Digital transformation brings several challenges on how identity and access management (IAM) is handled. People expect seamless experiences when dealing with a digital business. Digital business use several systems, each having different identities. But users still expect to use the entire system using the same identity. In addition, with the widespread adaptation of social networks, users expect to access these systems using their social identities. The more systems you integrate with using a single identity, the weaker your security becomes, making the demand for multi-factor authentication and authorization higher. This shows that IAM is not an option but a necessity when digitally transforming your business. In this session, we will discuss the concerns of IAM that we have had to deal with when preparing for digital transformation, and why they are important considerations.

1. Identity and Access Management in the
Era of Digital Transformation
Selvaratnam Uthaiyashankar
VP – Engineering
WSO2

2. Identity and Digital Business
• Identity is at the heart of
Digital Business
Image source: http://coranet.com/images/network-security.png

3. Identity Centric
• Digital Business is all about “User”
– How do we know who is accessing
– Things user can access or do
– User’s preferences
– Rules User has to adhere
– Relationship with other entities

4. Proper identity enforcement is essential for
customer experience, security, privacy

5. Authentication
• Direct Authentication
– Basic Authentication
– Digest Authentication
– TLS Mutual Authentication
Service Providers
Authentication
Service Consumption
Image Source : http://www.densodynamics.com/wp-content/uploads/2016/01/gandalf.jpg

6. Digital business requires seamless integration of
various systems…

7. Identity Challenges When Integrating Multiple Systems
• Different username, password (credential) for different
systems
– Preferred username is already taken
– Using same username/password might become a security risk
• Too many username, password
• Loosing possible collaborations between applications

8. Authentication
• Brokered Authentication
– SAML
– OAuth : SAML2/JWT grant type
– OpenID
– OpenID Connect
• Single Sign-On
Service Providers
Service Providers
Service Providers
Identity Provider
Service Providers
Authentication
Service Consumption
Trust
Image source: http://savepic.ru/6463149.gif

9. Users Might Want to Use Their Social Identities
• BYOID

10. Users Might Want to Use Their Enterprise Identity
• Trust between different Identity Domains
• Identity Federation
Service Providers
Service Providers
Service Providers
Identity Provider B
Service Providers
Authentication
Service Consumption
Trust
Identity Provider A Trust

11. Multi-option Authentication

12. Identity Bus

13. Identity links all the systems. You just increased the
risk of attack on your identity…

14. Often, weak link is poor user credential
https://www.infosecurity-magazine.com/news/compromised-credentials-quarter/

15. Multi Factor Authentication
• What you know
• What you have
• What you are
Image source: http://it.miami.edu/_assets/images/multifactor1.png

16. Adaptive Authentication
• Ability to change authentication options based on the context
https://3c1703fe8d.site.internapcdn.net/newman/gfx/news/hires/2013/howdochamele.jpg

17. Provisioning Users
• Self Service
– Complete user management
– User Portal
• Approvals and Workflows
• Just In Time Provisioning
http://blog.genesys.com/wp-content/uploads/2014/07/Road-Sign-Self-Service.jpg

18. Provisioning Users in Multiple Systems

19. Access Control
• Principle of least privilege
• Role based access control
• Attribute based access
control
• Fine-grained access control
with XACML
http://findbiometrics.com/assets/iStock_Access-300x225.jpg

20. Auditing User Activities
• You might not know who will access
your system (BYOID)
• Full Audit on user activities are
important
– Specially on User Management, Admin
operations
– Who, What, From Where, When, How
• Accountability, Reconstruction, Problem
Detection, Intrusion Detection
http://cdn.gocertify.com/images/Auditing%20team%20going%20over%20report.jpg

21. Analytics
• Understanding user behavior
• Predicting future needs
• Fraud detection
http://www.labrechedigital.com/images/analytics.png

22. API Security
• APIs are powering the Digital Business
• Ability to secure the API (OAuth)
• Identity delegation
https://edinversity.files.wordpress.com/2013/07/handing-over-car-keys.jpg

23. IoT is an Essential Element in Digital Business
• Identity Include “Things”
• Securing your IoT devices is a must
• Consider scalability of your IAM System
https://media.licdn.com/mpr/mpr/shrinknp_400_400/AAEAAQAAAAAAAAWRAAAAJDkwODMwYzIyLTA5MzktNDAwZi05ZmI4LWJkYT
AyM2U4MDBlNQ.jpg

24. Perimeter of Your Digital Business will Increase
• Data is in cloud, mobile devices
• Borders across systems don’t work anymore
• Your Attack Surface increases
– you can’t remove unused features in the cloud services
• Security by obscurity doesn’t work anymore
• Expect hacking, DoS attacks, phishing attack
• Controlling access, monitoring, analyzing and predicting attacks
are the way forward

25. Bridging Cloud and Internal Systems
• Connectors to bridge Cloud Systems
and Internal Systems
– Might not be able to open ports for
outside world
http://www.stratoscale.com/wp-content/uploads/gap-1080x1080.jpg

26. Digital Business Requires Agility
• Should be able to connect new systems
easily
• Frequent changes to external system
• Future Proof
• Needs some Identity Mediation
Concepts
http://s3-us-west-2.amazonaws.com/abacus-blog/wp-content/uploads/2015/10/dog-agility.png

27. Digital Business Encourages Innovation
• Often, security strategy is viewed as restrictive for Innovation
– Specially, when involving with public services, APIs
• Security should be transparent to the user for better user
experience
https://www.gatesnotes.com/~/media/Images/Articles/About-Bill-Gates/Accelerating-Innovation/innovation_2016_article
_1200px_v1.jpg

28. Digital Transformation Requires Cultural Changes
• More and more, business units
are in control rather than IT and
security teams
– Yet you need to know who is
accessing, what they are
accessing, etc.
• Understanding this cultural shift
will reduce frustrations
http://www.leehopkins.net/wp-content/uploads/2010/11/iStock_000010822711XSmall_thumb.jpg

29. WSO2 Identity Server

31. http://cdn.ttgtmedia.com/rms/security/Gartner2014_ASA.jpg

32. Thank You!