Post on 15-Jul-2015
Managing IAM in Uncertain Times
April 30th, 2015
Steve Tout (@stevetout)
steve@stevetout.com
Virtual Identity – Extending and Managing IAM From Enterprise To The Cloud
Part analyst, developer, investor, instigator of disruptive opportunities and introvert
15+ years in enterprise IAM: VMware, Oracle, US Bank, AT&T Wireless
Advisor to high tech startups
Author at Elsevier Syngress
Agenda
• Enterprise IAM is in a bit of a pickle
• What role will you play in fixing the mess?
• Bridging the divide between on-prem and cloud
During a recent password audit, it was found that an employee was using the following password:
MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento
"Why such a long password," someone asked.
The employee replied "I was told that it had to be at least 8 characters long and include at least one capital."
Insider Threat Employee
What do companies have today?
• A hodgepodge of identity provisioning systems and processes
• End-of-life systems that need to be retired
• Provisioning that is embedded into applications
• Dependency on expensive legacy SOA frameworks
• Lack of a uniform and efficient way to audit provisioning systems
• Inconsistent policy enforcement across a disparate provisioning landscape
“58% of information security incidents are attributed to insider threat. Even where there is a policy…it probably covers around only 20% of the things that it needs to cover.”
Infosecurity - 58% Information Security Incidents Attributed to Insider Threat. Available at: http://www.infosecurity-magazine.com/view/32222/58-information-security-incidents-attributed-to-insider-threat-
Economic Impact of a Data Breach

Company      Economic Impact        Source
Target       $148M in Q2 of 2014    eWeek news article; reported in the company's 10-Q filing
Home Depot   $28M in Q3 of 2014     eWeek news article; reported in the company's 10-Q filing

Average cost of a data breach in the US: $5.85M in 2014, up from $5.4M in 2013
Source: Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis
Customer Journey - The effects of IAM transformation
(journey map; rows Acting/Doing, Thinking, Feeling and Overall; stages Try, Purchase, Use, Engage)

Acting / Doing
  Try: Downloading trial software; Register contact profile; Activate account with 2-Step registration
  Purchase: Online checkout; Contact Sales; Click to chat; Buy more licenses; Activate a new service subscription; Become an enterprise customer
  Use: Install & register software; Manage On-prem to cloud; Migrate AD to cloud/SaaS portal; Delegate administration; Promote user to Admin role
  Engage: Register for Support Forums; Contact Support; Register for Conference; Become a partner

Thinking
  Try: Do I have to register to download this? Does my login ID from 2 years ago still work? Does my cloud login work for this? Is this a global ID?
  Purchase: Do I login in order to obtain a license or activate my subscription? Will tenant cloud know who I am or do I have to register again? How will I sync or migrate my users to tenant cloud?
  Use: Do I use my local account or my enterprise credentials to login to cloud? How will I login to tenant cloud? How can I assign access to others within my organization? Can I audit who has access to my tenant?
  Engage: Does my enterprise login ID work for support? Do I have to register a new account for conference attendance? How do I access my Partner content?

Feeling
  Try: Consistent messaging & UI and central Login builds confidence and trust; Enterprise respected my privacy and did not ask for too much information
  Purchase: My authentication experience is the same now as it was during Trial Eval; I have visibility into new products and services that my identity is allowed to see and purchase
  Use: Happy that Enterprise recognizes my global ID and credentials across all of its products and services; Enterprise provides me with the tools I need to monitor and manage my users
  Engage: Excited that the enterprise really knows me and correctly identifies me in every context of interaction; I will recommend to my colleagues based on my experiences

Overall
  Each stage (Try, Purchase, Use, Engage) is rated on Confidence and Helpfulness
Economic Impact on User Productivity
IAM is a key foundational program to begin addressing user productivity enhancements

KPI / Description                                          Pre Transformation   Post Transformation   Impact
Total time spent logging into various enterprise
applications each day                                      30 minutes           10 minutes            Reduce time spent on login by 66%
Total time spent logging into various applications
per year (using 230 working days)                          115 hours            38 hours              Reduce time spent on login by 77 hours annually per user
Average hourly rate                                        $75/hr               $75/hr
Number of users affected                                   16,000               16,000

($75 x 77 hours) x 16,000 employees ≈ $92.4M redirected through productivity enhancements alone
“Your personal philosophy is the greatest determining factor in how your life works out.” – Jim Rohn
Transform yourself
• You are in the idea business
• But you have to get crystal clear on your purpose and mission
• So what are the three key themes that matter the most?
• You must integrate thinking and doing
• Don’t go without getting supporters behind you
Managing IAM in Uncertain Times
1. Integrate with GRC
2. Create organizational alignment
3. Evolve the architecture
4. Rethink the platform
5. Renew operational focus
What is your IAM scorecard?
• Are you comfortable with data tampering or a customer/employee data breach because compliant solutions are not consistently applied across the organization?
• Are you comfortable with a disgruntled, recently terminated employee exploiting known vulnerabilities in our data and services without your knowledge?
• Are you comfortable with the knowledge that security audits and dashboard reporting systems could have incomplete data, giving false confidence?
• Are you comfortable with not knowing about partner/employee data being breached at SFDC and finding out about it days later?
• With programs like PRISM undermining SaaS and CSPs on practically a daily basis, are you comfortable entrusting Salesforce as the system-of-record for identity & authentication data for more than 400M partner users?
• Are you comfortable knowing that policy audit and lifecycle management practices are not being followed?
• Are you comfortable with the knowledge that inadequate and vulnerable authorization models are in place as more of our compute goes to SaaS and mobile platforms?
• Are you comfortable with developers and admins being able to access production outside of an authorized window, or with network admins or security engineers sniffing traffic unnoticed?
IAM 2.0: Visibility, Superior Security, Efficiency, Scalability
• “Being able to act means we have an efficient method for event processing and management.”
• “The speed to detect events in real time for security must be complemented by the scale, correlation capabilities and long term data retention requirements for compliance purposes.”
• “Dynamic and agile controls can exist across a diverse set of protective layers and capabilities and can make these existing investments even more effective.”
Amit Yoran, SVP @ RSA
Big Data Transforms Security (YouTube)
Spheres of Influence
Scale
• Performance optimization
• Multi-tenant scale & management (e.g. SDLC instances)
• Elastic management
Cloud
• Identity bridge for SaaS
• Identity provider for IaaS/PaaS (e.g. vCHS, SFDC)
• Hybrid cloud management
Mobile
• Mobile REST SDK
• Mobile enterprise (BYOD, MDM, MAM, and EMM)
• Mobile IAM toolkit (SDK, Gateway)
Standards & API Governance
• Common frameworks & reusable code libraries
• SAML, SCIM, OAuth and OpenID Connect
• Common STS
• Cloud AuthZ
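Of the standards listed under API governance, SCIM is the one that replaces the "hodgepodge of provisioning systems" described earlier. The following is an added example, not code from the deck or from any vendor it names: it bridges an Active Directory style record into a SCIM 2.0 User resource (the "Migrate AD to cloud/SaaS portal" step of the journey map), runs a few pre-flight checks, and builds the PATCH that deactivates the account when the employee leaves. The AD attribute names and SCIM schema URNs are the real ones; the sample record, the GUID and the address are constructed.

```python
"""Added example (not from the original deck): bridge an on-prem Active
Directory record into a SCIM 2.0 User resource, and build the PATCH that
deactivates it on termination.

Attribute names follow AD (sAMAccountName, userAccountControl, ...) and
SCIM 2.0 (RFC 7643 / RFC 7644); the sample record is constructed.
"""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ACCOUNTDISABLE = 0x0002  # userAccountControl bit: set when the AD account is disabled


def ad_to_scim_user(rec):
    """Map an AD-style record (dict) to a SCIM User body for POST /Users."""
    sam = rec.get("sAMAccountName")
    if not sam:
        raise ValueError("sAMAccountName is required: SCIM userName is mandatory")
    uac = int(rec.get("userAccountControl", 0))
    user = {
        "schemas": [SCIM_USER_SCHEMA],
        # externalId lets the SaaS tenant correlate back to the source object
        # even if the userName changes later (e.g. on a rename).
        "externalId": rec.get("objectGUID"),
        "userName": sam.lower(),
        "name": {"givenName": rec.get("givenName", ""), "familyName": rec.get("sn", "")},
        # A disabled AD account must arrive in the tenant as an inactive account.
        "active": not (uac & ACCOUNTDISABLE),
    }
    if rec.get("mail"):
        user["emails"] = [{"value": rec["mail"], "type": "work", "primary": True}]
    return user


def validate_scim_user(user):
    """Minimal pre-flight checks before sending to the tenant; returns problems."""
    problems = []
    if SCIM_USER_SCHEMA not in user.get("schemas", []):
        problems.append("missing core User schema")
    if not user.get("userName"):
        problems.append("userName is required")
    if not isinstance(user.get("active"), bool):
        problems.append("active must be a boolean")
    for e in user.get("emails", []):
        if "@" not in e.get("value", ""):
            problems.append("malformed email: %r" % e.get("value"))
    return problems


def deprovision_patch():
    """PATCH body (RFC 7644 section 3.5.2) that disables the account rather
    than deleting it, so audit history and ownership links survive."""
    return {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


# Constructed sample AD record (not a real object).
SAMPLE_AD_RECORD = {
    "objectGUID": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "sAMAccountName": "JDoe",
    "givenName": "Jane",
    "sn": "Doe",
    "mail": "jane.doe@example.com",
    "userAccountControl": 512,  # NORMAL_ACCOUNT, enabled
}

if __name__ == "__main__":
    body = ad_to_scim_user(SAMPLE_AD_RECORD)
    print(json.dumps(body, indent=2))
    print(json.dumps(deprovision_patch()))
```

Two design points worth noting. The record's userAccountControl is consulted so that an account already disabled on-prem is never created as active in the tenant, which is the common failure when a bridge only copies names and addresses. And offboarding is expressed as a PATCH on active rather than a DELETE, which is what keeps the entitlement history available to the audit and governance functions the roadmap calls for.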
A Basic Roadmap
Technology Focused IAM Architecture
GRC Driven IAM Architecture
Renew Operational Focus
• Guidance on end-to-end SSO scenarios such as enterprise to cloud, cloud to enterprise, cloud to cloud and mobile enterprise, and how to support the use cases
• Guidance about how authentication, authorization, account provisioning and governance work in the web services world
• Governance, analytics and audit for user/partner/employee identity and entitlements across on-prem, SaaS and mobile applications for privacy assurance and risk management
• Guidance and support for leveraging CMDB and ITSM for managing IAM in a hybrid cloud environment for operational efficiency and scale
• Integration of IAM and GRC systems to improve user/role management, enable real-time risk and audit capabilities for threat and compliance management and prevent APTs
“New school” cyber defenses & partnerships
Protecting the enterprise cloud
Automating incident management & remediation
Managed service for cloud security automation
Real time continuous threat protection
Automating access governance, identity intelligence & compliance
Virtualizing identity for a correlated global view of users and their entitlements
“Dreaming about the future can be a delightful way to spend time. As an architect, in fact, it is absolutely essential to have the ingenuity and imagination to create new things, to think well enough into the future and to maintain a rather complex calculus for how the IAM landscape needs to evolve to support business goals and achieve predictable results. An architect who fails to do that, and who rather falls back into his or her former role as a superhero to development or operations, is not doing architecture. Taking into account one’s core competencies as an architect, the success of the IAM architecture – and to some extent the IAM program – depends a lot on the skills and qualities of the IT leader who drives it.”
Questions?