Gartner Identity & Access Management Summit 2013

Transcription

1 Gartner Identity & Access Management Summit 2013 Pragmatic Futures for IAM: Meeting Business Needs at the Nexus of Forces Trip Report The annual Gartner Identity & Access Management Summit was held on March 2013, at the Park Plaza Westminster Bridge. This report summarizes and provides highlights from the event. Overview In 2013 the Summit brought together over 400 attendees to learn from and network with a range of end users giving case studies, key solution providers on the showfloor and in sessions, and with the Gartner analyst community. Led by the Summit Chair, Ant Allan the Summit took in over 40 presentations, roundtables and workshops furnishing attendees with the latest thinking on their strategy, tactical approaches, and key needs for The Nexus of Forces mobile, cloud, information and social brings new challenges and new opportunities for IAM. CISOs and IAM leaders have to extend their vision to include the Nexus. This is not just a strategic goal but a tactical imperative: The impact of the Nexus of Forces is clear now and underlies the trends Gartner has seen in client engagements across multiple IAM activities and markets of the past year. Meanwhile, CISOs and IAM leaders must keep sight of the needs of day-to-day operations and the demands of governance, risk management and compliance. Furthermore, the obligation remains to deliver meaningful, business-focused results. To efficiently deal with all these seemingly diverse commitments and to effectively orchestrate the necessary technology, tools and techniques and to so with lasting success CISOs and IAM leaders must establish and sustain an enduring IAM program with sound governance processes. Save the date The Gartner Identity & Access Management Summit 2014 will take place on March in London, UK. We hope to see you again! Table of Contents 2 Key Take-Aways 3 The Audience 5 Keynote Sessions 6 Top 10 Most-Attended Sessions Park Plaza Westminster Bridge, London, UK Ant Allan speaking at the Gartner Identity & Access Management Summit Sponsors 9 Post Event Resources 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. For more information, info@gartner.com or visit gartner.com. 1

2 Gartner Identity & Access Management Summit 2013 Key Take-Aways Best Practices for IAM Program Management and Governance Create a well-crafted vision and articulate it in light of strategic business needs. Continuously re-evaluate this. Establish an IAM program based around the activity cycle and the pillars of IAM. Establish sound formal governance processes and functions for IAM This should be incorporated within information security governance frameworks, but may require discrete entities at some levels. Bring Your Own 4G: How Secure Are the Mobile and Wireless Networks You Use for Business? Ensure secure setup of wireless networks. Maintain VPN or application-level security for sensitive applications, through Correlate wireless security with the mobile policy. Use a standard wireless provider and 4G, where possible. Dealing With Advanced Threats and Targeted Attacks Adjust the vulnerability assessment schedule to remediation cycles Initiate security hardening initiatives and evaluate application development process changes to security testing to earlier phases of the development life cycle Extend your SIEM deployment for early breach detection Balance spending among mitigation, shielding and monitoring based on practical limitations of mitigation for specific IT components Enabling Mobility Securely by Protecting Mobile Applications on Smartphones and Tablets Fix as many of the barriers as possible. Fixing even one makes a substantial difference to your success. Give up on the idea of trusting the platform. Secure your apps as soon as possible. Recognize there is not a single solution that works for everyone, and multiple approaches can coexist. Don t wait for standards act tactically, rather than strategically. 2

