Post on 15-Jul-2015
© 2015 IBM Corporation
Managing Identity from the Cloud: Transformation Advantages at VantisLife Insurance
Eric Maass, Director, IAM Strategy, IBM
Jim Lovelace, VP of IT, VantisLife Insurance Co.
Trends
Evolutionary Themes of IAM (Traditional View -> Modern View)
• Technical Scope of IDM and WAM -> IDM, WAM, IGA, PIM, Federation, Intelligence, etc.
• IAM as a Tool of Policy Enforcement -> IAM as a Tool of Compliance and Intelligence
• IAM as a Project -> IAM as a Program
• IAM as a Cost of Doing Business -> IAM as a Business Differentiator
• IAM Infrastructure and Expertise On-Premise -> IAM in the Cloud
Evolutionary Shift of IAM
IAM is shifting to become an ongoing program that delivers intelligence, meets regulatory compliance requirements, adds value differentiation, and unburdens the organization.
Expanding Ecosystem of Identities and Assets
(Diagram: Identity Management and Access Management now span both people and assets, including suppliers, vendors, and resellers; partners and channels; social sites and identities; on-premise applications; SaaS, PaaS, and IaaS; and mobile devices, apps, and identities.)
Challenges Our Clients Are Facing
• Constrained Budgets
– Lack of funding, newly constrained IT budgets
• Limited Deployment Windows / Dependent Project Schedules
– Necessity to deploy quickly; dependent project schedules being held up on IAM
• Difficulty Acquiring and Retaining Specialized Skills
– Limited availability of specialized skills in high-end IAM product suites; certification, training, and retention
• Falling Behind on Product Versions
– Inability to keep up with upgrades, patches, and general lifecycle challenges
• Inability to Integrate Assets Quickly & Remain Agile
– Growing portfolio of assets, slow to integrate
• Lack of Stability and Operations Management
– Difficulty stabilizing infrastructure, tuning, and providing transparent high-quality service levels
Overview of Cloud Identity Services
IBM Cloud Identity Services – What Is It?
• The IBM Cloud Identity Services provide clients with a unique way to acquire Identity and Access Management technologies – as a multi-tenant service, offered from the public cloud.
• The IBM Cloud Identity Services are based upon IBM’s market-leading IAM software products (e.g. ISAM, ISIM, FIM, etc), providing clients with enterprise class IAM capabilities in a cost-effective, timely, and agile cloud delivery model.
Cloud Identity Services
IBM Cloud Identity Services - Tackling Our Clients’ Most Critical Challenges
• Reduce total cost of ownership: reduce ownership costs over on-premises infrastructure
– Infrastructure (hardware, software)
– Personnel costs
– Maintenance, operations, support
– Soft costs (opportunity, agility, etc.)
• Improve agility and flexibility: enable the ability to act and respond more quickly and nimbly
– Policy and process changes
– Asset integration
• Expedite deployment: get our clients to their desired end state more quickly
– Start-up time / time-to-value
– Upgrade and maintenance lifecycle
– Dependency value
• Reduce skills requirements: reduce the need for specialized skills
– Acquisition
– Training
– Retention
Full spectrum of IAM capabilities delivered from the Cloud
• Identity Management: user provisioning; automated lifecycle management; user self-service; role governance and compliance
• Access Management: web single sign-on; centralized access control policy; strong authentication
• Identity Federation: federated SSO; business-to-business federation
Key Statistics
• 14M+ users
• 57+ countries of user origin
• Millions of hourly transactions
• Enterprise, B2B, and B2C users
IBM Cloud Identity Service at a glance
Capabilities and Technology
• Comprehensive Cloud-based IAM solution built upon IBM’s best-in-class IAM software
• Global delivery capabilities provided by IBM’s market leading Managed Security Services
• Unlike competitive cloud IAM services, IBM’s Cloud Identity Service provides deep functionality for enterprise clients
• Automation and templates result in rapid integration and faster time to value
IBM’s Cloud Identity Service provides a less expensive and faster-time-to-value alternative to traditional IAM deployments
IAM from the Cloud
Cloud Identity Services
IBM Cloud Identity Services can be utilized to outsource an organization’s full or partial
IAM infrastructure to the cloud
Eliminates the need for the client to deploy and maintain on-premise IAM
infrastructure.
Can integrate with enterprise applications and directories, providing equivalent
capabilities of market-leading IAM software suites.
Attractive to clients who are looking to minimize costs, time to deployment, improve
organizational agility, reduce in-house specialized skills, and plan with greater
confidence.
Attractive to green-field deployments of IAM or migrations (moving clients from
their on-premise IAM infrastructure, regardless of vendor, to the cloud).
IAM for Cloud, Mobile, and Social
Cloud Identity Services
IBM Cloud Identity Services can be utilized to bridge / extend client IAM infrastructure to
new cloud, mobile, and social use cases.
Enables clients to extend existing IAM infrastructure for new cloud, mobile, or
social use cases without the need to rip-and-replace on-premise IAM infrastructure.
Provides a cost-effective and timely solution for clients looking to garner new value
from their existing IAM infrastructure or the IBM Cloud Identity Services platform.
A New Unified and Integrated Service Management Strategy
• Globally Integrated Management
• Global Infrastructure Platform
– IBM SoftLayer
• Unified Software Development Lifecycle Management
– IAM Software Development
– Cloud Identity Services Software Development
• Professional Services
– IBM Global Technology Services
(Diagram: Infrastructure: compute, storage, networks, cloud IaaS. Software: IAM software, development, testing, quality / certification. Services: delivery, operations, support, project management.)
IBM Global and Integrated Management
IBM is able to offer a completely horizontally and vertically integrated set of services spanning infrastructure, software, and services due to the acquisition of Lighthouse Security Group, while strategically integrating the company’s people and assets into IBM’s Global Technology Services (GTS) and Software Group (SWG).
Capabilities and Technology Overview
Capabilities - High Level Overview of the Strategic Platform
• Identity Management
  – User Provisioning (70+ app / protocol connectors)
  – Identity Lifecycle Automation
  – Self Service: user registration, password reset, username recovery, profile management, delegated user management, access request & approval, recertification approval
  – Identity Governance: dynamic role provisioning, recertification, approval workflow
• Audit & Reporting
  – Ad-Hoc Reporting: 100+ audit event types; graphical, text, and drill-down; report scheduling
  – Audit Feed: semi-real-time audit event data feed to the client SIEM or RDBMS
• Web Access Management
  – Authentication: UID/PW forms, Basic Auth, X.509, and others out of the box (OOTB)
  – Single Sign On (SSO): SSO via HTTP headers, Kerberos, PKI X.509, credential vault, and others OOTB
  – Authorization: group, role, and attribute based authorization policies; URL stateful inspection by proxy
• Federation
  – IdP and SP capabilities
  – SSO to SaaS applications and private 3rd parties
  – Federated provisioning with 3rd parties
  – Security Token Service (STS) for credential issuance, validation, and exchange: SAML, WS-Fed, OAuth, OpenID, and others
  – Social network federation (Facebook, Google+, Twitter, etc.)
• API and Misc.
  – REST API provides programmatic access to all functions of the service (e.g. user, role, and policy management)
  – API supports native mobile app integration
  – Akamai Edge Network integration support
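The "SSO via HTTP headers" item above describes the usual WAM pattern: the reverse proxy authenticates the user and asserts the identity to the backend application in request headers. The security-relevant point is the trust boundary: the backend must honour those headers only when the request demonstrably came through the proxy, and the proxy must strip any identity headers a client tries to smuggle in. The following is an added example, not IBM's or the product's code; the header names and the shared junction secret are assumptions for illustration (a real junction would use mTLS or the product's own mechanism), and the request shown is constructed.

```python
"""Added example (not IBM's or Vantis' code): the trust boundary for
header-based SSO behind a web access management (WAM) reverse proxy.
Header names and the junction secret are assumptions for the example."""
import hashlib
import hmac

# Assumed header names (not taken from the page or any product).
USER_HEADER = "X-Proxy-User"
GROUPS_HEADER = "X-Proxy-Groups"
JUNCTION_HEADER = "X-Junction-Auth"

# Constructed shared secret between proxy and backend (assumption).
JUNCTION_SECRET = b"constructed-junction-secret"


def _junction_tag(user: str, groups: str) -> str:
    """Keyed MAC over the asserted identity, proving it was set by the proxy."""
    msg = f"{user}\n{groups}".encode()
    return hmac.new(JUNCTION_SECRET, msg, hashlib.sha256).hexdigest()


def proxy_forward_headers(client_headers: dict, user: str, groups: list) -> dict:
    """Headers the proxy sends upstream after authenticating the user.

    Any identity or junction headers supplied by the client are dropped
    (case-insensitively), then the proxy's own assertion and tag are added.
    """
    reserved = {USER_HEADER.lower(), GROUPS_HEADER.lower(), JUNCTION_HEADER.lower()}
    upstream = {k: v for k, v in client_headers.items() if k.lower() not in reserved}
    upstream[USER_HEADER] = user
    upstream[GROUPS_HEADER] = ",".join(groups)
    upstream[JUNCTION_HEADER] = _junction_tag(user, upstream[GROUPS_HEADER])
    return upstream


def backend_identity(headers: dict):
    """Return (user, groups) only if the identity carries a valid junction tag.

    Returns None for requests that bypassed the proxy or whose identity
    headers were altered after the proxy set them.
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    user = lookup.get(USER_HEADER.lower())
    groups = lookup.get(GROUPS_HEADER.lower(), "")
    tag = lookup.get(JUNCTION_HEADER.lower())
    if user is None or tag is None:
        return None
    expected = _junction_tag(user, groups)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return user, [g for g in groups.split(",") if g]


# Constructed request: a client tries to smuggle an admin identity in.
spoofed_client_headers = {
    "Host": "agentweb.example",
    "X-Proxy-User": "admin",
    "X-Proxy-Groups": "administrators",
}

if __name__ == "__main__":
    # Straight to the backend, bypassing the proxy: rejected.
    print(backend_identity(spoofed_client_headers))
    # Through the proxy: smuggled headers replaced by the authenticated identity.
    forwarded = proxy_forward_headers(spoofed_client_headers, "agent42", ["brokers"])
    print(backend_identity(forwarded))
```

The backend check fails closed: a request that reaches the application without the proxy's tag, or with a tag that no longer matches the identity headers, yields no identity at all rather than a partially trusted one.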
Web Access Management and Federation Use Cases
Identity Management Use Cases
Cloud Data Center Operations
On-Board Services Methodology: repeatable processes for onboarding enterprise customers
IBM Cloud Identity Services Framework Strategy
(Platform layers, from the underlying product up:)
• IBM Security Identity & Access Management Platform Technology
• Middleware Automation and Multi-tenancy (compilers, rules engines, controllers, logical and physical asset management, integration layer, data access layer)
• Governance and Self Service Software (Web Administration Console: J2EE and Flash / Flex UI; self service apps: portal, registration, password reset, and username recovery)
• Advanced Point-and-Click Governance
Deployment Highlights
• Public Cloud
– By default, IBM Cloud Identity Services is offered as a “Public Cloud” offering, meaning clients connect to it over the network (e.g. site-to-site VPN and/or WAN connections) and simply use its services remotely.
• Multi-Tenant
– By default, nearly all components of the IBM Cloud Identity Service are offered in a multi-tenant manner. This means:
  • Clients have their own logical instances of services; they share physical instances of hardware and base software with other clients, leading to economies of scale.
  • Client data will coexist on physical hardware, but it is logically isolated, and access controls prevent commingling or bleed-over between tenants.
  • Clients may select optional subscription services that give them completely separate (dedicated) LDAP directories where coexistence with other clients’ directory data is not acceptable.
  • Certain optional components of the system may only be deployed in a single-tenant fashion for scale, security, or other reasons.
• Integration with On-Premise IAM
– The IBM Cloud Identity Service may be used completely independently of any other IAM system, as is the case with most client deployments; however, clients may also opt to integrate the service with one or more existing on-premise IAM products or services (e.g. the Cloud Identity Service may integrate with an on-premise IDM platform to consume identity data as a Source of Record).
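"Logically isolated" with "access controls" is the load-bearing phrase in the multi-tenant bullet above. What it has to mean in practice is that the tenant scope of every read and search comes from the authenticated session, never from an identifier in the request, so a caller who names another tenant's object fails closed and the attempt is recorded. The following is an added example of that pattern, not IBM's code and not a description of how the service itself is implemented; the tenants, users, and attributes are constructed.

```python
"""Added example (not IBM's code): tenant-scoped access to a shared
identity store. Tenant names, users and attributes are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Result of authenticating an administrator of exactly one tenant."""
    tenant_id: str
    subject: str


class CrossTenantAccess(PermissionError):
    pass


class SharedIdentityStore:
    """One physical store holding many tenants' records."""

    def __init__(self):
        # The key includes the tenant, so equal uids in two tenants never collide.
        self._users = {}
        self.audit = []  # constructed stand-in for the audit event feed

    def add_user(self, tenant_id, uid, attrs):
        self._users[(tenant_id, uid)] = dict(attrs)

    def get_user(self, session, uid, tenant_id=None):
        """Fetch a user, scoped to the caller's own tenant.

        tenant_id models a request that explicitly names a tenant (for
        example in a URL path). It is honoured only when it equals the
        session's tenant; anything else is refused and logged, not silently
        redirected to the caller's tenant.
        """
        if tenant_id is not None and tenant_id != session.tenant_id:
            self.audit.append(("DENY", session.tenant_id, session.subject, tenant_id, uid))
            raise CrossTenantAccess(f"{session.tenant_id} may not read {tenant_id}")
        self.audit.append(("READ", session.tenant_id, session.subject, session.tenant_id, uid))
        return self._users.get((session.tenant_id, uid))

    def search(self, session, attr, value):
        """Attribute search that can only ever return the caller's tenant's users."""
        return sorted(uid for (tenant, uid), rec in self._users.items()
                      if tenant == session.tenant_id and rec.get(attr) == value)


def build_sample_store():
    """Constructed data: two tenants that both have an agent with uid 'jsmith'."""
    store = SharedIdentityStore()
    store.add_user("vantis", "jsmith", {"mail": "jsmith@broker-a.example", "role": "agent"})
    store.add_user("othercorp", "jsmith", {"mail": "jsmith@other.example", "role": "admin"})
    store.add_user("othercorp", "adoe", {"mail": "adoe@other.example", "role": "agent"})
    return store


if __name__ == "__main__":
    store = build_sample_store()
    vantis_admin = Session(tenant_id="vantis", subject="it-admin")
    print(store.get_user(vantis_admin, "jsmith"))       # the vantis jsmith only
    print(store.search(vantis_admin, "role", "agent"))  # ['jsmith']; adoe is invisible
    try:
        store.get_user(vantis_admin, "adoe", tenant_id="othercorp")
    except CrossTenantAccess as exc:
        print("refused:", exc)
```

The same shape applies whether the store is an RDBMS table with a tenant column or a shared LDAP tree with a per-tenant base DN: the scope is fixed by the session before the query is built, and the audit record of the refused cross-tenant call is what the SIEM feed mentioned earlier would carry.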
Client On-Ramp Process
• Client On-Ramp Guide / Master Design Artifact (MDA)
– Defines the process
– Orients stakeholders
– Educates the client on system capabilities and options
– Captures client configuration choices
– Captures client sign-off incrementally during the process
Client On-Ramp Goals
• Educate the Client
• Clients must be educated on system capabilities, limitations, and
options to ensure they are a long-term, satisfied subscriber.
• Set Expectations
• Clients must be given a clear set of expectations including time-frame
and responsibilities.
• Coordinate All Stakeholders
• Clients must have clear insight into stakeholders, their roles, and
impact to the project.
• Control the Process
• The process must be controlled in a manner that is proven and has
risk mitigation embedded.
• Expedite Delivery of Services
• The ultimate goal is to bring the client live as quickly and safely as
possible.
Comprehensive Master Design Artifact (MDA)
A comprehensive Master Design Artifact (MDA) guide within the On-Ramp process captures all details regarding the client’s Cloud Identity Service configuration. Education along the way ensures the client understands their options and system capabilities. Sign-offs ensure agreement and the ability to move ahead.
Education and Workbook Exercises
The guide provides client education on system capabilities, followed by workbook exercises to capture the client’s desired configurations. IBM staff configuration-manage the workbook and all selected options.
Incremental MDA Sign-Off
Clients “sign off” on chosen configuration options along the way to ensure:
• The client understands the options chosen
• IBM and the client are in agreement
• Progress on configurations can be carried out incrementally and rapidly
The sign-off process also protects the client and IBM from thrashing (changes in configuration) during the on-ramp.
Operations
Highly Available Services
• Highly Available
– All IBM Cloud Identity Services are designed for High Availability, with redundancies including:
  • Clustered applications
  • Dual network paths (bonded NICs)
  • RAID storage arrays / SANs
  • Replicated LDAP servers
  • Clustered RDBMS
  • Multiple ISP paths
• Disaster Recovery
– All IBM Cloud Identity Services are replicated daily to off-site warm-standby Disaster Recovery (DR) systems, including:
  • Full system VMs
  • Configuration data
  • Identity data
  • Event and audit log data
– Note that a daily replication interval bounds the recovery point at up to one day: identity, configuration, and audit-log changes made since the last replication may be lost in a failover, so clients should weigh this against their own recovery point objective.
• Uptime
– The IBM Cloud Identity Services are designed for 99.9% or greater uptime.
IBM Cloud Identity Services Locations
• Sites: Stamford, CT; Dallas, TX; San Jose, CA; London, UK; Paris, France
Client Experience – VantisLife Insurance Company
Who is Vantis Life?
• Life insurance and annuities through financial institutions
• $5 billion of life insurance in force
• $900 million in assets
• Vantis products sold by appointed bank and credit union
employees
• 85% of business processed through web-based broker-agent
portal
Our Challenges
• VantisLife experienced significant growth from 2004 through 2007, driving the organization to change a number of ways it did business.
• Because the web accounts for Vantis’ most significant route to market, many of these changes in business process, tooling, and capabilities centered around Information Technology and our web presence.
• Vantis’ business is largely broker-based, requiring broker agents to book and manage business (e.g. policies) through Vantis’ agent portal.
– Growth from 30 bank/credit union partners in CT to 100+ nationwide
– Growth from 300 broker / agent users to more than 5,000 institutional users
• Supporting conventional IAM around Vantis’ agent portal was becoming laborious, consuming both time and limited IT resources:
– Manually provisioning agent accounts
– Managing credentials manually
– Granting application access
– Maintenance of the organically built IAM environment
– Authentication: labor intensive
– Buried in forms, paperwork, timeliness
Challenges – continued
• Tooling and Efficiency
• Vantis determined it needed a smarter approach to IAM
• New approach required:
– Less manual process and overhead on limited IT staff
– Ability to delegate certain identity functions to brokers and agents
(e.g. Self Registration, Password Reset, Account Management).
– Ease of implementation – no sharp learning curve or long-term
overhead for on-going skills and management of the IAM system.
• Security and Compliance
• Height of financial crisis – 2008 timeframe
• Vantis’ larger banking partners were becoming increasingly
sensitive to IT measures around security and compliance.
• Vantis wished to strategically position itself to be ready for
increased focus on security, compliance, and potential new
regulatory measures.
Decision-Making Process
• Vantis considered a number of options to address its strategic initiative of increasing security and compliance, as well as IAM tooling and efficiency:
– Organically Built IAM: continue with the organic IAM software strategy; build and maintain in-house
– Traditional IAM Deployment: procurement, build-out, and management of a commercial vendor on-premise IAM solution
– Cloud IAM: procurement and integration with a cloud-based IAM solution
• Vantis had previously built an organic IAM solution consisting of various capabilities:
– Authentication and Authorization
– User and Group Management
– Single Sign-On (SSO)
• Vantis weighed its options regarding organic, traditional commercial deployment on-premise, and cloud (Software-as-a-Service)
Our Solution
• Vantis determined its values for a next generation IAM system would be:
– Total Cost of Ownership (TCO): Vantis was seeking a cost-effective approach to IAM that enabled the business to achieve enterprise-grade IAM while doing so on a budget
– Skills: Vantis was seeking a solution that would not force an investment in on-staff skills in complex IAM technologies
– Time-to-Deployment: Vantis had a critical time-frame, with two large banking relationships dependent upon the availability of its new IAM platform
– Security: Vantis was seeking a solution that could raise the bar in its security and compliance standards, which was being sought by the company’s banking partners
– Scalability: Vantis was seeking a solution that would easily grow with its rapidly expanding business, including both technical scale and the availability of features/functions that may become necessary as its business needs expanded
• Engaged IBM (formerly Lighthouse Security Group) for a security review
– State of existing technology: effectiveness of controls in authentication, authorization, auditing, and identity/credential management
• Made the decision to go with IBM Security Access Manager for Web (formerly Tivoli Access Manager for e-Business) and Tivoli Federated Identity Manager
• Made the decision to augment the IBM software with a cloud solution (IBM Cloud Identity Service)
– Provided the added benefits of lower TCO, a lesser on-staff skills requirement, and quicker time-to-deployment
– Three (3) years of cloud services were deemed less expensive than the initial on-premise deployment
Our Solution – continued
• Vantis Internal Discussions and Decision Criteria:
– Concerns regarding being an early adopter: IBM Cloud Identity Service (formerly Lighthouse Gateway) had only just launched
– Was the cloud secure?
– With heightened sensitivity to security (height of financial crisis), how would our partners perceive our decision? Impact for new banking partners as well as review of our strategic shift to cloud for existing partners
– Concerns regarding how our external auditors might evaluate a decision to use cloud IAM
– Requirement for Vantis key decision makers (COO and VP of IT) to achieve buy-in on a cloud IAM strategy from its Board of Directors
Cloud Identity Services
Our Deployment Experience
• Contract Process Considerations
– Service Level Agreements
– Out-Year Affordability: post initial three year term cost considerations
– Data Privacy: controls, policies, and measures in the subscription agreement
• Deployment Process
– Deployed in six weeks, contract signing to go-live
– IBM / Lighthouse professional security services performed integration and configuration work in cooperation with Vantis’ application owners:
  • Branding / look-and-feel for user-facing web pages of the system (e.g. login, self service, etc.)
  • Integration of Vantis’ initial top 3 web applications
  • Testing: functional and regression
  • User experience planning, e.g. initial self registration of all broker agents
• Seamless transition for all users
– Necessity to have a smooth on-boarding process for brokers: simple to use, self explanatory… just plain works!
– Provided a better experience for our users
Expansion of Services
• B2C Expansion
– Vantis had initially launched its IBM CIS (Lighthouse Gateway) services for B2B: its broker agents
– Vantis had top-down direction to begin supporting B2C use cases with its web presence (e.g. selling direct to consumer)
– Vantis quickly deployed a secondary instance of the IBM Cloud Identity Service for its consumer-facing web applications and users:
  • Policy Quoting
  • Application Process
  • Limited Account / Policy Maintenance
• Federated SSO Use Case Expansion – Quicklife
– Vantis had requirements to expand its IAM solution to begin supporting federated use cases with a multi-partner quoting platform (Quicklife)
– Vantis needed to establish the ability to act as a federated Service Provider (SP):
  • Ability to seamlessly provide quotes into the third-party quoting platform (Quicklife)
  • Ability to seamlessly allow Quicklife agents to SSO into the Vantis agent portal (Agentweb) to continue the policy booking process
  • Ability to support all federated use cases with standard SAML assertions and protocol
– Easy implementation
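Acting as a SAML Service Provider, as in the Quicklife use case above and the federation capabilities listed earlier (IdP and SP roles, SAML assertions via the STS), means the SP side has to do more than verify the IdP's XML signature: it must also enforce the assertion's conditions, or a valid assertion meant for another partner, an expired one, or a replayed one would log an agent into the portal. The following is an added example of those SP-side checks; it is not code from IBM, VantisLife, Quicklife, or the Cloud Identity Service. Signature verification (XML-DSig over the Assertion) requires an xmlsec-based library and is assumed to have already passed before this function runs. The entity IDs, URLs, timestamps, and the sample Response are constructed.

```python
"""Added example (not IBM, VantisLife or Quicklife code): SP-side checks
on a SAML 2.0 bearer assertion after its XML signature has been verified.
Entity IDs, URLs, times and the sample Response are constructed."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed SP configuration (constructed values, not from the page).
SP_ENTITY_ID = "https://agentweb.example/sp"
SP_ACS_URL = "https://agentweb.example/sp/acs"
TRUSTED_IDP = "https://quoting.example/idp"
CLOCK_SKEW = dt.timedelta(minutes=2)


class SamlValidationError(Exception):
    pass


def parse_time(value):
    """xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            continue
    raise SamlValidationError(f"bad timestamp {value!r}")


def validate_assertion(response_xml, outstanding_requests, seen_assertion_ids, now):
    """Return (NameID, attributes) if every SP-side check passes, else raise.

    outstanding_requests: AuthnRequest IDs this SP issued and has not consumed.
    seen_assertion_ids: assertion IDs already accepted (replay defence).
    Both sets are mutated only on success.
    """
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("response status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # an EncryptedAssertion would need decrypting first
        raise SamlValidationError("no plaintext assertion")
    if assertion.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        raise SamlValidationError("untrusted issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    if now + CLOCK_SKEW < parse_time(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if now - CLOCK_SKEW >= parse_time(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("assertion not addressed to this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        raise SamlValidationError("Recipient is not this SP's ACS URL")
    if scd.get("InResponseTo") not in outstanding_requests:
        raise SamlValidationError("unsolicited or replayed response")
    if now - CLOCK_SKEW >= parse_time(scd.get("NotOnOrAfter")):
        raise SamlValidationError("subject confirmation expired")
    if assertion.get("ID") in seen_assertion_ids:
        raise SamlValidationError("assertion replayed")
    outstanding_requests.discard(scd.get("InResponseTo"))  # request ID is one-time use
    seen_assertion_ids.add(assertion.get("ID"))
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs


def try_validate(response_xml, outstanding_requests, seen_assertion_ids, now_str):
    """Wrapper returning the result tuple, or the rejection reason as a string."""
    try:
        return validate_assertion(response_xml, outstanding_requests,
                                  seen_assertion_ids, parse_time(now_str))
    except SamlValidationError as exc:
        return str(exc)


# Constructed sample Response, as the IdP would POST it to the SP's ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" InResponseTo="_req1" Version="2.0" IssueInstant="2015-07-15T12:00:00Z">
  <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-07-15T12:00:00Z">
    <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
    <saml:Subject><saml:NameID>agent42@broker.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="_req1"
          NotOnOrAfter="2015-07-15T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2015-07-15T11:59:00Z" NotOnOrAfter="2015-07-15T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="role">
      <saml:AttributeValue>agent</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    pending, seen = {"_req1"}, set()
    print(try_validate(SAMPLE_RESPONSE, pending, seen, "2015-07-15T12:01:00Z"))   # accepted
    print(try_validate(SAMPLE_RESPONSE, {"_req1"}, seen, "2015-07-15T12:01:00Z"))  # replayed
    print(try_validate(SAMPLE_RESPONSE, {"_req1"}, set(), "2015-07-15T12:20:00Z"))  # expired
```

The order of checks matters less than their completeness: issuer, audience, recipient, the two validity windows (with a small clock-skew allowance), the InResponseTo binding to a request this SP actually issued, and the one-time use of both the request ID and the assertion ID together close off the cases that a signature check alone does not.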
Future Enhancements
• Enhanced Self Service
– Delegated User Administration
  • Leveraging the Cloud Identity Service (CIS) Self Service Portal’s delegated user administration functions
  • Allowing “power users” at brokers to manage their own VantisLife agent users on our system
– Self Service Access Request
  • Leveraging the CIS Self Service Portal to enable agents to electronically request access to applications and/or application roles within the VantisLife portfolio of web apps
• Identity Governance
– Recertification
  • Leveraging CIS recertification capability to begin pushing agents through an electronic access recertification process
An Early Success
• Utilizing IBM’s Cloud Identity Service, VantisLife was able to:
– Deploy an enterprise class IAM solution in under six weeks
– Avoid significant costs traditionally associated with IAM platforms
– Keep its IT staff focused on projects that enable VantisLife to be a competitive life insurance company
– Provide its users with an intuitive, easy-to-use platform to manage their identities and associated access to VantisLife applications
– Position the company for future growth, including the ability to rapidly “turn on” new IAM capabilities as demand requires
– Help “future-proof” the company’s compatibility with emerging technologies, standards, and regulatory requirements
Engaging
Engagement Process
Initial Scoping
• Client provides IBM with an overview of project requirements.
• IBM provides client with education on Cloud Identity Services features and capabilities.
• IBM performs initial scoping of required features, user counts, integrated applications, and options.
Non-Binding Initial Estimate
• Estimate of project costs (including services and subscription) based upon initial scoping.
• IBM may present estimates as a range along with other information to help the client understand potential drivers in the estimate.
SOW Scope Workshop
• If the provided estimate is acceptable to the client, IBM will perform a SOW Scope Workshop.
• A half-to-full day workshop is performed at the client site with key stakeholders to drill into project specifics.
• The workshop is intended to allow IBM to produce a detailed SOW and refined pricing information.
SOW
• An executable SOW is drafted and delivered to the client, along with any Terms and Conditions, for signature.
Questions and More Information
• Contact:
• IBM Security
– Eric Maass
Director, IAM Strategy
emaass@us.ibm.com
– Ed Terry
Cloud Identity Sales Leader
eterry@us.ibm.com
On the web: http://www-935.ibm.com/services/us/en/it-services/security-services/cloud-identity-service/
Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or
transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been
reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM
shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY,
EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF
THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT
OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the
agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without
notice.
Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not
necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither
intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Notices and Disclaimers (con’t)
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products in connection with this
publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any
IBM patents, copyrights, trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document
Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand,
ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™,
PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®,
pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®,
urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of
International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on
the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
Thank You. Your Feedback is Important!
Access the InterConnect 2015 Conference CONNECT Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.