This is Part 2 of why I believe implementing Claims security for Marriott is a poor choice. I'll try and keep this relatively brief and point out 3 main reasons.
1. As I laid out in Part 1, basically Marriott giving discounts is a cost of doing business. The fact that they are giving it Microsoft or Quest is irrelevant. Implementing Federation and Claims does nothing to enhance their bottom line. Further, they would still have to maintain and support their existing User ID and Password authentication that they have today for all of the users companies that don't Federate with them. They wouldn't get 100% of all companies would they?
2 - A key mantra that we at Optimal IdM have preached is the following. "When solving a given problem, minimize (and avoid if at all possible) creating new problems." There are several ways that implementing Federation and Claims would introduce other issues.
Here is just one of them that came to mind. Here is the scenario to consider. Jackson is an employee of Quest and Quest implements Federation/Claims with Marriott. So as Jackson hits the Marriott website he is redirected to Quest to authenticate. He authenticates the local ADFS at Quest using his Quest's credentials and a claim is presented to Marriott. All is well in Jackson's scenario.
Now let's suppose Jackson gets fired from Quest (don't see that happening but go with me here). Hmmm... When this grand Federation thing was underway, Jackson would have ultimately authenticated using his Quest credentials, right? So how in the world is Jackson going to authenticate and "prove" his identity to Marriott now? In a 100% pure Federation model you would have no way of authenticating. Sorry Jackson you just lost all of your Marriott points!!! Will the real Jackson Shaw please stand up?
In my view, when it comes to you authenticating to Marriott it has a lot more to do with your "personal" identity and not your corporate affiliation. Of course one answer to that would be to use one of the public identity providers and not the individual companies, but then you are once again relying on Jackson to keep his profile up to date with his current company.
3. In the end, the biggest reason is this. Federation is fundamentally a Single Sign On solution. Don't try and make it more than what it is. It is a great answer for on-premise to the cloud, but not this scenario. Marriott does not have a SSO issue.
I believe the biggest reason for the confusion on scenarios such as this is that Claims ties authentication with authorization. That can make it very difficult to manage effectively in a decentralized fashion. Managing on-premise as well as cloud security is relatively in it's infancy and everyone is just now learning the limitations and issues.
The team at Optimal IdM has been hard at work on our cloud solutions, working closely with key customers and partners. In fact, we will be announcing soon some of the new solutions we have developed to help organizations manage claims authorization. From what we are seeing, it looks like this will fundamentally change the way organizations manage cloud security. More on that subject when it is ready for public consumption.
Introducing OCI IAM Identity Domains
2 years ago
No comments:
Post a Comment