Saturday, May 11, 2019

Aliases and robots:
Usernames and passwords became a representation of the user. With the use of cryptography and X.509, we now have public and private keys as representations of identity. These can be used to generate the equivalent of a username and password, as keys and secrets, which can then be used to authorize HTTP requests.
HTTP requests generated with keys and secrets are generally issued by applications. Since no user is involved in creating them, they can also be called programmatic or robot usages. Moreover, keys and secrets can be generated dynamically for a limited lifetime, scope and purpose. They then constitute a set of credentials to be managed with expiration policies.
Identity is therefore no longer for humans alone. It is a notion shared with every accessor of system resources. By giving identities to accessors, we can assign roles for proper authentication and authorization. To the system there is very little difference between identities for users and for machines. The notion of identity can change even for the same end user when the credentials change: old names or identifiers may be closed in favor of new ones. Machines simply make use of short-lived identities. They take this to the next level, where identities are frequently rotated, preventing or limiting the risk of compromise. The number of times an identity is generated makes no difference as long as the set of active identities is finite and manageable.
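The two paragraphs above describe short-lived, scoped key/secret pairs that sign HTTP requests and are rotated against a finite set of active identities. The following is an added example, not code from the post, that models that lifecycle: the in-memory registry, the subject name "build-bot" and the scope strings are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Registry of currently active machine identities (constructed for this example).
ACTIVE = {}


def issue_credential(subject, scope, ttl_seconds, now=None):
    """Mint a key/secret pair bound to a subject, scope set and expiry."""
    now = time.time() if now is None else now
    key_id = secrets.token_hex(8)        # public identifier, sent with each request
    secret = secrets.token_hex(32)       # shared only with the robot and the server
    ACTIVE[key_id] = {"subject": subject, "scope": set(scope), "secret": secret,
                      "ttl": ttl_seconds, "expires": now + ttl_seconds}
    return key_id, secret


def sign_request(secret, method, path, timestamp):
    """Client side: HMAC over the request line and a timestamp that limits replay."""
    msg = f"{method}\n{path}\n{timestamp}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def authorize(key_id, signature, method, path, timestamp, required_scope,
              now=None, max_skew=300):
    """Server side: reject unknown, expired, stale, forged or out-of-scope requests."""
    now = time.time() if now is None else now
    cred = ACTIVE.get(key_id)
    if cred is None:
        return False, "unknown or revoked key"
    if now > cred["expires"]:
        ACTIVE.pop(key_id)               # enforce the expiration policy on first sight
        return False, "expired"
    if abs(now - timestamp) > max_skew:
        return False, "stale timestamp"
    expected = sign_request(cred["secret"], method, path, timestamp)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if required_scope not in cred["scope"]:
        return False, "out of scope"
    return True, cred["subject"]


def rotate(key_id, now=None):
    """Retire an active credential and issue a fresh one for the same subject and scope."""
    cred = ACTIVE.pop(key_id)
    return issue_credential(cred["subject"], cred["scope"], cred["ttl"], now)
```

Every decision is made against the registry rather than the token alone, so revoking or rotating an entry takes effect immediately and the active set never grows without bound.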
Identity as a managed resource has evolved into specialized and general-purpose Identity and Access Management products and solutions. They are set up to consolidate identities for the members of an entire organization with the use of a member directory. They provide different mechanisms for authentication, with the option to authenticate in federated, chained or standalone modes. Identity providers enable single sign-on, token generation and API integration.
