Customer identity and access management (CIAM) is a high-priority imperative in the age of the customer. If your customers can’t register or log in for service, and can’t conduct transactions in an easily usable manner, it really doesn’t much matter how your website, mobile app, or phone channel is architected; they may move on to your competition. In this webinar, learn how customer experience influences IAM and security and what actions you can take to meet both sets of goals.
48. NEW PARADIGM IN SECURITY
Legacy Security Model – single-point access to applications within the firewall
– Proprietary
– On-premise
– Web only
– Single domain
Next-Gen Identity Model – cloud, social, mobile & data drive a new approach
– Open standards
– Hybrid, datacenter and cloud
– Web, API and mobile
– Federated by default
Traditional Identity Management not Working: 76% of Network Intrusions Exploited Weak or Stolen Passwords (1)
(1) Verizon Data Breach Investigations Report 2013
52. IDENTITY WEAKNESSES EXPLOITED
Breach figures shown on the slide: ~110M accounts jeopardized; ~5M usernames & phone numbers stolen; ~7M passwords stolen; ~250K passwords stolen; ~38M usernames & passwords stolen; ~318K accounts hacked; ~50M usernames & passwords stolen; ~50M user accounts compromised.
– 2013 was the most historic year for cyber attacks
– Several prominent brands experienced high profile data breaches
– Hundreds of millions of usernames, passwords and accounts were jeopardized
– Stolen social media credentials fetch more than credit card numbers on cybercrime black markets
53. Ping Identity – Ushering in the New Era of Identity
– Secures access to any app, on any device, from any location
– Enterprise grade
– Flexible hybrid deployment
– Committed to open standards: web, mobile, and API
– Simple to advanced use-case support in a single platform
CENTRALIZE CONTROL
60. Security for APIs
APIs FOR IDENTITY (not identity-enabled APIs)
– User Authentication API
– User Management API
61. FUNDAMENTAL TENETS TO SCALE
• No more passwords
• Automate as much as possible
– Eliminate IT Administrative overhead
– Application registration is dynamic
• Ease of use
– Effortless self service
– Developer-friendly
– IT-friendly
– User-friendly
64. WHAT IS ACTIONABLE?
• Apps and devices need a modern identity protocol stack
– Starts with OAuth 2.0, OpenID Connect and SCIM
• No more passwords
– Federated access by default
• Ease of use means automate everything
– Or enable self-service as a backup
Image source: Flickr (http://www.flickr.com/) | CC BY 2.0 | https://www.flickr.com/photos/ladydragonflyherworld/8437959241
Integral to public/private clouds
Device computing is connecting everything
Protecting from unauthorized access is no longer enough
Enabling services across desktop, mobile, and APIs is essential
Identity is an integral part of public and private cloud services.
In recent years we have seen the emergence of a new reality in people and device computing, everything is connected. From power grids to smartphones, everything is connected to the internet and as a result everything is exposed to security breach.
But effective identity and access management is not just about protecting things from unauthorized access, and that is what we are here to talk about today.
Identity and access management is about enabling services for legitimate purpose, and bringing together a portfolio of services to support business outcomes like customer retention, cross selling of services, and customer satisfaction.
As the collision of the cloud-mobile-social-API economy grows to its inevitable conclusion, we are facing a massive explosion of internet endpoints, and a desperate future problem of securing and coordinating them.
How does this begin to play out from a security perspective and how can an identity layer enable a simpler, more secure, and more fluid experience that matches the way your customers engage with you today? One of the main challenges we face in connecting with customers (as well as partners and applications) today is lack of portable, automated, discoverable and scalable identity management.
Today we’ll talk at a high level about how a next-generation identity and access management layer encompassing the identity of:
people and things
passive analytics
active feedback
and automated connections to partners, customers, and apps underlies
We’re still in a bespoke era
Endpoints are known, services highly structured
Social logins and “profile free” access is the new norm
Today we are at the “craftsman” stage of identity. Carefully constructed connections allow a small number of endpoints and users to be secured.
Identity today is still in the craftsman stage where carefully constructed connections against known endpoints are secured around known uses.
This is evolving quickly, in no small part due to the proliferation of social networks, and as a result the experience that your customers expect is shifting. Creating and managing a profile has given way to using a social login that provides the basics for establishing service. Your customers expect you to deliver increasingly personalized services to them based on who they are, their customer history, and inferred preferences.
Think about your own behavior interacting with ecommerce sites, your bank, subscription services, and much more. We expect more from merchants, banks, our insurance company… we expect more without wanting to give more.
And it’s only going to get more demanding
Recent Experian study stated the #1 reason for negative brand perceptions is bad customer experience, #3 is data breach
Today we think of many customer access points – most fairly straightforward, albeit potentially out of the brand’s sphere of control – a web portal, a mobile app, a partner site or application, a social channel or coupon site. These already pose a challenge in terms of “knowing” the customer from an identity perspective. But consider the environment consumers will live in over the next 5-10 years – an explosion of connected devices and endpoints – and the impact those will have on how customers interact with your brand.
Identity is the new security perimeter
Services are dynamically provisioned according to user attributes
Authentication is continuous and highly intelligent
The future is exponential growth of users: not just customers, but partners, and the extended workforce – all connecting to an ever-expanding universe of endpoints (applications, services, devices)
What’s pretty daunting to think about is that just at the point where customer expectations are rising, the challenges presented by mobility, device proliferation, and diversity of application services means that this is not an incremental layering of new security technology.
Legacy approaches to security make the firewall the security perimeter; we propose that the identity itself, whether of employees, your business partners or your customers, is the new security perimeter.
Legacy solutions are ill-suited for new challenges
Architectural limitations that arise from managing sessions and tokens in a world where:
Access isn’t just about web apps any more
Applications aren’t just inside the firewall anymore
Customers’ identities don’t live in a central location
Customer access points can’t be controlled
The next generation of identity solutions solve for the security and control needed in today’s cloud-connected and mobile world
Addresses all identity types (employees, customers, and partners) across all channels (web, mobile, and API)
Encompasses every company resource (internal, private, or public cloud), from any device (desktop, tablet or mobile), in any location (inside or outside the network)
Differs from legacy IAM solutions in that it is built from the ground up to break from siloed architectures
Federated by default, built on open standards, and offers the widest array of deployment options (100% cloud, 100% data center, or hybrid environments)
Replacing legacy stacks for enterprises shifting emphasis towards cloud and mobile platforms, while delivering mission critical security cloud-only start-ups cannot provide.
The reason we are here today is because consumers are changing
The way they buy is more complex
Their relationship with your brand hinges on how well you meet their increased expectations
And how easy you make it for them
Your customers’ digital world is exploding. The number of connected devices they touch in a given day continues to drastically increase. Not long ago, a generation of interconnected devices emerged – each with their own IP address. Now these devices not only have discrete IP addresses, they will all need their own identity, and enterprises will need to understand how those identities relate to their customer’s identities.
What began as simple single sign-on has grown rapidly over the past decade, at a rate that continues to accelerate with mass consumer adoption of mobile and the API economy. While we used to just be concerned with how a customer moved through the web experience, we now have to extend that to a fluid experience across channels, and what that means in terms of an authentication experience. Customers should be able to maintain state as they shift and do different things across those different channels.
And then came OAuth, targeted not at organizations implementing it to support their apps but instead at developers building identity protocols into their application offerings.
Modern Identity Landscape
Targeted at Application developers
Learned from previous attempts
We have built on the success of OAuth with OpenID Connect, with critical capabilities for identity provider discovery and application registration.
SCIM is crucial as a mechanism for API-based provisioning to any app that supports SCIM.
Two pillars of scalable modern identity: SCIM and OIDC
OIDC is crucial for modern identity:
– IdP discovery – important as the number of IdPs increases in the modern identity era.
– Application registration – provides a mechanism for registering applications with the identity provider.
– Scale – enables applications (be they on mobile devices or web applications) to act on behalf of the user to do things.
– Finally, delivers SSO via the ID token for native devices (pivot to OAuth).
SCIM
Authorization and SSO isn’t possible without a provisioning event. SaaS vendors have service level agreements that preclude the use of the enterprise identity store. The current insanity vis-à-vis proprietary provisioning won’t scale. SCIM is modern (REST-based) and is our last best hope at scalable provisioning because it delivers a standards-based approach.
And all of this extends to APIs
OpenID Connect – Authentication API (also enables SSO)
– Developer calls the GetUserInfo API endpoint
– Replace Login.jsp and the password DB
– Federated domain, single domains, whatever
SCIM – User Management API (Create, Read, Update, Delete)
– Developer exposes an API to add, change & delete user accounts
Where this leads us is to an API-centric approach for user authentication across apps, mobile, and custom applications, and standards-based provisioning of services.
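To make the SCIM side of this concrete (the provisioning notes above and the "User Management API: Create, Read, Update, Delete" slide), here is an added example that is not code from the webinar or from Ping Identity. It is a minimal in-memory SCIM 2.0 /Users resource: each method returns the (HTTP status, JSON body) pair the corresponding REST endpoint would serialize, using the real SCIM schema URNs and error message format, so a practitioner can see what a standards-based provisioning event looks like without standing up a server. The base URL and the sample users are constructed values.

```python
# Added example (not from the webinar or Ping Identity): a minimal SCIM 2.0 User
# store implementing the CRUD operations a provisioning client drives over REST.
# No HTTP server: each method returns the (status, body) an endpoint would send.
# The base_url and sample user data are constructed values.
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def _error(status, detail, scim_type=None):
    """SCIM error response body (RFC 7644 section 3.12)."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimUserStore:
    """In-memory /Users resource keyed by server-assigned id; userName is unique."""

    def __init__(self, base_url="https://app.example.com/scim/v2"):  # constructed URL
        self.base_url = base_url
        self.users = {}

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    def _name_taken(self, username, exclude_id=None):
        return any(u["userName"].lower() == username.lower() and uid != exclude_id
                   for uid, u in self.users.items())

    def create(self, payload):  # POST /Users
        if USER_SCHEMA not in payload.get("schemas", []):
            return _error(400, "missing core User schema", "invalidValue")
        username = payload.get("userName")
        if not username:
            return _error(400, "userName is required", "invalidValue")
        if self._name_taken(username):
            return _error(409, "userName already exists", "uniqueness")
        uid = str(uuid.uuid4())
        ts = self._now()
        user = {k: v for k, v in payload.items() if k not in ("id", "meta")}
        user["id"] = uid
        user.setdefault("active", True)  # deprovisioning usually flips this before DELETE
        user["meta"] = {"resourceType": "User", "created": ts, "lastModified": ts,
                        "location": f"{self.base_url}/Users/{uid}"}
        self.users[uid] = user
        return 201, user

    def read(self, uid):  # GET /Users/{id}
        user = self.users.get(uid)
        return (200, user) if user else _error(404, f"User {uid} not found")

    def replace(self, uid, payload):  # PUT /Users/{id}
        old = self.users.get(uid)
        if old is None:
            return _error(404, f"User {uid} not found")
        username = payload.get("userName")
        if not username:
            return _error(400, "userName is required", "invalidValue")
        if self._name_taken(username, exclude_id=uid):
            return _error(409, "userName already exists", "uniqueness")
        user = {k: v for k, v in payload.items() if k not in ("id", "meta")}
        user["id"] = uid
        user["meta"] = dict(old["meta"], lastModified=self._now())
        self.users[uid] = user
        return 200, user

    def delete(self, uid):  # DELETE /Users/{id}
        if self.users.pop(uid, None) is None:
            return _error(404, f"User {uid} not found")
        return 204, None

    def list(self, username=None):  # GET /Users?filter=userName eq "..."
        rows = [u for u in self.users.values()
                if username is None or u["userName"].lower() == username.lower()]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(rows), "Resources": rows}


def demo():
    """Lifecycle: create, duplicate rejected, deactivate, deprovision, lookup fails."""
    store = ScimUserStore()
    created = store.create({"schemas": [USER_SCHEMA], "userName": "alice@example.com",
                            "displayName": "Alice"})  # constructed sample user
    dup = store.create({"schemas": [USER_SCHEMA], "userName": "ALICE@example.com"})
    uid = created[1]["id"]
    deactivated = store.replace(uid, dict(created[1], active=False))
    deleted = store.delete(uid)
    return created[0], dup[0], deactivated[1]["active"], deleted[0], store.read(uid)[0]


if __name__ == "__main__":
    print(demo())
```

Because the identity provider drives these calls, the application never owns a password or a registration form; account creation and removal become events pushed by the IdP, and the same endpoint serves every IdP that speaks SCIM. Rejecting duplicate userNames case-insensitively at create and update time is what prevents a provisioning retry from silently spawning a second account for the same person.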
This is all to say that the idea of an open platform that allows for new and emerging identity standards and protocols becomes paramount.
Passwords are the problem, we see a future with no passwords
IT administration has to be automated, with as much self-service as possible
Our partner today, Forrester Research, has done extensive work in this area
Identity isn’t just about securing your assets and managing risk, it’s about money
In a composite example of a large insurance company with more than 8,000 employees, 19k agents, and 75k licensed agents serving 50 million policy holders we calculate incremental revenue of $45m from just reducing one contributor to customer churn.
Enterprise federated identity isn’t just about easing the customer burden, or even reducing risk and improving security – it is both of those, but perhaps more significantly, it has a direct impact on revenue generation. In a recent Total Economic Impact study conducted by Forrester Research, results showed significant revenue potential for consumer-facing implementations.
The composite organization used for this economic impact included a Fortune 500 insurance company providing supplemental insurance in the US and select international markets. Its users include more than 8,000 employees, more than 19,000 sales agents, and more than 75,000 licensed sales agents. It also provides access for subsets of its 50 million policyholders worldwide, as well as a multinational banking and financial services organization with more than 55 million customers worldwide and 260,000 employees.
Founded: 2002
Offices: Denver, Boston, Vancouver, London, Tokyo, Salt Lake, San Francisco
Employees: 350+
The time of building purpose-built identity silos is over. The next generation identity platform delivers a layer unifying disparate identity architectures of legacy systems, and allows the enterprise to emerge into the future.
I’ll leave you with a few insights into what you can/should begin thinking about today. [points listed above]