The Future of Enterprise Identity Management

Post on 07-Aug-2015


THE FUTURE OF ENTERPRISE IDENTITY MANAGEMENT

Architecting for Identity & Access Management (IAM) in the Cloud

SPEAKERS

Merritt Maxim, Senior Analyst, Security & Risk

David Meyer, Vice President, Product Management

AGENDA

/// INTRODUCTION

/// FORRESTER
General SaaS Trends
Challenges with Traditional On-premise IAM
Recommendations
How to Measure IDaaS Success

/// ONELOGIN
Mobile
On-premises Provisioning
Cloud Directory

/// Q&A

© 2015 Forrester Research, Inc. Reproduction Prohibited 4

Top line growth, not cost savings, is the new priority


The profile of the technology buyer is changing

Source: February 10, 2014, “Understanding Shifting Technology Acquisition Patterns” Forrester report


Summary revenues for cloud platforms, business services, and applications — 2008 to 2020

Source: April 24, 2014, “The Public Cloud Market Is Now In Hypergrowth” Forrester report


Challenges with Traditional On-Premise IAM


History of IAM

Ad-hoc in-house systems: custom web SSO, authz, provisioning . . .

Extended help desk systems and password sync: workflow, attestation — and self-service password reset!

On-premises point solutions: web SSO, feed-based provisioning, RBAC . . .

Access governance: formal processes

Cloud IAM: access mgmt, then ID mgmt


Challenges with traditional on-prem IAM

› High total cost of ownership (TCO)
  › Initial deployment
  › Infrastructure
  › Ongoing maintenance & upgrades

› Inflexible to support emerging enterprise requirements: mobile, SaaS, API

› Inconsistent reporting/dashboards & analytics

Cloud pulls the CISO in many directions

CISO and security organization

Shadow IT: LOB procures cloud services.

Cloud offers significant benefits (financial and operational).

Security struggles to reduce cloud security risks. Data center is now loosely coupled.

CISO can’t say no (all the time).


Cloud apps and the extended enterprise drive the need for cloud IAM

App sourcing and hosting: on-premises enterprise apps, apps in private clouds, apps in public clouds, partner apps, SaaS apps

App access channels: enterprise computers, enterprise-issued devices, personal devices, public computers

User populations: employees, contractors, partners, members, customers


IAM for SaaS applications

IAM as SaaS, aka IDaaS


How to Measure IDaaS Success


Buyers see value in IDaaS

› Lower upfront costs
› Shorter time to implement
› Faster ROI
› Reduced risk
› Greater agility to support business
› Frequent, automatic upgrades


Measuring the success of an IDaaS implementation

Costs
› Subscription fees
› Professional services
› Internal labor

Benefits / Cost Savings
› Users performing self-service – end user productivity improvements
› Re-allocating IT headcount to higher value activities
› Better visibility, reporting & analytics
› Audit remediation avoided
› Detecting unused SaaS users
› Reducing risk of security breaches

ROI of 100%+ over 3 years


Recommendations


Recommendations

› Pitch and deliver benefits to sponsors using metrics they can sell upward

› Assess application coverage and fit of IDaaS vendors
  • SAML integration v. browser form-fill
  • On-prem v. SaaS v. custom apps

› Plan for future IDaaS requirements now
  • Phase 1: SSO & 2-factor authentication
  • Phase 2: Provisioning, access governance, MDM longer-term

› Promote the benefits
  • Important to keep awareness of IAM value high


Manage this handshake: the IDaaS vendor & your org have mutual responsibilities

USE CASES

Mobile Identity and Access
On-Premises Provisioning and Onboarding
Cloud Directory and Directory Consolidation

ENTERPRISE IDENTITY LANDSCAPE

Diagram labels: Firewall; Active Directory; Employees; Mobile Workers; Customers & Partners

USE CASE: Mobile Identity and Access

ON EVERY DEVICE


MOBILE - THE LAST MILE PROBLEM IN SSO

Most mobile apps don’t even support SAML

• Tiny keyboards are incompatible with passwords
• SAML for web + password = #failure

MOBILE - SAML IS NOT THE SOLUTION

The mobile apps that do support SAML

• Clunky SAML handshake that requires the user to authenticate twice
• Sessions not frequently revalidated because of the sign-in complexity

NAPPS

THE NEW STANDARD FOR MOBILE SSO
IN BETA WITH CUSTOMERS & PARTNERS

Designed for Mobile
Standards-Based
Superior User Experience

Major driver in NAPPS specification work
Leverage vendor traction to change the game

WE’VE DONE IT BEFORE

OneLogin SAML toolkits adopted by 300+ ISVs
600+ SAML apps in our catalog

Driving SCIM for user provisioning
Co-authoring NAPPS standard for mobile SSO

Good standards prevail

SAML-based apps integrated with OneLogin

START BUILDING TODAY

Major ISVs & Major Customers Building NAPPS Apps Today

Free Toolkits Available: DEVELOPERS.ONELOGIN.COM

email: napps-info@onelogin.com

MOBILE TRENDS - DEVICES ARE EVERYWHERE

ENDPOINTS ARE THE NEW PERIMETER

Sandy, contractor working at a cafe: MFA required
Rob, sales meetings from the HQ: auto logged-in
Brent, in-person sales meetings at the HQ: no access to Billing, MFA required
Brent, designer working at the HQ: auto logged-in

Finally can manage the actual risk of mobile access

ON EVERY DEVICE

IT Admin: Private Key Protected, Policy Controlled, NAPPS Enabled

Launch any Web app
Launch any Native App
“Push” based OTP

MOBILE TRENDS

• Mobile is becoming the primary mode of work
• The percentage of employees that are full time, in office, is plummeting
• OS vendors are doing more of the heavy lifting for security
• Identity is a growing risk / gap
• Solving identity lets employees do work without risk

USE CASE: On-Premises Provisioning and Onboarding

PROVISIONING TO LEGACY APPS

Diagram labels: 60+ custom fields; Provisioning; Mappings; Rules; Compliance; SAML SSO; Cloud apps; Firewall; Proxy agent; Custom provisioning; SCIM; TLS socket

PROVISIONING POWER
• Org Hierarchy
• Any Custom Attributes
• Proxy Agents
• Custom Schema
• Scriptlets
• Photos

PROVISIONING TRENDS

• On-premise provisioning infrastructure not suitable for cloud
• Increasing desire to “move off” of on-premises pain
• Shift to Workday (SaaS HCM) puts the data in the cloud anyway
• Shift to ServiceNow (SaaS ITSM) demands service activation of cloud apps
• IDaaS is the logical conclusion for SaaS
• IDaaS doing on-premises provisioning makes it complete

USE CASE: Cloud Directory and Directory Consolidation

IDAAS AS METADIRECTORY

Diagram labels: Active Directory Forest A; Active Directory Forest B; OpenLDAP; Workday; Cloud Directory (APIs, LDAP, Policies); Contractors; Partners; Employees; Customers; Custom Apps; On-Prem; Cloud

ALL TYPES OF USERS, ALL TYPES OF APPLICATIONS

No External Directory Required

CLOUD DIRECTORY

EXCITING POSSIBILITIES

DIRECTORY TRENDS

Heterogeneity is the norm

Increasingly users are mastered in the cloud

This allows a modern workplace that is compliant

This allows policy enforcement outside the domain

Q&A

THANK YOU

David Meyer, Vice President, Product Management

david@onelogin.com

@meyerwork

Merritt Maxim, Senior Analyst, Security & Risk

mmaxim@forrester.com

@merrittmaxim