I have a paper at IANS on Cloud Identity Management Standards. One of its main points is the need to understand the limitations of standards. Standards like SAML, OAuth and OpenID Connect have helped enterprises make a lot of progress on security issues in recent years, but there are no silver bullets, and this is just another example of that. CSA and other industry guidance is replete with pointers to interesting standards that can help enterprises on the journey to the Cloud, but it's equally important to know the gaps: what the standard is not doing for you.
I like the scene in The Untouchables where they are preparing to ambush Al Capone's gang at the Canadian border. The Canadian Mountie (1) says:
When they're on the road and have given the signal, we will engage from the Canadian side of the bridge. Thus taking them by surprise from the rear. And surprise, as you very well know, Mr Ness, is half the battle.
Ness: Surprise is half the battle. Many things are half the battle. Losing is half the battle. Let's think about what is all the battle.
The cocktail napkin for Cloud Identity usually starts with something like this:
And standards give us a good start at half the battle, but if we zoom out a bit further, gaps start to emerge:
And it's these gaps that enterprises need to focus on, including:
- Governing the security protocols and standards: how are policies developed, where are they enforced, and how are they updated and managed?
- How is the protocol integrated into authZ code and processes?
- What level of visibility does logging and monitoring provide?
- How are client-side storage and the sandbox protected?
- How is the token scoped, and what limits are in place around replay and theft?
This isn't a complete set, obviously, but it shows that the wider view, how the standard fits into the system as a whole, is what matters at the system level; the standard on its own is only half the battle.
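To make the last question concrete, here is an added example (not from the IANS paper or this post) of the checks a resource server has to do itself, because the token format and the signature alone don't do them: audience and scope binding, a cap on token lifetime, and a replay cache keyed on the token's `jti`. It uses a toy HMAC-signed compact token built with the standard library rather than a JWT library, the service URL `https://orders.example.internal` and all claims are constructed for the demo, and the replay cache is a plain in-process dictionary.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed demo key. A real deployment loads a managed key (KMS/HSM), never a literal.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as used for compact tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: Dict, key: bytes = DEMO_KEY) -> str:
    """Issue a compact HMAC-SHA256 token: <base64 claims>.<base64 mac> (toy format, not a JWT)."""
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


class TokenValidator:
    """Resource-server side checks that a valid signature alone does not give you."""

    def __init__(self, audience: str, required_scope: str,
                 key: bytes = DEMO_KEY, max_lifetime: int = 300):
        self.audience = audience          # this service's own identifier
        self.required_scope = required_scope
        self.key = key
        self.max_lifetime = max_lifetime  # cap on exp - iat, in seconds
        self._seen: Dict[str, int] = {}   # jti -> exp; replay cache, single process only

    def _purge(self, now: float) -> None:
        # Drop cache entries for tokens that can no longer validate anyway.
        for jti, exp in list(self._seen.items()):
            if exp <= now:
                del self._seen[jti]

    def validate(self, token: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 2:
            return False, "malformed"
        body, mac = parts
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))

        # Scoping: token must be issued for this service and carry the scope this call needs.
        if claims.get("aud") != self.audience:
            return False, "wrong audience"
        if self.required_scope not in str(claims.get("scope", "")).split():
            return False, "missing scope"

        # Lifetime: reject expired tokens and tokens minted with an excessive lifetime.
        iat, exp = claims.get("iat"), claims.get("exp")
        if iat is None or exp is None:
            return False, "missing iat/exp"
        if now >= exp:
            return False, "expired"
        if exp - iat > self.max_lifetime:
            return False, "lifetime too long"

        # Replay: each jti is accepted once while it is still within its lifetime.
        jti = claims.get("jti")
        if not jti:
            return False, "missing jti"
        self._purge(now)
        if jti in self._seen:
            return False, "replay"
        self._seen[jti] = exp
        return True, "ok"


def demo(now: int = 1_700_000_000) -> Dict[str, Tuple[bool, str]]:
    """Exercise the validator with constructed tokens; returns the outcome per case."""
    api = "https://orders.example.internal"   # hypothetical resource server
    v = TokenValidator(audience=api, required_scope="orders:read")

    base = {"sub": "alice", "aud": api, "scope": "orders:read",
            "iat": now, "exp": now + 120, "jti": "tok-0001"}
    good = mint_token(base)
    other_aud = mint_token({**base, "aud": "https://billing.example.internal", "jti": "tok-0002"})
    long_lived = mint_token({**base, "exp": now + 86_400, "jti": "tok-0003"})
    # Forgery attempt: claims rewritten to another subject, original MAC reused.
    forged_body = mint_token({**base, "sub": "mallory"}).split(".")[0]
    tampered = forged_body + "." + good.split(".")[1]

    return {
        "first_use": v.validate(good, now),
        "replay": v.validate(good, now),            # same jti presented a second time
        "wrong_audience": v.validate(other_aud, now),
        "lifetime_too_long": v.validate(long_lived, now),
        "tampered": v.validate(tampered, now),
        "expired": v.validate(good, now + 121),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18s} -> {outcome}")
```

Two caveats a practitioner would want. The replay cache here lives in one process; across a fleet of resource servers it has to be a shared store keyed on `jti`, or the same token is accepted once per node. And a `jti` cache only catches re-use of a token at this validator; it does nothing about a stolen token used once, which is why binding the token to the presenting client (mutual TLS or proof-of-possession schemes) is a separate control, and again one the enterprise has to put in place rather than get from the base protocol.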