Bring Your Own Identity


Published on

Bring Your Own Identity (BYOI) is the enabling of employees, customers, and constituents to use their own defined identities to access organizational resources and or entitlements. This trend is being embraced and extended to use individual social media identities. Organizations that embrace BYOI save on identity management costs as well as enable better directed marketing and communications. As all new trends, the question must come up 'Does BYOI come with hidden costs or exposures?'.

This deck covers the items you need to consider in order to move forward, including:
1) - Benefits of BYOI and why
2) - Potential downsides of blending organizational and personal identities? I.e: What is the potential privacy impact of using BYOI
3) - Issues that may arise with the use of non-organizational / personal identities while accessing information and entitlements?
4) - What can happen if a social identity is compromised? 5) - How can we use them securely?

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Identity provisioning really breaks down into two classes. The first class is that of people you provide a service to – constituents, customers , etc . The second class are employees. People who require access to provide a service for you.We collect different identity information from both of these groups. The mechanisms for collection and storage are different, as are the purposes for collection. While some of this identity information is equivalent in sensitivity, it is often handled differently.Depending on what identity class you lost the data from, it will probably have different mitigation requirements and even impact on your organization.
  • Residents : Another #$%^$#**** account and password?Not more paperwork…NYC Politicianseasy to use and reduce work (admins)merge disparate accessprovide graded access for customers / constituents and employeeshandle high volume accessneed a drop in solutionneeds to be personalizedcheap (comptroller)Not going to get me in trouble ( compliance)Site admins – need to: work with staff they have
  • Always appear to be openSecure identity be available, but did not want to mint a new identity for all constituents. Optimize the consituent experience on the web site to improve customer experience – what have they done before, highlight services based on who, what they have done in the pastAM – SecurityPR – Group of users to sort and filter informationSA – Tailoring it for them
  • Bring Your Own Identity

    1. 1. Bring Your Own Identity (BYOI) strategies for organizations and their impact Matthew Ulery Director of Product Management
    2. 2. Agenda  What is BYOI?  Why do we care about BYOI?  When to allow BYOI?  What are others doing about BYOI? 2 © 2013 NetIQ Corporation. All rights reserved.
    3. 3. What is BYOI?  Bring your own Infrastructure  Bring your own Iron  Bring your own Identity  Bring your own Improv  Bring your own Intoxicant 3 © 2013 NetIQ Corporation. All rights reserved.
    4. 4. Early adopters and providers BYOI Trends  Social, web resource and retail ─ ─ ─ ─  Social identity providers investing in BYOI ─ 4 Use LinkedIn account to access a whitepaper Use Amazon ID rather than creating a new retail account Apply to a new job using LinkedIn account NYC adopting to support constituents Seeking greater return on their identity validation investment © 2013 NetIQ Corporation. All rights reserved.
    5. 5. BYOD accelerating BYOI BYOI Trends  Identity Overload ─ ─ ─ ─ ─  Merging of personal device and identity ─ ─ 5 Average 25 accounts per person and growing Social Networking Financial Accounts (bank, payment, entertainment) Loyalty programs etc Collection of business and personal identities Expect seamless experience from personal device © 2013 NetIQ Corporation. All rights reserved.
    6. 6. 6 © 2013 NetIQ Corporation. All rights reserved.
    7. 7. Why do we care about BYOI?  Cost reduction / avoidance ─  Increase customer / constituent engagement ─ ─  Reduce registration abandonment Enable more personalized experience interactions Emerging changes in risk ─ ─ ─ 7 Management of identities is expensive Risk shared with customer/constituent and identity provider Responsibility to protect customer privacy remains Privacy risk mitigated by reducing identifiable information © 2013 NetIQ Corporation. All rights reserved.
    8. 8. Big Question? Should we allow BYOI? 8 © 2013 NetIQ Corporation. All rights reserved.
    9. 9. Security Concerns When to allow BYOI?  Strength of authentication ─ ─  Strength of identity administration ─ ─  How is identity validated for administration? What is required to issue a password reset? Compromised identity ─ ─ 9 Hurdles required to create the identity Hurdles required to validate the identity Who is responsible if identity is breached? How can you revoke access? © 2013 NetIQ Corporation. All rights reserved.
    10. 10. Different Identity Types When to allow BYOI?  Customer and constituents ─ ─  Privileged users ─ ─ ─  Employees, partners, contractors, etc. Significant access to sensitive information & systems Much greater level of personal identifiable information Allow BYOI…? ─ 10 Limited to no access to sensitive information & systems Limited amount of personal identifiable information Must balance risk and value © 2013 NetIQ Corporation. All rights reserved.
    11. 11. NYC.GOV BYOI Case Study • Different Goals / Desires / Requirements – Residents – NYC – Site Politicians admins Needed a Lightly secured, customer facing portal 11 © 2013 NetIQ Corporation. All rights reserved.
    12. 12. NYC Constituent Experience BYOI Case Study Access Management requirements Secure Identity-enabled Web Services to provide account info Public Resources Non Identity-based information and services, optimized for speed is a site composed of information from other webservices, secure, public, and semipublic. 12 © 2013 NetIQ Corporation. All rights reserved. Social Access requirements Personalized Web content, requires only simple consumer authentication or NYC.ID
    13. 13. Management of public resources BYOI Case Study  NYC Tennis Courts ─ ─ ─  Is this a candidate for BYOI? ─ ─ ─ 13 60,000 permits and tickets, 500 courts Annual permits ($100) Scheduling courts a nightmare for NYC and permit holders Low risk Lower cost from web scheduling and external identity Enables external payment collection (i.e. PayPal) © 2013 NetIQ Corporation. All rights reserved.
    14. 14. Risk of Hacked Identity Mat Honan, Wired Magazine  Linked many of his accounts ─ ─ Social accounts: Twitter, LinkedIn Personal: Amazon, Gmail  Hackers wanted Twitter handle  Hackers exploited weak link 14 © 2013 NetIQ Corporation. All rights reserved.
    15. 15. Risk of Hacked Identity Mat Honan, Wired Magazine  “In the space of one hour, my entire digital life was destroyed.” ─ ─ ─  15 “First my Google account was taken over, then deleted.” “Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages.” “And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook?” “In many ways, this was all my fault. My accounts were daisy-chained together.” © 2013 NetIQ Corporation. All rights reserved.
    16. 16. Required no advanced skills Mat Honan, Wired Magazine  Twitter linked to Gmail account ─ ─ ─  Resetting Apple account requires ─ ─ ─  Physical address & last four digits of credit card Easy to get address How could they get the credit card information? Amazon and AppleID accounts linked ─ ─ ─ 16 Google Account recovery page Gave alternate email: m**** (hmmmm mhonan)… Letting them know he had an AppleID Name and email address needed to add a card to Amazon Knowing card number allows resetting password Now they have the credit card number for AppleID © 2013 NetIQ Corporation. All rights reserved.
    17. 17. Key Take-aways Balancing Risk and Value  BYOI benefits ─ ─ ─  BYOI risk assessment ─ ─ ─  Customers/constituents involved in identity selection Security of identity beyond your control Still must protect personal identifiable information Must balance value against savings ─ ─ 17 Reduce cost of generating and managing identities Reduce customer/constituent engagement Enable more personalized experience interactions What type of access does it fit? May not be right for your organization…yet © 2013 NetIQ Corporation. All rights reserved.
    18. 18. Q&A