Claims Based Security…I Do Declare!

Blog Post created by richard Employee on Oct 11, 2011

In the back rooms of OSIsoft (yes, we have those, shhh) we have been pounding out prototypes for cloud-based (hosted) extensions to on-premises PI Systems, including prototypes of hosted PI Coresight and “Coresight-like” experiences for mobile devices (and yes, we are looking at your favorite devices, unless it happens to be running Symbian.) We also have some exciting prototypes of a new “enterprise” grade PI System Search Engine for improved search experiences, designed to run on premises or as a hosted service.


In itself this is all some really exciting work, some of which we hope will see the light of day in 2012 (all the PMs just fell over; you see, I really shouldn’t set expectations around features/products, especially with dates! So, standard disclaimer: none of this has even hit the engineering plan, so there are no promises here. But come on, inquiring minds should at least know where we are heading…’nough said.) But what has really hit home for us as we have pushed in this direction is the need for an improved (possibly new) security model in our system. Since many users haven’t even been through the upgrade to 2011 and the significant security changes that upgrade represents, I imagine there were just a few shudders and “huh?”s, but there are some clear changes and trends that PI needs to honour.


As the boundaries of a “PI System” expand across complex enterprise topologies and out to the cloud, the need for a more flexible access model becomes very clear. All of this without any compromise to the integrity of the system and data. The clear path forward is through “claims based” security models, which give administrators the flexibility to grant identities from other domains and systems secure access to PI System assets.


From the developer’s point of view, the claims based approach permits a single implementation in which security aspects such as authentication and authorization are abstracted out of the code; the specifics are implemented through configuration at the deployment and administration phases. Want to allow Facebook or Yahoo users to have read access to specific data in your system? Maybe that is a stretch for some, but how about allowing authorized users from other Windows domains, or from trusted authorization systems outside the corporate boundary? This model potentially makes that an administrative exercise, keeping your system secure while providing data access from a mobile device that never has to tunnel into or join a corporate network or domain. We expect that much of our customers’ future value will come from the way in which their corporate asset, data, is leveraged across corporate boundaries: with partners, with customers, with suppliers and with employees.
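To make the developer-side point concrete, here is an added illustration (not OSIsoft code and not the PI System’s actual security model): a trust store and an authorization policy that an administrator configures, plus one enforcement function whose only job is to check verified claims against that policy. Issuer names, asset names and secrets are constructed placeholders, and an HMAC stands in for the certificate signature a real security token service would use.

```python
import base64, hashlib, hmac, json
from fnmatch import fnmatch

# Constructed trust store: the token issuers this deployment trusts. The HMAC
# secrets are placeholders for the X.509 signing certificates a real STS would use.
TRUSTED_ISSUERS = {
    "sts.corp.example": b"corp-secret-placeholder",
    "sts.partner.example": b"partner-secret-placeholder",
}

# Constructed policy, set by an administrator rather than written in code: a claim
# from a specific issuer maps onto rights over a PI asset pattern. Note that the
# same claim value from a different issuer grants nothing.
POLICY = [
    {"issuer": "sts.corp.example", "claim": ("role", "engineer"),
     "asset": "tag:Unit1.*", "rights": {"read", "write"}},
    {"issuer": "sts.partner.example", "claim": ("role", "vendor"),
     "asset": "tag:Unit1.Flow", "rights": {"read"}},
]


def issue_token(issuer, claims):
    """What a trusted STS does: sign a set of claims (HMAC stands in for a certificate)."""
    body = base64.urlsafe_b64encode(json.dumps({"iss": issuer, "claims": claims}).encode())
    sig = hmac.new(TRUSTED_ISSUERS[issuer], body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig


def validate_token(token):
    """Return the verified payload, or None if the token is malformed, forged, or from an untrusted issuer."""
    try:
        body, sig = token.split(".")
        payload = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:                       # bad shape, bad base64, or not JSON
        return None
    if not isinstance(payload, dict):
        return None
    secret = TRUSTED_ISSUERS.get(payload.get("iss"))
    if secret is None:
        return None                          # unknown issuer: its claims mean nothing here
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                          # signature mismatch: tampered or forged
    return payload


def authorize(token, asset, right):
    """Single enforcement point: does any configured rule match a verified claim?"""
    payload = validate_token(token)
    if payload is None:
        return False
    claims = payload.get("claims", {})
    for rule in POLICY:
        ctype, cvalue = rule["claim"]
        if (rule["issuer"] == payload["iss"] and claims.get(ctype) == cvalue
                and fnmatch(asset, rule["asset"]) and right in rule["rights"]):
            return True
    return False
```

Granting a new partner read access is then a change to TRUSTED_ISSUERS and POLICY, not to the application code.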


As always, anyone excited or interested in discussing these topics is welcome to contact me directly or comment on this blog.