Public cloud Identity-as-a-Service (IDaaS) providers are not immune to data breaches. IDaaS companies will live and die by their appetite for innovation and speed to market.
3. Customer Journey - The effects of IAM transformation

Stages: Try | Purchase | Use | Engage
Rows: Acting/Doing, Thinking, Feeling, Overall

Try
  Doing: Downloading trial software; Register contact profile; Activate account with 2-step registration
  Thinking: Do I have to register to download this? Does my login ID from 2 years ago still work? Does my cloud login work for this? Is this a global ID?
  Feeling: Consistent messaging & UI and central login builds confidence and trust. Enterprise respected my privacy and did not ask for too much information.
  Overall: Trust; Helpfulness

Purchase
  Doing: Online checkout; Contact Sales; Click to chat; Buy more licenses; Activate a new service subscription; Become an enterprise customer
  Thinking: Do I log in in order to obtain a license or activate my subscription? Will the tenant cloud know who I am, or do I have to register again?
  Feeling: My authentication experience is the same now as it was during trial evaluation. I have visibility into new products and services that my identity is allowed to see and purchase.
  Overall: Trust; Helpfulness

Use
  Doing: Install & register software; Manage on-prem to cloud; Migrate AD to cloud/SaaS portal; Delegate administration; Promote user to Admin role
  Thinking: How will I sync or migrate my users to the tenant cloud? Do I use my local account or my enterprise credentials to log in to the cloud? How will I log in to the tenant cloud? How can I assign access to others within my organization? Can I audit who has access to my tenant?
  Feeling: Happy that Enterprise recognizes my global ID and credentials across all of its products and services. Enterprise provides me with the tools I need to monitor and manage my users.
  Overall: Trust; Helpfulness

Engage
  Doing: Register for Support Forums; Contact Support; Register for Conference; Become a partner
  Thinking: Does my enterprise login ID work for support? Do I have to register a new account for conference attendance? How do I access my Partner content?
  Feeling: Excited that the enterprise really knows me and correctly identifies me in every context of interaction. I will recommend to my colleagues based on my experiences.
  Overall: Trust; Helpfulness
4. Business Driven IAM

Typical Approach / Typical Challenges
• Focused within the perimeter
• Static protection (rule based)
• Isolated from SOC & GRC controls
• Legacy systems and applications
• Too many silos

Intelligent IAM
• SSO
• Dynamic user provisioning
• Automated access governance
• Event/activity monitoring
5. Business Concerns
• We don't want to be the next massive data breach
• We want to make sure our identity providers are as secure as they can be
• We are prioritizing our security spend around that
7. Risk Aware IAM
• Quantify user risk scores over time to enhance adaptive authentication
• Connect risk insight into meaningful and rapid response
• Addresses the biggest cause of modern-day data breaches: compromised credentials

UEBA: detect risky behaviors
SIEM: single pane of glass for on-prem and cloud
Credential Verification: detect leaked credentials during logon
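The "quantify user risk scores over time to enhance adaptive authentication" point, as an added example that is not code from the slides or from VeriClouds. It replays constructed login telemetry for one user through a decaying score: each event fires behavioural signals (new device, new country, a country change too fast to be physical travel, a failed login), the weighted signals are added to a score that halves every 24 hours of quiet, and the current score selects the authentication response. The signal set, weights, half-life and thresholds are assumptions chosen for illustration, not values from the deck.

```python
"""Risk scoring over time for adaptive authentication.

Added example, not code from the slides or from VeriClouds. Signals, weights,
the 24h half-life and the decision thresholds are assumptions chosen to
illustrate the idea; tune them against your own login telemetry.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

HALF_LIFE = timedelta(hours=24)           # assumed: risk halves per quiet day
IMPOSSIBLE_TRAVEL = timedelta(hours=1)    # assumed: country change faster than this
WEIGHTS = {"new_device": 20, "new_country": 30,   # assumed signal weights
           "impossible_travel": 40, "failed_login": 10}
STEP_UP_AT, BLOCK_AT = 30, 70             # assumed policy thresholds


@dataclass
class LoginEvent:
    ts: datetime
    user: str
    country: str
    device_id: str
    success: bool


@dataclass
class UserProfile:
    score: float = 0.0
    last_ts: Optional[datetime] = None
    last_country: Optional[str] = None
    devices: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)


def decay(score: float, elapsed: timedelta) -> float:
    """Exponential decay so an old incident stops dominating the score."""
    if elapsed <= timedelta(0):
        return score
    return score * 0.5 ** (elapsed / HALF_LIFE)


def signals_for(profile: UserProfile, ev: LoginEvent) -> List[str]:
    """Behavioural signals this event fires against the user's history.
    The first event only seeds the profile, so it fires no novelty signals."""
    fired = []
    if profile.devices and ev.device_id not in profile.devices:
        fired.append("new_device")
    if profile.countries and ev.country not in profile.countries:
        fired.append("new_country")
    if (profile.last_ts is not None and profile.last_country != ev.country
            and ev.ts - profile.last_ts < IMPOSSIBLE_TRAVEL):
        fired.append("impossible_travel")
    if not ev.success:
        fired.append("failed_login")
    return fired


def update(profile: UserProfile, ev: LoginEvent) -> Tuple[float, List[str]]:
    """Decay the stored score, add this event's signals, record the event."""
    if profile.last_ts is not None:
        profile.score = decay(profile.score, ev.ts - profile.last_ts)
    fired = signals_for(profile, ev)
    profile.score += sum(WEIGHTS[s] for s in fired)
    profile.devices.add(ev.device_id)
    profile.countries.add(ev.country)
    profile.last_ts, profile.last_country = ev.ts, ev.country
    return profile.score, fired


def decide(score: float) -> str:
    """Adaptive-authentication response selected by the current risk score."""
    if score >= BLOCK_AT:
        return "block"
    return "step_up" if score >= STEP_UP_AT else "allow"


# Constructed telemetry for one user (not real log data).
SAMPLE_EVENTS = [
    LoginEvent(datetime(2024, 3, 1, 9, 0), "alice", "US", "laptop", True),
    LoginEvent(datetime(2024, 3, 2, 9, 0), "alice", "US", "phone", True),    # new device
    LoginEvent(datetime(2024, 3, 2, 12, 0), "alice", "DE", "phone", True),   # new country
    LoginEvent(datetime(2024, 3, 2, 12, 5), "alice", "US", "laptop", False), # DE->US in 5 min, failed
    LoginEvent(datetime(2024, 3, 12, 9, 0), "alice", "US", "laptop", True),  # ten quiet days later
]


def run(events: List[LoginEvent]) -> List[Tuple[float, List[str], str]]:
    """Replay events through one profile; (score, signals, decision) per event."""
    profile = UserProfile()
    return [(s, f, decide(s)) for s, f in (update(profile, ev) for ev in events)]


if __name__ == "__main__":
    for ev, (score, fired, decision) in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{ev.ts:%m-%d %H:%M} {ev.country} {ev.device_id:6} {score:6.1f} {decision:8} {fired}")
```

On the constructed sequence the new device alone stays under the step-up threshold, the later new country pushes the user into step-up, the impossible travel plus failed login produces a block, and ten quiet days decay the score back to allow. The decay is what keeps "risk over time" from becoming a permanent penalty; without it the fourth event would still be blocking the user a month later.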
8. Detect & Verify Compromised Credentials
• Prevent stolen credentials from being used during logon
• Automate response & remediation
• Outsource liabilities & risk
• Support for NIST SP 800-63B (which requires checking memorized secrets against lists of known-compromised values)
• Complement 2FA and MFA
11.
               L1 Risk                                      L2 Risk
               15 – 40%                                     87%

When           A compromised credential is linked to        Only the compromised credential or only
               the username (e.g. email address)            the account is known

Where          During login and self-service                Risk score; user and domain dashboard
               password reset

Action taken   Force change password; step-up               Assess degree of risk; display a warning
               authentication; revoke user access
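The L1/L2 tiers and actions in the table above, together with the "your information stays private" point on slide 12, as an added example that is not VeriClouds code. It builds a constructed in-memory dump, classifies a login attempt as L1 (the leaked credential is linked to this username), L2 (only the password or only the account is known) or clean, maps each tier to the actions the table lists, and applies the same check to a self-service password reset. The lookup sends only the first 5 hex characters of SHA-1(password) and compares suffixes locally; that is the k-anonymity range query popularised by Have I Been Pwned and is an assumption about how to keep the queried password private, since the slides do not describe how VeriClouds stores or queries its data.

```python
"""Compromised-credential check at login and at password reset.

Added example, not VeriClouds code. The dump is a constructed in-memory
sample, and the prefix-range lookup (5 hex chars of SHA-1) is an assumed
design for keeping the checked password private; the slides describe what
to detect and what to do about it, not the storage or query mechanism.
"""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

Record = Tuple[str, Optional[str]]   # (hash suffix, leaked username or None)


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_corpus(leaks: Iterable[Tuple[Optional[str], str]]) -> Dict[str, List[Record]]:
    """Bucket leaked (username, password) pairs by hash prefix. A username of
    None means the password appeared in a dump without a usable account id."""
    corpus: Dict[str, List[Record]] = defaultdict(list)
    for user, password in leaks:
        h = sha1_hex(password)
        corpus[h[:5]].append((h[5:], user.lower() if user else None))
    return corpus


# Constructed sample dump; none of these are real leaked credentials.
SAMPLE_LEAKS = [
    ("alice@example.com", "Summer2017!"),    # full credential pair exposed
    (None, "P@ssw0rd"),                       # password exposed, owner unknown
    ("bob@example.com", "correct horse"),     # bob's old password from another site
]
CORPUS = build_corpus(SAMPLE_LEAKS)


def range_query(corpus: Dict[str, List[Record]], prefix: str) -> List[Record]:
    """What the client asks the service: every record sharing the 5-char prefix.
    The service learns a bucket of candidates, never the password itself."""
    return corpus.get(prefix, [])


def account_known(corpus: Dict[str, List[Record]], username: str) -> bool:
    """Has this account id appeared in any dump, whatever the password was?
    (A real service indexes usernames separately; a scan is fine for a sample.)"""
    u = username.lower()
    return any(rec_user == u for bucket in corpus.values() for _, rec_user in bucket)


def classify(username: str, password: str, corpus=CORPUS) -> Optional[str]:
    """The table's tiers: L1 when the leaked credential is linked to this
    username; L2 when only the password, or only the account, is known."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    u = username.lower()
    bucket = range_query(corpus, prefix)
    pair_leaked = any(sfx == suffix and rec_user == u for sfx, rec_user in bucket)
    password_leaked = any(sfx == suffix for sfx, _ in bucket)
    if pair_leaked:
        return "L1"
    if password_leaked or account_known(corpus, u):
        return "L2"
    return None


ACTIONS = {   # the table's "Action taken" row; a deployment picks per policy
    "L1": ["force_password_change", "step_up_authentication", "revoke_user_access"],
    "L2": ["assess_degree_of_risk", "display_warning"],
    None: ["proceed"],
}


def on_login(username: str, password: str) -> Tuple[Optional[str], List[str]]:
    """Decision hook for the login flow: tier plus the actions to take."""
    tier = classify(username, password)
    return tier, ACTIONS[tier]


def accept_new_password(username: str, new_password: str) -> bool:
    """Self-service reset: refuse any password present in a dump at all, not
    only this user's (the NIST SP 800-63B compromised-value check)."""
    h = sha1_hex(new_password)
    return not any(sfx == h[5:] for sfx, _ in range_query(CORPUS, h[:5]))
```

Note the asymmetry between the two hooks: at login a password that is leaked but not linked to this user is L2, because it may simply be a common password, while at reset time the same password is rejected outright, since there is no reason to let a user pick a value already in attackers' wordlists.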
12. My.VeriClouds.com
• Check if your credentials have been leaked
• Check how many credentials are leaked in your business domain
• Search against more than 6B leaked accounts
• Your information stays private
• Mobile friendly
13. How do you get there?
• Integrating and uniting these platforms
  — Begin using CASB, SIEM and credential verification services
• Start small – increase the scope of "risk aware IAM" every quarter
  — Begin with the end in mind, and work backwards
• Avoid siloed thinking
  — Connect your IAG/IAM initiatives to other SOC and GRC initiatives
14. The Future
• Not as simple as enabling MFA and creating a dashboard
  — Analytics, reports, dashboards – potential data overload!
• The industry will move more towards risk aware IAM that:
  — Automates risk insight into actionable policy enforcement
• Assume you have been breached already
  — Good enough usually isn't
Today, IAM (and even security) is not secure
Recent data breaches – almost all of them involve compromised credentials and exploit human weakness
What I’ve spent time doing
Specifically from my perspective, I’m going to share what I see the forward-thinking companies are doing to make IAM more secure by making it more risk aware.
Balance between convenience and privacy and better security
Story about using IAM to drive customer experience in CTO working group at VMWare
Closes the gap on risk (mostly)
Every year data breaches expose billions of account credentials