Chris Bauserman, Senior Director of Product Marketing, Cloud and SaaS, SailPoint
This session will discuss how next-generation IAM strategies can holistically address the security and compliance requirements of mission-critical applications and data that span an enterprise's data center, cloud and mobile environments.
Chris Bauserman will also provide technical insights to help attendees answer these questions:
· How do I provide full account lifecycle management?
· How do I ensure consistency across provisioning and runtime access?
· How do I provide a single point for end user self-service?
· How do I efficiently and securely manage a bridge to on-prem IT?
· How do I implement audit, governance and compliance?
CIS13: Avoiding the Pitfalls of Managing IAM for a Hybrid Environment
1. Echo in the Silo
Avoiding the Pitfalls of Managing IAM
for a Hybrid Environment
Chris Bauserman, Director of Product Marketing
Cloud Identity Summit 2013
2. 2
Goals for this Session
§ Recap challenges in IAM for today’s Hybrid IT
§ Explore approaches that avoid these pitfalls
§ How do I provide full account lifecycle management?
§ How do I ensure consistency across provisioning & runtime access?
§ How do I provide a single point for end user self-service?
§ How do I efficiently and securely manage a bridge to on-prem IT?
§ How do I implement audit, governance & compliance?
§ See these approaches in action with customer case studies
4. 4
Echo in the Silo
§ IAM was born in a world of change & isolation…
§ Mainframe -> Distributed -> Web
§ “Silos of management” – designed for IT users
§ Fragmented, isolated, stand-alone tools & management processes
5. 5
Echo in the Silo
§ But we learned our lessons well…
§ A single point of visibility, management & controls
§ Built for the business user
§ Focus on business models with sustainable controls & governance
6. 6
Echo in the Silo
§ Now infrastructure change is accelerating again…
§ Cloud, mobile and social - distribution at a new level
§ User experience is king
§ Cost reduction is mandatory
7. 7
Echo in the Silo
§ And silo is creeping back!
§ Management by infrastructure type
§ Stand-alone tools and administration processes
§ Fragmentation & isolation of IAM processes & practices
[Diagram: separate management silos labelled Cloud IAM, AWS IAM, MDM and SharePoint]
8. 8
Echo in the Silo
§ Can you hear the echo?
§ How do I provide full account lifecycle management?
§ How do I ensure consistency across provisioning & runtime access?
§ How do I provide a single point for end user self-service?
§ How do I implement audit, governance & compliance?
11. 11
The Blue Pill - How We’d Like Things To Be
[Diagram: cloud (network) centric identity (Mobile, Cloud, Social) and enterprise (domain) centric identity (Enterprise Applications, LAN, HR, Business Process) joined by three shared layers: Policy & Control Process, Identity & Attribute Data, and Session & User Experience]
12. 12
The Red Pill – How Things Often Really Are
[Diagram: cloud (network) centric identity (Mobile, Cloud, Social) and enterprise (domain) centric identity (Enterprise Applications, LAN, HR, Business Process) linked only by point tools: MDM and Active Directory sync]
13. 13
Cloud IAM Pitfalls
§ Pure AD sync cloud propagation for SSO & provisioning
§ Firewall & agent issues
§ The group overloading and de-provisioning issues
§ No business engagement / oversight / controls
§ Account-level provisioning
§ Lack of fine-grained entitlements
§ No understanding of “entitlement”
§ Loosely attached to corporate JML
§ Making it stand-alone!
§ Isolated user experience
§ No common policy or controls
§ Not integrated with enterprise IAM
14. 14
Mobile IAM Pitfalls
§ AD sync for mobile account propagation
§ Infrastructure focused & “fragile”
§ The group overloading and de-provisioning issues
§ No business engagement / oversight / controls
§ SSO model inconsistencies
§ Lack of commonly adopted standards for mobile app SSO
§ No common keychain or account store
§ Separate platforms, approaches and user experiences
§ MDM Tools are not IAM centric
§ Device centric not identity centric
§ Everything's the same but everything is different…
§ Not integrated with enterprise IAM processes
16. 16
Avoiding the Pitfalls
[Diagram: cloud (network) centric identity (Mobile, Cloud, Social) and enterprise (domain) centric identity (Enterprise Applications, LAN, HR, Business Process) joined by shared layers: Policy & Control Process, Identity & Attribute Data, and Session & User Experience]
17. 17
Avoiding the Pitfalls
[Diagram: an Internal IAM Control Point on the enterprise (domain) side (Enterprise Applications, LAN, HR, Business Process) and an External IAM Control Point on the cloud (network) side (Mobile, Cloud, Social), exchanging Identity Data, Access Data, Controls, Context and Policy Data]
18. 18
Avoiding the Pitfalls
[Diagram: an on-premises IAM Gateway on the enterprise (domain) side (Enterprise Applications, LAN, HR, Business Process) and an IDaaS Control Point on the cloud (network) side (Mobile, Cloud, Social); changes are pushed and pulled between the two]
19. 19
Avoiding the Pitfalls
§ Extend enterprise IAM to meet the cloud
§ Connectors for leading SaaS apps
§ Provisioning & SSO working hand-in-hand
§ Connected business processes
§ Inter-connected IAM & Mobile Device Management (MDM)
§ Treat the MDM platform like a provisioning connector
§ Connect & model “entitlements”
§ Provision as part of existing Joiner/Mover/Leaver flows
§ Full governance visibility and control
§ Capture and correlate full record of app usage: cloud and internal
§ Drive additional AuthN requirements based on ‘whole identity’
§ Incorporate SaaS and BYOA in certifications and self-attestations
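The three points above (treat MDM as a provisioning connector, model entitlements, provision inside the existing Joiner/Mover/Leaver flow) come together in a reconciliation loop: desired entitlements are derived from the identity's roles and lifecycle state, and the difference against what each connector currently holds becomes the provisioning plan. The following is an added illustration, not SailPoint's code or data model; the role table, connector names ("ad", "saas_crm", "erp", "mdm") and identities are constructed. It also shows why the leaver event de-provisions the MDM profile automatically, something a pure AD group sync (slides 13 and 14) does not do.

```python
"""Joiner/Mover/Leaver reconciliation across hybrid connectors (constructed example)."""
from dataclasses import dataclass, field

# Role -> set of (connector, entitlement) pairs. The MDM platform is modelled as
# just another provisioning connector, beside SaaS and on-prem targets.
# All names are hypothetical.
ROLE_ENTITLEMENTS = {
    "employee": {("ad", "Domain Users"), ("saas_crm", "user"), ("mdm", "corp-device-profile")},
    "sales":    {("saas_crm", "opportunity-editor"), ("mdm", "sales-app-catalog")},
    "finance":  {("erp", "ap-clerk")},
}


@dataclass
class Identity:
    uid: str
    roles: set = field(default_factory=set)
    active: bool = True


def desired_entitlements(identity: Identity) -> set:
    """Leavers get nothing; active identities get the union of their roles.

    Deriving the target state from roles (rather than copying group membership
    with a directory sync) is what makes de-provisioning automatic on the
    leaver event: every connector, MDM included, is driven from one source.
    """
    if not identity.active:
        return set()
    wanted = set()
    for role in identity.roles:
        wanted |= ROLE_ENTITLEMENTS.get(role, set())
    return wanted


def reconcile(identity: Identity, current: set) -> dict:
    """Return a per-connector add/remove plan that turns `current` into the desired set."""
    wanted = desired_entitlements(identity)
    plan = {}
    for connector, ent in sorted(wanted - current):
        plan.setdefault(connector, {"add": [], "remove": []})["add"].append(ent)
    for connector, ent in sorted(current - wanted):
        plan.setdefault(connector, {"add": [], "remove": []})["remove"].append(ent)
    return plan


def lifecycle_event(event: str, identity: Identity, current: set, roles=None) -> dict:
    """Apply a JML event to the identity and return the resulting provisioning plan."""
    if event == "joiner":
        identity.active = True
        identity.roles |= set(roles or ())
    elif event == "mover":
        identity.roles = set(roles or ())
    elif event == "leaver":
        identity.active = False
    else:
        raise ValueError(f"unknown lifecycle event: {event}")
    return reconcile(identity, current)


def apply_plan(plan: dict, current: set) -> set:
    """Simulate the connectors executing the plan; returns the new current state."""
    for connector, ops in plan.items():
        for ent in ops["add"]:
            current.add((connector, ent))
        for ent in ops["remove"]:
            current.discard((connector, ent))
    return current


if __name__ == "__main__":
    alice, held = Identity("alice"), set()
    for ev, kw in (("joiner", {"roles": {"employee", "sales"}}),
                   ("mover", {"roles": {"employee", "finance"}}),
                   ("leaver", {})):
        plan = lifecycle_event(ev, alice, held, **kw)
        held = apply_plan(plan, held)
        print(ev, plan)
```

The mover step removes the sales entitlements on both the SaaS connector and the MDM connector while adding the ERP one; the leaver step produces a remove-only plan across every connector the identity touched, which is the governance property the slide asks for.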
20. 20
Avoiding the Pitfalls
§ Resiliency to operate ‘disconnected’ from cloud
§ Avoid unnecessary cloud to on-premises round trips
§ Cache policy and sessions for local app SSO
§ Firewall-friendly, self-managing on-prem integration point
§ Don’t expose inbound firewall ports or use costly VPNs
§ Consolidate with self-updating, self-monitoring virtual appliance
§ Remember what we’ve learned so far
§ Consistent business-level user interface
§ Integrated visibility, controls & governance
§ IAM does not work in a silo!
21. 21
A Secure IAM Gateway Appliance
[Diagram: SailPoint Access Management in the cloud holds a Request Queue; the on-premises Managed Virtual Appliance long-polls it over REST/SSL on the standard port 443, receives the Identity & Access Management payload as the request, and returns the response over the same outbound connection]
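The appliance pattern on this slide and the "don't expose inbound firewall ports" point on slide 20 rest on one protocol idea: the on-prem side only ever makes outbound HTTPS calls (poll for work, post the result), so the cloud never needs a route into the data center. The following simulation is an added example, not SailPoint's implementation: the cloud-side queue, the request and response shapes, the allowed operations and the in-memory "directory" are all constructed, and the REST/SSL transport is replaced with in-process calls so it runs offline. The one defensive detail worth copying is that the appliance executes only an allow-list of operations it recognises, so an unexpected payload is rejected rather than interpreted.

```python
"""Outbound-only IAM gateway with a long-polled request queue (constructed example)."""
import json
import uuid
from collections import deque

LONG_POLL_TIMEOUT_S = 30  # how long the appliance would hold one poll open; illustrative


class CloudRequestQueue:
    """Cloud side: accepts IAM requests, hands them out on poll, stores responses.

    In the real deployment these three methods would be HTTPS endpoints on port
    443; here they are plain method calls. Note that nothing in this class ever
    calls into the appliance: all traffic is initiated from on-prem.
    """

    def __init__(self):
        self._pending = deque()
        self._responses = {}

    def submit(self, op: str, **params) -> str:
        req_id = str(uuid.uuid4())
        self._pending.append(json.dumps({"id": req_id, "op": op, "params": params}))
        return req_id

    def poll(self, wait_s: int = LONG_POLL_TIMEOUT_S):
        """Long-poll endpoint: return the next request, or None when the wait times out."""
        return self._pending.popleft() if self._pending else None

    def respond(self, req_id: str, body: dict) -> None:
        self._responses[req_id] = body

    def result(self, req_id: str):
        return self._responses.get(req_id)


class OnPremAppliance:
    """Virtual appliance behind the firewall; stands in for the managed appliance."""

    ALLOWED_OPS = {"create_account", "disable_account", "get_account"}

    def __init__(self, queue: CloudRequestQueue, directory: dict):
        self.queue = queue
        self.directory = directory  # hypothetical stand-in for AD/LDAP on the LAN

    def handle(self, raw: str) -> dict:
        """Execute one IAM payload locally. Unknown operations are rejected, not guessed."""
        req = json.loads(raw)
        req_id, op, params = req.get("id"), req.get("op"), req.get("params", {})
        if op not in self.ALLOWED_OPS:
            return {"id": req_id, "status": "rejected", "reason": f"unknown op {op!r}"}
        uid = params.get("uid")
        if op == "create_account":
            self.directory[uid] = {"enabled": True, "groups": list(params.get("groups", []))}
        elif uid not in self.directory:
            return {"id": req_id, "status": "not_found", "uid": uid}
        elif op == "disable_account":
            self.directory[uid]["enabled"] = False
        return {"id": req_id, "status": "ok", "account": dict(self.directory[uid])}

    def run_once(self) -> bool:
        """One cycle: outbound poll, local execution, outbound response. False on timeout."""
        raw = self.queue.poll()
        if raw is None:
            return False
        resp = self.handle(raw)
        self.queue.respond(resp["id"], resp)
        return True

    def drain(self) -> int:
        """Keep polling until the queue reports no work; returns requests handled."""
        handled = 0
        while self.run_once():
            handled += 1
        return handled


if __name__ == "__main__":
    cloud, appliance = CloudRequestQueue(), None
    appliance = OnPremAppliance(cloud, directory={})
    ids = [cloud.submit("create_account", uid="bob", groups=["Domain Users"]),
           cloud.submit("disable_account", uid="bob"),
           cloud.submit("wipe_directory")]
    print(appliance.drain(), "requests handled")
    for req_id in ids:
        print(cloud.result(req_id))
```

In production the poll call blocks for up to the timeout on the server side, which is what keeps the appliance from hammering the queue while still reacting to new requests within seconds; the simulation returns immediately because there is no network to wait on.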
25. 25
Manufacturer Transitioning to “Cloud First”
Business Drivers
§ Increased SaaS adoption
§ Internal WAM missing SLAs
Solution
§ Hybrid IAM: SSO as SaaS, IAG/provisioning on-premises
§ Web-proxy virtual appliance
Results
§ Greater SSO uptime
§ Cost savings via soft tokens
§ Smarter certifications based on actual usage
26. 26
Retailer Creates 360° Consumer Experience
Business Drivers
§ Build interactive community
§ Support huge traffic spikes
Solution
§ B2C portal with social sign-on and step-up assurance
§ SaaS IdP to partner apps
§ REST APIs to analytics
Results
§ Elastic capacity to handle peak loads at substantial cost saving
§ Lowers user registration friction while meeting PCI
§ Rich set of data for marketing
27. 27
“Those who cannot remember the past are condemned to repeat it”
George Santayana