Tag Archives: WSO2 Identity Server

Ask an Expert: Catching up with IAM Guru, Prabath Siriwardena

Prabath Siriwardena, WSO2’s senior director of security architecture, has a lot to be proud of. He’s an accomplished author, speaks at conferences such as Qcon, ApacheCon, WSO2Con, EIC, IDentity Next, OSCON and OSDC, and has over a decade of experience working with Fortune 100 companies.

We caught up with Prabath recently to get his take on the significance of GDPR, the future of open source IAM solutions, his personal journey at WSO2, and why he believes the world always needs fresh ideas.

1. What has your journey at WSO2 been like, Prabath?

I completed 10 years at WSO2 last year, having joined on the 1st of November 2007. It’s been a great journey with an awesome set of people around me – both the colleagues at work and the customers.

I’ve learned a lot from both these groups. The joy of working at WSO2 is that you always get an opportunity to help someone solve a challenging problem. It can be as simple as building a federated login scenario with a SaaS vendor to more complicated use cases like building an identity architecture to accommodate millions of users. Overall it’s a very satisfying, rewarding journey – looking back, I’ve enjoyed every second of it.

2. What’s the most recent problem you’ve helped solve?

I get the opportunity to talk to and work with many WSO2 customers, and each problem is quite interesting. Engaging with customers allows me to understand their pain points. Once you know their pain points, you can work with them to find and build a solution.

Let me give you one example. Recently we worked with a customer based in San Francisco, California, a large company with hundreds of departments. Each department has its own applications and an identity store. The employee records are scattered between those different identity stores – and a given employee has to maintain multiple records under each department if they have to access any of the applications provided by that department. This has been the way the company operated for several years. A real productivity killer – but, convincing 100+ departments to build a unified identity platform across the company was challenging, both technically and politically. We’ve had several long discussions with their technical teams and are now in the process of building a unified identity platform with WSO2 Identity Server, in a phased approach.

3. GDPR has surely caught on and everyone is throwing this term around. But there’s a deadline approaching and we need to act fast. What’s the simplest way an enterprise can get started and what do they need to keep in mind?

GDPR is a historical milestone in all the initiatives brought up so far to protect consumer privacy. Even though it’s more applicable to the EU, it has a global impact in the way it’s designed. Becoming GDPR compliant starts with a self-assessment – understand what data you collect from your employees, partners, suppliers, customers, and any other entities you work with. Then you need to see how the data is being stored and processed. If you employ third parties in the process of data collection – or if you share data with third parties for further processing, then you also need to worry about them being GDPR compliant. Once that’s done, you can come up with a phased approach to be GDPR compliant. It’s always recommended that you consult a lawyer or any GDPR consultancy firm to validate your approach and get their guidelines. GDPR is a law, so you should not mess with it!

There are no all-in-one or tailor-made solutions for GDPR. This is where WSO2 Identity Server has a key role to play. WSO2 Identity Server, as an identity provider, gets directly involved in processing personal data. We have made the product GDPR compliant and also provide a portal for consent management.

4. What’s the future like for open source IAM solutions?

A decade back, the IAM market was mostly dominated by Oracle and IBM. The entry barrier was high and was not justifying the cost over the benefits.

Today the number of companies adopting an IAM solution is much higher. Cloud-based IAM solutions and open source IAM solutions increasingly reduce the cost of entry.

According to Gartner, by 2021 open source IAM components will be used for one or more IAM functions by 30% of organizations, up from 20% at the end of 2016. Apart from open source, there are a large number of companies that use homegrown IAM solutions – around 20%. In the next few years, I would expect these companies using homegrown IAM solutions to select an open source IAM product. Unless you have a dedicated set of engineers, who have expertise on IAM, it’s hard to keep up with the pace in which the IAM industry is evolving.

Another important fact I would like to highlight here is open source licensing. Not all open source licenses give you the same level of freedom. Apache 2.0 is the most business-friendly open source license. You can do anything with a product released under Apache 2.0. All WSO2 products are released under the Apache 2.0 license and WSO2 is the 8th largest open source software company. There are more than 100 universities in the USA and Canada using WSO2 Identity Server for free, with no support from WSO2. That’s the beauty of real open source.

5. What are the benefits of an open source IAM solution?

There are multiple reasons why someone would pick an open source IAM vendor over commercial off-the-shelf (COTS) software. At one point, COTS had an edge over the features, but no more. Most of the open source IAM products out there can compete with any COTS product, in terms of features, and of course, perform better.

Then the cost. Most of the open source products do not have any licensing cost, but a production support model. This definitely reduces the initial product purchasing cost. One key reason I see why people go for open source IAM products is the ‘freedom’. The freedom to examine the source code, freedom to extend the capabilities, and freedom to make business decisions.

“Most of the open source IAM products out there have a proven track record. I can speak for WSO2 Identity Server, where we have many large scale deployments around the globe, for millions of users.”

That’s about scalability, how about security? Irrespective of a product being open source or not, you need to worry about the security of the product. At WSO2, we put a lot of effort into building all WSO2 products in a secure manner. We use both open source (OWASP ZAP) and commercial code scanning tools (Veracode, IBM AppScan). All these tools are integrated into the build system and no product releases are done without fixing any of the reported issues.

6. How did you start working in IAM?

It just happened. When I joined WSO2 in 2007, I was assigned to the WSO2 Identity Server team. At that time it was called, ‘Identity Solution’ – and we only had 4 members in the team. WSO2 was founded in 2005, where SOAP, SOA, web services were at the top of the hype. We had a strong, solid foundation in that space. Both of our founders are pioneers in the web services domain, and authored many key web services specifications. Axis2, Synapse, Rampart, WSS4J are top open source Apache projects initiated and mostly contributed by WSO2 employees at that time. Apache Rampart is the web services security module for Axis2 – and it has all WS-Security, WS-Security Policy, WS-Trust specifications covered. Around 2006/2007 we were closely working with Microsoft for interop testing, and that was the time Microsoft came up with an open specification called ‘Information Cards’, which is based on WS-Security and WS-Trust. Since we already had them implemented in Rampart, it only needed a little more effort on top of that to build support for Information Cards. That’s how the WSO2 Identity Server was born in 2007 – and it was one of the very first implementations of Information Cards in Java.

7. What is your proudest accomplishment in recent times?

WSO2 Identity Server celebrated its 10th anniversary in December 2017. Looking back, there are many proud moments that were accomplished as a team. Today, WSO2 Identity Server is a globally recognized brand and is one of the top open source IAM products. There are more than 40 million users globally using WSO2 Identity Server for authentication on a daily basis. There are more than 100 paying customers, which we are extremely proud of. Just to name a few, Nissan, HP, GE, Verizon, Vodafone, Seagate, Department of Homeland Security (DHS), Verifone, Align Tech, WEST, Nutanix, Trimble and many more. It’s extremely satisfying to see how the product evolved over the last 10 years and is now trusted by many Fortune 100 and Fortune 500 companies to build the most critical parts of their core business on top of WSO2 Identity Server.

8. What advice would you like to give a budding developer or an architect to better their career?

Failing to innovate is the biggest failure in anyone’s life. The world does not lack technical skills, but fresh ideas. Fresh ideas are born when you start feeling your problems and those of others. You may choose to live with the pain or get rid of it by fixing the problem. The latter leads to innovation. There is always room for improvement, room for innovation. Capitalize on those and enjoy what you do.

Guest Blog: Speeding Delivery of Affordable E-Health With WSO2

The good news is that modern technology is helping us to live longer. According to the Ambient Assisted Living Joint Programme, some 25% of the population in the European Union will be over 65 by the year 2020, and the number of people aged 65 to 80 years will rise by 40% between 2010 and 2030.

The challenge before us is to ensure that as people age, we can enable them to live independently and experience the highest quality of life possible—and do so in a way that is affordable for individuals and governments. Addressing that demand has been a key priority here in the Active Independent Living (AIL) group within Barcelona Digital Technology Center (BDigital).

We have built eKauri, a non-invasive e-health and smart home platform that empowers seniors to gain autonomy, participate in modern society, and achieve independence through solutions based on information and communications technologies (ICT). It includes a patient application that provides a range of services activated by the users—for example a home media center and video conferencing—plus sensors that monitor the patient’s activities and environment. A second care center module gives caregivers and managers tools for such activities as monitoring and managing patients and handling patient alarms, among many others.

The cloud-enabled eKauri platform takes advantage of credit-card sized Raspberry Pi computers and Z-Wave wireless home automation devices within patients’ homes. It also relies on four products from the open source WSO2 Carbon enterprise middleware platform: WSO2 API Manager, WSO2 Identity Server, WSO2 Enterprise Service Bus and WSO2 Application Server. Together, these products enable eKauri to tie together data, applications and services across a range of applications, computers and Internet of Things (IoT) devices.

Notably, all WSO2 products extend from its Carbon base, so it created a seamless environment that allowed for our programmers to rapidly gain an understanding of the technology as well as accelerate our integration and product development.

Because our charter is to develop technology that commercial partners can then deliver as solutions to the market, we wanted to provide a minimally viable version that our commercial partners could start using by January 2015. By speeding our development with WSO2, we were able to complete the first minimally viable version of eKauri in October 2014, three months ahead of schedule, and we already have a built-in market and clients that want to pay for the product.

With a rapidly aging population worldwide, we need to move quickly to bring new solutions to market that enhance the health and quality of life for senior citizens. WSO2 has played an important role in helping us meet that demand with eKauri.

WSO2 recently published a case study about our use of its products with eKauri. You can read it here.

WSO2Con Insights – AlmavivA Adopts Lean Approach to Public Administration with WSO2

The Italian Ministry of Economy was looking for a complete transformation in data management by redefining and organizing its own data, so that information of millions of employees of the Italian Public Administration would be unique and certified.

The proposed system spelt the integration of two main IT systems in the Ministry; one that handles personal data, and a second that handles economic data, so that the system would have one single point of management, and serve applications regarding salaries and personal data as a self-service for the Italian public sector employees.

The Ministry approached AlmavivA Group, Italy’s number one Information and Communication Technology provider, for a solution. Giuseppe Bertone, Solution Architect at AlmavivA S.p.A., said during his session at WSO2Con 2014 EU in Barcelona, Spain, that AlmavivA designed and proposed an ad hoc master data management (MDM) solution for the Ministry, based on WSO2 products, to manage the data of 2.6 million employees.

Picking the Best Product Solution

He said that there was a set of criteria that AlmavivA and their client listed out prior to choosing the right products and platform for the project. Some of the critical features were interoperability with existing IT components, high modularity, optimization for performance, and most importantly, open source. Comparing pre-built product solutions available in the market, Bertone and his team made a decision to use WSO2 products for the entire solution.

“WSO2 products fit the requirement. You can enable only the components that you need, and leave the rest of it out, unlike in pre-built solutions,” he said.

He added that there were many redundant repositories within the Ministry IT systems; datasets needed to be optimized and integrated with external systems, and a migration workflow for the existing data had to be defined.

The reference architecture for the MDM solution included interface, events, security, and data quality components, as well as the repository layer, which consists of four databases; master data, metadata, historical data and reference data.

The AlmavivA project ‘Anagrafica Unica’, roughly translating to ‘Unique Repository’, was initiated in March 2012.

The WSO2 Advantage

The mapped reference architecture was a total solution platform based on a set of WSO2 products:

WSO2 Enterprise Service Bus (ESB) for interface services, the WSO2 Data Services Server (DSS) to access the repository layer and manage all life cycle services, WSO2 Identity Server (IS) as the security and identity component, WSO2 Message Broker (MB) for communication between applications, WSO2 Governance Registry (G-REG) to store configurations of all components, and the WSO2 Business Activity Monitor (BAM) to monitor services across the entire MDM solution. OracleDB is used as the repository layer.

With BAM being easily integrated with other WSO2 products, AlmavivA simply had to install a specific BAM load inside each component, so that the statistics and real-time performance could be monitored. An additional console was added as a UI for the system’s custom procedures.

Another advantage of using WSO2 products was brought to light during the development stage; “Many aspects of WSO2 products can be simply configured from the web UI, or the developer studio for all WSO2 components. It’s really useful and easy to use,” explained Bertone.

In a deployment with many components such as this, WSO2 uses Carbon Apps. By creating a Carbon app, a single file consisting of all components is created, so that once the file is deployed, the server knows which components to take, according to Bertone. “This is useful because once you have a system like this you can integrate it with an application cycle management solution already present in the customer environment, like we did,” he says. “We have now created a console where with a single click, the customer can pass from staging to production.”

AlmavivA is looking to expand Anagrafica Unica across the country to include all employees of the Italian Public Administration sector in the system, bringing the total user count to 3.5 million. Bertone and his team are also looking to serve data to external systems, such as the Ministry of Health, with more government institutions being added along the way.

For more information on AlmavivA’s development of the Master Data Management System, view the recording of Bertone’s WSO2Con EU presentation.

WSO2Con Insights–Trimble Builds an Enterprise PaaS Framework with Open Source

A large part of the value of Trimble solutions is that they enable customers to build and manage their own positioning-centric solutions for employees in the field—a key requirement for customers in the agriculture, construction, and transportation sectors. Trimble also needs this capability in-house, since its various divisions are set up to be entrepreneurial and have the speed and agility to execute. As Prakash Iyer, Trimble’s vice president for software architecture and strategy, explained during his session at WSO2Con 2013 US, building an enterprise platform as a service (PaaS) framework with open source solutions helped Trimble meet these goals.

The Move to a Cloud Platform

When Trimble first considered building a flexible development platform, the question was whether to go with a traditional platform versus a product-driven platform, Iyer recalled. With a traditional platform, by the time the hard work is done, the technology is likely to have changed, he noted. The better solution, the Trimble team realized, was a product-driven platform where selection of the platform elements is driven by the product. Users can then build applications on the platform and deliver them efficiently.

The Trimble Platform as a Service, known as TPaaS, provides the core services needed to build any modern enterprise application, and also provides an architectural framework to build loosely coupled SOA applications, Iyer explained. Providing a foundation for TPaaS are four multi-tenant, cloud-enabled WSO2 Carbon products: WSO2 Enterprise Service Bus, WSO2 API Manager, WSO2 Application Server, and WSO2 Identity Server.

“Our first implementation of TPaaS had Identity Server, App Server, API Manager and ESB. We didn’t use the whole stack but then we incrementally added to it,” Iyer noted. “We’re able to then build an app on that platform and then deliver it to the team, and prove it can be done efficiently. And that creates momentum.”

TPaaS Supports Internal and External Users

Iyer explained that Trimble’s development platform includes deployment infrastructure and managed hosting services, all of which help reduce the cost, time, and complexity of application development.

A key advantage of TPaaS is that it is accessible to Trimble’s network of partners and dealers, who often need to use the system to exchange data and flow transactions through it, Iyer said. It can be offered as a service framework to these partners and dealers to host their applications. He noted that the platform also provides a cloud container that can host any Trimble service, and act as a gateway to share any Trimble service for wider reuse.

The Benefits of Open Source

While the cost savings of open source were attractive, Iyer stated that other aspects of an open source licensing model were important.

“We can take WSO2 and customize it. If we don’t find everything we need, we can customize it. We don’t have to take everything, just the part needed for us,” Iyer observed. “The other advantage is portability and ownership. I want to take my PaaS across multiple infrastructures and services; some divisions may want to deploy in Rackspace, some in Amazon, or even internally.”

Additionally, since technology changes so quickly, using WSO2 open source products allows Trimble to avoid costly investments in solutions that will become out of date, or can’t be customized. Finally, there was the issue of focus. Iyer recalled that Trimble needed to build a solution, and using open source would allow the team to focus on those areas where Trimble could differentiate.

“My goal was always to eventually have everything from writing the code to deployment; things we could assemble and put together our own platform, and then we can focus on the applications,” Iyer said. “That was the strategic alignment part we shared with WSO2.”

For more information about Trimble’s development of an enterprise PaaS framework, view Iyer’s WSO2Con 2013 presentation.

WSO2 Joins Cloud Security Alliance

After watching the good work of the Cloud Security Alliance (CSA) for more than a year, WSO2 has joined as a Corporate Member.

As you know, WSO2 offers the very first completely open source Platform as a Service (PaaS). Taking our Carbon-based middleware platform to the next level, WSO2 Stratos offers the most complete, enterprise-grade, open PaaS, with support for more core services than any other available PaaS today. Unlike many cloud platforms, WSO2 Stratos, the software behind the WSO2 StratosLive Java PaaS, is available as a fully supported product that can be installed and run on-premise.

WSO2 Stratos provides the core cloud services and essential building blocks, for example federated identity and single sign-on, data-as-a-service and messaging-as-a-service and more, required for developing SaaS and cloud applications.

Building a cloud PaaS is actually quite a challenge, but no pain, no gain!

We took up the first challenge of getting our Carbon stack running on an OSGi runtime. This was not an easy task, and one that some vendors were unable to complete, but we found it necessary in order to build cloud nativity deeply into the platform and to enable incremental upgrades and additions to the platform as a live entity.

Security represents one of the biggest challenges we faced making Stratos a reality. We had to rebuild the foundations of the system to focus on tenant isolation, data security, restricted operations, tenant-based user stores, standards-based security models, and integration with other *aaS models, among other concerns. Stratos today supports many of the most popular open standards related to security and identity management including SAML2, OpenID, OAuth, XACML and WS-Security.

A few months back we received some recognition of this work, as a recipient of KuppingerCole’s European Identity Award 2011 for the Cloud Provider Offerings category. The award recognizes WSO2 specifically for WSO2 Stratos Identity, citing the multi-tenant open source cloud service for its OpenID and XACML support and its innovative features, including the ability to migrate from on-premise to a full cloud service (and back).

Stratos has come a long way, with customers now adopting the platform, and we welcome the opportunity to both share our experiences with other cloud providers and be part of the conversation in moving cloud security forward.

The CSA is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.

Among many of our community, questions about whether to move to the cloud or not, whether to move to a private or public cloud, and so forth mostly revolve around security concerns. We look forward to helping address those concerns, and to contributing to the standards and guidelines promoted by the CSA to educate users about ensuring the future of cloud is secure.

Prabath Siriwardena, Architect & Senior Manager – Carbon Platform & Security
blog: http://blog.facilelogin.com

Why Governance Isn’t Just for SOA – but Identity Too!

People often think of security in terms of barriers. But anyone who looks after a barrier knows that it’s an ongoing process. And managing processes is what we call governance. A few years ago, I would talk to people who had put in place a firewall. They were convinced they were now “secure”. But then I’d ask what process they had to monitor the firewall and its logs. Unfortunately too often a look of “do I have to do that?” crept onto their faces. Without governance, a firewall is no good: if you don’t know someone is making a concerted effort to attack you, they will eventually get through.

It is not just firewalls that require governance. Increasingly I see examples of security issues that are also linked to governance. I think Wikileaks is a good example: whoever did it had too much access (not policy based but simply yes/no) and there was no “alert” that perhaps an unusual access pattern was in operation. Similarly I recently heard of a situation where an employee kept their online work login for six months after they left the company.

There are two prime causes for this:

  • Firstly, there are too many identities. Each of us knows we have tens if not hundreds of identities on different systems. And there is no overall control of those identities.
  • Secondly, there are too many places that permissions are checked, or not checked. On the whole we rely on each application to implement permissions and there is a huge lack of consistency between these systems.

It’s possible to fix some of these problems with manual governance processes. But even better is to automate them: the least human effort giving the most security.

We believe that there are two key technologies that can help:

1. Federated Identity Tokens

For example – SAML2 – the Security Assertion Markup Language v2 is a standard for XML-based identity tokens. These tokens give us two big benefits: single sign-on and federated identity. SAML2 can help unify as many systems as possible around a single identity. You can configure Salesforce or Google Apps to accept SAML2 tokens from a system driven by your internal LDAP. When an employee leaves, all you need to do is to remove them from your LDAP system and they are automatically shut out of all SAML2 based systems. This is an example of federating the identity from your internal model into Salesforce or Google. Amazingly, unlike most security systems that make life harder, SAML2 actually helps your users, because it gives them single sign-on onto many different websites.

How does SAML2 do this? The key benefit of SAML2 is that the user authenticates to a single “identity server”. Then this server creates a token which is trusted for a limited time by the target. The token can contain a variety of information (“claims”). These claims can be used as part of any authorization process. For example, a claim could assert that the user is logging in from a secure network.

2. Policy-based authorization and entitlement

For example: XACML – the eXtensible Access Control Markup Language – does for authorization what SAML2 does for authentication. It allows a single policy based model for who can access which resources. XACML is very powerful too. It can work in conjunction with SAML2 to create very rich security models. For example, you can allow different access to users who are logged into a secure computer on a secure network as opposed to users coming via their laptop from Starbucks.

XACML does this by being able to capture complex “entitlement” logic into the Policy. The Policy is an XML file that can be stored in a smart registry. For example a policy might state that user Paul may access a salary update process between 9AM and 5PM GMT if Paul is in Role Manager.

The title of this blog is that governance is not just for SOA. SOA Governance has been — in our view — an area where the architecture community has learnt a lot of useful lessons. Let’s try to apply the SOA Governance lessons to Identity and Security Governance.

In the SOA world a common pattern for governance is the combination of a Registry and an ESB. The secret to this is:

  • Using policy and metadata instead of code, and managing the metadata in a Registry.
  • Moving towards a canonical model and transforming legacy systems into the canonical model.
  • Putting in place central logs and monitoring.

It turns out we can learn exactly the same lessons for Identity:

  • Using XACML to have a consistent model and way of defining authorization and entitlement using policy instead of hard-coding it into apps and storing these policies in a Registry.
  • Using SAML2 as a canonical model for Identity and bridging that into legacy systems as much as possible.
  • Using common auditing across your Policy Enforcement Points (PEPs) to ensure a single central audit log.

With this kind of model the governance becomes much more simple and automated. Removing a user’s login permission can remove login from everything. Authorization can be based on policies, which can be managed using processes. Even remote systems like Salesforce will still be included in the audit, because when a user signs in via SAML2, the SAML2 token server will create an audit event.
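As an added illustration (not code from this post, nor from WSO2 Identity Server), the following Python script models the three lessons above in miniature: a policy enforcement point that checks a constructed SAML2 assertion's validity window and extracts its claims (a role and the "secure network" claim), a tiny policy decision point that holds the post's example policy as data rather than application code (Paul may run the salary update between 9AM and 5PM GMT if he is in role Manager, and only from the secure network), and one shared audit log that records every decision. The attribute names, the policy structure and the sample assertion are assumptions made for the example.

```python
"""Toy PEP + PDP over claims carried in a SAML2 assertion (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: not a real token, and the XML signature a real
# PEP must verify before trusting any claim is omitted here.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" IssueInstant="2018-03-01T09:30:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>paul</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2018-03-01T09:30:00Z" NotOnOrAfter="2018-03-01T09:35:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>Manager</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="network"><saml:AttributeValue>secure</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Stands in for the single central audit log shared by every PEP.
AUDIT_LOG = []

# The post's example policy, held as data (assumed shape, not XACML syntax).
POLICY = {
    "resource": "salary-update",
    "rules": [
        {"effect": "Permit", "subject": "paul", "role": "Manager",
         "hours_utc": (9, 17), "network": "secure"},
    ],
    "default": "Deny",  # deny by default when no rule matches
}


def parse_iso(text):
    """Parse the UTC timestamps SAML uses (e.g. 2018-03-01T09:30:00Z)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def claims_from_assertion(xml_text, now):
    """Return (subject, claims) if the assertion is valid at `now`, else None."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None
    not_before = parse_iso(cond.get("NotBefore"))
    not_on_or_after = parse_iso(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):  # expired or not yet valid
        return None
    subject = root.find("saml:Subject/saml:NameID", NS).text
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return subject, claims


def decide(policy, subject, claims, resource, now):
    """PDP: first matching rule wins; otherwise the policy default applies."""
    decision = policy["default"]
    if resource == policy["resource"]:
        for rule in policy["rules"]:
            start, end = rule["hours_utc"]
            if (rule["subject"] == subject
                    and rule["role"] in claims.get("role", [])
                    and rule["network"] in claims.get("network", [])
                    and start <= now.hour < end):
                decision = rule["effect"]
                break
    AUDIT_LOG.append({"time": now.isoformat(), "subject": subject,
                      "resource": resource, "decision": decision})
    return decision


def pep_check(xml_text, resource, now):
    """PEP: validate the token first, then ask the PDP; every path is audited."""
    parsed = claims_from_assertion(xml_text, now)
    if parsed is None:
        AUDIT_LOG.append({"time": now.isoformat(), "subject": None, "resource": resource,
                          "decision": "Deny", "reason": "invalid or expired assertion"})
        return "Deny"
    subject, claims = parsed
    return decide(POLICY, subject, claims, resource, now)


if __name__ == "__main__":
    print(pep_check(ASSERTION, "salary-update", parse_iso("2018-03-01T09:31:00Z")))
    print(pep_check(ASSERTION, "salary-update", parse_iso("2018-03-01T09:36:00Z")))
    for event in AUDIT_LOG:
        print(event)
```

Because the PDP only ever sees claims, revoking Paul at the identity server (so no fresh assertion is issued) or editing the policy data shuts him out everywhere without touching any application.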

OpenID and OAuth are alternatives that perform similar and complementary functions to SAML2 and XACML, and are supported by a number of websites and web-based systems.

Good governance is tricky, and an ongoing process. The best way to get good governance is to automate it around simple straightforward approaches. The trio of metadata, canonicalization and log/audit is a great start and putting in place a solution around that architecture is an effective way to improve your Identity Governance.


Portions of this post have previously appeared in an article written by the author for Enterprise Features

Paul Fremantle, WSO2 CTO
Paul’s blog: http://pzf.fremantle.org/