Issue 2. New Paradigms of Digital Identity: Authentication and Authorization as a Service (AuthaaS)

Transcription

1 Issue 2 New Paradigms of Digital Identity: Authentication and Authorization as a Service (AuthaaS)

2 Introduction 2 Introduction 3 The Digital Identity Ecosystem 6 New Models of Authentication/ Authorization as a Service: AuthaaS 8 An Integrated Vision 10 From the Gartner Files: New Competitive Threats as the IDaaS Opportunity Evolves The concept of identity has always been the key factor when it comes to establishing a relationship between individuals. Identification as a way to ensure someone is who they claim to be gains even greater relevance in an increasingly digitized world. This also brings a host of new challenges, including: Multidimensionality of digital identities. Their management and how this impacts on the definition of Corporate Identity (Social Identity vs Validated Identity). Attribution. Validation of the data (attributes) that make up and define a digital identity. Identity proofing. Validation of the relationship of an identity in the digital world with an identity in the real world. The aim of this document is to discuss the concept of digital identity in the current ecosystem, talk about IAM solutions (Identity and Access Management) and IDaaS (IAM as a Service) and propose a model that will reduce complexity in the process of authenticating and authorizing identity management. 14 About Telefonica Business Solutions New Paradigms of Digital Identity: Authentication and Authorization as a Service (AuthaaS) is published by Telefonica Editorial content supplied by Telefonica is independent of Gartner analysis. All Gartner research is used with Gartner s permission, and was originally published as part of Gartner s syndicated research service available to all entitled Gartner clients Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner s endorsement of Telefonica s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity on its website, 2

3 The Digital Identity Ecosystem Background For many years, the way of moving an individual s identity into the digital world has involved the creation of a digital representation of that individual. The manner in which this individual s digital identity is formulated depends on where it is to be used. From the perspective of the public sector, the validation of the relationship between this digital identity and the real world identity (identification/identity proofing) is vital. Typically, this identification process concludes with the generation of a set of credentials which links the individual with their identity in the digital world. This is the case of the processes that allow to register an individual within the society by issuing a unique number or physical token (e.g. national identifiers, social security numbers, digital certificate passwords, etc.). This issuance, managed by public authorities, constitutes a legally validated record, and it can be affirmed that these credentials correspond uniquely to a single individual. In addition, during the process of generating these credentials, certain attributes, which define the individual (such as name, surname, date of birth, nationality, gender, etc) will be validated. This set of identifiers, along with the validated attributes, whilst taking into account this 1:1 relationship with the individual which they identify, may be called Physical Identity. Example of physical identity with validated attributes By creating these corporate digital identities, in addition to the attributes already validated by third parties, it is possible to add new attributes which can be validated by the service provider (e.g. postal address, bank account or phone number) or, even, attributes that it was not possible to validate but which have been provided by the individual themself now the user. This type of digital identity, unlike physical identities, does not have a unique relationship with the individual. That is to say, the same person may have multiple identities with a single service provider (e.g. in the case of a provider that identifies its users by their account number, a user may have multiple accounts with the same provider). These digital identities have traditionally been managed by IAM (Identity and Access Management) systems. With the advent of Social Media and the emergence of Social Identities, there is no longer a need for identification to link digital identities to a physical identity. It is now possible for individuals to assign themselves an identity on a Social Media site and, although they are asked to provide attributes, there is no robust process of identification to validate the authenticity of those attributes. The creation of an identity on a social network such as Facebook is a case where, unlike the previously mentioned, the information which an individual will be asked for during the identification process is not directly validated. When a new user joins Facebook, identification is established by requesting a prior digital identity (i.e. an account). It could be argued that this identification is verified by an identification request made to the account provider. However, there is no certainty that this provider actually validates the attributes of the individual.. In private companies the scenario is slightly different. Companies have a need to validate the existence of an individual and their attributes in order to create another type of identity: Corporate Identity. To that end, it is possible to delegate the physical responsibility for carrying out the identification of individuals to the issuers of these identities. This is the case for a service provider who, in order to convert individuals into users of their systems or services, create their own credentials (e.g. an online banking user, a company employee or a consumer of services of a retail outlet). They require, to a greater or lesser degree, the submission of the corresponding physical identities so as to incorporate the attributes, which have already been validated, into the new identity. 3

