Secure Identity:
The Future is Now
Jason Keenaghan
Director, Offering Management
Adam Case
Technical Offering Manager

Agenda
IBM Security / © 2019 IBM Corporation
Introduction
Access & Authentication
Identity Analytics
Decentralized Identity
2

The evolution of identity
IBM Security / © 2019 IBM Corporation 4
Empower
Today & beyond
Protect
2010s
Automate
2000s
§ How to help business reduce
abandonment of online service by
frustrated users?
§ How to streamline and create a
frictionless user experience?
§ How to empower developers to build
secure apps?
§ How to reduce the risks associated with
weak passwords?
§ How to protect the critical assets?
§ How to ensure users
have the right level of access?
§ How to reduce administrative overhead
when granting users access?
§ How to minimize productivity loss by not
forcing employees to remember multiple
passwords?
§ How to reduce help desk costs associated
with password resets?

All users expect seamless and secure experiences
Joiner
Mover
Leaver
Regular
Elevate
Restore
Unknow
n
Known
Forgotten
Employee
Contractor
Administrator
Developer
Consumer
Constituent
• Time to productivity
• Need automated provisioning
• Enforce segregation of duties
• Too many entitlements
• Forgotten credentials
• Shared or sensitive accounts
• Time to productivity
• Rotating staff needs sensitive access
• Need to limit actions
• Don’t know where all privilege
credentials reside
• Reduce time to market
• Increase security
• Easy registration
• Frictionless authentication
• Consent & profile management
• Forget me
Key pain points

Identity is hard.
Done right, it can become
a business enabler.
But, done wrong…
IBM
Security
/ ©
2019
IBM
Corpora
tion /
IBM
6
• Cloud (public, private, multicloud)
• Digital transformation
• Workforce transformation
• API economy
• DevOps / DevSecOps
• Robotic Process Automation (RPA)
• IoT
• AI and analytics
• Regulatory compliance
• Consumer privacy
• Insider threats

IBM manages over 2 billion identities

IAM services offered by IBM
salesforce
Concur
WebEx
G Suite
O365
Zoho
Workday
…
……
…
SaaS On-premiseHybrid Cloud ManagedPrivate Cloud
ACCESS & AUTHENTICATION IDENTITY GOVERNANCEPRIVILEGED ACCESS

10 to20%
higher adoptions of digital services
if authentication is easy
20%
more revenue for digital businesses
with a better customer experience
64%
security decision makers plan to
centralize customer insights
Organizations are evaluating a wide range of
authentication options across the
infrastructure – web, mobile, desktop,
servers, mainframes
Frictionless experience with consumer authentication
Reduce password dependence with MFA everywhere for workforce
Multi-factor authentication will
reduce reliance on passwords
within the enterprise

11 © 2018 IBM Corporation
Building Digital Identity Trust Throughout the User Journey
LevelofContext
Unknown User
Trusted
User
Onboard
Register for app or service
and become an authorized
user by proving initial
identity claims
Use
Continuous and ongoing
usage of apps/services
Join
Learn about the app or
service and explore new
relationship
Login
Use established credentials
to authenticate self
Stage in Digital Lifecycle
ESTABLISH TRUST SUSTAIN TRUST
CONFIRM TRUST

Deliver unified experience to consumers
Standards based, developer
friendly, identity infrastructure
for omni-channel (web, mobile,
API, IOT) user access control
Single identity across
independent brands and
business lines accelerates
transitions and reduces churn
Frictionless experience with
user-customizable choice for
personalizing authentication
experience
12IBM Security / © 2019 IBM Corporation

The best security is the kind you don’t know is there
Silent Security Approach
I see you are on your
enrolled phone which is not
jail broken or rooted, you are
connecting from the usual
region with no signs of malware
and your activity is in a low-risk
area. Come on in!
Hello…
…Nice!
What’s the password?
Wrong!
You may enter
It’s “Security”
Hello, can I enter?
Ugh! it’s “Security” with
a “1” instead of the “i”
PASSWORD ONLY (older approach)

• Proactively analyze hundreds of parameters to
authenticate users against a uniquely created
user profile
• Profile is based on user interaction patterns,
account usage and frequently used devices,
learned during service accesses
• User is authenticated by a much richer
identifying data set that can augment traditional
authentication factors
• No user interaction is required in most logins -
Only when suspicion arises, user is presented
with authentication challenges
Behavior based profiling and
fraud detection

Gartner names IBM the top AM vendor for B2C Use Cases
Top Criteria
• Ability to support a wide range of
applications
• Self-service features
• API access
• Nonstandard application enablement
• Consumer friendly authentication
methods
• Self-service features
IBM AND BUSINESS PARTNER INTERNAL USE ONLY
– :Source: Gartner, Critical Capabilities for Access Management 2018::