3 Get the Plumbing Right: Directories for Internal and Cloud Services Think tactically and strategically Maintain a service catalog Anticipate and plan for new requirements: Mobile devices Cloud XaaS Mergers/Acquisitions Minimize and consolidate (but not too much) Maintain an abstraction layer Embrace the politics of control and autonomy IAM at the Nexus of Cloud, Mobile and Social Partner with business leaders to include security/iam assessments as part of the planning process when procuring cloud-based business application services. Understand your costs for providing internal IAM functions, and your ability to obtain and retain staff as a prelude to comparative shopping for cloud-delivered IAM. Plan for mobile user use cases that will include employee- or consumer-owned devices and direct access to SaaS. Technical Insights: Making It Work: Identity and Mobility Implement adequate certificate enrollment processes for enterprise users: Don t use device-based SCEP enrollment! You will need an MDM (or MDM-like) product Protect your MDM push credentials: Certificate/Private key for Apple Notification Service Google C2MD service password Risk of unauthorized access and denial of service The Audience The Summit attracted over 350 attendees, from 29 countries including 19 European nations represented. The core of the audience was naturally from the UK, with the next highest groupings coming from Germany, Austria and Switzerland followed by Benelux, Nordic, France and the Middle East. In terms of industries represented the key sectors were government and public sector, financial services and manufacturing with a range of other sectors then present. The best represented job titles continued to be Director / Manager of Information Security / Security and variations there of with a presence from Risk, Compliance, and Security Architects. Keep a close eye on NFC developments: There is so much potential for enterprise identity! Get your AD groups right: Device policy management, credentialing, and secure file access depend on it 3

4 Gartner Identity & Access Management Summit 2013 Fighting Threats With Layered Security and Improved Identity Proofing Establish an overarching identity proofing and fraud management framework for your organization that includes multiple layers. Deploy Layer 1 endpoint-centric and Layer 2 navigation-centric solutions to start with. Integrate mobile applications into your fraud management framework to ensure a cohesive strategy, and shared user and account profiles. Recognize that the threat landscape can quickly change, pointing to the need for a layered approach and comprehensive framework. Good Authentication Choices for Smartphones and Tablets Set internal expectations early about what apps can be on personal device, and which can t Build a foundation for good IAM by matching the right baseline for device or app security Plan for UX being a barrier to meeting regulatory requirements on mobile device look to balancing in ease of use Technical Insights: A Magic 8 Ball in the Sky: Federated, Distributed and Cloud Externalized Authorization Before selecting an authorization mechanism and architecture: What is the coarseness of the decisions? How expressive of policy language is needed? Is the application externalized authorization-aware? Where can subject attributes be found? Ways to Achieve More With Less in Your IAM Program Prioritize your identity-related needs. What can realistically be accomplished through traditional methods with the budget that you have? Determine what might not be accomplished due to lack of budget (or other factors)? Put on your thinking cap, grab a list of what you have, and find a whiteboard! 4

5 Keynote Sessions Gartner Keynote: The Socialization of Identity Using social network identities can significantly help enterprises to attract and retain customers (a business priority for CIOs). Using login with Facebook (or other popular social networks) lowers friction, and thus improves the user experience (UX) for customer registration and subsequent login. Enterprises also benefit through a fall in the number of abandoned registrations and logins. Login with preferred social network identities makes it easier for customers to browse and buy especially where the merchant is present on other social networks (such as Facebook and Pinterest). Ant Allan Research VP The use of social network identities can lower customer administration costs this can be a business enabler, making profitable services that wouldn t be if they had significant overheads. Gartner sees a small but growing number of enterprises taking this approach, enabled by specialist vendors that prepackage support for a broad range of popular social networks and integrate other social network capabilities (such as gamification). Basic user attribute collection (for registration) and authentication with social identities are also being supported by Web access management products. All enterprises offering consumer-facing services, as well as government agencies offering citizen portals, should assess the benefits of accepting social network identities for customer/citizen registration and login, and weigh these against the risks posed by the lack of identity proofing and weak authentication for social network identities. Potential cost savings may be offset by the cost of mitigating these risks, say via fraud detection and prevention mechanisms and step-up user authentication methods. (But such controls may well be needed anyway!) This assessment should also consider alignment with other business use of social networks; while it can be independent of other initiatives, greater value can come from exploiting synergies. Gartner Closing Keynote: Maverick: Kill Off Security Controls to Reduce Risk Traditional security controls are increasingly ineffective and obstructive in a world where rapid technology change is driving business strategy. A radically new approach is required. Impeding the ability of the majority of users to exploit technology in furthering business objectives, just in order to prevent the bad intentions of a small minority of individuals, makes no business sense. Employees that have no stake or input in security controls and policies are alienated, having no trust in security practices. By adopting a people-centric approach to security, enterprises can reduce overall risk while simultaneously reducing the number of preventative controls. Giving users more personal responsibility, while holding them directly accountable for their actions, requires that he security team offer a more supportive role. Tom Scholtz VP Distinguished Analyst People-centric security PCS represents a major departure from conventional security strategies, but it reflects the reality that current security approaches are increasingly difficult to manage in the rapidly evolving environment Gartner defines as the Nexus of Forces. While changing a security strategy carries its own risks, security leaders should consider adopting elements of PCS as an early starting point for longer term transformation of their security programs. 5

