Vail, Colo. – OpenID Connect is the new kid on the block: it wants to do the right thing and live up to the high hopes for its success, but it still has some growing up to do.
That was the message at the Cloud Identity Summit last week from Patrick Harding, CTO of Ping Identity.
That assessment was a dominant theme of Harding’s keynote, in which he outlined the changing security needs of the enterprise in a new age of computing that includes clouds, connected apps and roaming users with devices.
“What we are seeing right now is that the enterprise is starting to become a platform,” said Harding.
He said the scale of that platform is its most striking feature, including applications that are increasingly connected via the Web and APIs, the mobility of users who can be anywhere, and the proliferation of devices among those users including smartphones, tablets and laptops.
“There needs to be changes in how the enterprise exposes data,” Harding said.
He explored the notion that a token economy is upon the enterprise where tokens are the currency used for access control, federation and single sign-on, creating sessions, and most important, replacing passwords.
He described the early iterations of OpenID as the nephew of the Security Assertion Markup Language (SAML), which he discussed against the backdrop of a photo of “The Most Interesting Man in the World” made popular in TV beer commercials.
Harding said SAML is mature and knows what it is good at and not so good at.
He said the OpenID nephew of 2007/2008 was fun and created buzz, “but let’s be honest, he lost focus, took some shortcuts and did not meet expectations.”
On the other hand, OpenID Connect brings promise of something tangible for the enterprise.
“It provides a single security protocol for B2C and B2B,” said Harding. And he listed a number of benefits such as limited exposure to attack, simplicity, the ability to handle multiple grades of authentication, and options for encryption and signing.
He added there are benefits for single sign-on and for use with APIs, including API client authentication for passing identity assertions and standardized user ID information. He also cited the ability to authenticate both users and clients.
“OpenID Connect is also Web architecture friendly,” said Harding. And he added it supports a standardized user interface and capabilities he described as “DHCP for identity.”
The Dynamic Host Configuration Protocol (DHCP) is used to configure network devices to communicate on an IP network.
“Passwords are the ‘Achilles heel’ of cloud security,” Harding said. “It’s not good enough to reduce them to ‘one,’ it’s not good enough to ‘store’ them in a vault and use them as needed. It’s not good enough. Security at scale needs to be simple and fail safe.”
photo credit: © Brian Campbell