Extend the experience to employees to quickly find & use apps
Improve user productivity and reduce help desk costs
• No need to remember multiple passwords
• Add stronger methods of authentication than traditional weak passwords
• Single platform to access ALL on-premises and cloud apps securely

VPN Access
Providing multi-factor authentication for network access is important.
Verify provides a RADIUS service that makes it easy to integrate Verify
with common VPN services like CISCO® and Checkpoint®.
Linux, AIX
Securing your Linux & AIX servers via PAM /RADIUS integration with
Verify is straight forward. Administrator access to can be protected by
Verify with a native PAM and/or RADIUS integration.
Microsoft® Windows Login
Windows Desktops and Servers can be protected by leveraging Verify’s
integration with Windows. The operating system access can now be
secured with multi-factor authentication from the cloud.
MFA everywhere within the enterprise
One experience for all users – employees, privileged users,
mainframe admins across all channels
Mainframe
With an optional MFA solution for z platform, protect your mainframe
with the same Verify app.

Business benefits
Improved customer experience
Customers use one username and
password to login
Reduced costs.
No overheard of password resets and
reducing friction for the end user
Increase protection.
Using step-up authentication methods
to confirm risky transactions
Large telecommunications co
Protects over 200 million customers
Uses IBM for a variety of environments: internal, employee
authentication and a separate consumer authentication
platform serving over 200 million users. They also use
OAuth for mobile applications. Using IBM as their
underlying directory containing all the employee and
consumer identities.
Existing deployments with millions of consumers
18
This leading credit services provider offers customer support
to more than one million credit card holders around the
world through more than 40 regional branches and service
centers. The company implemented a system that combines
single sign-on access to all applications with fingerprint-
based access instead of passwords. Because agents can no
longer share passwords, the company knows exactly who
accessed what information and when. New agents can be on-
boarded in five minutes.
Credit services leader
Reduces risk and increases
profitability
Business benefits
Improved agent productivity.
Sub-second bio authentication
shortened customer response times
Reduced payroll costs
Confirming that agents were paid for
actual hours worked reduced payroll
expense by 12 percent.
Decreased IT costs
Eliminating the need for password
resets saved USD110,000 annually.

DemoLet us show you how easy it is to get started

Identity Governance has evolved to meet the demands of shifting
business drivers, creating the arrival of Identity Analytics
User Account
Provisioning
Mid 90s
Security-Driven
• Identity Lifecycle Management
• User Account Provisioning
• Centralized Identity
• Password Management
• Simple Report
Identity and Access
Governance
Early 2000s
Compliance-Driven
• Access Certification
• Centralized Policy
Administration
• Access Request
Entitlement Catalog
• Role Management
Advanced Reporting
Identity
Analytics
Today
Risk-Aware
• Risk Scoring
• Behavior Analytics
• Anomaly Detection
• Peer Group Analysis
• Continuous Monitoring

Identity Analytics applies logic and science to identity and access
data to provide insights for making better IAM decisions
“Identity analytics is
the Next Evolution
of the IGA
market.”
“Identity analytics is
one of the fastest
changing disciplines
of IAM.”
“Identity analytics
solutions are estimated
to grow at the highest
CAGR.”

Azar
Compliance Analyst
Problem: I’m unable to monitor
risk across my IAM solutions so
I’m not sure if I’m carrying
compliance risk.
Solution: Healthceck
Gain a complete view of access
risks from existing IAM
deployments within your
environment.
Jessica
IAM Admin
Problem: My IAM processes
inhibit me from being able to
identify anomalies within peer
groups.
Solution: Peer Group Analysis
Identify rouge and outlier access,
compare peer groups (role, geo,
department, etc.) and ensure
policy adherence.
Identity Analytics helps reduce risk with features like risk scoring,
behavioral analytics, anomaly detection and continuous monitoring
John
Line of Business
Problem: I need insights to make
informed access and certification
decisions, otherwise I’ll just
approve everything.
Solution: Help Me Decide
Reduce access certification
fatigue with identity analytic data
such as risk scores and
confidence scores.

Identity Analytics with IBM Cloud Identity
• Gain a 360o view of access risks from existing IAM
deployments
• Analyze user entitlements to provide remediation
and recommendations
• Modernize existing IAM investments by bringing
actionable intelligence
• Apply Peer Group Analysis to find outliers and risky
entitlements
• Utilize out-of-the-box support for ISIM, IGI and IBM
Cloud Identity
• Gain a framework to integrate with other IAM
solutions, including third-party
IBM and Business Partner Internal Use Only
Provide risk-aware actionable intelligence to your IAM program
*This product is currently in Beta

