Monday, September 7, 2020

A rule of thumb for combining other federated resources such as identity:


Certain functions are not core to a stream store's data plane and can be offloaded to third-party solutions. For example, an Identity and Access Management (IAM) solution can provide single sign-on across all stream stores when they are connected to the same Active Directory; that capability does not have to be built into each individual stream store. Federated security therefore gives a client a mechanism to register only once and then use any stream store within the federation.


Even if the IAM solution does not provide integrated Authentication, Authorization and Auditing (AAA), the client can still expect a key-secret pair for a given identity that works with each and every stream store in the federation. Given that key-secret pair, a stream store can evaluate all the permission grants needed for its data-plane and control-plane activities.


Delegating AAA also helps with key rotation, which matters when an external key manager is involved. A key manager generates a private key and certificate that can be used to secure the storage containers. Key managers are useful when the data containers must be encrypted, but they generally do not participate in identity.


The point is that the form of identity representation is independent of how it is provisioned: provisioning is done not by an entity external to the stream stores or their federation but by an identity federation service that sits within the realm. The forms can be username-passwords, key-secrets, X.509 certificate requests, one-time passcodes or other options, and they are not mutually exclusive. Their operations can remain local to the stream store, which refers the procurement of the token to the identity federation service. Given a valid representation of an identity, each and every participating stream store can then proceed with provisioning container resources and serving data traffic.


Federating services and resources outside the stream store also enables a gateway function, with which administrators can allow or deny certain access globally rather than store by store.
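As an added example (not code from the original post, and not any particular stream store's implementation), the sketch below puts the pieces above together: a hypothetical identity federation service registers a client once and hands out a key-secret pair, the client exchanges that pair for a signed token, every stream store in the federation verifies the token with the federation's verification key and then applies its own data-plane and control-plane grants, and a gateway can deny an identity globally. All class and function names, the token format (base64 JSON claims with an HMAC-SHA256 tag) and the sample identities are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class IdentityFederationService:
    """Hypothetical federation service: a client registers once, gets a
    key/secret, and exchanges it for a token every store can verify."""

    def __init__(self, signing_key: bytes):
        self._signing_key = signing_key
        self._clients = {}  # access key -> (secret, identity)

    def register(self, identity: str):
        key, secret = secrets.token_hex(8), secrets.token_hex(16)
        self._clients[key] = (secret, identity)
        return key, secret

    def issue_token(self, key: str, secret: str, ttl: int = 300) -> str:
        entry = self._clients.get(key)
        if entry is None or not hmac.compare_digest(entry[0], secret):
            raise PermissionError("unknown key or bad secret")
        claims = {"sub": entry[1], "exp": int(time.time()) + ttl}
        body = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode()
        tag = hmac.new(self._signing_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"


def verify_token(verification_key: bytes, token: str, now=None):
    """Return the claims if the tag is valid and the token is unexpired, else None."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(verification_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered or signed by someone outside the federation
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < (time.time() if now is None else now):
        return None  # expired: the client must procure a fresh token
    return claims


class Gateway:
    """Global allow/deny switch shared by all stores in the federation."""

    def __init__(self):
        self._blocked = set()

    def deny(self, identity):
        self._blocked.add(identity)

    def allow(self, identity):
        self._blocked.discard(identity)

    def is_blocked(self, identity):
        return identity in self._blocked


class StreamStore:
    """A store never sees the secret; it only verifies tokens and checks its own grants."""

    def __init__(self, name: str, verification_key: bytes, gateway: Gateway):
        self.name, self._vkey, self._gateway = name, verification_key, gateway
        self._grants = {}  # identity -> {(plane, action), ...}

    def grant(self, identity, plane, action):
        self._grants.setdefault(identity, set()).add((plane, action))

    def request(self, token: str, plane: str, action: str) -> str:
        claims = verify_token(self._vkey, token)
        if claims is None:
            return "denied: invalid or expired token"
        identity = claims["sub"]
        if self._gateway.is_blocked(identity):
            return "denied: blocked by gateway"
        if (plane, action) not in self._grants.get(identity, ()):
            return f"denied: {identity} lacks {plane}/{action} on {self.name}"
        return f"ok: {identity} {action} on {self.name} ({plane} plane)"


def demo():
    """Constructed scenario: one registration, two stores, one tampered token, one global deny."""
    signing_key = secrets.token_bytes(32)
    idp, gateway = IdentityFederationService(signing_key), Gateway()
    stores = [StreamStore(n, signing_key, gateway) for n in ("store-a", "store-b")]
    key, secret = idp.register("alice")           # registered once, for the whole federation
    for s in stores:
        s.grant("alice", "data", "write")         # data-plane grant on every store
    stores[0].grant("alice", "control", "create-stream")  # control-plane grant on store-a only
    token = idp.issue_token(key, secret)
    results = [s.request(token, "data", "write") for s in stores]
    results.append(stores[1].request(token, "control", "create-stream"))
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")  # flip one tag character
    results.append(stores[1].request(tampered, "data", "write"))
    gateway.deny("alice")
    results.append(stores[0].request(token, "data", "write"))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The stores here verify with the same symmetric key the service signs with, which means any store could mint tokens for any identity; in a real federation the service would sign with a private key and the stores would hold only the public verification key, so that compromising one store does not compromise the federation's identity plane.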
