B2C, B2B and B2E: Leveraging IAM to Achieve Real Business Value
IDM, 12th November 2014
Colin Miles, Chief Technology Officer, Pirean
Copyright 2014 Pirean Limited. All rights reserved.

Safe Harbor
All statements other than statements of historical fact could be deemed forward-looking statements, including: any projections of product or service availability, customer or market growth projections, earnings, revenues, or other financial items; any statements regarding strategies or plans of management for future operations; any statements concerning new, planned, or upgraded services or developments; statements about current or future economic conditions; and any statements of belief. Pirean accepts no responsibility or liability for any decisions that you make based on, or influenced by, forward-looking statements. Pirean undertakes no obligation to revise or update forward-looking statements as a result of new information, since these statements may no longer be accurate or timely, except as required by law.
Agenda
1 Understanding IAM: Define the strategic roadmap
2 Plan for success: Marketing IAM to the business
3 Focus on the User Experience
4 Extending the boundaries of IAM with SSO and IDaaS
5 Identity and Access Intelligence
6 Building a better framework for IAM
Introducing Pirean
We are a software enabled consultancy and recognised experts in Identity and Access Management. We enable organisations to provide secure, people-focused access for employees, customers and partners across on-premise and cloud-based applications. With over twelve years of deployment experience, our cross-industry expertise enables us to work with clients to deliver the right balance between rigorous control and enabled delivery. Our solutions portfolio brings together industry leading Security Systems technology with recognised best practice.
1 Understanding IAM: Define the strategic roadmap
Where are we now?
[Figure: layered view of the forces and components around IAM]
Nexus of Forces: CLOUD COMPUTING, MOBILE COMPUTING, BIG DATA, BUSINESS SOCIALISATION
Business Drivers: AGILITY, COLLABORATION, COMPLIANCE, UXP, EFFICIENCY / COST OPTIMISATION, GOVERNANCE
People: CUSTOMERS, COLLEAGUES, PARTNERS
Devices
Identity and Access Management: AUTHENTICATION, AUTHORISATION, USER LIFECYCLE MANAGEMENT, ADAPTIVE ACCESS, PERSONALISATION, FEDERATION / SSO, SELF-SERVICE
USER EXPERIENCE, BUSINESS PROCESS INTEGRATION, TECHNICAL INTEGRATION
Applications and Services
Roadmap and Maturity Model for IAM
[Figure: IAM capabilities plotted from Tactical to Strategic and from Simple to Complex, moving from IT ORIENTED to BUSINESS ORIENTED. Capabilities shown: Password Management, ESSO, Privileged Identity Management, SSO, User Administration & Provisioning, Web Access Management, Identity Analytics, Federation, Identity Governance & Administration.]
Conclusions & Recommendations
- IAM solutions will have wide ranging impact across the organisation;
- IAM solutions are complex with multiple dependencies and risks to be managed;
- The perception of IAM has changed. Technology only views are out-dated;
- Template IAM paths for B2B, B2E and B2C are evolving.
Recommendations:
1. Understand what is achievable based not only on available solutions, but what success should and could look like for your organisation;
2. Regardless of where you are in your IAM journey ensure that the time is taken to define and refine the strategic view; and
3. Articulate the plan clearly to all stakeholders.
2 Plan for success: Marketing IAM to the business
The perception of IAM has changed Security / Control / Compliance Who When New Channels Operational Efficiency Business Agility What How New Services
Themes for IAM programmes today are more diverse Agility Collaboration Consolidation Customer Experience Efficiency Cost Control Expansion Governance Service Optimisation
What do we need to do?
- Identify the stakeholders
- Articulate the business value
- Set realistic and achievable goals
- Seek commitment and active participation
- Communicate openly and clearly
Who are the stakeholders?
- Operations
- Executive Sponsors
- Line of Business Leads
- Data Owners
- System Owners
and who do we need for delivery?
Phase: Design, Build, Systems Integration, Test, Go-live
Who (examples): Business Process Owners, Systems/Application Owners, Data Owners & Executive Sponsors. Data Centre Teams, Network Teams, Information Security, 3rd party suppliers Application owners. Data owners, Subject Matter Experts, Systems Monitoring, Service Desk, HR Operations, User Teams, Test functions BAU Operations
Examples
Conclusions & Recommendations
- Buy-in to the strategic plan for IAM from across the business is essential for the success of the programme. There have been some hard experiences for many past IAM projects when this has been under-scoped;
- Poor governance and poor management contribute to most IAM project failures. Having an executive mandate for the programme, coupled with clear priorities, goals and a proven decision-making process will help avoid gaps in the perception of what is being delivered in terms of cost, function and time.
Recommendations:
1. Determine your business & technology priorities and analyse how well current IAM initiatives are aligned to these items;
2. Identify and engage with all stakeholders to market IAM initiatives;
3. Publish and follow a consistent, clear IAM communications plan.
3 Focus on the User Experience
IAM solutions focus areas
IAM solutions should be built around three core areas of focus:
- User experience: Ensuring a first class user experience for all system touch points. Actively promoting the use of new identity and access services to drive business value.
- Business process integration: Ensuring identity and access is aligned to business processes and can adapt as business requirements change.
- Technical integration: Building the information flows between directories, databases, applications and systems (both on-premise and cloud based) that ensure identity and access controls can be enforced across a heterogeneous estate.
Why is User Experience important?
1. Treat every user as a consumer
2. IAM is a brand opportunity
3. Move from Gatekeeper to Guide
4. Increase service adoption
5. Reduce load on helpdesks / call centres
What makes a good User Experience?
Follow best practice for UX design:
1. Be helpful
2. Be logical
3. Be consistent
4. Keep it brief
User experience - Examples
Conclusions & Recommendations
- IAM is often the first touch-point for a user accessing a service (registration, login) so UX should be a fundamental consideration for any IAM solution design;
- IAM provides an opportunity to build your brand and increase adoption of services; and
- Multiple channels for access and the different demands for different types of user make this a challenge.
Recommendations:
1. Stay ahead of your users: their expectations for UX will be high;
2. Follow best practice steps for good UX design. IAM presents great options for transforming the user experience quickly and at a low cost; and
3. Aim to provide the same experience, regardless of device.
4 Extending the boundaries of IAM with SSO and IDaaS
Approaches for Single Sign-On USERS Employees UIs & DEVICES Terminal Emulators Java TARGETS Mainframe TECHNIQUES ENTERPRISE SSO Partners Thick Client Application Client Application Servers Web Portals WEB SSO Customers Browser Mobile Cloud / SaaS FEDERATED SSO IDaaS
What is IDaaS?
"a predominantly cloud-based service in a multi-tenant or dedicated and hosted delivery model that brokers identity and access functions to target systems on customer's premises and in the cloud." (Gartner)
Functionality will include coverage across:
- Identity Governance and Administration: Lifecycle management of identities and accounts & governing the access request process.
- Access Management: User authentication, SSO and authorisation enforcement.
- Intelligence: Logging IGA and access events.
What benefits can IDaaS deliver?
1. Improve productivity for employees, partners and customers
- Deliver seamless Single Sign-On to SaaS and on-premise web applications;
- Provide a centrally managed, dynamic cross-platform launchpad that allows secure access to your web based applications from any device;
- Deliver best practice processes for user self-service; aiding user productivity and time-to-access.
2. Take control: improve security and gain insight into user access
- Enable and manage secure access to SaaS applications based on existing controls within the enterprise;
- Provide a kill switch to de-provision access for leavers instantly;
- Implement governance over identities and access;
- Support better business decision making with Identity and Access Intelligence.
3. Deliver better services to more users
- Improving business flexibility and agility by delivering access to the next generation of IT services today.
- Encourage service adoption through delivery of a first class user experience and ready-to-use, best-practice IAM journeys;
- Decrease service costs while increasing the speed of deployment for new services.
What can IDaaS provide?
- Enterprise Directory Integration: We onboard users from existing repositories;
- Provisioning: We enable access to SaaS and on-premise applications;
- Single Sign-On: We provide users with access to all services via a single login;
- Strong Authentication: We support integration with the right technologies and processes to verify access on high value / high risk transactions;
- User Self-Care: We provide out-of-the-box support for registration, password management and account management;
- Auditing and Reporting: We demonstrate control over access privileges;
- Extensible and flexible framework: Our plug-in based architecture and highly adaptable workflow engine mean we can quickly adapt to new business and technology demands.
IDaaS as an Integration Layer
An IDaaS service can also be a central point of integration, bringing together users & components across both the enterprise and the cloud. Integrated components cover:
- Users (colleagues, partners, clients, all accessing via different channels)
- Existing and new on-premise enterprise applications
- Cloud based SaaS applications
Example value-add SSO portals The examples above provide an application launch-pad, SSO, access store as well as end user identity and device management screens.
Conclusions & Recommendations
- SSO is a very common use-case within IAM;
- The forces of Cloud, Mobile and Business Socialisation are presenting organisations with new opportunities to deliver SSO in an effective manner.
Recommendations:
1. Identify key target systems (most used, most administrative effort);
2. Evaluate how systems requirements will change;
3. Select the right solutions to meet requirements;
4. IDaaS solutions may be the best fit for internal-to-SaaS scenarios; and
5. Leverage IDaaS for more than SSO alone.
5 Identity and Access Intelligence
Identity and Access Intelligence Basic Model Systems, Applications, Databases & Directories Identity & Access Management Collect Data Cleanse Correlate Classify Information Sort Transform Knowledge IT Business
Identity and Access Intelligence Example: Security Intelligence
IAM and SIEM technologies can complement each other, offering potential enhancements to the solutions provided on both sides. For example:
- IAM provides a context on the user profile to enhance SIEM (identity information and aggregation, roles, access entitlements, account status);
- SIEM provides user activity and resource access monitoring that complements IAM (how are users using the access entitlements that have been granted?);
- Together, IAM and SIEM provide scope for user activity monitoring that goes beyond basic activity monitoring to exception monitoring.
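An added illustration of the IAM and SIEM correlation described above (not part of the original presentation): SIEM activity events are joined to IAM identity context to produce exception findings, and unused entitlements are fed back to IAM. All identities, accounts, entitlement strings and events are constructed sample data, and the function names are hypothetical.

```python
# Constructed IAM export: identity -> status, linked accounts, entitlements.
IAM = {
    "alice": {"status": "active", "accounts": {"asmith", "alice.adm"},
              "entitlements": {"crm:read", "crm:write", "hr:read"}},
    "bob": {"status": "leaver", "accounts": {"bjones"},
            "entitlements": {"crm:read"}},
}

# Constructed SIEM activity events: (account name, resource:action).
EVENTS = [
    ("asmith", "crm:read"),
    ("alice.adm", "finance:read"),
    ("bjones", "crm:read"),
    ("svc-batch", "crm:write"),
]

def account_index(iam):
    """Aggregate accounts to identities (the IAM context a SIEM lacks)."""
    return {acct: ident for ident, rec in iam.items() for acct in rec["accounts"]}

def correlate(events, iam):
    """Return (exceptions, used): exception findings plus access used per identity."""
    idx, exceptions, used = account_index(iam), [], {}
    for account, access in events:
        ident = idx.get(account)
        if ident is None:  # account that no identity owns
            exceptions.append(("orphan_account", account, access))
            continue
        rec = iam[ident]
        used.setdefault(ident, set()).add(access)
        if rec["status"] != "active":  # e.g. a leaver still generating activity
            exceptions.append(("inactive_identity", ident, access))
        if access not in rec["entitlements"]:  # activity beyond what was granted
            exceptions.append(("outside_entitlement", ident, access))
    return exceptions, used

def unused_entitlements(iam, used):
    """Granted but never exercised access: SIEM activity feeding back into IAM."""
    return {ident: sorted(rec["entitlements"] - used.get(ident, set()))
            for ident, rec in iam.items() if rec["status"] == "active"}

if __name__ == "__main__":
    exceptions, used = correlate(EVENTS, IAM)
    for finding in exceptions:
        print(finding)
    print(unused_entitlements(IAM, used))
```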
Identity and Access Intelligence Example: User Tracking
Conclusions & Recommendations
- IAM has traditionally had one customer: IT. This misses the value that IAM can bring to the business;
- Identity and Access Intelligence is about leveraging identity information to enable better business decisions.
Recommendations:
1. Engage with your stakeholders to discuss requirements and opportunities for leveraging identity and access data to meet business focussed objectives;
2. Identify the repositories to mine information regarding identifiers, credentials, attributes, policies, rules, roles, entitlements, events, status and access; and
3. Implement the structured, formal processes to supply the business with identity enriched information on who/what/when/where and why.
6 Building a better framework for IAM
There is a lot to cover
What is the best approach?
Key questions:
- How can we avoid becoming locked-in to individual technologies or suites?
- How can we adopt best-of-breed today and retain flexibility for tomorrow?
- How do we do this without disrupting the user experience?
We need a framework that will:
1. Support seamless integration of the right technology at the right time;
2. Allow swap-in / swap-out when changes are needed;
3. Remain current with business requirements and be able to integrate with changing business processes; and
4. Not disrupt the consumer: make sure that the User Experience is a constant.
Example: IAM as a framework Build a framework for IAM. Utilise plug-in architectures and workflow to aid integration but retain loose coupling / high cohesion on individual components.
Conclusions & Recommendations
- The IAM market is evolving as new demands shape new solutions, driving innovation and requiring new approaches;
- While deployment of IAM solutions remains a complex, multi-dependency undertaking, customers need to be wary of solution inertia leading to stagnation.
Recommendations:
1. IAM services should be built upon a framework, building value in phases and aligning to a strategic plan while remaining adaptable for the unknown;
2. Plug-in architectures and approaches enable loose coupling of components and encourage adoption of best-of-breed software & services;
3. Workflow engines provide the flexibility needed for integration of both technology and business process at the right points; and
4. The user experience should remain your constant concern.
Summary
1 Understanding IAM: Define the strategic roadmap
2 Plan for success: Marketing IAM to the business
3 Focus on the User Experience
4 Extending the boundaries of IAM with SSO and IDaaS
5 Identity and Access Intelligence
6 Building a better framework for IAM
Thank you
Pirean, and the Pirean logo are registered trademarks of Pirean Limited. pirean.com