IdentityAnalyticswith
IBMCloudIdentity
Analytics
Data Store
Analytics
Engine Peer Group
Analysis
Risk Analysis
Engine
Outlier
Analysis
Machine
Learning
360 degree view of
access risk
(Risk Dashboard)
Role
Mining
Risk based
certifications
Correlator
Help Me
Decide
Config
Data Store
Entitlement
Analytics
Data feed
agents
Custom
Sources
QRadarGuardium
(Aveksa)
RACF UDS
Correlator
Configurations
Custom
Policies
Custom
Actions
Rest API
Supported
Tech Preview
MaaS360
Remediation examples:
Recertify
Suspend
Recert in custom tool
Create a case in
Create a case in
Report to manager
Notify App Owner
Block Firewall
Identity Analytics with IBM Cloud Identity
ISIM IGI ISAM CI
Legend

Identity Analytics for Cloud Identity Beta Program
1. We’re looking for Customer feedback
– Would you be interested in adopting these scenarios?
– What capabilities/use cases would be most impactful to your organization?
2. Beta Requirements
– IGI 5.2.3/5.2.4/5.2.5 OR ISIM 6/7
– Docker Set Up Free Edition
– Can deploy on Cloud Identity or on-prem through Docker Bridge
3. Interested Customers
– Reach out to us to further discuss at cloud_id_analyze@wwpdl.vnet.ibm.com
IBM and Business Partner Internal Use Only

We need a new way
The Problem
• Fraud and identity breaches coupled with password management
cost businesses billions of dollars
• Individuals lack control of their identity because of central
authorities and third parties
• Fragmented and siloed data results in costly processes and poor
client experiences
The Solution
• Bring aspects of identity in the physical world to the digital world
• Enable self-sovereign identity for people, organizations and devices
• Derive identity through distributed verifiable credentials
• Provide governance : Global Public and Domain Specific (Business, Legal,
Technical)
• Build-for security and scale: push identity to the edges of the networks
Distributed Identifiers
Public Blockchain

Decentralized Identity: A win-win technology shift
NO MORE
PASSWORDS
IDENTITY
OWNERSHIP
DATA
CONTROL
INFORMATION
ECONOMY
REDUCED RISK AND
COMPLIANCE COST
BUSINESS PROCESS AND
CUSTOMER EXPERIENCE
INDIVIDUALS ENTERPRISE

Decentralized Identity: Why Blockchain and why now?
Blockchain enables scale and trust
̶ Users will create and manage identities
which are cryptographically generated – no
central registration authority
̶ This removes a failure point of centralized
issuers, and allows identity to scale at the
edges
̶ To establish trust and build new
connections, users can verify the identity of
a person, organization, or thing on the
public ledger
Blockchain provides privacy
̶ Zero knowledge proofs to only disclose the
information that is needed to be shared
Identity Owners
Edge Layer
(Device/App/Wallet)
Agent Layer
Distributed Ledger Layer

Open Standards Are the Foundation for Global Interoperability
• Open Source Blockchain Project for Fabric and
Indy - code base for Sovrin Trust Framework
• Designed for scale and optimized for identity
solutions
Open
• Standardizing protocols for communication
between encrypted systems
• Decentralized Key Management System
• Standards specification of verifying
and exchanging credentials
• Standardizing schemas and
operations for Decentralized
Identifiers (DIDs)
• Foundation of self-sovereign identity
providers
• Focus on identity registration, identity
hubs, and resolving of identifiers
• Non-profit foundation governing
network to achieve SSI
• Contributor of Indy codebase

Why Should Organizations Care?
• Simple Pass-wordless
authentication -remove
the complexity of
username and passwords
• Cohesive customer
experience across data
silos –provide a single user
experience across
decentralized data (e.g.
multiple government
agencies or cross) without
needing to move the data
Improve Digital
Experience
• Users are in control and
permission the exchange
of information
• Cryptography such as
zero-knowledge proofs
mean you are only exposed
to what you need to know
for your business reducing
liability risk of holding
excess data
• Helps meet regulatory
compliance such as GDPR
Data Regulatory
Compliance
• Governance frameworks
provide the business,
legal, and technical
structure required for new
decentralized business
models
• Create an own Domain
Specific (Private)
Governance framework
and create the right hybrid
balance of public and
private.
The “BLT” Sandwich

Case Study: Multi-source credentials to support new user reg.
Mobile Wallet
Driving License
Employment Credential
1. Obtain Identity Credentials 2. Provide Identity Proofs
Account Application
Global Decentralized Identity Network
• Verifiable Credentials from
trusted issuers stored in a
personal mobile wallet
• Decentralized Identifiers
(DIDs) for participants
• Zero-Knowledge Proofs to
disclose attributes while
preserving privacy
• Strong cryptographic
verification using a global
blockchain network

Thank you
Follow us on:
ibm.com/security
securityintelligence.com
ibm.com/security/community
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2019. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty
of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo,
and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service
names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and
outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including
for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing
improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational
procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your
enterprise immune from, the malicious or illegal conduct of any party.

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Recently uploaded

Recently uploaded (20)