4 FIGURE 1 How to obtain the best balance between usability, security and verification when authenticating and identifying users? PHYSICAL IDENTITY CORPORATE IDENTITY SOCIAL IDENTITY add VERACITY SECURITY B2B B2C USABILITY add SECURITY Digital Certificate Physical Check IAM Social Login User/Password - 2FA (token - IDAAS solutions are key factors in the evolution of traditional IAM management models Source: Telefonica Whilst the benefits of social identities means better usability (fewer passwords, login and registration steps, improved and easy support) and improved intelligence (which make it easier to use these OTT solutions), there are disadvantages concerning privacy or identity theft. This, in turn, is leading to hybrid models which link digital identities generated by service providers with the identities that users provide. This need, together with the emergence of federated identity management, has given rise to complex scenarios in which identity management is carried out in a fragmented and adaptable way. This fragmentation means that now whoever issues and validates the credentials of a digital identity does not necessarily have to be the owner of the resource. This means being able to provide identity, as well as its management, as a service (IDaaS). Source: Telefonica 4

5 FIGURE 2 Source: Telefonica 5

6 New Models of Authentication/ Authorization as a Service: AuthaaS Following this trend (IDaaS), in which companies or service providers increasingly delegate certain aspects of identity management to a third party, it is fundamental to focus on verifying that an individual is who they claim to be and therefore authorize their access to a resource. User authentication must be able to validate that the credentials a user provides have not been altered and thus enable verification that the user who owns them is, in fact, a legitimate user of the system. User authorization must be able to establish how users can gain access to certain resources, and who is authorized to do so at any given time. AuthaaS solutions should adapt how users authenticate, access and interact with the business. Within this proposal the mobile device is the key: Maximizes universality, allowing any user to interact anywhere using any technology. The mobile device is the only physical device that nowadays can be considered universal Maximizes usability, allowing user interactions with no barriers (anywhere, anytime) Identification, with solutions that give the ability to individuals, businesses and governments to trust and have confidence in the identities of people with whom they interact. The use of mobile device requires a SIM card which distribution is highly regulated by the market (Telcos) and in that process a validation of the identity holder is carried out prior to activation controlled; Evolving security. Mobile device allows companies to create authentication/authoritation adaptatives schemes over traditional IAM models FIGURE 3 Mobile devices key factors in the search for convergence between physical identity and digital identity Network Connectivity 3G 4G Wifi Internet, apps and data ID-related Technologies Camera GPS Screen NFC Bluetooth Biometric Sensors Security elements to protect user data SIM (Suscriber Identity Module) MICRO SD (Micro Secure Digital) ese (Embedded Secure Element) Your mobile, your identity Source: Telefonica 1. Mobile Device = Authentication Device There are a huge number of types of credentials that are being explored in order to create a way of preserving the unchanged relationship of digital identities. The various solutions that exist on the market today are based on something that the individual knows (e.g. passwords), something that the individual possesses (e.g. physical tokens: smartcards, NFC tokens, etc.), something that the individual is (e.g. fingerprints, voice signature, iris signature, etc.), or something that tells you how the individual behaves (e.g. behavioural analysis). In fact, in order to ensure the usability of authentication solutions, hybrid systems are often devised involving several of these methods, and providing differing degrees of authentication. 6