6 Gartner Identity & Access Management Summit 2013 Top 10 Most-Attended Sessions Best Practices for IAM Program Management and Governance Ant Allan, Research VP Bring Your Own 4G: How Secure Are the Mobile and Wireless Networks You Use for Business? Dionisio Zumerle, Principal Research Analyst Dealing With Advanced Threats and Targeted Attacks Mark Nicolett, Managing VP Enabling Mobility Securely by Protecting Mobile Applications on Smartphones and Tablets John Girard, VP Distinguished Analyst and Dionisio Zumerle, Principal Research Analyst Get the Plumbing Right: Directories for Internal and Cloud Services Andrew Walls, Research VP IAM at the Nexus of Cloud, Mobile and Social Gregg Kreizman, Research VP Technical Insights: Making It Work: Identity and Mobility Trent Henry, Research VP Fighting Threats With Layered Security and Improved Identity Proofing Avivah Litan, VP Distinguished Analyst Good Authentication Choices for Smartphones and Tablets Eric Ahlm, Research Director and John Girard, VP Distinguished Analyst Technical Insights: A Magic 8 Ball in the Sky: Federated, Distributed and Cloud Externalized Authorization Ian Glazer, Research VP Ways to Achieve More With Less in Your IAM Program Ray Wagner, Managing VP 6

7 TM R Sponsors Premier Platinum Silver 7

8 Gartner Identity & Access Management Summit 2013 Radiant Logic Launches First On-Premise Identity Bridge Based on Virtualization TM Airbus Discusses the Value of Identity Virtualization at 2013 Gartner IAM Summit The recent rise of cloud applications mobile devices have posed serious challenges for Identity and Access Management practitioners, while the fragmentation of identity systems has frustrated efforts to meet those growing needs. At the 2013 Gartner IAM Summit, Radiant Logic demonstrated how it is uniquely positioned to meet these evolving demands with the release of RadiantOne 6.1, the industry s first complete on-premises enterprise identity provider. The release bundles Radiant Logic s Cloud Federation Service with its market-leading VDS, delivering a standards-based federated identity and access management solution. The newest version of the RadiantOne Cloud Federation Service includes: Support for SAML 2.0, OpenID Connect, and OAuth 2.0 Support for new trusted identity providers such as Facebook, Microsoft, and MyOpenId The ability to indicate the authentication level required to access certain applications Support for over forty new relying parties, making it simple to get single sign-on to almost any new cloud application There is a host of new features in the new VDS as well: Support for SCIM, REST, and SPML protocols to enable robust bulk user provisioning operations to cloud applications Better support for cloud applications such as Salesforce, Office 365, and Google Apps for unified access and provisioning Also at the Gartner IAM Summit, Frederic Fenoglietto, IAM Architect, highlighted how Airbus used RadiantOne to improve performance and service. He demonstrated how RadiantOne VDS enabled Airbus to rationalize and transform data, and eventually retire legacy directories. Learn more about Radiant Logic, a 2012 Gartner Cool Vendor, at 8

9 Post Event Resources Recommendations Summary A recommendations summary containing of all of the key recommendations from the Gartner analyst sessions is available for download from Agenda Builder. Please look for the Recommendations Summary file. Learn more with relevant research Want to learn more about the topics that interest you most? Turn to the end of each session presentation for a list of related Gartner research notes. Select Gartner research is available on demand at gartner.com. CONNECT WITH GARTNER IAM Connect with Gartner Business Process Management Summit on Twitter and LinkedIn. #GartnerIAM Gartner IAM Xchange Gartner has you covered View the full Gartner Events Calendar! The World s Most Important Gathering of CIOs and Senior IT Executives 9