
Managing IAM in Uncertain Times



Managing IAM in Uncertain Times begins with an overview of the challenges that IT organizations face with their legacy and enterprise IAM initiatives. Transformation of IAM must begin with transformation of the IT leader who drives the program. Building bridges for identity and access management helps drive digital business and improve user experiences. IAM leaders must be focused on changing professional and organizational behaviors in order to drive the next generation of IAM and GRC within the company.

Published in: Internet


  1. Managing IAM in Uncertain Times. April 30th, 2015. Steve Tout (@stevetout)
  2. Virtual Identity – Extending and Managing IAM From Enterprise To The Cloud • Part analyst, developer, investor, instigator of disruptive opportunities and introvert • 15+ years in enterprise IAM: VMware, Oracle, US Bank, AT&T Wireless • Advisor to high tech startups • Author at Elsevier Syngress
  3. Agenda • Enterprise IAM is in a bit of a pickle • What role will you play in fixing the mess? • Bridging the divide between on-prem and cloud
  4. During a recent password audit, it was found that an employee was using the following password: MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento. "Why such a long password?" someone asked. The employee replied, "I was told that it had to be at least 8 characters long and include at least one capital."
  5. Insider Threat Employee
  6. What do companies have today? • A hodgepodge of identity provisioning systems and processes • End-of-life systems that need to be retired • Provisioning that is embedded into applications • Dependency on expensive legacy SOA frameworks • Lack of a uniform and efficient way to audit provisioning systems • Inconsistent policy enforcement across a disparate provisioning landscape
  7. “58% of information security incidents are attributed to insider threat. Even where there is a policy…it probably covers around only 20% of the things that it needs to cover.” Infosecurity - 58% Information Security Incidents Attributed to Insider Threat. Available at: security-incidents-attributed-to-insider-threat-
  8. Economic Impact of a Data Breach

     | Data Breach | Economic Impact | Source |
     | --- | --- | --- |
     | Target | $148M in Q2 of 2014 | eWeek News Article and reported in the company’s 10-Q filing |
     | Home Depot | $28M in Q3 of 2014 | eWeek News Article and reported in the company’s 10-Q filing |
     | Average cost of a data breach in the US | $5.85M in 2014 up from $5.4M in 2013 | Ponemon Institute 2014 Cost of Data Breach Study: Global Analysis |
  9. Customer Journey - The effects of IAM transformation. Journey map labels: Try, Purchase, Use, Engage; Acting, Doing, Thinking, Feeling, Overall. • Downloading trial software • Register contact profile • Activate account with 2-Step registration • Online checkout • Contact Sales • Click to chat • Buy more licenses • Activate a new service subscription • Become an enterprise customer • Install & register software • Manage On-prem to cloud • Migrate AD to cloud/SaaS portal • Delegate administration • Promote user to Admin role • Register for Support Forums • Contact Support • Register for Conference • Become a partner • Do I have to register to download this? • Does my login ID from 2 years ago still work? • Does my cloud login work for this? • Is this a global ID? • Do I login in order to obtain a license or activate my subscription? • Will tenant cloud know who I am or do I have to register again? • How will I sync or migrate my users to tenant cloud? • Do I use my local account or my enterprise credentials to login to cloud? • How will I login to tenant cloud? • How can I assign access to others within my organization? • Can I audit who has access to my tenant? • Does my enterprise login ID work for support? • Do I have to register a new account for conference attendance? • How do I access my Partner content? • Consistent messaging & UI and central Login builds confidence and trust • Enterprise respected my privacy and did not ask for too much information • My authentication experience is the same now as it was during Trial Eval • I have visibility into new products and services that my identity is allowed to see and purchase • Happy that Enterprise recognizes my global ID and credentials across all of its products and services • Enterprise provides me with the tools I need to monitor and manage my users • Excited that the enterprise really knows me and correctly identifies me in every context of interaction • I will recommend to my colleagues based on my experiences • Confidence • Helpfulness • Confidence • Helpfulness • Confidence • Helpfulness • Confidence • Helpfulness
  10. Economic Impact on User Productivity. IAM is a key foundational program to begin addressing user productivity enhancements.

      | KPI Description | Pre Transformation | Post Transformation | Impact |
      | --- | --- | --- | --- |
      | Total time spent logging into various enterprise applications each day | 30 seconds | 10 seconds | Reduce time spent on login by 66% |
      | Total time spent logging into various applications per year (using 230 working days) | 115 hours | 38 hours | Reduce time spent on login by 77 hours annually per user |
      | Average hourly rate | $75/hr | $75/hr | |
      | Number of users affected | 16000 | 16000 | |