7 Mobile devices as authenticators: They act as alternative channels for the verification of access to services (enabled for OTP service implementation via SMS, or automatic notification via APP). They are a good method to protect users against malicious acts, such as phishing or identity theft. They provide different degrees of authentication Simple Authentication: Single factor = something I have Click OK (SMS URL or SIM click OK) Strong Authentication: Two factors = something I have and something I know PIN Two factors = something I have and something I am Biometrics 2. Mobile Devices as Authorization Devices The most frequent use of the authentication mechanisms mentioned above is usually related to the control of access to the resources of a system. This enables authorization mechanisms to establish how users can gain access to certain resources, and who is authorized to do so at any given time. In this regard, as is the case with authentication, mobile devices can be used as elements of interaction with users which can apply global strategies (Mandatory Access Control MAC) or discretionary strategies (DAC). As a part of those strategies, different methods are defined: RBAC, capabilities, as a couple of examples. In a complementary manner, the use of mobile devices would enable the role of who defines access policy to be widened, so that it is not only the owner of the resource. This would enable the mobile user to set controls on the use of resources when such a use is made using their credentials. 3. Mobiles Devices as Signature Devices Mobile devices incorporated as part of business processes can be used to perform digital signature processes, either by using a digital certificate stored on the device itself, through the use of a PIN encrypted in the SIM card, or by using a handwritten signature (biometrics). It is clear that mobile devices used as identity tokens offer companies or service providers the following benefits: A secure element for the authentication and identification of users thanks to the use of the operator s infrastructure: mobile network + SIM as a secure container. A link between physical identity and digital identity. Phone numbers enable us to establish this link between identities, by enabling the identification of an individual in services, both public and private, thanks to authentication and the sharing of attributes. Global reach. Mobile devices (Smartphones) have undoubtedly become the most used and widely adopted form of technology which keeps digital users connected. More frequent log-ins by removing passwords while improving security, at the time it improves customer insights by receiving a persistent, unique, User ID across any device used by the same user. Creation of adaptive models. Mobile identity management as part of IAM solutions enables authentication/adaptive authorization systems to be configured based on context. This enables riskbased policies to be defined and so improves the end user experience (mobility, elimination of the password). Show innovation and leadership by supporting a mobile first strategy. Source: Telefonica 7

8 An Integrated Vision Based on the mobile device as the key to set authentication and authorization, Telefonica go for a combined model Authentication / Authorization as a Service that allows companies to: a) Enjoy different levels of authentication (multifactor adaptive authentication) depending on the context and the risks that the company are ready to assume: from basic authentication to strong authentication. b) Be able to apply an effective access control strategy (Authorization) across traditional IT environments and over current IAM environments: OTP and digital latch. c) In addition, under the same approach, the integration of the solution with business processes will allow the Enterprise to turn the mobile device company in a security tool to sign. Telefónica has increased its Security offering with the generation of brand new and innovative products focused on Identity and Privacy. Our Identity and Access solutions adapt to the way users authenticate, access and interact with businesses, based on a vision that maximizes four key vectors: Identification; solutions that give the ability to individuals, businesses and governments to have confidence in the identities of people with whom they interact. Universality; allowing any user to interact anywhere using any technology. Compliance; making security a companion for your business, not a barrier. Usability; solutions that allow user interactions with no barriers (mobility and avoiding the use of passwords). FIGURE 4 AuthaaS reduces complexity when authenticating and authorizing combined with Enterprise current IAM solutions. SERVICE PROVIDER Enable users to authenticate to your applications and to authorize access to resources via their phone TELEFÓNICA SERVICE AUTHENTICATION AUTHORIZATON AUTHENTICITY Basic Authentication Strong Authentication Otp Digital Signature Seamless Click OK SMS Url Click OK SMS Applet SIM Applet + PIN TEE + Biometrics SIM / SMS Digital Latch SIM + Certificate Biometric signature - Fingerprint - Handwritten Source: Telefonica 8

