Framework for an Identity and Access Management Roadmap

Framework for Developing an IAM Roadmap
Presentation to the Denver IAM Users Group
October 7, 2014
Dr. Paul D. Bailor, President and CEO
[email protected]
719.761.1670
Copyright, PEGRight Inc., 2014

Description

A packed room of Denver IAMers listened to PEGRight CEO Paul Bailor's presentation at the newly created Denver Identity and Access Management User Group Meetup on October 7th. He outlined a framework for developing an identity and access management roadmap by leveraging existing technologies, introducing new ones, and sidestepping the common pitfalls.

Transcript of Framework for an Identity and Access Management Roadmap

Page 1: Framework for an Identity and Access Management Roadmap

Framework for Developing an IAM Roadmap

Presentation to the Denver IAM Users Group

October 7, 2014

Dr. Paul D. Bailor, President and CEO

[email protected]

October 7, 2014 Copyright, PEGRight Inc., 2014 1

Page 2: Framework for an Identity and Access Management Roadmap

Changing Face of IAM

Modern Identity:
• All Groups
• Cloud/SaaS/IDaaS
• Desktops and BYOD
• Standards-Based
• SSO/Federation

Legacy IAM:
• Employees Only
• Enterprise Apps
• Enterprise Desktop
• Proprietary
• Direct Authentication


Page 3: Framework for an Identity and Access Management Roadmap

Elements of Modern Identity

Diagram: Modern Identity at the center, supported by three elements.

Support for Multiple Device Types and Access Points:
• Enterprise Desktops
• Shared Computers
• BYOD
• Enterprise-Issued Mobile

Support Diverse User Populations:
• Employees
• Contractors
• Teammates
• Business Partners
• Customers
• Members

Support Diverse Application Hosting:
• SaaS Apps
• Partner Apps
• On-Premise Apps


Page 4: Framework for an Identity and Access Management Roadmap

Why Modernize?

Workforce (Internal SSO):
• Mobile Devices
• Browsers
• Access to Cloud Apps
• Access to Corporate Apps
• On-Premise Hosted Apps and Services
• Business desires ease of Workforce Access to Apps and Services

Business Partners and Customers (External SSO, Federation, Cloud Identity):
• Access to Apps and Services on the Cloud
• Business desires to provide Apps and Services to Partners and Customers over the internet


Page 5: Framework for an Identity and Access Management Roadmap

IAM Roadmap Building Blocks:
• Federation & Single Sign-On
• Provisioning
• API Security
• Identity Analytics

Implement via Proven Integration Patterns

Page 6: Framework for an Identity and Access Management Roadmap

Federation Patterns

Workforce to SaaS and On-Premise (diagram):
• A single IdP, backed by a VDS in front of the directories D1, D2 … DN, federates the workforce to On-Premise Applications and to multiple SaaS providers.

SaaS Provider with Backend Partners (diagram):
• The SaaS Provider Capability sits behind an IdP Discovery step that routes each user to the right partner IdP (IdP Partner 1, IdP Partner 2 … IdP Partner M).

IdP Discovery Patterns:
• Vanity URL
• Ask User for IdP (Select from List)
• Prompt for User Name
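The three IdP discovery patterns listed above, worked through in Python against one constructed partner registry. This is an example added to this transcript, not code from the presentation or from PEGRight; the partner names, hosts, entity IDs and e-mail domains are made up, and the function names are the example's own. The security point the code makes is that every pattern resolves only to a registered IdP, so neither a typed host, a form selection nor an e-mail domain can send the user to an issuer the provider does not trust.

```python
"""IdP discovery for a multi-tenant SaaS provider: the three patterns from the
slide (vanity URL, user selects from a list, prompt for user name) resolved
against one constructed partner registry. Example code added for this
transcript, not PEGRight's; the partner names, hosts and entity IDs are
made-up sample data."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class IdP:
    name: str
    entity_id: str          # SAML entityID / OIDC issuer of the partner IdP
    email_domains: tuple    # domains the partner is authoritative for
    vanity_host: str        # tenant-specific host, e.g. partner1.saas.example


# Constructed registry of federated partner IdPs (IdP Partner 1 .. M on the slide)
PARTNERS = (
    IdP("Partner 1", "https://idp.partner1.example/saml",
        ("partner1.example",), "partner1.saas.example"),
    IdP("Partner 2", "https://idp.partner2.example/saml",
        ("partner2.example", "p2-corp.example"), "partner2.saas.example"),
)


def by_vanity_url(request_url: str) -> Optional[IdP]:
    """Pattern 1: the tenant is encoded in the hostname the user typed."""
    host = (urlsplit(request_url).hostname or "").lower()
    return next((p for p in PARTNERS if p.vanity_host == host), None)


def by_selection(selected_entity_id: str) -> Optional[IdP]:
    """Pattern 2: the user picked an IdP from the list. Only registered entity
    IDs are accepted, so the form value cannot redirect to an arbitrary issuer."""
    return next((p for p in PARTNERS if p.entity_id == selected_entity_id), None)


def by_user_name(user_name: str) -> Optional[IdP]:
    """Pattern 3: prompt for user name and route on the e-mail domain."""
    if user_name.count("@") != 1:
        return None
    domain = user_name.rsplit("@", 1)[1].strip().lower()
    return next((p for p in PARTNERS if domain in p.email_domains), None)


def discover(request_url: str, user_name: str = "",
             selected_entity_id: str = "") -> Optional[IdP]:
    """Try the patterns in the order a provider typically does: the
    non-interactive vanity URL first, then whatever the user supplied.
    Returns None when no registered IdP matches, which the caller treats as
    a failed login rather than a fallback to some default issuer."""
    return (by_vanity_url(request_url)
            or by_selection(selected_entity_id)
            or by_user_name(user_name))
```

An unknown domain or an unregistered entity ID yields None rather than a guess; a discovery step that falls back to a default IdP for unrecognised input is the usual way a partner-facing SaaS login ends up authenticating the wrong population.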


Page 7: Framework for an Identity and Access Management Roadmap

Single Sign-On (SSO) Patterns

• SSO leverages federated IdPs to provide identity attributes to Service Providers (SPs)

• Token Protocols and Cross Device/Domain Integration
  – SAML, OAuth, OpenID, OpenID Connect, JWT
  – WS-Federation, WS-Trust
  – Secure APIs (Mobile and Backend Services)

• Forms-Based with/without specialization
  – Multi-Factor and Step-Up Authentication
  – Network Context
  – Digital DNA/Identity Proofing (Requires Analytics)


Page 8: Framework for an Identity and Access Management Roadmap

Provisioning Patterns

• SaaS Applications
  – Just-in-Time (SAML Assertion)
  – Pre-configured API

• System for Cross-domain Identity Management (SCIM)

• Proprietary

• Identity Lifecycle Engine

• Roles and Privileges
  – Difficult to Discover Rules

• Self-Service Management

Diagram: Identity Credential Lifecycle, with the stages Provision, De-Provision, Authentication, Authorization, Management.
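Just-in-Time provisioning from a SAML assertion, together with the De-Provision stage of the lifecycle above, as an added Python example that is not part of the presentation or of PEGRight's own code. The assertion, the trusted issuer, the SP audience and the in-memory user store are all constructed; XML signature verification is out of scope for the snippet and is flagged in the comments, because without it the issuer, audience and attribute checks below give no assurance at all.

```python
"""Just-in-time provisioning from a SAML assertion plus de-provisioning, the
SaaS-side pattern on this slide. Example code added for this transcript, not
PEGRight's; the assertion below is constructed sample data and the user store
is an in-memory dict standing in for the SaaS application's directory."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion (no Signature element shown). A real SP must verify the
# XML signature against the IdP's known certificate BEFORE trusting anything here.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc" Version="2.0">
  <saml:Issuer>https://idp.partner1.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@partner1.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-10-07T18:00:00Z" NotOnOrAfter="2014-10-07T18:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://saas.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>finance</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

TRUSTED_ISSUERS = {"https://idp.partner1.example/saml"}   # constructed
OUR_AUDIENCE = "https://saas.example/sp"                  # constructed
USERS = {}   # name_id -> user record (constructed in-memory store)


def parse_ts(s):
    """SAML timestamps are UTC; make the datetime aware so comparisons are safe."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text, now):
    """Check issuer, validity window and audience, then return (name_id, attributes).
    Raises ValueError on any failed check so nothing is provisioned from a bad assertion."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside validity window")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if OUR_AUDIENCE not in audiences:
        raise ValueError("assertion not addressed to this SP")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return name_id, attrs


def jit_provision(xml_text, now):
    """Create the user on first login and refresh attributes on later logins.
    A de-provisioned user is not silently resurrected by a fresh assertion."""
    name_id, attrs = parse_assertion(xml_text, now)
    user = USERS.get(name_id)
    if user and user["status"] == "deprovisioned":
        raise ValueError("account de-provisioned; re-provisioning needs lifecycle approval")
    user = USERS.setdefault(name_id, {"status": "active", "created": now})
    user["given_name"] = attrs.get("givenName", [""])[0]
    user["groups"] = sorted(attrs.get("groups", []))   # IdP is authoritative for membership
    user["last_login"] = now
    return user


def deprovision(name_id, now):
    """Lifecycle engine action: disable and strip entitlements rather than
    delete, so the audit chronology for the identity survives."""
    user = USERS[name_id]
    user.update(status="deprovisioned", groups=[], deprovisioned=now)
    return user
```

The refusal to re-activate a de-provisioned account on a later assertion is the point to notice: with pure JIT provisioning and no lifecycle engine, a partner IdP that forgets to disable a leaver keeps that leaver's SaaS access alive indefinitely.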


Page 9: Framework for an Identity and Access Management Roadmap

API Security

Diagram: Cloud Requests → Secure API Gateway → Backend Hosted Infrastructure (Services, Business Applications, and Business Services). Diagram labels: Secure Tokens; Secure Sessions.

Functions:
• Web and Mobile Security
• Step-Up Authentication
• Token Protocols/Signing
• Security Policy Definition and Enforcement (PDP/PEP)
• Protocol Translation
• Payload/Data Transformation
• Governance
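The PDP/PEP split, token signing and step-up authentication functions of the gateway, as an added Python example (not the presentation's or PEGRight's code). The HS256 key, the policy table, the claim names and the tokens are constructed; `gateway`, `verify_token` and `decide` are the example's own names. The enforcement point (`verify_token`) pins the algorithm, compares the MAC in constant time and rejects expired tokens before any policy is consulted; the decision point (`decide`) returns a step-up decision, not a plain deny, when a sensitive resource needs a stronger authentication method than the token carries.

```python
"""A minimal Secure API Gateway: the policy enforcement point (PEP) verifies
the signature and expiry of an HS256 JWT on each cloud request, then asks a
policy decision point (PDP) whether the token's scopes and authentication
strength satisfy the policy for the backend resource. Example code added for
this transcript, not PEGRight's; the policy table, the signing key and the
tokens are constructed sample data."""
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"   # shared with the token issuer (demo only)


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict) -> str:
    """Issuer side (HS256), included so the example is self-contained."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_token(token: str, now: float) -> dict:
    """PEP: pin the algorithm, check the MAC in constant time, check expiry.
    Raises ValueError for anything that must not reach the backend."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never let the token pick the algorithm
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))        # only parsed after the MAC checks out
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


# Constructed policy: per backend resource, required scopes and whether MFA is required.
POLICY = {
    "/api/orders":   {"scopes": {"orders:read"}, "mfa": False},
    "/api/payments": {"scopes": {"payments:write"}, "mfa": True},
}


def decide(claims: dict, resource: str) -> str:
    """PDP: returns 'permit', 'deny' or 'step-up' (MFA needed for a sensitive resource)."""
    rule = POLICY.get(resource)
    if rule is None:
        return "deny"                               # default deny for unknown resources
    if not rule["scopes"] <= set(claims.get("scope", "").split()):
        return "deny"
    if rule["mfa"] and "mfa" not in claims.get("amr", []):
        return "step-up"                            # valid token, insufficient authentication strength
    return "permit"


def gateway(token: str, resource: str, now: float) -> str:
    """PEP front door: verification failures are a deny; policy runs only on verified claims."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return "deny"
    return decide(claims, resource)
```

A shared HMAC secret is used here only to keep the example self-contained; a gateway that validates tokens from an external IdP verifies an asymmetric signature against the issuer's published keys, so the gateway holds nothing that could mint tokens.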


Page 10: Framework for an Identity and Access Management Roadmap

Identity Analytics and Intelligence

Diagram: Identity Credential Lifecycle events (Provision, De-Provision, Authentication, Authorization, Management) emitted by IAM Products and by Service Providers flow into SIEM/Log Files (one or more), which feed Security Intelligence Products; the output is the Identity Credential Lifecycle Chronology and Behaviors (Identity Credential Behaviors +).
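Building the identity credential lifecycle chronology from SIEM log lines and scanning it for behaviour the lifecycle should never produce, as an added Python example that is not from the presentation or from PEGRight. The log format, the log lines and the two detection rules are constructed; the rules illustrate the slide's point that the value comes from correlating IAM-product events (provision, de-provision, management) with service-provider events (authentication, authorization) on one timeline per identity.

```python
"""Identity credential lifecycle chronology from SIEM log lines. Events from
IAM products (provision, de-provision, management) and from service providers
(authentication, authorization) are merged per identity in time order and
scanned for behaviours a healthy lifecycle does not produce. Example code
added for this transcript, not PEGRight's; the log format and lines are
constructed."""
import re
from collections import defaultdict

# Constructed log lines: "<ISO timestamp> <source> <EVENT> user=<id> [key=value ...]"
LOG_LINES = """\
2014-10-01T09:00:00Z iam-prov PROVISION user=bob@corp.example by=hr-feed
2014-10-01T09:05:12Z sp-crm AUTHN user=bob@corp.example result=success
2014-10-02T11:20:00Z iam-prov DEPROVISION user=bob@corp.example by=hr-feed
2014-10-03T08:14:33Z sp-crm AUTHN user=bob@corp.example result=success
2014-10-03T08:15:01Z sp-crm AUTHZ user=bob@corp.example resource=/reports result=permit
2014-10-03T10:00:00Z sp-saas AUTHN user=carol@corp.example result=success
2014-10-04T12:00:00Z iam-mgmt MANAGEMENT user=dave@corp.example action=role-add role=admin by=dave@corp.example
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>[A-Z]+) user=(?P<user>\S+)(?P<rest>.*)$")


def parse_line(line):
    """One log line -> event dict, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["fields"] = dict(kv.split("=", 1) for kv in ev.pop("rest").split())
    return ev


def build_chronology(lines):
    """Per-identity event list in time order (ISO-8601 UTC strings sort lexically)."""
    chron = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        chron[ev["user"]].append(ev)
    for events in chron.values():
        events.sort(key=lambda e: e["ts"])
    return chron


def find_anomalies(chron):
    """Returns (user, rule, timestamp) tuples for lifecycle behaviours worth a ticket."""
    findings = []
    for user, events in chron.items():
        provisioned = False
        for ev in events:
            kind = ev["event"]
            if kind == "PROVISION":
                provisioned = True
            elif kind == "DEPROVISION":
                provisioned = False
            elif kind in ("AUTHN", "AUTHZ") and not provisioned:
                # Activity on an identity with no active provisioning record: either
                # the account is still usable after de-provisioning, or it was never
                # provisioned through the lifecycle at all (an orphan).
                findings.append((user, "activity-without-active-provisioning", ev["ts"]))
            elif kind == "MANAGEMENT" and ev["fields"].get("by") == user:
                # A privilege change the subject performed on themselves.
                findings.append((user, "self-administered-privilege-change", ev["ts"]))
    return findings


def run(lines=LOG_LINES):
    return find_anomalies(build_chronology(lines))
```

In the constructed data, bob's logins after his de-provisioning and carol's login with no provisioning event at all both surface under the first rule, while dave's self-granted admin role surfaces under the second; neither is visible to the IAM product or the service provider alone, which is the argument for feeding both into the same chronology.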


Page 11: Framework for an Identity and Access Management Roadmap

Summary

• Changing Face of IAM and Business Partnerships
  – Growing acceptance of the Cloud
  – BYOD and Internet of Things

• IAM Roadmap based on Building Blocks and Patterns

• Growing importance of measuring and tracking the identity lifecycle

• For More Information Contact:
  – Eric Uythoven, VP of Security Solutions
  – 719.648.8548, [email protected]

• Slides available on www.pegright.com via SlideShare
