7/28/2019 Forrester Whitepaper: Navigate the Future of Identity Management, March 22, 2012
Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA. Tel: +1 617.613.6000 | Fax: +1 617.613.5000 | www.forrester.com
Navigate The Future Of Identity And Access Management
by Eve Maler, March 22, 2012
FOR: Security & Risk Professionals
KEY TAKEAWAYS

For Security With Agility, Enterprises Require Zero Trust Identity
The pace of enterprise change is affecting how security and risk pros engage with the developers, users, and business stakeholders they serve. You can't slow the pace, so you need an IAM approach that withstands extreme heterogeneity in your business infrastructure so that you can support increased competitiveness with superior security.

Zero Trust Identity Is A Model, Not A Product
If you're starting from scratch, you may be tempted to buy your way into Zero Trust with a cloud identity solution, but you first need to conceive of IAM functions such as provisioning, authentication, and authorization as application program interfaces. You can benefit by applying this model even to internal applications and users.

Zero Trust Identity Must Rest On A Solid Identity Data Foundation
In the loosely coupled regime of the cloud, you can expect every flaw in role governance to be magnified. Make your access control hygiene impeccable through the discipline of protecting information consistently with identity context (PICWIC) before you expect your Zero Trust identity approach to bear fruit.
© 2012, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To purchase reprints of this document, please email [email protected]. For additional information, go to www.forrester.com.
WHY READ THIS REPORT

This report outlines the future look of Forrester's solution for security and risk (S&R) executives working on building an identity and access management strategy for the extended enterprise. We designed this report to help you understand and navigate the major business and IT trends affecting identity and access management (IAM) during the next five years. IAM in 2012 has become a tool not just for security but also for business agility. Competitive challenges push businesses into the cloud and encourage mobile device use even without full-fledged access controls in place. These trends create pressing provisioning, authentication, and authorization challenges for S&R professionals. All the while, security threats and compliance requirements continue to swell. To help security pros unify and improve access control across the extended enterprise, this report recommends applying a Zero Trust information security model to IAM.
TABLE OF CONTENTS

The Extended Enterprise Urgently Needs Better Access Management
Newly Agile Environments Highlight The Weaknesses Of Today's IAM
Introducing Zero Trust Identity
Apply Three Rules To Achieve Zero Trust Identity
Enable Zero Trust Identity Step By Step
What It Means: Zero Trust Identity Does Much More Than Protect; It Enables

NOTES & RESOURCES

In developing this report, Forrester drew from conversations with 10 user companies, vendors, and experts, including eBay, Intuit, Layer 7 Technologies, and Quest Software.

Related Research Documents
Your Data Protection Strategy Will Fail Without Strong Identity Context (June 27, 2011)
The Value Of Federated Identity (June 3, 2011)
No More Chewy Centers: Introducing The Zero Trust Model Of Information Security (September 14, 2010)

Navigate The Future Of Identity And Access Management: IAM For The Extended Enterprise Must Start From Zero Trust
by Eve Maler
with Stephanie Balaouras, Andras Cser, John Kindervag, and Kelley Mak
THE EXTENDED ENTERPRISE URGENTLY NEEDS BETTER ACCESS MANAGEMENT
Forrester clients are struggling with an IAM landscape that increasingly crosses enterprise boundaries. They tell us: "SaaS apps are making our existing methods of access management useless." "We can't just Kerberize our apps anymore." "If we keep on doing security in domains, it's pointless." Forrester defines the extended enterprise as one for which a business function is rarely, if ever, a self-contained workflow within the infrastructure confines of the company. It presents unique IAM challenges in three dimensions simultaneously (see Figure 1). For example:
Resource sharing with partners is on a knife's edge between vital and perilous. An automotive manufacturer is expanding its internal enterprise information portal to include a business partner audience, something it wouldn't have considered doing even a year ago but now needs for business agility. It wants to put in place extra-strict access controls, since most of its suppliers also deal with most of its competitors. However, it faces a challenge due to its inability to control suppliers' role-provisioning processes.
Security pros perforce pay less attention to cloud apps than apps they control directly. When business owners rush to use software-as-a-service (SaaS) apps for email, expense management, and more, they sometimes skip over the fine details of security and access control, leaving security pros out of the conversation. We see some companies synchronizing user accounts to external apps on a relatively infrequent schedule through insecure file transfer protocol (FTP) or relying entirely on front-door authentication for access to wide swaths of app functionality. Organizations can lose all visibility into access events wherever users can access a SaaS-based business function through the open Internet from an unmanaged device or network without touching home base infrastructure.
NEWLY AGILE ENVIRONMENTS HIGHLIGHT THE WEAKNESSES OF TODAY'S IAM
Three problems typify the disconnect between traditional IAM and the new extended-enterprise reality: 1) stumbling blocks in cross-domain user provisioning; 2) weakened control of authentication and authorization; and 3) siloed IAM approaches to different purposes and populations.
Figure 1: The Extended Enterprise Presents IAM Challenges In Three Dimensions (Source: Forrester Research, Inc.). The three dimensions shown are app hosting and sourcing (on-premises enterprise apps, apps in private clouds, apps in public clouds, SaaS apps, partner apps); app access channels (enterprise computers, enterprise-issued devices, personal devices, public computers); and user populations (employees, contractors, partners, customers, members).
Problem No. 1: Cross-Domain User Provisioning Stumbling Blocks
Ideally, IT should enable all legitimate access by workforce members to SaaS apps and by partners to internal apps and block all illegitimate access. However, conveying the attributes and entitlements of joiners, movers, and leavers to remote apps continues to be a sore spot. The issues include:
Tight coupling to enterprise user stores. SaaS apps often come prepared to connect directly to your organization's lightweight directory access protocol (LDAP) or Active Directory (AD) store. However, this approach becomes complex and adds security and privacy concerns where it involves multiple or heterogeneous user stores, and it doesn't scale well as the number of SaaS apps grows. Many times, firms need to work with business partners' users whose identities they don't want to store, since this entails added liability.
Reduced security due to latency when removing authorizations. SaaS and partner apps that rely on too-infrequent synchronization to obtain authoritative user data tend not to catch status changes that should have resulted in denying access. This need becomes acute for sensitive apps accessible to competitors and supply chain partners, as is often the case in the automotive and aerospace sectors.
Reduced business agility due to latency when adding authorizations. Dynamism is key for agility and competitiveness. When a SaaS or partner app refuses access to legitimate new employees because the app's synchronization process hasn't caught up with reality, its value diminishes.
Garbage in, garbage out user data. As one large professional services firm told us, "The cloud has exposed the fact that even well-governed companies are not prepared." SaaS apps are forcing businesses to confront the inadequate quality of the data in their user repositories, no matter how they convey the data to remote apps. In the loosely coupled regime of the cloud, you can expect every governance flaw to be magnified.
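The two latency problems above (leavers who keep access, joiners who cannot get it) are measurable if you periodically reconcile the authoritative joiner/mover/leaver feed against what each remote app actually holds. The following is an added example, not code from the report or from any vendor it names; the HR feed, the SaaS account list, the user ids and dates are all constructed, and the tolerated synchronization delay is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample data (not taken from the report). HR_RECORDS stands in for the
# authoritative joiner/mover/leaver feed; SAAS_ACCOUNTS is what a remote app's
# account list looks like after an infrequent synchronization run.
HR_RECORDS = [
    # (user id, HR status, date the status took effect)
    ("alice", "active", "2012-01-10"),
    ("bob", "terminated", "2012-03-01"),     # leaver, 20 days before the audit date
    ("carol", "terminated", "2012-03-19"),   # leaver, already disabled remotely
    ("dave", "active", "2012-03-15"),        # joiner the sync has not caught up with
]
SAAS_ACCOUNTS = [
    # (user id, enabled flag, date of last sync from the enterprise)
    ("alice", True, "2012-03-20"),
    ("bob", True, "2012-02-15"),             # still enabled: stale synchronization
    ("carol", False, "2012-03-20"),
    ("erin", True, "2012-03-20"),            # no HR record at all: orphan account
]


@dataclass
class Finding:
    user: str
    kind: str                  # "stale_access", "missing_access", or "orphan_account"
    lag_days: Optional[int]    # days since the HR change; None when there is no HR record


def _day(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d")


def reconcile(hr_records, saas_accounts, audit_date, max_lag_days=1):
    """Compare the authoritative HR feed against a remote app's account list.

    Flags leavers who still hold an enabled account (the security problem),
    joiners who have no account yet (the agility problem), and enabled accounts
    with no authoritative owner. Changes newer than max_lag_days are tolerated
    as normal synchronization delay (an assumed threshold).
    """
    audit = _day(audit_date)
    remote = {uid: (enabled, _day(synced)) for uid, enabled, synced in saas_accounts}
    findings = []
    for uid, status, since in hr_records:
        lag = (audit - _day(since)).days
        enabled = remote.get(uid, (False, None))[0]
        if status == "terminated" and enabled and lag > max_lag_days:
            findings.append(Finding(uid, "stale_access", lag))
        elif status == "active" and uid not in remote and lag > max_lag_days:
            findings.append(Finding(uid, "missing_access", lag))
    known = {uid for uid, _, _ in hr_records}
    for uid, (enabled, _) in remote.items():
        if enabled and uid not in known:
            findings.append(Finding(uid, "orphan_account", None))
    return findings


def stale_access_users(findings):
    """The leavers who still have access: the list to act on first."""
    return sorted(f.user for f in findings if f.kind == "stale_access")


if __name__ == "__main__":
    for finding in reconcile(HR_RECORDS, SAAS_ACCOUNTS, "2012-03-21"):
        print(finding)
```

Run on the constructed data with an audit date of 2012-03-21, the reconciliation reports bob as a leaver still enabled 20 days after termination, dave as a joiner without an account, and erin as an account with no authoritative owner; carol is not reported because the remote app already disabled her. Raising max_lag_days hides the first two findings but never the orphan, which is the point: an account nobody in the authoritative store vouches for is a finding regardless of sync cadence.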
Problem No. 2: Scenarios That Allow Weakened Authentication And Authorization
Information workers are driving big bring-your-own-device (BYOD) moves; recent Forrester research reveals that 57% of North American and European info workers chose and paid for their own smartphones.1 Organizations are now beginning to take better advantage of the BYOD opportunity. One Dutch company exemplifies an increasingly common scenario by giving employees access to its legacy enterprise applications through specialized iPad apps. However, mobile and other extended-enterprise trends introduce the following challenges:
Mobile use eliminates classic Windows-based authentication options. Organizations' extreme mobile users, typically salespeople and other field personnel, might never log into a Windows-based computer. This puts Integrated Windows Authentication (IWA), desktop-friendly smartcard readers, and desktop-to-web single sign-on (SSO) flows out of reach. Organizations' authentication strategies must account for the plethora of new login flows in BYOD environments.2
External apps' local authentication options may not sync with organization requirements. Configuring each of your SaaS and partner apps to perform the types of employee or customer authentication you would normally require, such as multifactor authentication (MFA) or risk-based authentication (RBA), ranges from daunting to impossible. Popular apps such as salesforce.com may offer integration of various strong authentication methods such as RSA SecurID tokens, but long-tail apps are likely to offer only passwords.
It's hard to give SaaS apps all the tools they need to make access decisions on your behalf. Your internal users have an overabundance of authorization-related attributes, whether in role, group, or other form. Sometimes getting the right ones to a SaaS application in the right form can be cumbersome and problematic.
Problem No. 3: IAM Silos For Different Purposes And Populations
Often, different business owners drive the decision-making around IAM functions for different populations, such as: 1) employees from various company divisions; 2) business partners; 3) consumers; and 4) developers of third-party applications that interact with corporate systems. This leads to divergent architectural choices and added complexity. As a VP of IT risk for a large computer systems firm noted simply, "Complexity drives risk." The extended enterprise causes these scenarios to blend and merge, drawing attention to mismatches in infrastructure that add security risk and stall agile business moves. For example:
A change in employee status is sometimes a continuum rather than an event. Mergers and acquisitions throw together IT organizations that use different IAM platforms, leading to Band-Aid solutions on top of diverse user stores to begin the process of representing a unified employee base. When it's time to part ways, a similar problem arises: The firm mentioned above sold a major division in 2004, but because of remaining close business relationships, its IAM systems overlap in hard-to-manage ways eight years later.
Federation looks very different in business settings versus consumer ones. Many media and retail companies are moving rapidly to accept social sign-in from the likes of Facebook and Twitter, exemplifying identity federation for marketing and eCommerce purposes. Although the underlying mechanisms for providing consumer SSO are identical to SaaS and business-partner SSO, the corporate business owners and the solution providers addressing these markets tend to diverge radically. As data breaches and password stealing increase, hardening consumer IAM to levels expected in enterprise IT and aligning infrastructure to reduce complexity look more attractive.
Many SaaS apps cater to businesses and individuals alike, forcing the unification issue. Cloud service providers such as Google, Intuit, and salesforce.com work with individuals along with enterprises and SMBs and must integrate with each other's services for mashup scenarios as well. Organizations interacting with these services using different infrastructure for different use cases multiply their costs and security vulnerabilities.
INTRODUCING ZERO TRUST IDENTITY
Forrester's Zero Trust model of information security eliminates the idea of distinct trusted internal networks versus untrusted external networks. It requires security pros to verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic.3 Thus, Zero Trust refers to an initial stance toward access. What, then, are the goals for a Zero Trust approach to identity? It must:
Center on sensitive applications and data. Organizations' perimeters aren't going away, but they're clearly not doing a good enough job; the Privacy Rights Clearinghouse has identified 542 data breaches from 2005 through 2011 due to electronic entry by an outside party, malware and spyware, and only a few of the affected organizations reported absence of a firewall.4 For Zero Trust, every protected resource, whether it's an older on-premises CRM app or a business SaaS app that launched last week, must be equally capable of assessing incoming access requests and treating each one as a potential threat.
Unify treatment of access channels, populations, and hosting models. Organizations' systems should always use the same robust and reliable mechanisms to determine and track access. They shouldn't go easy on a request for access just because it comes from a physically badged-in employee sitting in the cubicle next to the server farm that hosts the app, rather than an external partner halfway around the globe using a newfangled mobile device to get into a SaaS app (see Figure 2).
Prepare for interactions at Internet scale. Google engineer Steve Yegge made waves with a public rant in late 2011 about Google's failures in light of his former employer Amazon's successes. The observation at its heart: Amazon's success is due to one simple mandate, which begins, "All teams will henceforth expose their data and functionality through service interfaces."5 The lesson applies not just to high-tech companies but also to every organization that wants to unlock the value of its data and services. Internet scalability enables integration and aggregation of business value but also points the way to a robust and repeatable approach to access control.
Figure 2: Zero Trust Identity Accommodates Mix-And-Match Access Scenarios (Source: Forrester Research, Inc.). The figure relates three layers: end-user populations (workforce, business partners, consumers and customers); IAM functionality (authoritative user store; provisioning, proofing, self-service; authentication, session management, SSO, federation; authorization, consent, access control; attestation, delegated administration, audit); and protected resources (organization apps, SaaS apps, business partner apps, consumer-facing apps).
APPLY THREE RULES TO ACHIEVE ZERO TRUST IDENTITY
To achieve Zero Trust identity, S&R pros must apply three important rules: 1) plan for both outward and inward identity propagation; 2) formalize and robustly protect the interfaces for IAM functions; and 3) use and advocate standards for IAM interfaces. If you stick only to traditional approaches suitable for the unextended enterprise of the past, you could pay in integration costs, agility, or regulatory compliance whenever users cross security domain boundaries to use technology functions that form a virtual part of your business.
Rule No. 1: Plan For Both Outward And Inward Identity Propagation
Zero Trust identity supports the goal of "identity statelessness," allowing each app to consume just-in-time identity data and services coming from other organizational domains that are authoritative for them.6 Given the need for bidirectional flow, you can see the classic identity provider (IdP) and relying party (RP) roles as merely special cases of a generic security token service (STS) (see Figure 3). This rule requires a change in mindset, and it's not a trivial one. The following are some business motivations for this bidirectional flow:
Figure 3: Many Scenarios Require Two-Way Flows Of Identity And Access Information (Source: Forrester Research, Inc.). For functions internal to the organization, the organization serves as an identity client of its staff, institutional, and consumer user stores; for business functions internal to the organization, at external partners, and exposed to customers, it serves as an identity server backed by its staff and consumer user stores. A security token service (STS) handles token issuance, translation, and consumption.
External identities need to be able to "knock on an organization's door" for access. A large consulting firm with a substantial IAM practice observed: "Some organizations are on the cusp of figuring out how to address identity in a cloud environment. Everyone comes with identity inside their house, and moving it outside the house is what we're trying to address." Living up to this goal, a US technology research firm is deliberately exposing its employee identities in a form that is usable on both sides of the firewall and is working to accept third-party logins from US federal government contractors who can present a Common Access Card (CAC) smartcard credential on a dynamic basis.
Business units and partners alike need to integrate at a moment's notice. Intuit has found that externalized authentication and authorization APIs allow apps from different business units and third-party partners, such as QuickBooks, FreshBooks, Bill.com, and Expensify, to be nearly completely interoperable when it comes to access management, and it finds this ability to be effective in encouraging customers to use additional services. Its goal is to avoid asking its enterprise architecture (EA) team or its multitenant cloud service providers to do anything special when it's time to integrate a new identity channel, such as a financial services firm.
Rule No. 2: Formalize And Robustly Protect The Interfaces For IAM Functions
Many security pros tell us that for years they have exhorted line-of-business developers to stop baking access management logic into applications. Why is it more important than ever to externalize and centralize that logic? It's because the only safe prediction about the next application your organization will deploy, user it will serve, and device or network he or she will use is a Zero Trust prediction.

The secret to making progress is to push identity-as-a-service (IDaaS) to its logical limit into the realm of the open web platform.7 Conceive of IAM functions as fully externalizable application programming interfaces (APIs) that serve client apps in need of access protection (see Figure 4). Taking this step enables your intentions around Rule No. 1 on a technical level.

In offering IAM APIs, your organization becomes, in a sense, an IAM cloud service provider. It must protect these APIs as it would protect any open web APIs offering core business functions, and the IAM services themselves can recursively play a role in this protection, further unifying your infrastructure.8 Intuit went through exactly this process by conceiving of and building a central identity authority, which could be hosted on-premises or as a cloud service. It then built a layer over all of its services that could test all inbound traffic.

The three primary IAM APIs we see enabling mix-and-match access scenarios are as follows:
Authentication. This is a centralized service that performs identification, authentication, and attribute delivery of all users under your authoritative control. It has an open API, which internal and external apps can call when your user population needs to access them. This API lets your organization function as an IdP, enabling cross-domain SSO, login session management, federation, social sign-in, and similar use cases. Taking an API approach prepares for access by native mobile apps as well as web apps. Large enterprises can benefit from this API even in an internal federation scenario; our computer systems firm found that getting all of its apps to use one directory is a $200 million IT problem.
Figure 4: Apply The API Façade Pattern To IAM Functions (Source: Forrester Research, Inc.). In the API façade pattern, API clients on the Internet call web service and app APIs that front scale-out infrastructure (back-end apps, web apps, mobile apps, and so on). Applying the pattern to IAM functions, IAM API clients and business apps call APIs for authentication, authorization, provisioning, and so on, which front the IAM infrastructure. The business app's own API determines access control granularity; robustly protect all interfaces, regardless of their sourcing model.
Provisioning. This is an open API over your user stores that allows internal and external client apps to read and write identity information as appropriate, including deprovisioning accounts. This API enables account synchronization with internal, SaaS, and partner apps when federation is not an option, as well as internal provisioning workflows that work with your existing directory or database infrastructure in a loosely coupled way.
Authorization. This is a centralized policy decision point (PDP) with an open API that internal and external business apps running on your behalf can consult before allowing access by requesters. This API enables business apps to serve as auditable policy enforcement points (PEPs) no matter where they are hosted. API management vendor Layer 7 has been finding that, to the extent that these business apps themselves expose fine-grained features through their APIs, they can support arbitrarily fine-grained access control by this method. Least-privilege access is an important tenet of Zero Trust information security.
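The PDP/PEP split described for the authorization API is easiest to see in code. The following is an added example and not code from the report, Intuit, or Layer 7: the policy format, the subjects, the invoice resource, and the in-memory audit sink are all constructed for the demonstration. It shows the three properties a practitioner cares about, namely default deny when no rule matches, a least-privilege rule that ties a partner to its own records by comparing a subject attribute with a resource attribute, and a PEP that writes an audit record for every decision and fails closed when the PDP cannot answer.

```python
import json
from datetime import datetime, timezone

# Constructed policy set; the rule format is an assumption for this example, not a
# standard the report names. Each rule permits one action on one resource type for
# subjects carrying the required attributes, optionally only where a subject
# attribute equals a resource attribute (the "own records only" case).
POLICIES = [
    {"id": "finance-read", "resource_type": "invoice", "action": "read",
     "subject_must_have": {"department": "finance"}},
    {"id": "finance-approve", "resource_type": "invoice", "action": "approve",
     "subject_must_have": {"department": "finance", "role": "manager"}},
    {"id": "supplier-own-read", "resource_type": "invoice", "action": "read",
     "subject_must_have": {"population": "partner"},
     "subject_resource_match": [("partner", "supplier")]},
]


class PolicyDecisionPoint:
    """Central PDP: the only place authorization rules live."""

    def __init__(self, policies):
        self.policies = policies

    def decide(self, subject, resource, action):
        """Return (decision, policy_id). No matching rule means 'Deny' (default deny)."""
        for rule in self.policies:
            if rule["resource_type"] != resource.get("type") or rule["action"] != action:
                continue
            if not all(subject.get(k) == v for k, v in rule["subject_must_have"].items()):
                continue
            pairs = rule.get("subject_resource_match", [])
            if not all(subject.get(s) is not None and subject.get(s) == resource.get(r)
                       for s, r in pairs):
                continue
            return "Permit", rule["id"]
        return "Deny", None


class UnreachablePDP:
    """Stand-in for a PDP whose API is down; used to show the PEP failing closed."""

    def decide(self, subject, resource, action):
        raise ConnectionError("PDP unreachable")


class PolicyEnforcementPoint:
    """PEP inside a business app: consults the PDP, records an audit event, then
    either runs the protected function or refuses."""

    def __init__(self, pdp, audit_log):
        self.pdp = pdp
        self.audit_log = audit_log   # constructed sink: a list of JSON lines

    def enforce(self, subject, resource, action, protected_fn, *args):
        try:
            decision, policy_id = self.pdp.decide(subject, resource, action)
        except Exception as exc:
            # A PDP that cannot answer must never become an implicit Permit.
            decision, policy_id = "Deny", f"pdp-error:{type(exc).__name__}"
        self.audit_log.append(json.dumps({
            "ts": datetime.now(timezone.utc).isoformat(),
            "subject": subject.get("sub"), "resource": resource.get("id"),
            "action": action, "decision": decision, "policy": policy_id,
        }))
        if decision != "Permit":
            raise PermissionError(f"{action} on {resource.get('id')} denied ({policy_id})")
        return protected_fn(*args)


def read_invoice(invoice):
    """Business function that relies on the PEP to have authorized the call."""
    return {"id": invoice["id"], "amount": invoice["amount"]}


# Constructed subjects and resources for the demonstration.
FINANCE_ANALYST = {"sub": "alice", "population": "employee", "department": "finance", "role": "analyst"}
SUPPLIER_USER = {"sub": "partner-42", "population": "partner", "partner": "supplier-a"}
INVOICE_A = {"type": "invoice", "id": "INV-1001", "supplier": "supplier-a", "amount": 1200}
INVOICE_B = {"type": "invoice", "id": "INV-1002", "supplier": "supplier-b", "amount": 500}


def run_demo():
    """Exercise the PEP over four requests; returns (results, audit_log) for inspection."""
    audit_log = []
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(POLICIES), audit_log)
    results = {}
    cases = [
        ("analyst-read", FINANCE_ANALYST, INVOICE_A, "read"),
        ("analyst-approve", FINANCE_ANALYST, INVOICE_A, "approve"),
        ("supplier-own", SUPPLIER_USER, INVOICE_A, "read"),
        ("supplier-other", SUPPLIER_USER, INVOICE_B, "read"),
    ]
    for name, subject, invoice, action in cases:
        try:
            results[name] = pep.enforce(subject, invoice, action, read_invoice, invoice)
        except PermissionError:
            results[name] = "denied"
    return results, audit_log


if __name__ == "__main__":
    outcome, log = run_demo()
    print(outcome)
    print("\n".join(log))
```

Because the business app never evaluates a rule itself, the same PEP code serves on-premises and in a SaaS deployment, and the audit lines it emits look the same wherever the app is hosted, which is what makes the PEPs auditable in the report's sense.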
Rule No. 3: Use And Advocate Standards For IAM Interfaces
The Zero Trust identity vision and its open web emphasis play into a larger vision that some, including our technology research firm from above, label "Enterprise 2.0." The goal: Couple your systems as loosely as you can, avoiding dependencies on IWA, AD, LDAP, or Kerberos identity technologies wherever you can. While enterprises often employ internal standardization of IAM APIs as a first step, they frequently report that forcing developers onto an API that the outside world doesn't use merely delays extended-enterprise benefits and forces unnecessary implementation upgrades. Therefore, the best way to achieve Zero Trust identity is to use global standards that define well-accepted and loosely coupled messaging around IAM functions. For the standardization needs of the three key IAM APIs, we see the following solutions (see Figure 5):
Service Provisioning Markup Language (SPML). Although it never reached pervasive deployment, this long-established provisioning standard uses a web services approach that is friendly to service-oriented architecture (SOA) environments.
Simple Cloud Identity Management (SCIM). This emerging web-friendly provisioning standard is appealing to cloud service providers and was developed rapidly over the past year and a half. It is entering a final standardization phase now but is already seeing product support from vendors such as UnboundID. Using SCIM as a jumping-off point is valuable even as it evolves.
Security Assertion Markup Language (SAML). This is the granddaddy of open standards that enable cross-domain SSO and federation. It remains popular in enterprise and government settings for its robustness and time-tested nature.
OpenID Connect. This emerging web standard solves for SSO, session management, and identity claims retrieval.9 You can think of it as a "lightweight SAML" that enables dynamic B2E, B2B, and B2C use cases, in a way that's of particular interest to efforts such as the National Strategy for Trusted Identities in Cyberspace (NSTIC).10 Its draft specifications passed a vote of the OpenID Foundation membership in early 2012, and interoperability testing among seven implementers, including Google and eBay, is under way. Using OpenID Connect as a starting point for integrating with small partners that don't have SAML chops can be valuable.
Extensible Access Control Markup Language (XACML). This standard includes an authorization decision protocol and a format for expressing authorization policies. Although it has not yet seen deployment at the scale of SAML, XACML use is increasing, particularly in national defense settings.
OAuth. This is an emerging standard for user-authorized access by an API client to a web API. It provides security plumbing similar in purpose to the WS-Security standard or HTTP Basic Authentication. It is becoming a key method of protecting APIs, including IAM-related APIs such as SCIM and OpenID Connect, to the level required for Zero Trust.
User-Managed Access (UMA). This emerging web protocol solves for access control by third parties to arbitrary protected web resources. The initial use cases included enabling individual Web 2.0 users to share calendars, health records, and other data and content with friends, family, and organizations. Business-related use cases include enterprise oversight of employees' use of cloud services. You can think of it as a "lightweight XACML" (without the policy expression language) that enables loose coupling between authorization decision and enforcement points.11
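The "lightweight SAML" comparison for OpenID Connect holds only if the relying party does the same verification work a SAML service provider does on an assertion. The block below is an added example, not code from the report or from any OpenID Connect implementer it names; it spells out the checks an RP makes on an ID token before trusting it. The issuer URL, client id, shared secret, and fixed clock are constructed, and the token is signed with HS256 (the client-secret-based algorithm the OpenID Connect drafts allow) so the example needs no key material; the same checks apply to an RS256 token once the signature step is swapped for a public-key verification.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the demonstration; the issuer, client id, and secret are
# assumptions, not identifiers from the report.
ISSUER = "https://idp.example.test"
CLIENT_ID = "rp-client-123"
CLIENT_SECRET = b"constructed-shared-secret-do-not-reuse"
NOW = 1332432000   # fixed "current time" (seconds) so the example is reproducible


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT the way a test IdP would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      nonce: str, now: float) -> dict:
    """Checks an RP must make before trusting an ID token. Returns the claims or
    raises ValueError naming the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:            # covers bad base64 (binascii.Error) and bad JSON
        raise ValueError("malformed token")
    # Pin the algorithm: never let the token's own header pick 'none' or another scheme.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("audience mismatch")   # a token minted for another RP
    if "azp" in claims and claims["azp"] != client_id:
        raise ValueError("azp mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")      # replay of a token from another login
    return claims


def check_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                   nonce: str, now: float) -> str:
    """Non-raising wrapper: returns 'ok' or the rejection reason."""
    try:
        validate_id_token(token, secret, issuer, client_id, nonce, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    sample = mint_id_token({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                            "exp": NOW + 300, "iat": NOW, "nonce": "n-1"}, CLIENT_SECRET)
    print(check_id_token(sample, CLIENT_SECRET, ISSUER, CLIENT_ID, "n-1", NOW))
```

The order of the checks matters: signature before claims, so that nothing in an unverified payload influences the outcome, and the algorithm pinned before the signature, so that a token announcing a different algorithm is rejected outright rather than verified under the scheme it asks for.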
Figure 5: Standard Protocols Make Zero Trust Identity Interactions More Uniform (Source: Forrester Research, Inc.). The figure maps the three areas of IAM functionality (provisioning, proofing, self-service; authentication, session management, SSO, federation; authorization, consent, access control) to established SOA-friendly standards on one side and emerging web-friendly standards on the other.
ENABLE ZERO TRUST IDENTITY STEP BY STEP
Zero Trust identity is a model, not a product. If you're starting from scratch, you may be tempted to buy your way into Zero Trust with a cloud identity solution, but you can benefit by applying the model even to internal applications and users. Follow these four steps to enable and leverage Zero Trust identity in support of a more agile, competitive, and secure organization:
Step 1: Map identity context to your data. Remember: Garbage in, garbage out. Apply the practices of protecting information consistently with identity context (PICWIC) to ensure that your access control hygiene is impeccable before you expect your Zero Trust identity approach to bear fruit.12
Step 2: Federation-enable your organization and its applications. If you haven't yet, become an IdP for your workforce so that you're ready for SSO into business partner and SaaS apps, and plot a strategy for converting your business applications into RPs to leverage your new IdP. A large professional services firm has seen federation enablement pay off even for companies that haven't yet taken the SSO plunge with a single strategic partner or cloud app. This is because competitive pressures inevitably demand quick SSO action, and you want to be ready with an enterprise-grade solution rather than a quick-and-dirty one that suffers from security and performance holes.
Step 3: Create communities of developers to increase the attraction of your IAM services. Preparing your IAM services for loose coupling provides a means of "outsourcing" security logic, but creating a developer community enables you to promote this goal actively. This can take a lightweight form, such as creating and evangelizing software development kits and sample "hello world" code, or it can involve a formal developer forum and portal, typical for an external developer audience. API management vendor Layer 7 advises forming an internal community first as a test audience; its own API Portal product is deployed in an inward-facing fashion more than 50% of the time. Focus first on enabling developers to turn apps into RPs.
Step 4: Push the edge of the envelope in externalizing authorization. Elderly on-premises apps tend to control a great deal of their own security logic, delivering the desired fine-grained authorization but in a manner that quickly becomes unsustainable in an extended enterprise. A greenfield is your best chance of building better habits: Leverage your developer community to promote outsourcing authorization decisions from new apps to a centralized API. When you just can't wait for the natural end of a legacy app's life, build a façade that handles translation in and out on the basis of your PICWIC data classification.
WHAT IT MEANS

ZERO TRUST IDENTITY DOES MUCH MORE THAN PROTECT; IT ENABLES
Steve Yegge's rant uses snark to highlight the seeming contradiction between accessibility (open interfaces) and security: "Accessibility is actually more important than Security because dialing Accessibility to zero means you have no product at all, whereas dialing Security to zero can still get you a reasonably successful product such as the PlayStation Network." As a wise person observed, however, we have brakes on our cars not so that we can stop, but so that we can go fast.13 To extended enterprises, organizational domains become a secondary consideration, and so their IAM strategies must respond in kind.
Zero Trust identity does more, however. Moving to the cloud and enabling BYOD entail ceding control. Zero Trust identity brings it back, in finer granularity. If your organization can't transition to this model, it won't be able to apportion control and responsibility to the correct party, whether that party is itself, an employee, a business partner, or an external service provider.
ENDNOTES
1 Half of info workers are using three or more devices, and many report significant influence on and personal spending for their devices. See the February 22, 2012, "Info Workers Using Mobile And Personal Devices For Work Will Transform Personal Tech Markets" report.
2 The strong authentication landscape has undergone tremendous churn in recent years as new mobile-fueled technologies have come online and as RSA, the premier vendor of hardware one-time password (OTP) tokens, experienced a breach. See the February 3, 2012, "TechRadar For Security Pros: Strong Authentication, Q1 2012" report.
3 If the current trust model is broken, how do we fix it? It requires a new way of thinking. The way we fix the old trust model is we begin at the beginning and look for a new trust model. See the September 14, 2010, "No More Chewy Centers: Introducing The Zero Trust Model Of Information Security" report. Once upon a time, security and risk professionals had defined borders to protect a limited and highly restricted user community and a visible set of threats, such as worms and viruses. Today, our organization's functional network has extended well outside of our controllable borders. See the August 5, 2011, "Applying Zero Trust To The Extended Enterprise" report.
4 Source: The Privacy Rights Clearinghouse (http://www.privacyrights.org/data-breach/new).
5 The Amazon mandate in full, as related by Yegge, was as follows: 1) All teams will henceforth expose their data and functionality through service interfaces. 2) Teams must communicate with each other through these interfaces. 3) There will be no other form of interprocess communication allowed: no direct linking, no direct reads of another team's data store, no shared-memory model, no back-doors whatsoever. The only communication allowed is via service interface calls over the network. 4) It doesn't matter what technology they use. HTTP, Corba, Pubsub, custom protocols, doesn't matter. Bezos doesn't care. 5) All service interfaces, without exception, must be designed from the ground up to be externalizable. That is to say, the team must plan and design to be able to expose the interface to developers in the outside world. No exceptions. 6) Anyone who doesn't do this will be fired. The rant is worth reading in full. Source: Google Plus (https://plus.google.com/112678702228711889851/posts/eVeouesvaVX).
6 Federated identity solutions enable "identity statelessness," which we define as follows: networked services achieving access control and personalization goals by consuming just-in-time identity data and services from authoritative sources living in other organizational domains, at the moment users and applications approach, removing the need for long-term identity data replication. See the June 3, 2011, "The Venn Of Federated Identity" report.
7 IDaaS architectures provide discrete but complementary and coordinating services that enable applications and portals to perform identity and access management functions. These services can work in a standalone fashion or be chained and orchestrated in the manner of an enterprise service bus. See the April 2, 2008, "Identity-Management-As-A-Service" report. Open Web developers tend to use a variation of the façade pattern for their applications but refine the pattern to focus on standard web formats and protocols and services delivered via the Web, so we refer to it as the "open Web façade." See the January 24, 2012, "Embracing The Open Web: Web Technologies You Need To Engage Your Customers, And Much More" report.
8 When it comes to web-based APIs, security professionals are coming under pressure in opposite directions: 1) to reduce the number of moving security parts, and 2) to manage the exposure of more APIs to a wider range of access, more dynamically. See the July 13, 2011, "Protecting Enterprise APIs With A Light Touch" report.
9 The new suite of OpenID Connect and JavaScript Object Notation (JSON) Web Token specifications brings another round of standards disruption but also promises a no-compromises approach to highly distributed identity and access management (IAM). See the October 6, 2011, "OpenID Connect Heralds The Identity Singularity" report.
10 More information about the NSTIC program is available at The National Strategy for Trusted Identities in Cyberspace's website: http://www.nist.gov/nstic/.
11 Disclosure: The author of this report founded the UMA effort and serves as the chair of the UMA working group at the Kantara Initiative.
12 The identity life cycle contains four critical stages where you must set up and enforce policies regarding how you grant and revoke users' (employees' and business partners') access to information. The fundamental premise of PICWIC is that you should assign data to business owners at all times. See the June 27, "Your Data Protection Strategy Will Fail Without Strong Identity Context" report.
13 The wise person was Sara Gates. Source: Sara Gates, "Accelerate Without Fear," From Here to Identity, November 3, 2005 (https://blogs.oracle.com/saragates/entry/accelerate_without_fear).
Forrester Research, Inc. (Nasdaq: FORR) is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology. Forrester works with professionals in 19 key roles at major companies providing proprietary research, customer insight, consulting, events, and peer-to-peer executive programs. For more than 28 years, Forrester has been making
Forrester Focuses On
Security & Risk Professionals
To help your firm capitalize on new business opportunities safely, you must ensure proper governance oversight to manage risk while optimizing security processes and technologies for future flexibility. Forrester's subject-matter expertise and deep understanding of your role will help you create forward-thinking strategies; weigh opportunity against risk; justify decisions; and optimize your individual, team, and corporate performance.
SEAN RHODES, client persona representing Security & Risk Professionals
About Forrester
A global research and advisory firm, Forrester inspires leaders, informs better decisions, and helps the world's top companies turn the complexity of change into business advantage. Our research-based insight and objective advice enable IT professionals to lead more successfully within IT and extend their impact beyond the traditional IT organization. Tailored to your individual role, our resources allow you to focus on important business issues: margin, speed, growth first, technology second.
FOR MORE INFORMATION
To find out how Forrester Research can help you be successful every day, please contact the office nearest you, or visit us at www.forrester.com. For a complete list of worldwide locations, visit www.forrester.com/about.
CLIENT SUPPORT
For information on hard-copy or electronic reprints, please contact Client Support at +1 866.367.7378, +1 617.613.5730, or [email protected]. We offer quantity discounts and special pricing for academic and nonprofit institutions.