9 Secure digital identity is now in our hands Mobile Connect an operator service for secure authentication and identification: Uses a mobile phone for authentication (i.e. no passwords). Easy to use, anonymous and many uses including second factor authentication. Develops a secure way of sharing attributes putting the user in control. Leverages existing operator assets there is no user name and password to make a phone call or send SMS. Offered as APIs for service providers to integrate into their digital services. Sign your documents using your mobile phone SealSign - digital and biometric signature to securely sign electronic documents through your mobile phone Scalable, modular and full enterprise platform for electronic document signatures compatible with digital certificates, biometric systems, OTP systems and long-term archiving of signed documents. Reduces costs associated with hardcopy management (printing, digitalization, transfer, archiving). Improves productivity and efficiency of business processes. Accessible from business applications and mobile devices. Generates electronic documents with full legal validity. Possibility of service via cloud or on-premise platform to meet enterprise needs. For more information see Telefonica Security Services portfolio at A digital Switch Latch - protect your business and provide your users with an extra security layer Source: Telefonica Latch lets you implement a safety latch on your online services. By minimizing the time during which services are accessible the risk of theft or unauthorized usage is reduced. Reduces the risk of attacks directed at your online services by letting the users to lock the service account or selected features conveniently, when they don t want to use them. Independent of other authentication mechanisms, as it supports most platforms and programming languages through APIs, SDKs and plugins. Available for Android, Blackberry, iphone, Firefox OS devices and Windows Phone. 9

10 From the Gartner Files New Competitive Threats as the IDaaS Opportunity Evolves As IDaaS adoption increases, PaaS providers will expand their mind share, altering the dynamics of the IAM market. As the opportunity evolves, product and go-tomarket strategists at IDaaS and IAM providers should highlight their uniqueness and target skills gaps and IoT-related demand. Impacts Increasing SaaS and public cloud adoption will favor the growth and influence of large PaaS and IaaS IDaaS players, pushing many small pure-play IDaaS providers to look for new opportunities. The evolution of enterprises IT infrastructure toward mobile and cloudbased ecosystem needs will push IDaaS and IAM providers into expanded feature sets and/or services, such as enterprise mobility management. The proliferation of connected, networked devices will bring major changes to the IAM space, and this will force IDaaS and broader IAM providers to align their approaches with new enterprise scenarios where access control activities will expand to external users, devices and systems. Recommendations existing stand-alone IDaaS providers: Exploit clients potential concerns about lock-in with platform vendors to fend off increasing competition from cloud providers such as Microsoft and Salesforce. pure-play and PaaS IDaaS providers: Market your IDaaS solution s ability to address skills shortages, the simplification of the existing IAM ecosystem, and rapid integration and implementation. When organizations decide to buy IDaaS over on-premises software, business drivers centered on time-to-value often trump cost. IAM vendors and service providers: Expand new capabilities to account for more complex IAM use cases involving the management of relationships between objects, systems and users. Strategic Planning Assumption By 2019, 40% of IDaaS revenue will accrue to PaaS vendors, up from less than 5% in Analysis Introduction Growth in the identity and access management as a service (IDaaS) market (see Note 1) outpaces that in the overall identity and access management (IAM) market, thanks in large part to increased adoption of SaaS and platform as a service (PaaS) computing models. Compared with even a few years ago, the IDaaS market is much more competitive, varied and diverse. Longstanding players, such as CA Technologies (CA), Okta, OneLogin and Ping, compete with new entrants, including broader platform vendors (such as Microsoft and Salesforce) and providers with an integrator background. This will put pressure on IDaaS pricing in the next few years, changing the competitive dynamics of both the cloud and on-premises IAM markets. Product and go-to-market strategists at traditional IAM providers and IDaaS providers must be aware of these changing dynamics and adjust their market approaches accordingly. A Diverse, Changing and Attractive Market The IDaaS market is still in its early stages, but will carry on, growing rapidly. Gartner estimates that, over the next five years, the average annual growth rate in the IDaaS market will be 37%, compared with 8% for the overall IAM market. (Note that we do not include current calculations of the user authentication market in these estimates. Authentication as a service is a simple function to deliver compared with multifunction IDaaS.) Estimated total spend on multifunction IDaaS was almost $300 million in 2014, and we expect it to exceed $1 billion by year-end The IDaaS solutions market is composed of many startups that often specialize in IAM. This is in contrast to the traditional onpremises IAM market, which is dominated by big providers such as IBM, Oracle, CA and Microsoft, which offer products that span the security and IT space. But growing interest in cloud-based IAM, and the sheer numbers of smaller players in the market, have resulted in a recent spate of mergers and acquisitions (M&As) and market consolidation,1 which has now peaked. Many IAM providers are less likely to acquire in this space as a result of prior acquisitions or internal development of their own IDaaS capabilities. Looking ahead, the overall IAM market will be shaped by elements of what Gartner defines as digital business: social media, mobility, the cloud, data and the Internet of Things (IoT). Employees widespread use of new mobile platforms and devices, social media and most importantly cloud computing will characterize IAM activities in the future. Users growing need for mobile applications, for example, will create pressure to authenticate mobile users and support mobile applications. Multifactor and device authentication will be particularly important, especially with the proliferation of devices that the IoT is likely to create. Providers will have to create and deploy hybrid product features. This imperative will be driven by the need to authenticate access to SaaS applications by employees and external users (such as business partners or contractors), and the continuing need to meet more traditional IAM requirements. 10

