Managing IAM in Uncertain Times

Date post: 15-Jul-2015
Transcript
Page 1: Managing IAM in Uncertain Times

Managing IAM in Uncertain Times

April 30th, 2015

Steve Tout (@stevetout)

[email protected]

Page 2: Managing IAM in Uncertain Times

Virtual Identity – Extending and Managing IAM From Enterprise To The Cloud

Part analyst, developer, investor, instigator of disruptive opportunities and introvert

15+ years in enterprise IAM: VMware, Oracle, US Bank, AT&T Wireless

Advisor to high tech startups

Author at Elsevier Syngress

Page 3: Managing IAM in Uncertain Times

Agenda

• Enterprise IAM is in a bit of a pickle

• What role will you play in fixing the mess?

• Bridging the divide between on-prem and cloud

Page 4: Managing IAM in Uncertain Times

During a recent password audit, it was found that an employee was using the following password:

MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento

"Why such a long password," someone asked.

The employee replied "I was told that it had to be at least 8 characters long and include at least one capital."

Page 5: Managing IAM in Uncertain Times
Page 6: Managing IAM in Uncertain Times
Page 7: Managing IAM in Uncertain Times

Insider Threat Employee

Page 8: Managing IAM in Uncertain Times

What do companies have today?

• A hodgepodge of identity provisioning systems and processes

• End-of-life systems that need to be retired

• Provisioning that is embedded into applications

• Dependency on expensive legacy SOA frameworks

• Lack of a uniform and efficient way to audit provisioning systems

• Inconsistent policy enforcement across a disparate provisioning landscape

Page 9: Managing IAM in Uncertain Times

“58% of information security incidents are attributed to insider threat. Even where there is a policy…it probably covers around only 20% of the things that it needs to cover.”

Infosecurity - 58% Information Security Incidents Attributed to Insider Threat. Available at: http://www.infosecurity-magazine.com/view/32222/58-information-security-incidents-attributed-to-insider-threat-

Page 10: Managing IAM in Uncertain Times

Economic Impact of a Data Breach

Data Breach | Economic Impact | Source
Target | $148M in Q2 of 2014 | eWeek news article; reported in the company’s 10-Q filing
Home Depot | $28M in Q3 of 2014 | eWeek news article; reported in the company’s 10-Q filing
Average cost of a data breach in the US | $5.85M in 2014, up from $5.4M in 2013 | Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis

Page 11: Managing IAM in Uncertain Times

Customer Journey - The effects of IAM transformation

Stages: Try, Purchase, Use, Engage. Rows: Acting/Doing, Thinking, Feeling, Overall.

Try

• Acting/Doing: Downloading trial software; Register contact profile; Activate account with 2-Step registration

• Thinking: Do I have to register to download this? Does my login ID from 2 years ago still work? Does my cloud login work for this? Is this a global ID?

• Feeling: Consistent messaging & UI and central login builds confidence and trust. Enterprise respected my privacy and did not ask for too much information.

• Overall: Confidence, Helpfulness

Purchase

• Acting/Doing: Online checkout; Contact Sales; Click to chat; Buy more licenses; Activate a new service subscription; Become an enterprise customer

• Thinking: Do I login in order to obtain a license or activate my subscription? Will tenant cloud know who I am or do I have to register again? How will I sync or migrate my users to tenant cloud?

• Feeling: My authentication experience is the same now as it was during Trial Eval. I have visibility into new products and services that my identity is allowed to see and purchase.

• Overall: Confidence, Helpfulness

Use

• Acting/Doing: Install & register software; Manage on-prem to cloud; Migrate AD to cloud/SaaS portal; Delegate administration; Promote user to Admin role

• Thinking: Do I use my local account or my enterprise credentials to login to cloud? How will I login to tenant cloud? How can I assign access to others within my organization? Can I audit who has access to my tenant?

• Feeling: Happy that Enterprise recognizes my global ID and credentials across all of its products and services. Enterprise provides me with the tools I need to monitor and manage my users.

• Overall: Confidence, Helpfulness

Engage

• Acting/Doing: Register for Support Forums; Contact Support; Register for Conference; Become a partner

• Thinking: Does my enterprise login ID work for support? Do I have to register a new account for conference attendance? How do I access my Partner content?

• Feeling: Excited that the enterprise really knows me and correctly identifies me in every context of interaction. I will recommend to my colleagues based on my experiences.

• Overall: Confidence, Helpfulness

Page 12: Managing IAM in Uncertain Times

Economic Impact on User Productivity

IAM is a key foundational program to begin addressing user productivity enhancements

KPI Description | Pre Transformation | Post Transformation | Impact
Total time spent logging into various enterprise applications each day | 30 seconds | 10 seconds | Reduce time spent on login by 66%
Total time spent logging into various applications per year (using 230 working days) | 115 hours | 38 hours | Reduce time spent on login by 77 hours annually per user
Average hourly rate | $75/hr | $75/hr |
Number of users affected | 16000 | 16000 |

($75 x 39 hours) x 16000 employees = $92.5M redirected through productivity enhancements alone

Page 13: Managing IAM in Uncertain Times
Page 14: Managing IAM in Uncertain Times

“Your personal philosophy is the greatest determining factor in how your life works out.” – Jim Rohn

Page 15: Managing IAM in Uncertain Times
Page 16: Managing IAM in Uncertain Times

Transform yourself

• You are in the idea business

• But you have to get crystal clear on your purpose and mission

• So what are the three key themes that matter the most?

