The Future of Enterprise Identity Management

Transcript of The Future of Enterprise Identity Management

Page 1: The Future of Enterprise Identity Management

THE FUTURE OF ENTERPRISE IDENTITY MANAGEMENT

Architecting for Identity & Access Management (IAM) in the Cloud

Page 2: The Future of Enterprise Identity Management

SPEAKERS

Merritt Maxim, Senior Analyst, Security & Risk

David Meyer, Vice President, Product Management

Page 3: The Future of Enterprise Identity Management

AGENDA

/// INTRODUCTION

/// FORRESTER
• General SaaS Trends
• Challenges with Traditional On-premise IAM
• Recommendations
• How to Measure IDaaS Success

/// ONELOGIN
• Mobile
• On-premises Provisioning
• Cloud Directory

/// Q&A

Page 4: The Future of Enterprise Identity Management

© 2015 Forrester Research, Inc. Reproduction Prohibited 4

Top line growth, not cost savings, is the new priority

Page 5: The Future of Enterprise Identity Management

The profile of the technology buyer is changing

Source: February 10, 2014, “Understanding Shifting Technology Acquisition Patterns” Forrester report

Page 6: The Future of Enterprise Identity Management

Summary revenues for cloud platforms, business services, and applications — 2008 to 2020

Source: April 24, 2014, “The Public Cloud Market Is Now In Hypergrowth” Forrester report

Page 7: The Future of Enterprise Identity Management

Challenges with Traditional On-Premise IAM

Page 8: The Future of Enterprise Identity Management

History of IAM

Ad-hoc in-house systems

Custom web SSO, authz, provisioning . . .

Extended help desk systems and password sync

Workflow, attestation — and self-service password reset!

On-premises point solutions

Web SSO, feed-based provisioning, RBAC . . .

Access governance

Formal processes

Cloud IAM

Access mgmt, then ID mgmt

Page 9: The Future of Enterprise Identity Management

Challenges with traditional on-prem IAM

› High total cost of ownership (TCO)
  › Initial deployment
  › Infrastructure
  › Ongoing maintenance & upgrades
› Inflexible to support emerging enterprise requirements:
  › Mobile, SaaS, API
› Inconsistent reporting/dashboards & analytics

Page 10: The Future of Enterprise Identity Management

Cloud pulls the CISO in many directions

CISO and security organization

• Shadow IT
• LOB procures cloud services.
• Cloud offers significant benefits (financial and operational).
• Security struggles to reduce cloud security risks.
• Data center is now loosely coupled.
• CISO can’t say no (all the time).

Page 11: The Future of Enterprise Identity Management

Cloud apps and the extended enterprise drive the need for cloud IAM

• App sourcing and hosting: SaaS apps, Partner apps, Apps in public clouds, Apps in private clouds, On-premises enterprise apps
• App access channels: Enterprise computers, Enterprise-issued devices, Personal devices, Public computers
• User populations: Employees, Contractors, Partners, Members, Customers

Page 12: The Future of Enterprise Identity Management

IAM for SaaS applications

Page 13: The Future of Enterprise Identity Management

IAM as SaaS, aka IDaaS

Page 14: The Future of Enterprise Identity Management

How to Measure IDaaS Success

Page 15: The Future of Enterprise Identity Management

Buyers see value in IDaaS

› Lower upfront costs
› Shorter time to implement
› Faster ROI
› Reduced risk
› Greater agility to support business
› Frequent, automatic upgrades

Page 16: The Future of Enterprise Identity Management

Measuring the success of an IDaaS implementation

Costs

› Subscription fees
› Professional services
› Internal labor

Benefits / Cost Savings

› User performing self service – end user productivity improvements
› Re-allocating IT headcount to higher value activities
› Better visibility, reporting & analytics
› Audit remediation avoided
› Detecting unused SaaS users
› Reducing risk of security breaches

ROI of 100%+ over 3 years

Page 17: The Future of Enterprise Identity Management

Recommendations

Page 18: The Future of Enterprise Identity Management

Recommendations

› Pitch and deliver benefits to sponsors using metrics they can sell upward
› Assess application coverage and fit of IDaaS vendors
  • SAML integration v. browser form-fill
  • On-prem v. SaaS v. custom apps
› Plan for future IDaaS requirements now
  • Phase 1: SSO & 2-factor authentication
  • Phase 2: Provisioning, access governance, MDM longer-term
› Promote the benefits
  • Important to keep awareness of IAM value high

Page 19: The Future of Enterprise Identity Management

Manage this handshake

IDaaS vendor & your org have mutual responsibilities

Page 20: The Future of Enterprise Identity Management

USE CASES

• Mobile Identity and Access
• On-Premises Provisioning and Onboarding
• Cloud Directory and Directory Consolidation

Page 21: The Future of Enterprise Identity Management

ENTERPRISE IDENTITY LANDSCAPE

Diagram labels: Firewall, Active Directory, Employees, Mobile Workers, Customers & Partners

