Date posted: 14-Apr-2017
Category: Technology
Upload: steve-tout
Identity Coherence
May 5, 2016
Steve Tout @stevetout
Forte Advisory @forteadvisory
The writing on the wall
Your Business
Economic
• Data breach costs jumped 23% in two years
• Productivity loss in $10s of millions annually
• Customer attrition
• Fines & litigation
• Loss of IP
Social
• Customer & employee expectation of privacy
• Susceptible to phishing and social engineering
• Less than 0.5% unemployment
• Politics undermine success
• 34% actively looking for new job opportunities
Technological
• Legacy systems increase risk
• Interoperability often lacking
• Shadow IT
• Emerging technologies coming at accelerated pace
o IoT
o Micro-services
o Big data
• Complexity still a problem
• Internet-connected devices expected to reach 50B by 2020
Challenges with Managing IAM
• Too many products put a burden on operations
• End-of-life systems need to be retired
• Provisioning embedded into applications
• Dependency on legacy SOA frameworks
• Challenges auditing (ID & access) provisioning systems
• Unauthorized and over-privileged access
• A lack of executive sponsorship
Is IAM a project or a program in your
company? Identity Coherence provides
the conceptual framework critical to the
success of serious IAM initiatives.
Not every organization needs to invest equally in each leverage area, but
it’s to your benefit to consciously consider where you will direct your
investments so that you can create the strategic IAM program your
business needs to be successful and scale.
Why Identity Coherence?
• IAM is more than SSO and technology
• IT & business leaders too focused on the tactical
• Today’s “consultants” are not really consultants, but in-placement specialists
• VP-level folks such as CISO or CIO do not have the visibility or a full understanding of the impact that IAM has on the business
#IdentityCoherence @stevetout @forteadvisory
The whole is greater than the sum of its parts. –Aristotle
Learning Imperatives
• The upfront work needed to modernize IAM, including strategy, architecture, operations and innovation
• The new realities that have dramatically changed the way we do IAM today
• The momentum factors that will either propel your efforts forward within your organization or stop you dead in your tracks
• The reason culture and talent are so critical to the success of IAM and business
Focus on Identity Coherence
Culture, Strategy, Architecture, InfoSec, GRC, CX, Integration, Innovation, Ops, Federation, Talent, PMO
CX, Federation & InfoSec
CUSTOMER EXPERIENCE – Delivering the right experience, to the right people, in the right place at the right time that provides a seamless conversion and renewal experience to customers. E.g. Customer IAM
FEDERATION – Links provisioning and access; integrates sales, marketing, support and so forth across a multi-vendor, multi-cloud landscape.
INFOSEC – Delivering the right access, to the right people, in the right place at the right time to ensure least privilege access, privileged access management and SOD are enforceable.
Customer Journey
Stages: Try, Purchase, Use, Engage
Dimensions: Acting, Doing, Thinking, Feeling, Overall

Try
Doing:
• Downloading trial software
• Register contact profile
• Activate account with 2-Step registration
Thinking:
• Do I have to register to download this?
• Does my login from 2 years ago still work?
• Does my cloud login work for this?
• Is this a global ID?
Feeling:
• Consistent messaging & UI and central login builds confidence and trust
• Enterprise respected my privacy and did not ask for too much information
Overall: Confidence, Helpfulness

Purchase
Doing:
• Online checkout
• Contact sales
• Click to chat
• Buy more licenses
• Activate a new service subscription
• Become an enterprise customer
Thinking:
• Do I login in order to obtain a license or activate my subscription?
• Will tenant cloud know who I am or do I have to register again?
• How will I sync or migrate my users to tenant cloud?
Feeling:
• My authentication experience is the same now as it was during evaluation period
• I have visibility into new products and services that my identity is allowed to see and purchase
Overall: Confidence, Helpfulness

Use
Doing:
• Install & register software
• Manage on-prem to cloud
• Migrate AD to cloud/SaaS portal
• Delegate administration
• Promote user to Admin (delegate)
Thinking:
• Do I use my local account or my enterprise credentials to login to cloud?
• How will I login to tenant cloud?
• How can I assign access to others within my organization?
• Can I audit who has access to my tenant?
Feeling:
• Happy that enterprise recognizes my identity across all of its products and services
• Enterprise provides me with the tools I need to monitor and manage my users
Overall: Confidence, Helpfulness

Engage
Doing:
• Register for support forums
• Contact support
• Register for a conference
• Become a partner
Thinking:
• Does my enterprise login ID work for support?
• Do I have to register a new account for conference attendance?
• How do I access Partner Portal?
Feeling:
• Excited that the enterprise really knows me and correctly identifies me in every context of interaction
• I will recommend to my colleagues based on my experiences
Overall: Confidence, Helpfulness

The larger a company gets, often the harder it becomes to do business with.
Economic Impact on Productivity
KPI Description | Pre Transformation | Post Transformation | Impact
Total time spent logging into various enterprise applications each day | 30 seconds | 10 seconds | Reduce time spent on login by 66%
Total time spent logging into various applications per year (using 230 working days) | 115 hours | 38 hours | Reduce time spent on login by 77 hours annually per user
Average hourly rate | $75/hr | $75/hr |
Number of users affected | 16000 | 16000 |
($75 x 39 hours) x 16000 employees = $92.5M redirected through productivity enhancements alone
Federated IAM
[Diagram labels: Externally hosted; Internally hosted; Attribute services; Directory sync; Access Gateway; AuthZ query; AuthN; Entitlement push; Identity Hub; IDM; Sales/Mktg; HR; ERP; AD; Portals; GRC; Federated SSO; IDaaS; CASB]
E.g. O365, Salesforce, Workday, Okta, Google Apps
Integrated IAM & GRC
• Streamline access review and certification
• Business rules driven identity & access provisioning
• Automate the join/move/leave process
• Simplify compliance audit and readiness (we want to audit the IAM processes, not the applications or data)
[Diagram labels: Identity Hub; GRC]
SIEM in the Cloud
Service Provider
IAM
Cloud Access Security Broker
• Policy enforcement point
• On-prem or cloud-based proxy
• Data encryption & tokenization
• Enforce DLP policies
• User behavior analytics
Risk & Threat Services
• Real-time visibility
• Machine learning
• Security configuration management
• Predictive analytics
• Automated incident response
CASB
Risk Driven IAM
• IAM projects fail or stall because of a lack of strategy, which increases risk to the business
• With dozens of priorities competing, make sure IAM initiatives are aligned to the C-suite and the business
• The IAM program will be underfunded, underutilized and underperforming without strong dedicated leadership
• Leverage IAM initiatives and capabilities to reduce the number of credentials and identity stores
How do corporate politics and directors with big egos affect your security
posture?
2 ROIs
Return on Investment
• Increase revenues
• Improve employee productivity
• Reduce risk
• Avoid fines
• Reduce costs
Risk of Ignoring
• Loss of competitive advantage
• Loss of IP
• Breach customer PII
• Increase customer churn
• Reputational damage
• Missed earnings
Key Takeaways
• Get business stakeholders and end users involved in your assessment to quantify IAM impact on productivity and CSAT
• Engage your risk management and business stakeholders to inform and prioritize IAM initiatives
• Use systems thinking to look at IAM from end-to-end, not just within a department
• Don’t let consultants die at your company – expect transformation, not just sustaining life support
• Integrate IAM with GRC and CASB for near continuous compliance and risk reduction
Are you planning for massive results in your IAM program in 2016, or are
you responding to last year's problems today?
Thank You!
Follow us online at:
Steve Tout
@stevetout
@forteadvisory
www.forteadvisory.com