During the eternal battle between open source and close/commercial source that we are assisting during the latest years, soon or later we should have expected that also something related with the secure management of the access for the employees should have arrived.
A couple of months ago I had a talk with Michael Schwartz, who asked my opinion about how the Identity and Access Management (IAM) market is evolving. We shared our view about some projects, current challenges and, of course, about some solutions.
At the end of our talk he decided to offer me as present the book written by him and by Maciej Machulak “Securing the Perimeter”.
I had the chance to go through it during the Xmas time and I would like to share with you my opinion about it. But, before doing this, I would need to clarify that I was not requested to write such a review and/or I was paid to do it. This article came just spontaneously.
Free vs. Open
First of all, it’s important to mention the usual misunderstanding between the words “open” and “free”.
While it’s quite clear what “free” means, many time we don’t understand that open means that we might have the opportunity to see the code, to understand the quality how it was written or, sometimes, if there might be inside any trapdoor or backdoor.
The open source software is generally developed by a community of volunteers, but it could also be maintained by a privately held company, who is taking care about evolution's and/or maintenance of the product against a regular fee, a subscription.
About the book
Starting with the review of the book, it is structured in 10 different chapters, that covers mainly Access Management, and only in the second part there are more information about Identity Management.
After a general introduction, the authors start with the infrastructure (LDAP, as any IAM expert could expect) and then we start with the well-known standards.
There is an extensive description for the SSO protocols, i.e. SAML, OAuth and OIDC. We see how the messages are exchanged, how the payloads are managed by applications and we can learn how applications are actually processing the authentications.
The authentication moves to the Multi-Factor Authentication (MFA), where the authors describes the concepts behind the MFA and how One-Time Passwords (OTP), and their tokens, are managed.
The book concludes with Multiparty Federation and Identity Management. A special attention is given to two interesting products (that I had personally the chance to work with): midPoint and Apache Syncope.
It’s important to mention that the Michael Schwartz is the founder of Gluu, a security software company that proposes its own IAM solution.
In most of the chapters explored in this book there will be also a reference about how Gluu has decided to face such a challenge.
Independently by what your IAM strategy could be (open vs commercial products), this book provides the key knowledge that you should have to understand what components should be part of your architectures and which role they should play. This is perfect if you are just approaching to such solution and you would like to start to make your own personal opinion before vendors will jump over you. The book contains several technical examples, so it might be required to have an understanding about how to apply some specific configurations.
On the other side, I consider this book mainly oriented for a technical audience, instead for C-level manager, meaning that you might not find design, or other sort of examples, that might help you to prepare your IAM strategy.
I can confirm that this book should be in the library of any IAM passionate.
Where to find
For your information, you might easily find this book from Amazon, both in electronic and digital format, entering this search key: “Securing the Perimeter Schwartz Machulak”.
Being confident that you might have found any of my comment useful, if you might want to have a deeper talk about the topic discussed, don’t hesitate to contact me.