The Who, What, When, Where and Why of IAM
Bob Bentley, Product Management Director
October 2014
It's a Jungle Out There
IAM is more than just provisioning user accounts and managing access to web pages.
Identity and Access Management (IAM): Key technologies to drive your digital business
"Identity and access management (IAM) is the security, risk management and business discipline that enables the right individuals to have access to the right resources, at the right time, for the right reasons, enabling desired business outcomes."
- Gartner, May 23, 2014, Roundup of Identity and Access Management Research, 1Q14, Ant Allen & Neil Wynne
The Modern IT Challenge
Empowered. New expectations.
What Users Want: Use Cloud/SaaS Apps
- Agility
- Autonomy
- Simplification
- Productivity
- Cost reduction
Problem: Access to SaaS
- Audit logs / compliance: no access logs
- Manual process ("Shadow IT")
- Corporate credentials in the cloud
- No strong authentication
- No single sign-on
IT department concerns: security, cost. Business user concerns: business user experience, business flexibility.
What Users Want: Access from Mobile
- Easy, straightforward access from any place, time or device
- To mission-critical apps: new SaaS apps and existing enterprise apps
Problem: Access from Mobile
Organization's MDM / mobile security
- BYOD = no MDM
- Users store corporate passwords on their device; what happens when one is lost or stolen?
Mobile for more than SaaS
- Most SaaS apps are mobile friendly, but what about the organization's existing apps? (The large majority of apps used)
- Users resist VPN on mobile
The Power of Mobile: Research and Thoughts from Gartner
"Mobility fundamentally changes how people work and the pace at which decisions are made."
People need to think differently about security when it comes to mobility. If security makes mobile technology unattractive to use, then security will be left by the wayside, not the mobile technology.
Source: Gartner, Insights Into Mobile Security From Field Research, Eric Maiwald, Analyst, Feb 2014.
What Users Want: Tie Into Social Media
- Easier to authenticate
- Fewer credentials to remember
- Less ID information available to thieves and hackers
- Sites know something about me already
- Easy to share my experience with other people
Problem: Social Media Authentication
- LOTS of users out there: billions of users are hard to ignore, and they expect to be able to access your web resources
- But how do you do it? It is not easy to connect to social networks without customization
- Little information is available about the user: how do you easily manage what they should get access to?
The Changing State of IAM: Leveraging new innovations to drive your digital business
Current state: CRM, ERP, HR, file store and Office apps sit behind an access management tool, giving an intranet experience with single sign-on.
New realities: cloud computing and mobile computing.
- How do I deliver single sign-on across my new enterprise reality?
- There are a lot more web applications than SaaS applications; how can I deliver them to mobile devices, both company-owned and BYOD?
Ultimate Challenge for IT Going Forward
Match the speed of business vs. mitigating risks: agility & autonomy vs. control & compliance.
"We have brakes on our cars not so that we can stop, but so that we can go fast." - Sara Gates
Case Study: Modern IAM Challenge at Attachmate Group
Extending Access Management to BYOD Users
The Attachmate Group Information Technology
- Shared resource among the 4 business units
- Serves 5,000+ regular employees and contractors
- Provides two main employee portals: the legacy innerweb site and the new intranet portal
- Employee access governed by NetIQ technologies: eDirectory, Identity Manager, Access Manager
Access Manager: Securing Our Applications
- Protects 250+ applications: in-house, COTS, SaaS
- Multiple authentication methods
- Hundreds of policies
- Keystone of employee web access
- Significant investment
Mobile Adoption
- Two types of mobile: corporate owned and bring your own device (BYOD)
- Variety of vendors and OS: Apple iOS (57%), Android (26%), other (17%)
- Employees want to use mobile for work tasks
- Key business driver was mobile Salesforce.com access for the worldwide field organization
Access from Mobile Devices
Benefits: bring anywhere, productivity, collaboration
Challenges: typing, navigation on desktop-oriented sites, security
Our Solution: NetIQ CloudAccess 2.1
- Integrated into existing access management infrastructure
- Employees have mobile SSO access to key enterprise applications and SaaS
- Advanced authentication option
Solution Benefits Using CloudAccess
- Typing: persistent login
- Navigation: mobile portal with one-touch SSO; Bookmarks/Favorites page for iOS; widgets for Android
- Security: activity-based PIN; the password is never stored on the device; remote deactivation by employee or administrator
CloudAccess at Attachmate Group
CloudAccess Takeaways
- Integration: relatively easy; no major changes to infrastructure
- Solution: actively used by Attachmate Group; solves real business problems; enhanced productivity
NetIQ CloudAccess
What is CloudAccess?
CloudAccess is an integrated identity and access management (IAM) appliance solution. It delivers what business users want: easy access to SaaS, web and even native mobile apps, and freedom to use mobile devices without the compromises. CloudAccess can run on its own or enhance existing IAM solutions.
Solution: CloudAccess
Access from mobile and to SaaS, with:
- Access logs
- Automated process
- Corporate credentials secured
- Multi-factor authentication
- Single sign-on
- Smart mobile support
IT department concerns addressed: audit logs / compliance, cost, security. Business user concerns addressed: business user experience, business flexibility.
How Does CloudAccess Work?
1. The user launches and authenticates to CloudAccess from mobile, laptop or desktop.
2. CloudAccess validates the user's login with the on-site corporate user store (AD, eDirectory or database).
3. The user is presented with a customized view of available applications, on the device being used.
How Does CloudAccess Work? (continued)
4. The user launches apps with one touch.
5. CloudAccess performs SSO to the organization's apps and the user enjoys immediate SSO access.
6. CloudAccess can also handle provisioning of user accounts, if the target app requires it.
You can also make CloudAccess available to external users (customers, partners) alongside employees and contractors, to give them access to what they need.
What about Securing Sensitive Apps?
- The user launches apps with one touch, just like always.
- CloudAccess can require multi-factor authentication using a variety of methods.
- The user is allowed access after successfully authenticating.
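The broker flow on these slides and the earlier security claims (the password is never stored on the device, MFA step-up for sensitive apps, remote deactivation) modeled as an added Python example. This is not CloudAccess code: the user store, app catalog, user "alice", device ids and the HOTP secret are all constructed, and RFC 4226 HOTP stands in for whatever OTP method the product uses.

```python
import hashlib, hmac, secrets

# Constructed stand-in for the on-premises user store (AD, eDirectory or a database).
# Passwords exist only here, hashed; the broker never forwards one to a device or an app.
def pw_hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt.encode(), 100_000).hex()

def hotp(secret, counter, digits=6):  # RFC 4226, standing in for the deck's "OTP included" factor
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    code = int.from_bytes(mac[mac[-1] & 0x0F:][:4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

USER_STORE = {"alice": {"salt": "s1", "hash": pw_hash("Wint3r!", "s1"), "groups": {"sales", "employees"},
                        "otp_secret": b"12345678901234567890", "otp_counter": 0}}
# Constructed app catalog: (directory group that grants access, whether MFA step-up is required).
APP_CATALOG = {"crm": ("sales", False), "payroll": ("employees", True), "ledger": ("finance", False)}

class Broker:
    def __init__(self):
        self.sessions = {}  # opaque token -> {"user", "device", "mfa"}
    def login(self, user, password, device_id):
        rec = USER_STORE.get(user)
        if rec is None or not hmac.compare_digest(pw_hash(password, rec["salt"]), rec["hash"]):
            return None
        token = secrets.token_urlsafe(32)  # the device keeps this token, never the password
        self.sessions[token] = {"user": user, "device": device_id, "mfa": False}
        return token
    def step_up(self, token, otp):
        s = self.sessions.get(token)
        if s is None:
            return False
        rec = USER_STORE[s["user"]]
        if not hmac.compare_digest(hotp(rec["otp_secret"], rec["otp_counter"]), otp):
            return False
        rec["otp_counter"] += 1  # consume the counter so the same code cannot be replayed
        s["mfa"] = True
        return True
    def launch(self, token, app):
        s = self.sessions.get(token)
        if s is None:
            return "denied: no valid session"
        group, sensitive = APP_CATALOG[app]
        if group not in USER_STORE[s["user"]]["groups"]:
            return "denied: not entitled"
        if sensitive and not s["mfa"]:
            return "mfa_required"
        return f"sso-assertion:{s['user']}@{app}"  # the app receives an assertion, not a password
    def deactivate_device(self, device_id):  # remote deactivation by the employee or an administrator
        for t in [t for t, s in self.sessions.items() if s["device"] == device_id]:
            del self.sessions[t]
```

Group membership in the directory decides entitlement, the sensitive flag forces a second factor before an assertion is issued, and deactivating a lost device invalidates every session it held without touching the user's password.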
Key Features
Modern end-user experience
- One-touch SSO access to SaaS, web and native mobile apps
- Choice of device (iOS, Android or desktop browser)
- BYOID support (Facebook, Google, LinkedIn, etc.)
High security
- No credentials ever leave the enterprise
- Supports multi-factor authentication
- Security-hardened appliance with automated update channel to stay current
Performance, scalability & reliability
- Handles hundreds of authentications per second under sustained load
- Scalable to 50k+ users per cluster
- Clustering support for failover and disaster recovery
Fast and easy setup & management
- Large catalog of pre-made connectors
- Existing directory or database groups define access privileges
- Simple mobile enrollment/management
- Only requires typical administrator skills, not specialized consultants
Customer Benefits
- Powerful and secure SSO to all kinds of apps: SaaS/cloud, internal web, native mobile apps
- Enables secure access from mobile devices
- Protects sensitive apps with multi-factor authentication
- Support for all kinds of users: internal users (employees, contractors), partner organization users (suppliers, distributors), external users (customers, citizens, students)
- Fast and easy setup and management
How is this better than competitive IDaaS solutions?
Several startups have begun selling cloud-hosted IAM solutions ("IDaaS"), offering SSO with quick time-to-value. CloudAccess brings the same benefits, but adds more.
The CloudAccess difference:
- Your corporate credentials never leave the enterprise; cloud-hosted competitors require copying or creating separate credentials
- CloudAccess easily integrates with on-premise resources: Identity Management, Access Management, databases, directories, applications
- You own CloudAccess, for a much lower cost over time
How does it integrate with IAM solutions?
CloudAccess can be easily added to your existing IAM to bring significant new capabilities your users need, without disrupting what you already have.
Add-on to Access Management
- Provides a convenient mobile or desktop SSO launchpad for applications protected by web access management
- Easily extends on-premise access management to cloud/SaaS application targets
- Adds BYOID capabilities for external users
Add-on to Identity Management
- Adds SSO access from desktop or mobile devices to resources provisioned through identity management
New in CloudAccess v2.1
- SSO to any cloud or web application
- Multi-factor authentication: OTP included, optional NAAF integration for many more methods
- Mobile app available for Android
- SSO to native mobile apps
- Support for self-registering external users
- Updated UI, can be branded by customer
- New identity sources supported: JDBC, federated partner
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
Copyright
ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other countries.