CWIN17 London - How digital identity is fundamentally enabling business transformation - Andrew Critchley
Slide 2. © Capgemini 2017. All rights reserved | Digital Identity | Andrew Critchley | Nov 2017
Introduction: Capgemini CyberSecurity global practice
One team: more than 3,000 resources with cybersecurity skills (www.capgemini.com/cybersecurity)
Intelligent cybersecurity services. Our mission: we enable your digital transformation while keeping you secure.
100% services, but with a deep know-how of security products.
CyberSecurity: securing the digital world against cyber attacks and malicious internal behaviour.
Slide 3
Digital Identity
01 The Past: Where have we come from?
02 The Present: How are organisations addressing the management and exploitation of Digital Identity today?
03 The Future: Personal view: what is the future of Digital Identity?
Slide 4
The good old days of Digital Identity…
Slide 5
Moving on 15 years…
Directory Enablement, User Provisioning, SSO
"Identity and Access Management is the set of business processes, and a supporting infrastructure for the creation, maintenance, and use of digital identities." Burton Group, 2002
Slide 6
Today: Identity is "the new perimeter"
"IAM ensures that the right people get the right access to the right resources at the right time for the right reasons, enabling the right business outcomes." Gartner Group, 2016
Slide 7
Identity and Access Management Today
Slide 8
What business challenges are driving the need for effective IAM?
Business Enablement: Consumers are a click away from going elsewhere. A simplified user experience through effective use of identity is essential to keeping customers and growing the business.
Control: Security breaches are occurring at an alarming rate. In modern extended enterprises, identity and context are the only points of control that now remain.
Cost: Reduce the costs associated with the governance and management of user access, including the costs of running flexible underpinning IAM services.
Slide 9
Challenge #1. How to establish an effective IAM strategy?
Slide 10
IAM improvements must be integrated with existing IAM services
Existing IAM service areas: Centralized Identity Store, Self service, Role management, Compliance reporting, Automated provisioning, Identity lifecycle, Policy management, Authorization lifecycle, Risk management, Security, User experience, Review attestation, Single Sign On, Access management, Federation, Privileged accounts.
Slide 11
IAM needs to be aligned to Business Needs
[Embedded client status slide: December 2016, INN - IAM/IMLT, 15th Dec 2016]
Business Value Governance:
• Digital survey for continuous expression of business needs done: 33 face-to-face interviews, 11 interviews performed with the new online survey
• A communication will be sent to the business to provide feedback on their business needs
• In progress: set-up of the governance body
Stakeholder quotes:
<Name 1>, Project Leader: "We have ca. 700 subs of <og>, with systems disconnected from <og>; we must facilitate collaboration across the group."
<Name 2>, CTO/DTO: "We need to deliver business requirements quickly. A lot of needs cannot be given because of IT Security restrictions, so the business does look to 'go it alone' with cloud solutions."
<Name 4>, Head of ICT, <org> North America: "Time to get access to applications such as the HUB is the main priority. It currently takes one month between the creation of the employee in ADP and the actual access to the HUB."
<Name 5>, HO Customer & Selling Exp, <og>: "During a sales meeting a salesman cannot authenticate 3 times in a row to access his data (SSO is key): access shall be 'immediate'."
<Name 6>, CIO, <org subsid>: "Administration rights will have to be shared between central, divisional and local teams in order to allow agility."
<Name 3>, HO Customer Affairs Method & Tools: "For the salesmen, everything shall be available through mobile devices (smartphones, tablets)."
Slide 12
IAM Strategy needs to be supported by a fact-based approach to understand current issues and get traction
[Charts from an identity data analysis; figures recovered from the slide:]
• Missing attributes within System X identities: Email 14, UserID 12, Line Manager 86, Full Name 12
• System X enabled/disabled account counts: Enabled 4000, Disabled 868
• System Y accounts never used (never logged in): 144 in total, of which 39 disabled and 105 enabled
• System Y orphan matching: 567 and 1393 (chart segments; segment labels not recoverable)
• Overall summary ratings (scale 0.0 to 5.0), assessed rating vs Year 3 target, across the IAM, Identity, User, Role, Credentials, Authorisation, Authentication, IAG, Applications and Extended areas (full area labels truncated on the slide)
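The fact-based approach on this slide is a handful of counts over an identity data export: missing mandatory attributes, enabled versus disabled accounts, never-used accounts, and orphan matching of accounts against an authoritative source. The Python script below is an added example, not code from the deck or from Capgemini; it runs those four checks over a constructed account export and a constructed HR feed. "System X" is the slide's own placeholder system name; the record field names, the sample values, and the rule that an account is an orphan when its HR identifier matches no HR record are assumptions made for the example.

```python
"""Identity data quality checks of the kind summarised on slide 12.

Added example; the records are constructed sample data and the field
names (hr_id, user_id, line_manager, enabled, last_login) are assumptions.
"""
from collections import Counter
from datetime import date

# Constructed HR feed: the authoritative list of people who should hold accounts.
HR_IDENTITIES = [
    {"hr_id": "H001", "email": "a.adams@example.org", "line_manager": "H009"},
    {"hr_id": "H002", "email": "b.brown@example.org", "line_manager": ""},
    {"hr_id": "H003", "email": "c.clark@example.org", "line_manager": "H009"},
    {"hr_id": "H009", "email": "m.mgr@example.org", "line_manager": "H010"},
]

# Constructed account export from one target system ("System X" on the slide).
SYSTEM_X_ACCOUNTS = [
    {"user_id": "aadams", "hr_id": "H001", "email": "a.adams@example.org",
     "full_name": "A Adams", "line_manager": "H009", "enabled": True,
     "last_login": date(2017, 10, 2)},
    {"user_id": "bbrown", "hr_id": "H002", "email": "b.brown@example.org",
     "full_name": "B Brown", "line_manager": "", "enabled": True,
     "last_login": None},
    {"user_id": "cclark", "hr_id": "H003", "email": "",
     "full_name": "C Clark", "line_manager": "H009", "enabled": False,
     "last_login": date(2016, 1, 15)},
    {"user_id": "svc_old", "hr_id": "", "email": "",
     "full_name": "", "line_manager": "", "enabled": True,
     "last_login": None},
    {"user_id": "zzhou", "hr_id": "H777", "email": "z.zhou@example.org",
     "full_name": "Z Zhou", "line_manager": "H009", "enabled": True,
     "last_login": date(2017, 9, 30)},
]

# The four attributes the slide's "Missing Attributes" chart reports on.
REQUIRED_ATTRIBUTES = ("email", "user_id", "line_manager", "full_name")


def missing_attribute_counts(accounts, required=REQUIRED_ATTRIBUTES):
    """Per required attribute, count the accounts that leave it blank.
    Attributes that are never missing do not appear in the result."""
    counts = Counter()
    for acct in accounts:
        for attr in required:
            if not acct.get(attr):
                counts[attr] += 1
    return dict(counts)


def enabled_disabled_counts(accounts):
    """Enabled vs disabled account totals (the 'Enabled/Disabled' chart)."""
    enabled = sum(1 for a in accounts if a["enabled"])
    return {"enabled": enabled, "disabled": len(accounts) - enabled}


def never_logged_in(accounts):
    """Accounts with no recorded login, split by enabled/disabled state.
    An enabled account that has never been used is the one to act on first."""
    never = [a for a in accounts if a["last_login"] is None]
    enabled = sum(1 for a in never if a["enabled"])
    return {"total": len(never), "enabled": enabled, "disabled": len(never) - enabled}


def orphan_accounts(accounts, hr_identities):
    """Orphan matching: an account is matched when its hr_id exists in the HR
    feed and an orphan otherwise (blank hr_id counts as an orphan).
    Returns (matched_user_ids, orphan_user_ids) in export order."""
    known = {h["hr_id"] for h in hr_identities}
    matched = [a["user_id"] for a in accounts if a["hr_id"] in known]
    orphans = [a["user_id"] for a in accounts if a["hr_id"] not in known]
    return matched, orphans


def identity_quality_report(accounts, hr_identities):
    """Bundle the four checks into one report for a single system."""
    matched, orphans = orphan_accounts(accounts, hr_identities)
    return {
        "missing_attributes": missing_attribute_counts(accounts),
        "accounts": enabled_disabled_counts(accounts),
        "never_logged_in": never_logged_in(accounts),
        "orphans": {"matched": len(matched), "orphan": len(orphans),
                    "orphan_ids": orphans},
    }


if __name__ == "__main__":
    report = identity_quality_report(SYSTEM_X_ACCOUNTS, HR_IDENTITIES)
    for section, values in report.items():
        print(f"{section}: {values}")
```

On the constructed data the report shows two accounts missing an email address, two missing a line manager, two enabled accounts that have never logged in, and two orphans (a blank-hr_id service account and an account whose hr_id is unknown to HR); the same functions run unchanged over a real export once the field names are mapped.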
Slide 13
Example Business IAM Roadmap
[Roadmap chart: columns Year 1, Year 2, Year 3, Year 4+; swimlanes Customer & Partner Experience, Business User Experience, Management Information & Insight, Compliance & Control. Themes: from security silos, poor experience and cloud complexity to non-intrusive security, user empowerment and cloud control. Roadmap items, with lane and year placement not recoverable from the extraction:]
• 3rd party simplified login & self service
• Employee simplified login & self service
• Improved malware and spam protection
• Access anywhere from any device
• Customer login using social media
• Seamless & secure access for business partners
• Improved security awareness
• Secure & reliable connectivity
• Informed stakeholders through a cyber dashboard
• Cloud ready policy framework (CSRM)
• Engaged senior stakeholders through board level security briefing
• Monitored security through selected security metrics
• Enterprise app store
• Quick turnaround on user requests (i.e. new access request)
• Demonstrable security compliance (e.g. IAM compliance)
• Improved user compliance
• Unified security governance across identities
• Personalised services
Slide 14
A PHASED APPROACH TO EFFECTIVE IAM
IAM improvement will be based on conducting initial work to set up the organisation and drive value from existing assets and investment, then preparing for and eventually delivering major transformation.
Vision: Enable all types of users* simple and timely access to all (but only) the information they need to perform their roles, irrespective of the device, location or time of their access and the location of the service and data.
Phase 1, DEFINE & FIX (Year 1), delivering: a single IAM operating and ownership model, overseen by effective governance; tactical process and data improvements and initial integration of core IAM to key systems.
Phase 2, PLATFORM IMPROVEMENT (Year 2), delivering: improved IAM platform capabilities, particularly around the areas of Identity Governance and Administration, Access Management and Privileged Access Management, enabling the capability to tightly integrate initial key systems and more effectively manage 3rd party and privileged users.
Phase 3, TRANSFORM (Year 3 onwards), delivering: integration of an increasing number of business applications with the core IAM platform, providing a single and comprehensive view of system access across Unilever, and an improved user experience for end users (for example, increased single sign on (SSO) and more rapid provisioning of required resources).
Slide 15
IMPLEMENT EFFECTIVE IAM GOVERNANCE
Implement 3 layers of IAM Governance, as listed below, to drive and monitor IAM on a co-ordinated basis across the organisation: IAM Governance Boards, Design Governance and Information Security Governance.
Board ownership:
• CIO
• Information Security
• IAM Platform
IAM Strategy: Provides executive direction and sponsorship of IAM, ensuring IAM is aligned with and enabling strategic business goals.
IAM Steering Group: Responsible for agreeing business requirements and creating the IAM Strategy & Roadmap in consultation with all business functions. Drives IAM adoption.
Programme: Ensure all IAM projects are co-ordinated and delivering against objectives and KPIs.
Operational: Ensure IAM Platform tools and processes are working effectively, including IAM assurance.
Design Authority: Translate strategic and business requirements into technical reality.
Policy & Standards: Create, apply and review baseline IAM policies, standards and controls.
Slide 16
Challenge #2. How to successfully implement major IAM initiatives?
Slide 17
The #1 implementation mistake with IAM according to analysts:
Slide 18
The two ways to approach IAM…
Slide 19
Capgemini IAM Best Practice Implementation Approach
INSIGHT
• Where are we now? Understand process, technology and data environments: how identity data is stored and used (high level); process and systems inventories; access controls; identity data inventory
• Where do we want to be? Understand business drivers and the high level business case
• How do we get there? Prioritised activity areas
VISION
• Document IAM Vision: define strategic objectives, requirements and target state for effective IAM
• Establish Governance: approve the vision across the organisation and establish ownership
• Business Case: costs and benefits
• IAM Programme Charter: projected roadmap & organisation
PSPGs
• Policies: stand-alone identity policies across all identity areas
• Standards: define the standards that will be used (interoperability framework)
COMMUNICATE
• Review: wider audience agreement
• Communicate: communicate to a wide audience
• Verification: level of policy acceptance
DEVELOP ARCHITECTURE
• How identity data is created, stored and used (detailed + maintained); process redesign and systems inventories; roles models, access controls; identity data inventory
• Define the business, systems & technology components required (basis for product evaluation)
• How systems are to be built: reference architecture
IMPLEMENT
• Requirements Catalogue
• High Level Design, incl. product evaluation, POC
• Detailed Design, incl. service, technical and integration design
• Data Improvement
• Build, Test, Deployment
OPERATE
Slide 20
The industry is increasingly going agile… (Gartner 2016)
• Lead Architect: works with <customer> representatives to understand and develop solution requirements, epics and user stories and the design of the IAM Platform solution, and guides other team members
• Business Analyst: gathers and formulates requirements for the architect to produce the design
• Security Architect: produces security designs and documentation and works with security teams to take the solution through the process for security approval
• Technical Architect / Lead Developer: works with the lead architect to develop and deploy the IAM Platform solution
• IAM Developers x 3: assist the architects in deploying and configuring <IAM Product>, produce documentation and provide support; work with <customer> teams to develop API integration with <customer> systems and develop the UI for user authentication
• Scrum Master: owns and facilitates the Scrum process; experienced in Agile techniques
• Testing SME: develops and supports test automation using tools such as Selenium WebDriver
• Service Management SME: develops logging, auditing, monitoring and reporting functionality for the IAM Platform, using tools such as Grafana, Logstash, Kibana, Splunk
• Automated Provisioning SME: creates a build pipeline to enable release of new features on a regular basis, using tools such as Puppet, Docker, Packer, Vagrant or Terraform; deploys Infrastructure as Code using scripting, virtual machines and containerisation
Slide 21
Organisations are increasingly moving to IDaaS
What drives the move to the cloud?
1. Predictable Costs and Lower TCO: minimal up-front, upgrade, 3rd party licence and maintenance costs
2. Automatic Updates
3. Reliability: purpose-built data centres
4. Time to Value: delivery in weeks instead of months
5. Adoption: applications optimised for usability
6. Security: strong physical and virtual security
7. Compliance: compliance with industry, regulatory and country-specific laws and standards
8. Extensibility: standard use cases out of the box, ready for configuration to local policy
9. Scalability: virtual hosting allows capacity to scale up and down as required
10. Integration: standards-based architecture and APIs
IDaaS has superior RoI. Don't try to build your own IAM solutions: they are 29% more expensive than COTS IAM and 85% more expensive than cloud IAM. (Source: Forrester 2014)
[Chart: benefits for migrating to IDaaS; relative cost of Build your own vs COTS IAM vs IDaaS on a 0% to 100% scale, with IDaaS marked at 90%.] IDaaS cuts costs by 90% for operations and development personnel compared to on-site IAM. (Source: Forrester)
Organisations use Identity as a Service (IDaaS) for two main reasons: ease of deployment and cost savings.
Slide 22
Road Map of Identity Analysis Recommendations
[Roadmap chart; the numbered sequencing and the placement of steps against systems are not fully recoverable from the extraction.]
Systems shown: Active Directory, Kenexa, SAP, Ellipse, Office 365, LDAP, Identity Portal, System X, System Y, System Z.
Activities shown: IDaaS Go-Live; Integrate SSO/Provisioning (per system; one integration marked "Integrate ?"); Decom. LDAP; Identity Portal; Data Quality Checks; Standardised Department Naming; Migrate User Structure; Migrate to Email Based UserID; Fix Missing Line Managers; Create Application Roles; Fix Orphan Accounts (repeated per system); Migrate to SW Email Addresses; Phase 3 Start / Phase 3 End; Identity Data Management.
Dependencies* (numbered in the chart): IDaaS integration with Active Directory; Criteria for Identity Data Validation; Point 6 & Integration with IDaaS for Provisioning; SAP integration with IDaaS; UserID, Email & Line Manager as pre-reg; IDaaS Go-Live and AD pre-reg's; Mandatory Change Requirement prior to Orphan Account Fix.
*dependencies for each application are shown in sequential order
Beware: Implementing IDaaS (properly) can take 2 years or more…
Slide 23
Challenge #3. How to manage and exploit IAM on an ongoing basis
Slide 24
IMPLEMENT AN IAM TARGET OPERATING MODEL
Implement new roles and responsibilities to drive the improvement and adoption of IAM across the organisation.
[Operating model matrix; columns Requirements, Design, Implement, Operate, Assure; each cell marked Existing, New or Partial (the markings are not recoverable from the extraction).]
Stakeholder rows: Change & Communications; Information Security; Enterprise Architecture; IDAM Platform; Geo IT; Application Platforms; Audit & Compliance; Service Desk.
Responsibilities shown: IAM Strategy; Controls & Policy Design; Controls & Policy Enforcement; Security Operations; Enterprise Architecture Patterns, Tech Selection & Design; IAM Requirements; KPIs, BI; IAM User Requirements; IAM Application Requirements; IAM Audit Requirements; IAM Service Requirements; IDAM Platform Run; Application IAM Adoption; Audit & Compliance Actions; User Service Desk Actions; Application IAM Adoption Architecture Requirements; IAM Adoption & Benefits Case; IAM User Administration; IAM Advisory; Audit IAM Projects; User Access Management; IAM Programme & Roadmap; User Experience; IDAM Platform Design; Platform Projects; Adoption Projects.
Slide 25
Capgemini IDaaS redefines IDaaS to be IAM orchestration…
IAM Orchestration Service, by layer:
• Consulting Layer: IAM FastTrack Insight; modelling, visioning, architecture, POC. Enables the move to IDaaS. Advisory consulting capability to enable organisations to justify and plan the move to IDaaS.
• Cloud Business Enablement Layer: preconfigured policies, processes, workflows, application integrations etc. Derive business value from IAM. Professional Services capability to design, build, deploy and manage the use cases on top of the core IAM services; the majority of effort is here.
• Application Layer: Identity Intelligence, Identity Admin, Full-Featured IDaaS, Shrink-Wrapped IDaaS, Access Management, Privileged Identity Management, Identity Storage. Capgemini resell, build, integrate, manage and support the full set of IAM and IDaaS services as required to provide the core functionality of IAM to meet business requirements.
• Integration Platform Layer: integration flows, API management, deployment, testing, security, service management, analytics, logging, monitoring, reporting. DevOps and supporting technologies and agile processes underpinning IAM services, e.g. Capgemini Enterprise iPaaS.
• Capgemini Hosting Layer: on-prem or flexible infrastructure hosting.
• IDaaS Service Layer: allows all layers to be provided as-a-service, and includes L2: 24x7 operational support of the application layer; L3: release packaging, development and support; L4: vendors; L5: professional services; service management: requests, incident management, billing etc.
Slide 26
The Future of Digital Identity
“I never make predictions and I never will”: Paul Gascoigne
Slide 27
Trust
With Digital Transformation, everything and everyone becomes connected: (© Kuppinger Cole 2016)
Slide 28
Privacy
"The chief principle of a well-regulated police state is this: That each person shall be at all times and places…recognised as this or that particular person" Johann Gottlieb Fichte (1796)
Slide 29
Personalisation
Slide 30
Continuous Security and Risk Mitigation
Illustrative Customer Journey (stages: Register or Login; Navigate, Browse or Search; Place Order and Complete Transaction; Confirm Order; Fulfil Order)
1. Curious Claire downloads a retailer's app and registers using her Facebook credentials, giving the retailer access to her basic Facebook profile.
2. Meaningful data such as products viewed, number of clicks and time spent are captured about Claire's shopping experience. This data can be combined with other sources to build a richer profile of Claire.
3. Claire selects a number of products and checks out. As her shopping is more than £100, she is directed to 'swipe' via the app to confirm the transaction.
4. A confirmation of Claire's order or transaction is displayed on screen, and she also receives an email or text message confirming her order.
5. Claire's order is fulfilled as per her order. She has easy access to change her preferences and privacy settings.
Slide 31
A new definition of Digital Identity?
The Past: "Identity and Access Management is the set of business processes, and a supporting infrastructure for the creation, maintenance, and use of digital identities." Burton Group, 2002
The Present: "IAM ensures that the right people get the right access to the right resources at the right time for the right reasons, enabling the right business outcomes." Gartner Group, 2016
The Future?: "Digital Identity provides the secure framework for simple, trusted connectivity between people, services, data and things"
Slide 32
In conclusion
Editor's Notes
There are 3 main business challenges that modern IAM is trying to address. Traditionally IAM was considered to focus particularly on:
1. Control: Identity is the main point of control that organisations still have over information in a world where users own the clients and outsourcers own the servers. This includes risk and compliance.
2. Cost: Unlike many other areas of CyberSecurity, IAM can provide positive ROI benefits in terms of process improvement. But of course, administration and operation costs around IAM can be high, and IAM projects costly.
3. Business Enablement: Now, increasingly, a third business challenge is coming to the fore as the biggest driver for IAM, especially in the customer space, where IAM enables customers to engage securely and simply with your organisation. IAM also enables organisations to move to new ways of working, e.g. mobility and the move to the cloud.
Every organisation already has a large IAM investment; you can't really start again.
The impact of taking the IT-led approach is shown by the yellow line on the slide: it takes longer and ends up with more rework. The real work with IAM is all around defining policies and improving processes, the blue line. The better planning direction is not to get into product selection too quickly, but to focus on the real work up front.
In Capgemini, we have a business-led approach to IAM. Lots of organisations just want to focus on the bottom left of the diagram: selecting a product and implementing an IT solution. But actually so much of the work is around the rest of the diagram: establishing and agreeing a vision, developing business, systems and data architecture, policy and process design. This is the way that organisations should be implementing IAM: a business-led approach.
Anyone familiar with architecture frameworks like TOGAF will recognise the approach here: going through various iterations, each time in more detail. In a green field organisation you would go clockwise from left to right. In most organisations, all these activities are going on at once, so it is useful to understand which activities are actually at what stage, and what is required for any particular activity to be successful. The trick in a more agile organisation is also to be getting business benefits at all stages, and not in 12 months' time, and to go faster around this loop by reuse and focus. This is what we achieve in our IAM FastTrack approach.
So why and how are organisations implementing IAM systems? We are seeing organisations increasingly moving away from self-build to IDaaS as a model for delivery of IAM: currently around 20% of IAM deployments are IDaaS, and growing rapidly. There are many reasons that organisations are starting to move to IDaaS solutions, but the main two reasons are currently ease of deployment and cost savings. This is IDaaS level 1.
[Source: SAP Top 10 reasons to move to the cloud, https://www.kpit.com/SAPCMS/outputHcmcloud/downloads/kpit-top-10-reasons-to-move-to-the-cloud-sf-100114.pdf]