Anthony Randall, Monsanto
A discussion of the concept of large-scale engineering of millions of customer identities combined with many applications and partners, identity information engineering, and thoughts about how to better mesh the internal IT landscape to improve identity services, user support and user experience.
2. Growth
• Organizations offering more consumer Web- and mobile-based services
• 2.4 billion internet users on the planet
• 1.75 billion smart phones
• Six-fold growth in mobile e-commerce through 2017
• IoT: 50 billion devices in 2020
3. IAM industry is catching up
• IAM technologies continue to enable
• Tools and technologies are improving
• New standards for mobile, cloud and the API economy
• And new ways of doing things
4. Directories for Authentication - Stores identity (and some authorization) = Few
Databases for authorization - Also stores identity = Hundreds
Security | Business | IT
Identity Data Management is lagging behind
5. Current state
Application/Service silos
Disconnected IT
Roles created for each individual application/service
New database for each application containing identity and application roles
6. And we keep hearing about context
• XACML
• OpenID Connect
• UMA
7. Name, Brand Information, Market Segment, Billing Status, Licensing & Certification, Role, Contact information, Account Status, Devices, Consent, Location, Organization, Identifiers, Interactions, Agreements, Product subscriptions, Authorized Acct Relationships
But we have a lot of information about our customers. We don't use it!
8. Business context often remains in back-office systems
Front of house:
- Directory Services: Identity, Email Address, Group. Often no user context.
Back Office:
- Customer CRM: Identity, authorization, user context
- Integration Services: Identity, authorization
- Targets
Spend lots $$$ doing the same things over
9. "Killing IAM in order to save it"
• Need to better define and describe business relationships and context for online activity
• Create single user views for multiple services
(Diagram label: Parental Controls)
10. Back to the Future
• Directories store information once for many applications and services to use
• Business-oriented object based systems with security and distribution
(Diagram labels: User Identity / Authorization)
11. Build Namespace according to objects and functions - Not hierarchies
OU=Entitlements, OU=Devices, OU=Profiles, OU=Names, OU=Roles, OU=Users, OU=Products, OU=Configuration Mgt, OU=Preferences, OU=Apps, OU=Addr Books
Tie users to objects using GUIDs to create relationships
12. Adding it all up
Business Context + Relationships = Scalable + contextual Identity Data Model
13. Well designed information sets provide business efficiency and scale
(Diagram labels: System Scale; Self-Managed; CRM / Billing; Directory NameSpace(s); Updates / Reads reflected in information objects; Single user view; VMs)
14. Provides a ready-made recipe for cloud
(Diagram labels: Single user view - with context; Identity Bridge; Portable context)
15. Better prepared for paradigm shift
• An API-centric methodology relies on well managed and described information about users
• Requires closer integration with data architecture
(Diagram labels: Services; Web Services; Updates; Self-service; Self-subscribing; Names, Users, Devices, Products, Profiles, Roles, Addr. Books, Apps, Prefs, Config., Web)
16. Making progress
We still need to move away from this: Hundreds of identities (DBs)
Towards this: Single Identity (CRM / Billing $$)
17. Next Steps
• Get a handle on the number of identities out there
• Use tools to discover, map and clean up duplicate identities
• Use tools to understand which applications are using which identity stores
• Create a taxonomy of applications that require authentication/authorization and the conditions for access (e.g., Gold subscriber, all users, certain users)
(Diagram label: VDS)
18. Next Steps
• Use the context in the systems you own and build a richer set of user context
• CRM/Billing systems don't sign in users
• Build systems that represent the business context of users and what they do
• Needs to be scalable, distributed and secure
• Transition authentication to new tools
• Work with app owners to lifecycle current apps
• Use new tools to build new apps
(Diagram labels: $$; VDS)
19. When you get back to the office
• Understand vision for customer centricity
• Start cleaning up the identity silos that cause a disconnected view of the customer
• Change legacy mindsets and look to better combine identity with data architecture
• Correlate insufficient technology investments to current problem sets
• Build the business case and understand dimensions
22. There is a lot of valuable context information in billing systems and CRMs that can replace IT security groups
Name, Brand Information, Market Segment, Billing Status, Licensing & Certification, Role, Contact information, Account Status, Devices, Consent, Location, Organization, Identifiers, Interactions, Agreements, Product subscriptions, Authorized Acct Relationships
(Diagram labels: CRM / Billing $$; Application identity silos)
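The following is an added illustration, not code from the talk or from Monsanto, of three ideas the deck raises together: the object-based namespace of slide 11 (flat containers, relationships expressed as GUID references), the application taxonomy with access conditions of slide 17 ("Gold subscriber", "all users", "certain users"), and slide 22's point that billing/CRM context can replace hand-maintained IT security groups. The container names, attribute names, application names and all sample users and products are constructed for the example.

```python
"""Added example, not from the talk: an object-based identity namespace
(slide 11) whose objects are linked by GUID references, assembled into a
single user view (slide 13), and an application taxonomy (slide 17) whose
access conditions read billing/CRM context instead of static IT security
groups (slide 22). All container names, attributes and sample data are
constructed for illustration."""
import uuid

# One flat container per object type, mirroring OU=Users, OU=Products, ...
# Objects are keyed by GUID; no nesting hierarchy is used.
NAMESPACE: dict[str, dict[str, dict]] = {
    "Users": {}, "Names": {}, "Devices": {},
    "Products": {}, "Entitlements": {},
}

def new_object(ou: str, **attrs) -> str:
    """Create an object in container `ou` and return its GUID."""
    guid = str(uuid.uuid4())
    NAMESPACE[ou][guid] = {"guid": guid, **attrs}
    return guid

def link(ou: str, guid: str, attr: str, target_guid: str) -> None:
    """Record a relationship as a multi-valued attribute of GUID references."""
    NAMESPACE[ou][guid].setdefault(attr, []).append(target_guid)

def resolve(ou: str, guid: str) -> dict:
    """Follow one GUID reference into its container."""
    return NAMESPACE[ou][guid]

def single_user_view(user_guid: str) -> dict:
    """Assemble one consolidated view of a user by following GUID links."""
    user = resolve("Users", user_guid)
    products = [resolve("Products", g) for g in user.get("products", [])]
    entitlements = {
        resolve("Entitlements", e)["name"]
        for p in products for e in p.get("entitlements", [])
    }
    return {
        "login": user["login"],
        "name": resolve("Names", user["name"])["display"],
        "tier": user["tier"],                      # context owned by CRM
        "billing_status": user["billing_status"],  # context owned by billing
        "products": [p["sku"] for p in products],
        "entitlements": sorted(entitlements),
        "devices": [resolve("Devices", d)["serial"]
                    for d in user.get("devices", [])],
    }

# Taxonomy of applications and their conditions for access. Each condition
# is a predicate over the single user view, so "Gold subscriber" is read
# from CRM/billing context rather than from a hand-maintained group.
APP_TAXONOMY = {
    "field-notes": lambda v: True,                                    # all users
    "yield-analytics": lambda v: (v["tier"] == "Gold"                 # Gold subscriber
                                  and v["billing_status"] == "current"),
    "device-admin": lambda v: "manage_devices" in v["entitlements"],  # certain users
}

def can_access(user_guid: str, app: str) -> bool:
    """Context-driven access decision; unknown applications are denied."""
    rule = APP_TAXONOMY.get(app)
    return bool(rule and rule(single_user_view(user_guid)))

def load_sample() -> dict[str, str]:
    """Populate constructed sample objects; returns login -> user GUID."""
    ent_view = new_object("Entitlements", name="view_reports")
    ent_manage = new_object("Entitlements", name="manage_devices")
    gold = new_object("Products", sku="ANALYTICS-GOLD")
    link("Products", gold, "entitlements", ent_view)
    link("Products", gold, "entitlements", ent_manage)
    basic = new_object("Products", sku="FIELD-BASIC")
    link("Products", basic, "entitlements", ent_view)

    alice = new_object("Users", login="alice", tier="Gold", billing_status="current",
                       name=new_object("Names", display="Alice Grower"))
    link("Users", alice, "products", gold)
    link("Users", alice, "devices", new_object("Devices", serial="TAB-0001"))
    # Bob holds a Gold tier in CRM but billing marks him past due.
    bob = new_object("Users", login="bob", tier="Gold", billing_status="past_due",
                     name=new_object("Names", display="Bob Planter"))
    link("Users", bob, "products", basic)
    return {"alice": alice, "bob": bob}

if __name__ == "__main__":
    users = load_sample()
    for login, guid in users.items():
        print(login, single_user_view(guid))
        print("  yield-analytics:", can_access(guid, "yield-analytics"))
```

The point of the design is that nothing in the access rules names a group: when billing flips Bob to past due, his access to the Gold application changes the next time the view is assembled, with no provisioning step into an IT security group. The same single user view is what a virtual directory or an OpenID Connect claims endpoint would serve to applications.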
23. Graph databases offer another way to depict the same core problem
Is it a storage and scale problem... or the method we use to represent information?
(Diagram label: VS)
24. Requirements and Processes
Business: Vision; Goals and drivers; Legal and Regulatory; Use-cases; Product Definition
User: Simple to use; Fast; Self-service; Self-controlled; Online trust; Customer support; Parental controls; Privacy control; Personalization
Solution: Massive scale; Millions of users; Mobile Optimized; Cloud-based; Ensure data privacy; Secure; Support social IDs; Integrated; Federated
Processes: Account creation/registration; Product Management; Provisioning; Context-driven access; Account Management; User lifecycle Mgt; Configuration Mgt; Business/Decision Support; Customer care
25. Model for Scale
Namespace, business objects that provide specific function and context; can be scaled independently according to need
(Diagram labels: SaaS CRM; 3rd Party Billing; Administration Tools; Self-Service Tools; Identity Information Service; Provisioning; Self-Service Administration; Product Mgt Tool; Data Tools; Provisioning; Synchronization; Service Access / Policy Information Point; Audit; Authoritative Sources: People, Products, Name Mgt, Devices, Servers; SaaS Satellite Information: SaaS Profiles, Role Def., eMail, SF.com, Name Mgt, Config. Mgt., <new>@service.com; Single User View: Addr Books, Policies, Prefs, Registration/Account Creation, MDM; Business Context)