• You must integrate thinking and doing

• Don’t go without getting supporters behind you

Page 17: Managing IAM in Uncertain Times

Managing IAM in Uncertain Times

1. Integrate with GRC

2. Create organizational alignment

3. Evolve the architecture

4. Rethink the platform

5. Renew operational focus

Page 18: Managing IAM in Uncertain Times

What is your IAM scorecard?

• Are you comfortable with data tampering or a customer/employee data breach due to compliant solutions not being consistently applied across the organization?

• Are you comfortable with a disgruntled employee who has recently been terminated exploiting known vulnerabilities in our data and services without your knowledge?

• Are you comfortable with the knowledge that security audits and dashboard reporting systems could have incomplete data, giving false confidence?

• Are you comfortable with not knowing about partner/employee data being breached at SFDC and finding out about it days later?

• With programs like PRISM undermining SaaS and CSPs on practically a daily basis, are you comfortable entrusting Salesforce as the system-of-record for identity & authentication data for more than 400M partner users?

• Are you comfortable with knowing that policy audit and lifecycle management practices are not being followed?

• Are you comfortable with the knowledge that there are inadequate and vulnerable authorization models in place as more of our compute goes to SaaS and Mobile platforms?

• Are you comfortable with developers and admins accessing production outside of an authorized window, or with network admins or security engineers sniffing traffic unnoticed?

Page 19: Managing IAM in Uncertain Times

IAM 2.0

• Visibility

• Superior Security

• Efficiency

• Scalability

• “Being able to act means we have an efficient method for event processing and management.”

• “The speed to detect events in real time for security must be complemented by the scale, correlation capabilities and long term data retention requirements for compliance purposes.”

• “Dynamic and agile controls can exist across a diverse set of protective layers and capabilities and can make these existing investments even more effective.”

Amit Yoran, SVP @ RSA

Big Data Transforms Security (YouTube)

Page 20: Managing IAM in Uncertain Times
Page 21: Managing IAM in Uncertain Times

Spheres of Influence

Page 22: Managing IAM in Uncertain Times

A Basic Roadmap

Scale

• Performance optimization

• Multi-tenant scale & management (e.g. SDLC instances)

• Elastic management

Cloud

• Identity bridge for SaaS

• Identity provider for IaaS/PaaS (e.g. vCHS, SFDC)

• Hybrid cloud management

Mobile

• Mobile REST SDK

• Mobile enterprise (BYOD, MDM, MAM, and EMM)

• Mobile IAM toolkit (SDK, Gateway)

Standards & API Governance

• Common frameworks & reusable code libraries

• SAML, SCIM, OAuth and OpenID Connect

• Common STS

• Cloud AuthZ

Page 23: Managing IAM in Uncertain Times

Technology Focused IAM Architecture

Page 24: Managing IAM in Uncertain Times

GRC Driven IAM Architecture

Page 25: Managing IAM in Uncertain Times

Renew Operational Focus

• Guidance on end-to-end SSO scenarios such as enterprise to cloud, cloud to enterprise, cloud to cloud, mobile enterprise, and how to support the use cases

• Guidance about how authentication, authorization, account provisioning and governance work in the web services world

• Governance, analytics and audit for user/partner/employee identity and entitlements across on-prem, SaaS and mobile applications for privacy assurance and risk management

• Guidance and support for leveraging CMDB and ITSM for managing IAM in a hybrid cloud environment for operational efficiency and scale

• Integration of IAM and GRC systems to improve user/role management, enable real-time risk and audit capabilities for threat and compliance management, and prevent APTs

Page 26: Managing IAM in Uncertain Times

“New school” cyber defenses & partnerships

Protecting the enterprise cloud

Automating incident management & remediation

Managed service for cloud security automation

Real time continuous threat protection

Automating access governance, identity intelligence & compliance

Virtualizing identity for a correlated global view of users and their entitlements

Page 27: Managing IAM in Uncertain Times

“Dreaming about the future can be a delightful way to spend time. As an architect, in fact, it is absolutely essential to have the ingenuity and imagination to create new things, to think well enough into the future and to maintain a rather complex calculus for how the IAM landscape needs to evolve to support business goals and achieve predictable results. An architect who fails to do that, and who rather falls back into his or her former role as a superhero to development or operations, is not doing architecture. Taking into account one’s core competencies as an architect, the success of the IAM architecture – and to some extent the IAM program – depends a lot on the skills and qualities that the IT leader who drives it possesses.”

Page 28: Managing IAM in Uncertain Times
Page 29: Managing IAM in Uncertain Times

Questions?