11 11 Figure 1 highlights the main impacts affecting the developing IDaaS market, and corresponding recommendations for product and go-to-market strategists. Impacts and Recommendations Increasing SaaS and public cloud adoption will favor the growth and influence of large PaaS and IaaS IDaaS players, pushing many small pure-play IDaaS providers to look for new opportunities Several factors are influencing the higher uptake of IDaaS: Increasing use of SaaS applications in companies, and the need to authenticate users using these applications. This is creating more demand for security controls to cope with users changing requirements. The challenges posed by the complexity of traditional on-premises IAM tools, and the lack of suitably qualified staff to implement solutions (especially in small or midsize businesses [SMBs]). The increasing requirement for IAM in consumer-facing applications. Large vendors such as Microsoft, IBM and Salesforce entered the market in These more general providers are likely to have a considerable influence, offering IDaaS as part of a broader portfolio. We can expect PaaS IDaaS vendors to capture 40% of the overall IDaaS market by Cloud platform players can become very competitive in this growing market via two connected routes. They can offer integrated good enough IDaaS capabilities to both existing and new PaaS and IaaS clients. Along with this, they can offer discounted pricing or some bundled cloud-based IAM capabilities at no extra cost. Examples of this approach include Amazon, which offers some limited cloudbased IAM capabilities as part of its PaaS product, or Microsoft s free Azure AD option. The expansion of general cloud providers into this market is likely to push down prices, putting further pressure on this evolving but increasingly competitive space. In small and midsize organizations, SaaS models within IAM systems remain a popular alternative. But we can expect uptake among large organizations to increase as they try to cope with the IAM demands originating from new digital business requirements such as mobility, cloud and IoT. FIGURE 1 Impacts and Recommendations for Product and Go-to-Market Strategists Source: Gartner (January 2015) 11

