2019 | Ping Identity Presents: Customer IAM Solutions that Both Developers and IT Love | Identiverse | Day 3, June 27

Developers are constantly launching new customer applications and need easy-to-use solutions to meet their timelines. This includes an agile approach to embed cloud-based identity services into their applications. If IT doesn’t offer these services, developers will go out and get their own, often without the needs of central IT in mind. This could leave IT with disparate identity silos, security holes and customization/integration challenges. Join this session to learn about API-first customer IAM solutions that are easy for developers to use, and also architected to provide the manageability, security, integrations and hybrid IT capabilities that enterprise IT craves.


  1. CUSTOMER IAM SOLUTIONS THAT BOTH DEVELOPERS AND IT LOVE (June 2019)
  2. What consumers want: good products and services; seamless, personalized experiences; "take care of my data".
  3. Identity plays a critical role in UX and security, cutting across all three: good products and services, seamless personalized experiences, and taking care of customer data.
  4. Why is it so hard? Channels accumulate over time: an e-commerce website launched in 2005, then a customer loyalty program, a mobile app, partner web properties and marketing programs added between 2008 and 2013. Each arrived with a separate login, separate data silos, incompatible standards, and its own marketing-automation user profiles.
  5. What happens if you get it wrong? Disjointed experiences, in the customer's words:
     • "Why do I have to manually manage multiple passwords for one company?"
     • "You still have my old account info. I changed that last week. Why didn't you see it?"
     • "My password has numbers, symbols, and is 19 characters long. You're not accepting it because I have 2 consecutive letters?"
     • "Your password reset process is a nightmare! I'd rather register for a brand new account with a competitor."
     • "You send me an MFA request EVERY. SINGLE. TIME I login. I'm using the same device… Come on, it's me."
     • "You want me to go download some third party app just to get MFA?"
  6. What happens if you get it wrong? Security risks.
  7. What happens if you get it wrong? Security risks: broken authentication. Be sure to avoid these obvious loopholes…
     • Permits credential stuffing, brute force, or weak default passwords.
     • Uses weak credential recovery.
     • Uses knowledge-based authentication.
     • Uses plain-text, encrypted (rather than hashed), or weakly hashed passwords.
     • Has no MFA or ineffective MFA (SMS and email MFA are less secure).
     • Doesn't rotate session IDs after login.
     • Doesn't invalidate session IDs (particularly SSO tokens) after a period of inactivity.
  8. What happens if you get it wrong? Security risks: sensitive data exposure. Make sure you take these steps to prevent it…
     • Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
     • Encrypt all data in transit with secure protocols such as TLS with perfect forward secrecy (PFS) ciphers, cipher prioritization by the server, and secure parameters.
     • Enforce encryption using directives like HTTP Strict Transport Security (HSTS).
     • Disable caching for responses that contain sensitive data.
     • Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt, or PBKDF2.
     • Verify independently the effectiveness of configuration and settings.
  9. What happens if you get it wrong? Security risks: sensitive data exposure (continued)…
     • Classify data processed, stored, or transmitted by an application.
     • Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
     • Apply controls as per the classification.
     • Don't store sensitive data unnecessarily. Discard it as soon as possible, or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen.
     • Make sure to encrypt all sensitive data at rest.
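The broken-authentication loopholes on slide 7 (session IDs not rotated after login, sessions never invalidated for inactivity, timing-based username enumeration) and the password-storage advice on slide 8 (salted, adaptive hash with a work factor) are easiest to see in code. The following is an added example, not code from the deck or from Ping Identity's products: a minimal server-side session store and PBKDF2 password records using only the Python standard library. The user table, the idle timeout and the injectable clock are constructed for the example.

```python
"""Added example (not from the Ping Identity deck): password storage and
session handling that avoid the loopholes listed on slides 7 and 8.
Standard library only; the user table and the clock are constructed here."""
import hashlib
import hmac
import os
import secrets
import time

# Work factor for PBKDF2-HMAC-SHA256. Raise it as hardware gets faster; the
# iteration count is stored in the record so old hashes can be upgraded on login.
PBKDF2_ITERATIONS = 310_000
SALT_BYTES = 16
SESSION_IDLE_TIMEOUT = 15 * 60   # seconds of inactivity after which a session dies


def hash_password(password: str) -> str:
    """Salted, adaptive hash in a self-describing record: algo$iters$salt$hash."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: a wrong password is not distinguishable by timing.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Record checked when the username does not exist, so unknown and known usernames
# take the same time to reject (no user enumeration via response timing).
_DUMMY_RECORD = hash_password(secrets.token_hex(8))


class SessionStore:
    """Server-side sessions with rotation on login and idle expiry."""

    def __init__(self, users: dict, clock=time.monotonic):
        self._users = users          # username -> password record
        self._clock = clock          # injectable so the example runs offline and in tests
        self._sessions = {}          # session id -> {"user": str | None, "last_seen": float}

    def _new_session(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never a sequence number
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def start_anonymous(self) -> str:
        return self._new_session(None)

    def login(self, presented_sid: str, username: str, password: str):
        record = self._users.get(username)
        ok = verify_password(password, record if record is not None else _DUMMY_RECORD)
        if record is None or not ok:
            return None
        # Rotate: the pre-login id (possibly attacker-chosen, i.e. session fixation)
        # is discarded and a fresh id is bound to the authenticated user.
        self._sessions.pop(presented_sid, None)
        return self._new_session(username)

    def _touch(self, sid: str):
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > SESSION_IDLE_TIMEOUT:
            del self._sessions[sid]       # idle too long: invalidate on the server side
            return None
        session["last_seen"] = now
        return session

    def is_active(self, sid: str) -> bool:
        return self._touch(sid) is not None

    def current_user(self, sid: str):
        session = self._touch(sid)
        return session["user"] if session else None

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```

The same structure applies to SSO tokens: the idle timeout is enforced where the session lives, not only in a cookie expiry the client controls, and the store (not the browser) decides which ids are still valid.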
  10. What happens if you get it wrong? Security risks: broken access control. Make sure your app teams…
     • Employ least-privilege concepts: apply a role appropriate to the task and no more.
     • Get rid of accounts you don't need.
     • Audit your servers and websites: who is doing what, when, and why.
     • If possible, apply multi-factor authentication to all your access points.
     • Disable access points until they are needed in order to reduce your access windows.
     • Remove unnecessary services from your servers.
     • Verify which applications are externally accessible versus which are tied to your network.
     • If you are developing a website, bear in mind that a production box is not the place to develop, test, or push updates without testing.
  11. What happens if you get it wrong? Security risks: employ standards properly. That part is easy… just follow these steps: [flow diagram not reproduced in the transcript] …of course, that's just the implicit flow.
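Slide 11's punchline is that even the "easy" flow diagram is only the implicit flow. The current OAuth 2.0 security best-practice guidance steers public clients (browser and mobile apps) away from the implicit flow and to the authorization code flow with PKCE (RFC 7636), which is what a customer-facing app should actually implement. The following is an added example, not code from the deck or from Ping Identity's products: both sides of that exchange in the Python standard library, with an in-process call standing in for the HTTPS token request. The client id, redirect URI, user and code lifetime are constructed for the example.

```python
"""Added example (not from the deck): OAuth 2.0 authorization code flow with
PKCE (RFC 7636) for a public client. Client registration, the user and the
clock are constructed here; server.token_request() stands in for the HTTPS
POST to the token endpoint."""
import base64
import hashlib
import hmac
import secrets
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class PublicClient:
    """A browser or mobile app: it has no client secret, so PKCE binds the
    authorization code to the party that started the request."""

    def __init__(self, client_id: str, redirect_uri: str):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self._pending = {}   # state -> code_verifier, kept only until the redirect returns

    def authorization_request(self) -> dict:
        verifier = b64url(secrets.token_bytes(32))   # 43 chars, within RFC 7636's 43..128
        state = b64url(secrets.token_bytes(16))
        self._pending[state] = verifier
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": "openid profile",
                "code_challenge": s256_challenge(verifier),
                "code_challenge_method": "S256", "state": state}

    def handle_redirect(self, params: dict, server):
        # Unknown or already-used state: not a response to a request we made (CSRF / mix-up).
        verifier = self._pending.pop(params.get("state"), None)
        if verifier is None:
            return None
        return server.token_request(code=params["code"], code_verifier=verifier,
                                    client_id=self.client_id, redirect_uri=self.redirect_uri)


class AuthorizationServer:
    CODE_LIFETIME = 60   # seconds; codes are short-lived and single use

    def __init__(self, clients: dict, clock=time.time):
        self._clients = clients   # client_id -> set of exactly registered redirect URIs
        self._clock = clock
        self._codes = {}          # code -> grant details

    def authorize(self, request: dict, authenticated_user: str) -> dict:
        """Authorization endpoint, after the user has logged in and consented.
        Errors are raised rather than redirected: never send anything to an
        unregistered redirect_uri."""
        allowed = self._clients.get(request.get("client_id"), set())
        if request.get("redirect_uri") not in allowed:        # exact string match only
            raise ValueError("unregistered redirect_uri")
        if request.get("code_challenge_method") != "S256" or not request.get("code_challenge"):
            raise ValueError("PKCE with S256 is required")
        if not request.get("state"):
            raise ValueError("state is required")
        code = b64url(secrets.token_bytes(32))
        self._codes[code] = {"client_id": request["client_id"],
                             "redirect_uri": request["redirect_uri"],
                             "challenge": request["code_challenge"],
                             "user": authenticated_user,
                             "expires": self._clock() + self.CODE_LIFETIME}
        return {"code": code, "state": request["state"]}

    def token_request(self, code, code_verifier, client_id, redirect_uri):
        grant = self._codes.pop(code, None)          # single use: a replayed code fails
        if grant is None or self._clock() > grant["expires"]:
            return None
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            return None
        if not hmac.compare_digest(s256_challenge(code_verifier), grant["challenge"]):
            return None   # whoever intercepted the code does not hold the verifier
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer",
                "expires_in": 3600, "sub": grant["user"]}
```

Contrast with the implicit flow: there the access token itself travels in the redirect URL fragment, where browser history, referrers and any script on the page can read it, and nothing ties it to the client that asked for it. With the code flow plus PKCE, a leaked code is worthless without the verifier, and the token only ever leaves the server in a direct response to the redeeming client.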
  12–18. What has to be built? Slides 12 to 18 grow the same wireframe one step at a time; the full build-out is:
     • Step 1: registration & profile management. Wireframes: Register (first name, last name, email, password; Create Account), Login (username, password; Forgot username / Forgot password), Account Recovery, Edit Profile (first name, last name, email; Save Profile), Logout.
     • Step 2: social login & registration.
     • Step 3: multi-factor authentication and identity proofing.
     • Step 4: adaptive authentication.
     • Step 5: inbound federation (SP).
     • Step 6: consent.
     • Step 7: passwordless.
  19–22. How do we get identity into apps? Slides 19 to 22 build up three patterns. In each, a central identity service provides registration, login, MFA and profile management; the patterns differ in where the UI lives:
     • IAM-managed UIs: shared UIs served by the central identity service. Pros: focus on value, time to market. Cons: limited control.
     • App-managed UIs: customizable UI templates per app. Pros: UI experience, reusability, responsive. Cons: time to develop.
     • App-embedded UIs: native application UIs in the app layer that call the central identity service. Pros: immersive. Cons: maintenance, coordination.
  23. There are other considerations too…
     • Per-app environments: each app has its own dev, staging and production environment (App 1, App 2), while the customer keeps one account across them.
     • Per-app policies, for example: an app with no PII accepts a session younger than 5 days with username/password and requires MFA once the session is older than 5 days; an app with PII accepts a session younger than 1 day with username/password and requires username/password plus push MFA once the session is older than 1 day. Each combination maps to an assurance level (the slide shows levels 1 through 4, from username/password through push MFA up to passwordless).
     • Per-app mappings: app-specific attributes returned to each app.
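Per-app policies and per-app attribute mappings are where "one account, many apps" meets least privilege: the central service decides, per app, how fresh and how strong the authentication must be, and which profile attributes the app is allowed to see. The following is an added example, not code from the deck or from Ping Identity's products: a policy decision function and an attribute filter. The session-age thresholds follow slide 23 as read; the app ids, the assurance-level numbering per rule, and the user profile are assumptions made for the example.

```python
"""Added example (not from the deck): central policy decision for per-app
session rules and per-app attribute mappings (slide 23). App ids, the
assurance-level numbers and the profile are constructed here."""
from dataclasses import dataclass
from datetime import timedelta
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class SessionRule:
    max_age: Optional[timedelta]    # rule applies while session_age <= max_age; None = no limit
    required: FrozenSet[str]        # authenticators the session must have completed
    assurance_level: int            # level numbers are an assumption of this example


@dataclass(frozen=True)
class AppPolicy:
    handles_pii: bool
    rules: Tuple[SessionRule, ...]  # ordered from youngest to oldest session, last is open-ended
    attributes: FrozenSet[str]      # profile attributes this app is allowed to receive


@dataclass
class Decision:
    allowed: bool
    step_up: List[str]              # authenticators still missing; empty when allowed
    assurance_level: int


# Thresholds as on slide 23; app ids and level numbers are assumed.
POLICIES = {
    "store-front": AppPolicy(                 # app with no PII
        handles_pii=False,
        rules=(SessionRule(timedelta(days=5), frozenset({"password"}), 1),
               SessionRule(None, frozenset({"password", "mfa"}), 2)),
        attributes=frozenset({"sub", "given_name"})),
    "account-portal": AppPolicy(              # app with PII
        handles_pii=True,
        rules=(SessionRule(timedelta(days=1), frozenset({"password"}), 1),
               SessionRule(None, frozenset({"password", "push_mfa"}), 3)),
        attributes=frozenset({"sub", "given_name", "family_name", "email", "phone_number"})),
}

# Constructed profile held by the central identity service. Note that
# date_of_birth is mapped to no app at all: nothing needs it, so nothing gets it.
FULL_PROFILE = {"sub": "u-1001", "given_name": "Ada", "family_name": "Lovelace",
                "email": "ada@example.org", "phone_number": "+15555550100",
                "date_of_birth": "1815-12-10"}


def evaluate(app_id: str, session_age: timedelta, satisfied) -> Decision:
    """What must still happen before this session may use this app."""
    policy = POLICIES.get(app_id)
    if policy is None:                            # unknown app: default deny
        return Decision(False, ["unknown_app"], 0)
    for rule in policy.rules:
        if rule.max_age is None or session_age <= rule.max_age:
            missing = sorted(rule.required - frozenset(satisfied))
            return Decision(not missing, missing, rule.assurance_level)
    raise AssertionError("every policy must end with an open-ended rule")


def attributes_for(app_id: str, profile: dict) -> dict:
    """Per-app mapping: return only the attributes this app is entitled to."""
    policy = POLICIES.get(app_id)
    if policy is None:
        return {}
    return {name: value for name, value in profile.items() if name in policy.attributes}


def check_policies() -> List[str]:
    """Sanity check to run in CI: a PII app must never accept password-only
    sessions indefinitely, and every policy must have an open-ended rule."""
    problems = []
    for app_id, policy in POLICIES.items():
        last = policy.rules[-1]
        if last.max_age is not None:
            problems.append(f"{app_id}: no open-ended rule")
        if policy.handles_pii and last.required <= {"password"}:
            problems.append(f"{app_id}: PII app allows password-only sessions with no time limit")
    return problems
```

The app never sees the policy table; it sends its app id, the session age and the authenticators already satisfied, and acts on the returned step-up list. That keeps the "which app needs what" decision, and any later tightening of it, in one place.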
  24. Add MFA that's convenient and secure: let customers authenticate with a face scan from your own app, and leverage device secrets, which are more secure than SMS or email. (Mock-up: "A new device is attempting to login" push notification, approved with Touch ID for "Your App" or denied.)
  25. Demo: delivering customer MFA from a cloud-based service.
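What makes a device secret stronger than SMS or email is that the factor is a secret held only by an enrolled device and released only after local user verification, so there is nothing to intercept in transit and nothing to phish out of the user. The following is an added example, not code from the deck or from Ping Identity's products, and it is a simplification: a per-device secret provisioned at enrollment, single-use server challenges signed with HMAC, and the "new device is attempting to login" case, where an already-enrolled device approves the newcomer. The users, device ids, biometric gate and clock are simulated. A production design would use a per-device asymmetric key pair (as FIDO2/WebAuthn does) so that the server stores only public keys and a server breach leaks no authenticators.

```python
"""Added example (not from the deck): device-bound second factor with a
per-device secret, single-use challenges, and new-device approval by an
enrolled device. Users, devices, the biometric gate and the clock are
simulated; production would use asymmetric per-device keys instead."""
import hashlib
import hmac
import secrets
import time


class DeviceAuthenticator:
    """Runs inside the customer's own app; the secret never leaves the device."""

    def __init__(self, device_id: str, secret: bytes):
        self.device_id = device_id
        self._secret = secret   # in practice: OS keystore, unlocked by Touch ID / Face ID / PIN

    def sign(self, challenge: bytes, user_verified: bool) -> bytes:
        if not user_verified:   # local user-verification gate before the secret is used
            raise PermissionError("user verification failed")
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class MfaService:
    CHALLENGE_LIFETIME = 120   # seconds

    def __init__(self, clock=time.time):
        self._clock = clock
        self._devices = {}       # (username, device_id) -> secret
        self._challenges = {}    # challenge -> (username, device_id, purpose, expires)

    def enroll(self, username: str, device_id: str) -> DeviceAuthenticator:
        secret = secrets.token_bytes(32)
        self._devices[(username, device_id)] = secret
        return DeviceAuthenticator(device_id, secret)

    def is_known_device(self, username: str, device_id: str) -> bool:
        return (username, device_id) in self._devices

    def issue_challenge(self, username: str, device_id: str, purpose: str = "login"):
        """None for an unenrolled device: do not trust the newcomer; instead
        ask an enrolled device to approve it (see approve_new_device)."""
        if not self.is_known_device(username, device_id):
            return None
        challenge = secrets.token_bytes(32)
        self._challenges[challenge] = (username, device_id, purpose,
                                       self._clock() + self.CHALLENGE_LIFETIME)
        return challenge

    def verify(self, username, device_id, challenge, response, purpose="login") -> bool:
        entry = self._challenges.pop(challenge, None)   # single use: a replay fails
        if entry is None:
            return False
        if entry[:3] != (username, device_id, purpose) or self._clock() > entry[3]:
            return False
        secret = self._devices[(username, device_id)]
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def devices_for_approval(self, username: str, new_device_id: str):
        """Enrolled devices that should receive the 'new device is attempting
        to login' push for this user."""
        return [dev for (user, dev) in self._devices if user == username and dev != new_device_id]

    def approve_new_device(self, username, new_device_id, approver_id, challenge, response):
        """The approving device signs a challenge issued for this specific
        enrollment; a plain login challenge cannot be repurposed for it."""
        if not self.verify(username, approver_id, challenge, response,
                           purpose=f"enroll:{new_device_id}"):
            return None
        return self.enroll(username, new_device_id)
```

The two properties to keep when adapting this: challenges are random, bound server-side to a device and a purpose, and consumed on first use; and the secret is only ever used after the device has verified the user locally, which is what turns "something you have" into a factor that an SMS forward or a mailbox compromise cannot replicate.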