      ($75 x 39 hours) x 16000 employees = $92.5M redirected through productivity enhancements alone
  11. “Your personal philosophy is the greatest determining factor in how your life works out.” – Jim Rohn
  12. Transform yourself • You are in the idea business • But you have to get crystal clear on your purpose and mission • So what are the three key themes that matter the most? • You must integrate thinking and doing • Don’t go without getting supporters behind you
  13. Managing IAM in Uncertain Times: 1. Integrate with GRC 2. Create organizational alignment 3. Evolve the architecture 4. Rethink the platform 5. Renew operational focus
  14. What is your IAM scorecard? • Are you comfortable with data tampering or a customer/employee data breach due to compliant solutions not being consistently applied across the organization? • Are you comfortable with a disgruntled employee who has recently been terminated exploiting known vulnerabilities in our data and services without your knowledge? • Are you comfortable with the knowledge that security audits and dashboard reporting systems could have incomplete data, giving false confidence? • Are you comfortable with not knowing about partner/employee data being breached at SFDC and finding out about it days later? • With programs like PRISM undermining SaaS and CSPs on practically a daily basis, are you comfortable entrusting Salesforce as the system-of-record for identity & authentication data for more than 400M partner users? • Are you comfortable with knowing that policy audit and lifecycle management practices are not being followed? • Are you comfortable with the knowledge that there are inadequate and vulnerable authorization models in place as more of our compute goes to SaaS and Mobile platforms? • Are you comfortable with developers and admins being able to access production outside of the authorized window, or with network admins or security engineers sniffing traffic unnoticed?
  15. IAM 2.0: Visibility, Superior Security, Efficiency, Scalability • “Being able to act means we have an efficient method for event processing and management.” • “The speed to detect events in real time for security must be complemented by the scale, correlation capabilities and long term data retention requirements for compliance purposes.” • “Dynamic and agile controls can exist across a diverse set of protective layers and capabilities and can make these existing investments even more effective.” Amit Yoran, SVP @ RSA, Big Data Transforms Security (YouTube)
  16. Spheres of Influence
  17. A Basic Roadmap • Scale: Performance optimization; Multi-tenant scale & management (e.g. SDLC instances); Elastic management • Cloud: Identity bridge for SaaS; Identity provider for IaaS/PaaS (e.g. vCHS, SFDC); Hybrid cloud management • Mobile: Mobile REST SDK; Mobile enterprise (BYOD, MDM, MAM, and EMM); Mobile IAM toolkit (SDK, Gateway) • Standards & API Governance: Common frameworks & reusable code libraries; SAML, SCIM, OAuth and OpenID Connect; Common STS; Cloud AuthZ
  18. Technology Focused IAM Architecture
  19. GRC Driven IAM Architecture
  20. Renew Operational Focus • Guidance on end-to-end SSO scenarios such as enterprise to cloud, cloud to enterprise, cloud to cloud, mobile enterprise and how to support the use cases • Guidance about how authentication, authorization, account provisioning and governance work in the web services world • Governance, analytics and audit for user/partner/employee identity and entitlements across on-prem, SaaS and mobile applications for privacy assurance and risk management • Guidance and support for leveraging CMDB and ITSM for managing IAM in a hybrid cloud environment for operational efficiency and scale • Integration of IAM and GRC systems to improve user/role management, enable real-time risk and audit capabilities for threat and compliance management and prevent APTs
  21. “New school” cyber defenses & partnerships • Protecting the enterprise cloud • Automating incident management & remediation • Managed service for cloud security automation • Real time continuous threat protection • Automating access governance, identity intelligence & compliance • Virtualizing identity for a correlated global view of users and their entitlements
  22. “Dreaming about the future can be a delightful way to spend time. As an architect, in fact, it is absolutely essential to have the ingenuity and imagination to create new things, to think well enough into the future and to maintain a rather complex calculus for how the IAM landscape needs to evolve to support business goals and achieve predictable results. An architect who fails to do that, and who rather falls back into his or her former role as a superhero to development or operations, is not doing architecture. Taking into account one’s core competencies as an architect, the success of the IAM architecture – and to some extent the IAM program – depends a lot on the skills and qualities that the IT leader who drives it possesses.”
  23. Questions?