12 Recommendations: existing stand-alone IDaaS providers: Exploit clients potential concerns about lock-in with platform vendors to fend off increasing competition from cloud providers such as Microsoft and Salesforce. broad IAM providers: Consider new pricing models to align with new technology consumption demands originating from cloud-based IAM. On-premises providers introducing subscription models will be able to cope better with the pressure brought by IDaaS. The evolution of enterprises IT infrastructure toward mobile and cloud-based ecosystem needs will push IDaaS and IAM providers into expanded feature sets and/or services, such as EMM The new requirements of mobile computing and the cloud will also change the dynamics of the IAM market. The need to provision and authenticate users access to applications from traditional Windows endpoints to multiplatform mobile devices will have to fulfill users requirements for adaptable and flexible functionality that can be delivered rapidly. Providers will position IDaaS to deliver this functionality with better time to value for organizations that do not have the expertise to deliver on-premises solutions. We don t expect market share positioning in the overall IAM market to change dramatically in the short term. But traditional on-premises providers that do not also have an IDaaS offering will come under increasing pressure from enterprises growing demands for cloud-based IAM. This will produce its own competitive pressure, particularly as PaaS and IDaaS providers increase their market presence. Recommendations: pure-play and PaaS IDaaS providers: Market your IDaaS solution s ability to address skills shortages, the simplification of the existing IAM ecosystem, and rapid integration and implementation. This is particularly true in those cases where IDaaS is used to address and replace ineffective deployments. When organizations decide to buy IDaaS over on-premises software, business drivers centered on time to value often trump cost. Bear in mind that business drivers often determine how cloud-based IAM capabilities are deployed. These drivers include time to value, movement to operating expenditure (opex) over capital expenditure (capex), and reducing duplicate IAM infrastructures rather than cost. The proliferation of connected, networked devices will bring major changes to the IAM space, and this will force IDaaS and broader IAM providers to align their approaches with new enterprise scenarios where access control activities will expand to external users, devices and systems. New IoT-based challenges to IAM will arise because of the following key factors. A huge number of new devices will be deployed, with identities that have to be managed. There will be a wide variety of device types, some smarter than others. Most IoT devices are expected to use different protocols, so proxies will be needed to manage them. IAM tools will have to find a way to interface with these proxies. People and things will have multiple relationships, with each other and with various services. IAM will become more about managing relationships among people, services and things. The added complexity caused by these factors will bring a set of new problems to organizations. Being able to apply an effective access control strategy across traditional IT environments and IoT infrastructures will become crucial, to avoid potential security breaches. Product and go-to-market strategists at IDaaS providers will have to determine which competencies and strengths they can use to meet these new requirements, and how well-positioned they are to compete in this evolving scenario. Based on this assessment, they can consider and develop a new IAM strategy to align with new enterprise scenarios. This is especially pertinent because there will be a push to expand the focus of the approach to a more complex set of relationships involving users, systems and devices. Potentially, in the long term, the entire competitive landscape may change, with new players, such as traditional asset management vendors, becoming competitors. Ownership of devices may not reside within the organization that interconnects with them, and IoT devices may not be operating within the enterprise s boundaries. This is likely to be the biggest challenge to face. And it should make a cloud-based IAM approach more suitable to catering to the needs of an IoT environment, because of its greater flexibility and potential for faster implementation. 12

13 13 Recommendations: IAM vendors and service providers: Expand new capabilities to account for more complex IAM use cases involving the management of relationships between objects, systems and users. pure-play IDaaS providers: Expand your capabilities for internal IAM and privileged account management (PAM) delivered via hybrid solutions or entirely from the cloud. This will require you to invest in development or acquire small identity governance and administration (IGA) or PAM providers. pure-play and PaaS IDaaS players: Consider the short-term opportunities created by the demand for external identity management requirements to allow access by contractors, vendors and other external users, especially around PAM. Evidence Examples of such activity include IBM s purchase of Lighthouse Security Group, Intermedia s purchase of SaaSID, and EMC/ RSA s purchase of Symplified s intellectual property. 1 Note 1 IDaaS Identity and access management as a service (IDaaS) is a subset of IAM. Vendors in the IDaaS market deliver a service that is predominantly cloudbased, in a multitenant or dedicated and hosted delivery model. This service brokers core identity governance and administration, access and intelligence functions to target systems on customers premises and in the cloud. Source: Gartner Research, G , Ruggero Contu, Gregg Kreizman, 30 January

14 About Telefonica Business Solutions Telefonica Business Solutions, a leading provider of a wide range of integrated communication solutions for the B2B market, manages globally the Enterprise (Large Enterprise and SME), MNC (Multinational Corporations), Wholesale (fixed and mobile carriers, ISPs and content providers) and Roaming businesses within the Telefonica Group. Business Solutions develops an integrated, innovative and competitive portfolio for the B2B segment including digital solutions (m2m, Cloud, Security, e-health or Digital Marketing) and telecommunication services (international voice, IP, bandwidth capacity, satellite services, mobility, integrated fixed, mobile, IT services and global solutions). Telefonica Business Solutions is a multicultural organization, working in over 40 countries and with service reach in over 170 countries. 14