Bring Your Own Identity (BYOI): strategies for organizations and their impact
Matthew Ulery, Director of Product Management
© 2013 NetIQ Corporation. All rights reserved.
Agenda
─ What is BYOI?
─ Why do we care about BYOI?
─ When to allow BYOI?
─ What are others doing about BYOI?
What is BYOI?
Bring your own Infrastructure
Bring your own Iron
Bring your own Identity
Bring your own Improv
Bring your own Intoxicant
Sometimes shown as BYOId
BYOI Trends: Early adopters and providers
Social, web resource and retail
─ Use LinkedIn account to access a whitepaper
─ Use Amazon ID rather than creating a new retail account
─ Apply to a new job using LinkedIn account
─ NYC adopting to support constituents
Social identity providers investing in BYOI
─ Seeking greater return on their identity validation investment
BYOI Trends: BYOD accelerating BYOI
Identity Overload
─ Average 25 accounts per person and growing
─ Social Networking
─ Financial Accounts (bank, payment, entertainment)
─ Loyalty programs
─ etc.
Merging of personal device and identity
─ Collection of business and personal identities
─ Expect seamless experience from personal device
Why do we care about BYOI?
Cost reduction / avoidance
─ Management of identities is expensive
Increase customer / constituent engagement
─ Reduce registration abandonment
─ Enable more personalized experience interactions
Emerging changes in risk
─ Risk shared with customer/constituent and identity provider
─ Responsibility to protect customer privacy remains
─ Privacy risk mitigated by reducing identifiable information
Big Question?
Should we allow BYOI?
When to allow BYOI? Security Concerns
Strength of authentication
─ Hurdles required to create the identity
─ Hurdles required to validate the identity
Strength of identity administration
─ How is identity validated for administration?
─ What is required to issue a password reset?
Compromised identity
─ Who is responsible if identity is breached?
─ How can you revoke access?
When to allow BYOI? Different Identity Types
Customers and constituents
─ Limited to no access to sensitive information & systems
─ Limited amount of personally identifiable information
Privileged users
─ Employees, partners, contractors, etc.
─ Significant access to sensitive information & systems
─ Much greater level of personally identifiable information
Allow BYOI…?
─ Must balance risk and value
BYOI Case Study: NYC.GOV
• Different Goals / Desires / Requirements
– Residents
– NYC Politicians
– Site admins
Needed a lightly secured, customer-facing portal
BYOI Case Study: NYC Constituent Experience
www.nyc.gov is a site composed of information from other web services: secure, public, and semi-public.
Diagram labels:
─ Social Access requirements
─ Access Management requirements
─ Public Resources
─ Secure Identity-enabled Web Services to provide account info
─ Non Identity-based information and services, optimized for speed
─ Personalized Web content, requires only simple consumer authentication or NYC.ID
─ Hosts shown: am.nyc.gov, pub.nyc.gov, cf.nyc.gov
BYOI Case Study: Management of public resources
NYC Tennis Courts
─ 60,000 permits and tickets, 500 courts
─ Annual permits ($100)
─ Scheduling courts a nightmare for NYC and permit holders
Is this a candidate for BYOI?
─ Low risk
─ Lower cost from web scheduling and external identity
─ Enables external payment collection (i.e. PayPal)
Risk of Hacked Identity: Mat Honan, Wired Magazine
Linked many of his accounts
─ Social accounts: Twitter, LinkedIn
─ Personal: Amazon, Gmail
Hackers wanted Twitter handle
Hackers exploited weak link
Risk of Hacked Identity: Mat Honan, Wired Magazine
“In the space of one hour, my entire digital life was destroyed.”
─ “First my Google account was taken over, then deleted.”
─ “Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages.”
─ “And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.”
“In many ways, this was all my fault. My accounts were daisy-chained together.”
Required no advanced skills: Mat Honan, Wired Magazine
Twitter linked to Gmail account
─ Google Account recovery page
─ Gave alternate email: m****[email protected] (hmmmm mhonan)…
─ Letting them know he had an AppleID
Resetting Apple account requires
─ Physical address & last four digits of credit card
─ Easy to get address
─ How could they get the credit card information?
Amazon and AppleID accounts linked
─ Name and email address needed to add a card to Amazon
─ Knowing card number allows resetting password
─ Now they have the credit card number for AppleID
Key Take-aways: Balancing Risk and Value
BYOI benefits
─ Reduce cost of generating and managing identities
─ Reduce customer/constituent engagement
─ Enable more personalized experience interactions
BYOI risk assessment
─ Customers/constituents involved in identity selection
─ Security of identity beyond your control
─ Still must protect personally identifiable information
Must balance value against savings
─ What type of access does it fit?
─ May not be right for your organization…yet