Identity Coherence - Part 1

Date post: 14-Apr-2017
Upload: steve-tout
Identity Coherence May 5, 2016 Steve Tout @stevetout Forte Advisory @forteadvisory
Transcript
Page 1: Identity Coherence - Part 1

Identity Coherence

May 5, 2016

Steve Tout @stevetout

Forte Advisory @forteadvisory

Page 2: Identity Coherence - Part 1

The writing on the wall

Your Business

Economic

• Data breach costs jumped 23% in two years
• Productivity loss in $10s of millions annually
• Customer attrition
• Fines & litigation
• Loss of IP

Social

• Customer & employee expectation of privacy
• Susceptible to phishing and social engineering
• Less than 0.5% unemployment
• Politics undermine success
• 34% actively looking for new job opportunities

Technological

• Legacy systems increase risk
• Interoperability often lacking
• Shadow IT
• Emerging technologies coming at accelerated pace
  o IoT
  o Micro-services
  o Big data
• Complexity still a problem
• Internet-connected devices expected to reach 50B by 2020

Page 3: Identity Coherence - Part 1

Challenges with Managing IAM

• Too many products put a burden on operations

• End-of-life systems need to be retired

• Provisioning embedded into applications

• Dependency on legacy SOA frameworks

• Challenges auditing (ID & access) provisioning systems

• Unauthorized and over-privileged access

• A lack of executive sponsorship

Page 4: Identity Coherence - Part 1

Is IAM a project or a program in your company? Identity Coherence provides the conceptual framework critical to the success of serious IAM initiatives.

Not every organization needs to invest equally in each leverage area, but it’s to your benefit to consciously consider where you will direct your investments so that you can create the strategic IAM program your business needs to be successful and scale.

Page 5: Identity Coherence - Part 1

Why Identity Coherence?

• IAM is more than SSO and technology

• IT & business leaders too focused on the tactical

• Today’s “consultants” are not really consultants, but in-placement specialists

• VP-level folks such as CISO or CIO do not have the visibility or a full understanding of the impact that IAM has on the business

#IdentityCoherence @stevetout @forteadvisory

The whole is greater than the sum of its parts. –Aristotle

Page 6: Identity Coherence - Part 1

Learning Imperatives

• The upfront work needed to modernize IAM, including strategy, architecture, operations and innovation

• The new realities that have dramatically changed the way we do IAM today

• The momentum factors that will either propel your efforts forward within your organization or stop you dead in your tracks

• The reason culture and talent are so critical to the success of IAM and business

Page 7: Identity Coherence - Part 1

Focus on Identity Coherence

Leverage areas: Culture, Strategy, Architecture, InfoSec, GRC, CX, Integration, Innovation, Ops, Federation, Talent, PMO

Page 8: Identity Coherence - Part 1

CX, Federation & InfoSec

CUSTOMER EXPERIENCE – Delivering the right experience, to the right people, in the right place at the right time, providing a seamless conversion and renewal experience to customers. E.g. Customer IAM

FEDERATION – Links provisioning and access; integrates sales, marketing, support and so forth across a multi-vendor, multi-cloud landscape.

INFOSEC – Delivering the right access, to the right people, in the right place at the right time to ensure least privilege access, privileged access management and SOD are enforceable.

Page 9: Identity Coherence - Part 1

Customer Journey

Stages: Try, Purchase, Use, Engage

Try

• Acting / Doing: Downloading trial software; Register contact profile; Activate account with 2-Step registration
• Thinking: Do I have to register to download this? Does my login from 2 years ago still work? Does my cloud login work for this? Is this a global ID?
• Feeling: Consistent messaging & UI and central login builds confidence and trust. Enterprise respected my privacy and did not ask for too much information.
• Overall: Confidence, Helpfulness

Purchase

• Acting / Doing: Online checkout; Contact sales; Click to chat; Buy more licenses; Activate a new service subscription; Become an enterprise customer
• Thinking: Do I log in in order to obtain a license or activate my subscription? Will tenant cloud know who I am or do I have to register again? How will I sync or migrate my users to tenant cloud?
• Feeling: My authentication experience is the same now as it was during evaluation period. I have visibility into new products and services that my identity is allowed to see and purchase.
• Overall: Confidence, Helpfulness

