Pamela Dingle, Technical Director, Ping Identity Applying concepts of identity and access to real world business situations is really just a case of knowing where one's towel is. Once you have a working, accurate identity lifecycle, and the tools to leverage that lifecycle across business domains, the last thing to do is to apply those tools to the problems at hand. Pamela Dingle will walk you through real world use cases and discuss how everything works together, so that your organization can do its very best to figure out the right questions to ask for success (of course we already know the answer is 42).

1. Copyright ©2013 Ping Identity Corporation. All rights reserved.1
The
How to Apply Identity Concepts to
the Business
P. Dingle
Ping Identity, CIS 2013

2. Copyright ©2013 Ping Identity Corporation. All rights reserved.2
• f
Hammers are Fun – but what’s the Construction Project?

3. Copyright ©2013 Ping Identity Corporation. All rights reserved.3
Risks must be
identified and
mitigated
The NAILS of Business: RISK and ENABLEMENT
http://www.flickr.com/photos/nicolopaternoster/3933549608
When risk is understood
and measured, it does not
have to hold you back
http://www.flickr.com/photos/boogieswithfish/5173834794/

4. Copyright ©2013 Ping Identity Corporation. All rights reserved.4
• How does the business run today?
– Where are the inefficiencies
– Where is the danger
• How can the risk be mitigated?
• What can success enable?
• What are common solution architectures?
• How do you know when you’re done?
DIY: Explaining & Measuring Identity & Access Risk
http://www.flickr.com/photos/hadesigns/3223831119

5. Copyright ©2013 Ping Identity Corporation. All rights reserved.5
• Every application is written to run as an island
– User Account Store
– Login Page
– Password Recovery Mechanism
– Administration Console
Basic Challenges: Application Isolation
http://www.flickr.com/photos/sussetuss77/8582289800

6. Copyright ©2013 Ping Identity Corporation. All rights reserved.6
• Management Inefficiency becomes Security Risk
– 1000 Applications require 1000 Administrators to get the
memo about Fred changing roles
• How long does it take to change Fred’s access?
• How many applications are missed or never know?
• Data Divergence
– How many admins update Janice’s surname when she gets
married?
• How many help desk calls does she have to make?
• What if the data that is obsolete is her job role?
• What happens if the corporate username standard is first-intial-last-
name?
• Disgruntled Employees are a serious risk
– When Fred gets fired, can you protect your assets?
• Cloud assets are at greatest risk
• Inefficient administrative process can cost millions
Risks of Application Silos

7. Copyright ©2013 Ping Identity Corporation. All rights reserved.7
• Every application has a
different security regime
– Separately emulating policies
around passwords, data
retention, roles, minimal
disclosure in a thousand
applications is a non-starter
• Lifetime Employee Problem
– How many incorrect
permissions does an
employee have if he’s
perfomed multiple jobs at the
company?
• How can you expect staff to
consistently adhere to
policy if you can’t
consistently apply it?
Basic Challenges: Inconsistent Policy & Interaction
http://www.flickr.com/photos/kaiban/4351734363

8. Copyright ©2013 Ping Identity Corporation. All rights reserved.8
• Users who can bypass policy could:
– Be phished
– Practice poor security hygiene
– Breach separation of duty rules
– Access unapproved applications
– Get really ticked off because they never understand
how to comply
• Businesses who can’t judge policy:
– Can’t see what is happening
– Must blindly trust that execution matches expectation
– Cannot prove anything
Risk: Inadvertent Breach of Security Policies

9. Copyright ©2013 Ping Identity Corporation. All rights reserved.9
• Shadow IT
– The cost boundary for software has been
compromised
– Monthly subscriptions can fly under the wire
– IT may never know that applications are in use
• Orphaned Accounts
– Admin gets fired
– Group stops using tool
• Password Abuse
– Cloud app hacked
– Corporate creds stolen
Challenges: Cloud Applications
http://www.flickr.com/photos/pinksherbet/179279964

10. Copyright ©2013 Ping Identity Corporation. All rights reserved.10
• Loss of Visibility
– IT no longer knows what apps are in use
• Loss of Control
– User may start in the cloud and end in the cloud
– Relationship is between cloud application and
user
– Business doesn’t control policy, session, or logs
Risks: Cloud Applications

11. Copyright ©2013 Ping Identity Corporation. All rights reserved.11
• Hardware you might not own or control
• Personal data and Private data colocated
• Much easier object to steal or lose
• Difficulty in typing credentials on tiny
keyboards
• Huge expanding set of connections
– Multiple applications on thousands of devices
• APIs may represent all new application silow
Challenges: Mobile
http://www.flickr.com/photos/32245753@N07/3333572689
• Developers may want to
do their own thing
• You can’t get web working
and forget about services

12. Copyright ©2013 Ping Identity Corporation. All rights reserved.12
• Industry best practice in Enterprise
has been to build a set of services
to abstract the management of
identities and coarse grained
access away from applications
– Central infrastructure, managed by IT
– One (or very few) single source(s) of
truth for User Presence in the
organization
– One place to set and enforce policies
• Result: INTERCONNECTIVITY
– Apps need to trust infrastructure
– Vendors/developers need to help
An Answer: 42 Identity/Access Management
http://www.flickr.com/photos/23881436@N05/2853260749

13. Copyright ©2013 Ping Identity Corporation. All rights reserved.13
• [meta]Directories
• Provisioning Solutions
– Automation of account
lifecycle
• Web Access
Management Solutions
• Federation Solutions
• SIEM, multifactor
• Workflow
Common Solutions to Identity and Access Risk?

14. Copyright ©2013 Ping Identity Corporation. All rights reserved.14
The Question: Integration Answer: Standards!

15. Copyright ©2013 Ping Identity Corporation. All rights reserved.15
• Backend Synchronization
– Push identity data directly into databases
– Great inside the Enterprise, impossible in the clouds
• Proprietary Protection schemes
• Standards-based interaction
– Use standardized interfaces to pass data in
auditable ways
• APIs
• Protocols
Options for Identity Architects

16. Copyright ©2013 Ping Identity Corporation. All rights reserved.16
• Sometimes it’s better to
link constellations of
apps instead of directly
connect to apps
– Often you find groups of
apps that already have
SSO enabled
Good Business: Interfederation not Refederation

17. Copyright ©2013 Ping Identity Corporation. All rights reserved.17
• Users know what to expect
– Consistent ceremony
• Lifecycle can be explained by
your superiors
• App access on Day One
• Zero day de-provisioning
• Lifetime employees lose access
when they change jobs
• Execs comfortable attesting
• The D can by BYO’d
Signs of Success --- AKA proving ROI
http://www.flickr.com/photos/geckoam/2723280142

18. Copyright ©2013 Ping Identity Corporation. All rights reserved.18
• Pamela Dingle: @pamelarosiedee
– http://eternallyoptimistic.com
• Nishant Kaushik: @NishantK
– http://blog.talkingidentity.com
• Dale Olds: @daleolds
– http://virtualsoul.org
Thank You!