Page 22: The Future of Enterprise Identity Management

USE CASE: Mobile Identity and Access

Page 23: The Future of Enterprise Identity Management

ON EVERY DEVICE

Page 24: The Future of Enterprise Identity Management

MOBILE - THE LAST MILE PROBLEM IN SSO

Most mobile apps don’t even support SAML

• Tiny keyboards are incompatible with passwords
• SAML for web + password = #failure

Page 25: The Future of Enterprise Identity Management

MOBILE - SAML IS NOT THE SOLUTION

The mobile apps that do support SAML

• Clunky SAML handshake that requires user to authenticate twice
• Sessions not frequently revalidated because of the sign-in complexity

Page 26: The Future of Enterprise Identity Management

NAPPS

THE NEW STANDARD FOR MOBILE SSO
IN BETA WITH CUSTOMERS & PARTNERS

• Designed for Mobile
• Standards-Based
• Superior User Experience

• Major driver in NAPPS specification work
• Leverage vendor traction to change the game

Page 27: The Future of Enterprise Identity Management

WE’VE DONE IT BEFORE

• OneLogin SAML toolkits adopted by 300+ ISVs
• 600+ SAML apps in our catalog
• Driving SCIM for user provisioning
• Co-authoring NAPPS standard for mobile SSO

Good standards prevail

SAML-based apps integrated with OneLogin

Page 28: The Future of Enterprise Identity Management

START BUILDING TODAY

Major ISVs & Major Customers Building NAPPS Apps Today

Free Toolkits Available: DEVELPERS.ONELOGIN.COM

email: [email protected]

Page 29: The Future of Enterprise Identity Management

MOBILE TRENDS - DEVICES ARE EVERYWHERE

ENDPOINTS ARE THE NEW PERIMETER

• Sandy, Contractor working at a cafe: MFA Required
• Rob, Sales meetings from the HQ: Auto logged-in
• Brent, In-person Sales meetings at the HQ: No access to Billing, MFA Required
• Brent, Designer working at the HQ: Auto logged-in

Finally can manage the actual risk of mobile access

IT Admin

Page 30: The Future of Enterprise Identity Management

ON EVERY DEVICE

• Private Key Protected
• Policy Controlled
• NAPPS Enabled

• Launch any Web app
• Launch any Native App
• “Push” based OTP

Page 31: The Future of Enterprise Identity Management

MOBILE TRENDS

• Mobile is becoming the primary mode of work
• % of employees that are full time, in office, is plummeting
• OS vendors are doing more of the heavy lifting for security
• Identity is a growing risk / gap
• Solving identity lets employees do work without risk

Page 32: The Future of Enterprise Identity Management

USE CASE: On-Premises Provisioning and Onboarding

Page 33: The Future of Enterprise Identity Management

PROVISIONING TO LEGACY APPS

Diagram labels: 60+ custom fields, PROVISIONING, MAPPINGS, RULES, COMPLIANCE, SAML SSO, CLOUD APPS, Firewall, PROXY AGENT, CUSTOM PROVISIONING, SCIM, TLS SOCKET

PROVISIONING POWER

• Org Hierarchy
• Any Custom Attributes
• Proxy Agents
• Custom Schema
• Scriptlets
• Photos

Page 34: The Future of Enterprise Identity Management

PROVISIONING TRENDS

• On-premise provisioning infrastructure not suitable for cloud
• Increasing desire to “move off” of on-premises pain
• Shift to Workday (SaaS HCM) puts the data in the cloud anyway
• Shift to ServiceNow (SaaS ITSM) demands service activation of cloud apps
• IDaaS is the logical conclusion for SaaS
• IDaaS doing on-premises provisioning makes it complete

Page 35: The Future of Enterprise Identity Management

USE CASE: Cloud Directory and Directory Consolidation

Page 36: The Future of Enterprise Identity Management

IDAAS AS METADIRECTORY

• ACTIVE DIRECTORY FOREST A
• ACTIVE DIRECTORY FOREST B
• OPENLDAP
• WORKDAY

Page 37: The Future of Enterprise Identity Management

CLOUD DIRECTORY

No External Directory Required

• ALL TYPES OF USERS: Contractors, Partners, Employees, Customers
• ALL TYPES OF APPLICATIONS: Custom Apps, On-Prem, Cloud
• Cloud Directory: APIs, LDAP, Policies

Page 38: The Future of Enterprise Identity Management

EXCITING POSSIBILITIES

Page 39: The Future of Enterprise Identity Management

DIRECTORY TRENDS

Heterogeneity is the norm

Increasingly users are mastered in the cloud

This allows a modern workplace that is compliant

This allows policy enforcement outside the domain

Page 40: The Future of Enterprise Identity Management

Q & A

Page 41: The Future of Enterprise Identity Management

THANK YOU

David Meyer, Vice President, Product Management

[email protected]

@meyerwork

Merritt Maxim, Senior Analyst, Security & Risk

[email protected]

@merrittmaxim