Use

• Acting / Doing: Install & register software; Manage on-prem to cloud; Migrate AD to cloud/SaaS portal; Delegate administration; Promote user to Admin (delegate)
• Thinking: Do I use my local account or my enterprise credentials to log in to cloud? How will I log in to tenant cloud? How can I assign access to others within my organization? Can I audit who has access to my tenant?
• Feeling: Happy that enterprise recognizes my identity across all of its products and services. Enterprise provides me with the tools I need to monitor and manage my users.
• Overall: Confidence, Helpfulness

Engage

• Acting / Doing: Register for support forums; Contact support; Register for a conference; Become a partner
• Thinking: Does my enterprise login ID work for support? Do I have to register a new account for conference attendance? How do I access Partner Portal?
• Feeling: Excited that the enterprise really knows me and correctly identifies me in every context of interaction. I will recommend to my colleagues based on my experiences.
• Overall: Confidence, Helpfulness

The larger a company gets, often the harder it becomes to do business with.

Page 10: Identity Coherence - Part 1

Economic Impact on Productivity

| KPI Description | Pre Transformation | Post Transformation | Impact |
|---|---|---|---|
| Total time spent logging into various enterprise applications each day | 30 seconds | 10 seconds | Reduce time spent on login by 66% |
| Total time spent logging into various applications per year (using 230 working days) | 115 hours | 38 hours | Reduce time spent on login by 77 hours annually per user |
| Average hourly rate | $75/hr | $75/hr | |
| Number of users affected | 16000 | 16000 | |

($75 x 39 hours) x 16000 employees = $92.5M redirected through productivity enhancements alone

Page 11: Identity Coherence - Part 1

Federated IAM

[Architecture diagram. Labels: Externally hosted; Internally hosted; Attribute services; Directory sync; Access Gateway; AuthZ query; AuthN; Entitlement push; Identity Hub; IDM; Sales/Mktg; HR; ERP; AD; Portals; GRC; E.g. O365, Salesforce, Workday, Okta, Google Apps; Federated SSO; IDaaS; CASB]

Page 12: Identity Coherence - Part 1

Integrated IAM & GRC

• Streamline access review and certification

• Business rules driven identity & access provisioning

• Automate the join/move/leave process

• Simplify compliance audit and readiness (we want to audit the IAM processes, not the applications or data)

[Diagram labels: Identity Hub, GRC]

Page 13: Identity Coherence - Part 1

SIEM in the Cloud

Service Provider

IAM

Cloud Access Security Broker

• Policy enforcement point

• On-prem or cloud-based proxy

• Data encryption & tokenization

• Enforce DLP policies

• User behavior analytics

Risk & Threat Services

• Real-time visibility

• Machine learning

• Security configuration management

• Predictive analytics

• Automated incident response

CASB

Page 14: Identity Coherence - Part 1

Risk Driven IAM

• IAM projects fail or stall because of a lack of strategy, which increases risk to the business

• With dozens of priorities competing, make sure IAM initiatives are aligned to the C-suite and the business

• The IAM program will be underfunded, underutilized and underperforming without strong dedicated leadership

• Leverage IAM initiatives and capabilities to reduce the number of credentials and identity stores

How do corporate politics and directors with big egos affect your security posture?

Page 15: Identity Coherence - Part 1

2 ROIs

Return on Investment

• Increase revenues
• Improve employee productivity
• Reduce risk
• Avoid fines
• Reduce costs

Risk of Ignoring

• Loss of competitive advantage
• Loss of IP
• Breach customer PII
• Increase customer churn
• Reputational damage
• Missed earnings

Page 16: Identity Coherence - Part 1

Key Takeaways

• Get business stakeholders and end users involved in your assessment to quantify IAM impact on productivity and CSAT

• Engage your risk management and business stakeholders to inform and prioritize IAM initiatives

• Use systems thinking to look at IAM from end-to-end, not just within a department

• Don’t let consultants die at your company – expect transformation, not just sustaining life support

• Integrate IAM with GRC and CASB for near continuous compliance and risk reduction

Are you planning for massive results in your IAM program in 2016, or are you responding to last year's problems today?

Page 17: Identity Coherence - Part 1

Thank You!

Follow us online at:

Steve Tout

@stevetout

@forteadvisory

www.forteadvisory.com

