bio?

Nicholas Manson 00:01:09 No, you did an absolutely excellent job of that, Kanchan. Thanks a lot, and thanks for inviting me to Software Engineering Radio.

Kanchan Shringi 00:01:16 You’re welcome. Before we start, I’d like to mention a few related episodes we’ve done in the past. Episode 492, Sam Scott on Building a Consistent and Global Authorization Service; Episode 376, Justin Richer on API Security with OAuth2; and Episode 383, Neil Madden on Securing your API. So Nick, we worked together over a decade ago on Siebel CRM On Demand, and I still remember your statement from then that the design of the system started with the user. So, I’d like to first jump into basic definitions. What is a digital identity, and what is identity management? And then I’ll have a follow up about how we actually use these technologies every day with what identities.

Nicholas Manson 00:02:09 Sure. A digital identity is an entity within a computer system that represents an external agent for the system. So that’s a two-part definition. For the entity, just think of a record in a data store. Most typical example, the digital identity will be a user record. So, we often just refer to digital identities within our systems as the users. For the external agent, think of a caller for your services. That might be a REST client or web browser that’s operated directly by the end user. When the external agent is manually operated, we often just skip it when we talk about it and just think of the user as being the agent. So digital identity, typical case: a user has a digital identity that is a user record as mediated by a web browser agent. If we go on to identity management, identity management system, it’s just the part of your computer system that deals with establishing and managing digital identities. So, any application that knows something about individual users has some form of identity management in it, and some applications will build that directly in without thinking about it, some are going to use embedded services, and many cloud applications will integrate an independent identity-as-a-service provider.

Kanchan Shringi 00:03:43 So what are the different types of identities that we probably assume every day and use identity management technologies? Maybe starting with that will help with some of the follow-up questions.

Nicholas Manson 00:03:58 Sure. So the most common case is cloud users. We encounter identity management, digital identity, whenever we establish an account for an online service. So, in that case the identity management system is collecting that basic information about who we are. It’s allowing us to securely set a password, and it’s handling the login page. Those are the parts that we see. If you are looking at it from a developer perspective, just to flip the coin, we’ll encounter identity management when we wrap our webpages in a filter and have it redirect to a login page in order to force them to sign on before they can see what the server is providing. We’ll also run into it when we’re checking for authentication before running a service. So that might be checking a bearer token on a REST request or it might be looking at a session identifier on a webpage request.

Nicholas Manson 00:05:00 And then the last place we might run into it, once you’ve got authentication, once you have that identity off the bearer token or the session, you might make a call out to an identity service to get further information about the user that you’re dealing with. So that’s the most common case. Now there’s a few others, simpler but less common: organizations or business flows. They can have digital identities. So in that case there’s normally a public-private key pair associated with some named, it’s often a business flow, but we’ll call it a partner organization. And the identity management system handles managing the public key to go with the private key so that when the organization’s agent sends a REST call to us, we can use that credential to check that the source is from the organization that we think it is. Another case, you can use identity management to track applications and devices.

Nicholas Manson 00:06:07 So bring-your-own-device registration, it’s identity management for devices. That’s one way to think of it. There are other things involved there, but it has a digital identity. It works a lot like the organization. Additionally, there can be a lot more complexity in the flow. Workforce identity management allows one of the registered people, one of the identities that you pick up, to serve as the manager for a group of employees and control the registration of the rest of the digital identities in their group. Banking systems use a digital identity in the banking system. There’s often a point where it says, well, you’ve gone this far but you can’t go further until you come into the bank and show a teller your driver’s license, maybe a passport or your last hydro bill. So, there’s an actual know-your-customer component to that with a human workflow attached to the identity management in that onboarding process. And it’s very common for the identity management flow to be set up in complicated arrangements so that they’re federated, especially with enterprise computing, and in an enterprise computing situation, the enterprise will have an identity management system, you’ll have an identity management system, and your system will trust their system for identifying particular users.

[...]

