Page 1: [Webinar] BYOID is not a typo, it’s the future of user authentication

BRING YOUR OWN ID

Kevin Sullivan

Director of Sales Engineering

Specops Software

Page 2

Welcome

• Kevin Sullivan

[email protected]

– @kevsully67

• Director of Sales Engineering

• Recovering GP MVP, Musician

• Previously Principal Program Manager at Microsoft

• Technology lover – geek dad

WHOAMI

Page 3

Agenda

• Identity

• BYOID

• Benefits

• Challenges

WHAT ARE WE GOING TO TALK ABOUT

Page 4

Who are you?

IDENTITY

Page 5

Who do you trust?

BALANCE TRUST AND RISK

Page 6

Identity is growing in complexity

IT'S NOT THAT SIMPLE

Page 7

Sorting it all out

FRAGMENTED IDENTITY

Page 8

Confused Enough?

MIND BLOWN

Page 9

WHY

Page 10

Why BYOID

• Millennials – new ways of working and living

• The “rise of digital business”

• Convergence of Mobile, Social, Cloud and Information

• BYOD

– Working mobility

– Cross platform

– Different use cases for mobile

• Gartner says that a 2014 survey showed ~40% of survey respondents are now consuming social or other third-party identities

IS RESISTANCE FUTILE

Page 11

Adaptive Access Control

TECHNOLOGY GETS IN THE WAY

Page 12

BENEFITS OF BYOI

Page 13

Attract and Retain

• Do you want this cool white paper?

– Fill out this form/create an account?

– Sign in with Facebook?

• Gartner says “Software vendors that enable

the consumption of social identities report

that acceptance of social identities can

increase registrations by up to 90%.”

OLD WAYS ARE… OLD

Page 14

ID.me

• On the surface – online discounts and shopping

• Behind the scenes the service provides government supported identity validation service…

– If the request comes to me through ID.me, your group affiliations are accepted

– Specific discounts are available (military, teachers, students, first responders, doctors etc.)

• It is like a badge

• “Are you the police?”

• “No ma'am, we’re musicians”

WHAT IS OUT THERE

Page 15

CHALLENGES

Page 16

This is NOT the only scenario – but common

HOW DOES IT WORK

Page 17

Not the Automobile Association of America

• Does ByoID fit the entire life-cycle?

– Authentication

• authN

– Authorization

• authZ

– Access Control

AAA

Page 18

Availability

• What choices do you have?

• Social?

– FB, Twitter, Instagram, etc.

• Enterprise?

– Azure, Google, etc.

• Facebook is very popular

– But not in all countries

– Typically it is a ‘personal’ persona

• LinkedIn is popular for professional networking

– Does everyone need to know your ‘professional’ persona

• LiveID, Google ID

– Identities used for many connected services

DOES IT WORK FOR EVERYONE

Page 19

Flexibility

• Not every identity service may be appropriate for every use case

• Step-up

– Initial access to low impact ‘stuff’

– Additional access, with additional verifications and ‘stuff’ grows in importance

• Understand your constituency

• Who needs what?

• Are enforceable policies in place?

IF THE GLOVE FITS

Page 20

What data to share

• Is the whole profile exposed?

– Friends list

– Status updates

• More of an anecdotal scenario

– Facebook and privacy

– Google + and future

– Who cares about your cat pictures?

– Is your data trusted?

• Address

• Phone number

ARE YOU AN OPEN BOOK

Page 21

Identity Proofing

• Areas of study and analysis are dedicated to Identity Proofing

• Geo-specific

– What is trusted in the US may not be trusted in Sweden and vice versa

• Some interest and support for providing third party identities

– Verizon, ID.me, Government ID (e-ID), Microsoft Cloud Services (Azure IdM/AD), Google Apps

• Some albeit expensive vendors jumping in…

– LexisNexis, Equifax, Experian

– Gartner reports relatively low adoption due to cost and complexity

Page 22

Are the protocols ready?

• Still some churn

• New stuff coming in

• Old stuff showing wear

• Public vulnerabilities create concern

• NIST – defines LOA

– ‘Level of Assurance’

– Levels 1 – 3

• OpenID (2.0 is for ‘lower security use cases’)

• OpenID Connect (supports NIST LOA levels 1 – 3)

• OAuth

IF YOU CAN SMELL IT, IT IS DONE

Page 23

What to do?

• Plan carefully

• Learn and understand

• Be the best <fill in the blank> organization you can be

– <obvious>Don’t try to be something you are not…

– If you are not a security software development organization then don’t build your own authentication frameworks</obvious>

• Step-up

• Multi-factor models

– Use mobile-device verification everywhere you can

– Or other multi-factor models

PLAN, PLAN, PLAN
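Added example, not from the webinar deck: the server side of the "mobile-device verification" the slide recommends, verifying a time-based one-time code (TOTP, RFC 6238) the way an authenticator app produces it. The shared secret and the per-user state store are constructed for the example. Beyond the bare algorithm it shows the two checks a practitioner needs: a small clock-drift window, and a record of the last accepted time step so the same code cannot be replayed.

```python
"""
Added example (not from the webinar deck): TOTP verification with a drift
window and replay protection. Secret and user store are constructed.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

STEP_SECONDS = 30
DIGITS = 6
WINDOW = 1   # also accept the previous and next time step (clock drift)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """Time-based code: HOTP over the current time step (RFC 6238)."""
    return hotp(secret, int(at // step))


class TotpVerifier:
    """Keeps per-user state so an accepted code is never accepted again."""

    def __init__(self) -> None:
        # user -> last time-step counter that was accepted (constructed store)
        self._last_counter: Dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        current = int(now // STEP_SECONDS)
        for counter in range(current - WINDOW, current + WINDOW + 1):
            # Replay check: never accept a counter at or below the last one used.
            if counter <= self._last_counter.get(user, -1):
                continue
            if hmac.compare_digest(hotp(secret, counter), code):   # constant time
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # the RFC 6238 test-vector secret
    v = TotpVerifier()
    code = totp(demo_secret, time.time())
    print("first use :", v.verify("alice", demo_secret, code))   # True
    print("replayed  :", v.verify("alice", demo_secret, code))   # False
```

Rate-limit the verify call per user as well; six digits with a three-step window is small enough that unthrottled guessing matters.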

Page 24

Thanks and send us your feedback!

• Topics of interest?

• Suggestions?

• Corrections?

• Criticisms?

[email protected]

• http://www.specopssoft.com

• @kevsully67

• Follow Specops Software on Facebook!

Page 25

Resources

Page 26

APPENDIX

Page 27

Password Strength

Page 28

Password Policy

• If the password satisfies the rule it is strong

• If the password satisfies the rules and it is weak the rules are wrong
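Added example, not from the webinar deck, illustrating the second bullet: a checker that applies the usual composition rules and then a separate weakness check, so a password like `P@ssw0rd1!`, which satisfies every rule, is still rejected. The blocklist and leet-speak mapping are constructed stand-ins for a real breached-password feed; the rule set is an assumption for the example.

```python
"""
Added example (not from the webinar deck): composition rules versus an
actual weakness check. Blocklist and rules are constructed for illustration.
"""
import re
from typing import Callable, Dict, List

# Constructed blocklist standing in for a breached-password / dictionary feed.
BLOCKLIST = {"password", "welcome", "letmein", "summer", "winter", "company"}
KEYBOARD_WALKS = ("qwerty", "asdf", "zxcv", "1234", "abcd")
# Common substitutions users make to satisfy "digit" and "symbol" rules.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "i",
                      "!": "i", "$": "s", "5": "s", "7": "t"})

# The classic composition policy (assumed for the example).
RULES: Dict[str, Callable[[str], bool]] = {
    "length>=8": lambda p: len(p) >= 8,
    "uppercase": lambda p: re.search(r"[A-Z]", p) is not None,
    "lowercase": lambda p: re.search(r"[a-z]", p) is not None,
    "digit":     lambda p: re.search(r"[0-9]", p) is not None,
    "symbol":    lambda p: re.search(r"[^A-Za-z0-9]", p) is not None,
}


def rule_failures(password: str) -> List[str]:
    """Names of the composition rules the password does not satisfy."""
    return [name for name, ok in RULES.items() if not ok(password)]


def _roots(password: str) -> set:
    """Candidate dictionary roots: lowercase, de-leeted, trimmed of suffix/prefix."""
    low = password.lower()
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    return {low, low.translate(LEET), trimmed, trimmed.translate(LEET)}


def weak_reasons(password: str) -> List[str]:
    """Why the password is weak regardless of the rules it satisfies."""
    reasons = []
    hits = sorted(r for r in _roots(password) if r in BLOCKLIST)
    if hits:
        reasons.append("dictionary/breached root: " + ", ".join(hits))
    low = password.lower()
    walks = [w for w in KEYBOARD_WALKS if w in low]
    if walks:
        reasons.append("keyboard walk: " + ", ".join(walks))
    if len(set(low)) <= 3:
        reasons.append("too few distinct characters")
    return reasons


def check(password: str) -> dict:
    """Apply rules, then the weakness check; reject if either objects."""
    failures = rule_failures(password)
    weak = weak_reasons(password)
    return {
        "rules_ok": not failures,
        "rule_failures": failures,
        "weak_reasons": weak,
        "verdict": "accept" if not failures and not weak else "reject",
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "qwerty12", "Kx9#vQ2mLp7!"):   # constructed samples
        print(pw, "->", check(pw))
```

The point of keeping `rule_failures` and `weak_reasons` separate is that the first is what the policy promises and the second is what the attacker's wordlist actually exercises; when the two disagree, as the slide says, the rules are what need changing.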

Page 29

Notes

• Identity Proofing Services

• “Consumption of social identities can reduce friction and is particularly helpful for new and transient relationships”

• Attestation –

– “a solemn statement made under oath”

– “Certification by signature or oath”

• ID.me – trusted verification

– Verify group affiliations (military, teacher, student, etc.) and store the verification in the ID.me account.

– Used for online discounts and shopping
