The Future of Enterprise Identity Management

T H E F U T U R E O F E N T E R P R I S E
I D E N T I T Y M A N A G E M E N T
Architecting for Identity & Access Management (IAM) in the Cloud

Merritt Maxim
Senior Analyst, Security & Risk
David Meyer
Vice President, Product Management
S P E A K E R S

/ / / I N T R O D U C T I O N
/ / / F O R R E S T E R
General SaaS Trends
Challenges with Traditional On-premise IAM
Recommendations
How to Measure IDaaS Success
/ / / O N E L O G I N
Mobile
On-premises Provisioning
Cloud Directory
/ / / Q & A
+
A G E N D A

© 2015 Forrester Research, Inc. Reproduction Prohibited 4
Top line growth, not cost savings, is the
new priority

The profile of the technology buyer is
changing
Source: February 10, 2014, “Understanding Shifting Technology Acquisition Patterns” Forrester report

Summary revenues for cloud platforms,
business services, and applications —
2008 to 2020
Source: April 24, 2014, “The Public Cloud Market Is Now In Hypergrowth” Forrester report

Challenges with
Traditional On-Premise IAM

History of IAM
Ad-hoc in-house systems
Custom web
SSO, authz,
provisioning .
. .
Extended help desk systems and password sync
Workflow,
attestation
— and self-
service
password
reset!
On-premises point solutions
Web SSO,
feed-based
provisioning
, RBAC . . .
Access governance
Formal
processes
Cloud IAM
Access
mgmt, then
ID mgmt

Challenges with traditional on-prem IAM
› High total cost of ownership (TCO)
› Initial deployment
› Infrastructure
› Ongoing maintenance & upgrades
› Inflexible to support emerging enterprise requirements:
› Mobile, SaaS, API
› Inconsistent reporting/dashboards & analytics

Cloud pulls the CISO in many directions
CISO and security
organization
Shadow IT
LOB procures
cloud services.
Cloud offers
significant
benefits (financial
and operational).
Security
struggles to
reduce cloud
security risks.
Data center is
now loosely
coupled.
CISO can’t say
no (all the time).

Partner apps
SaaS apps
Employees
Contractors
Partners
Enterprise computers
Personal devices
Apps in public clouds
App sourcing and hosting
App access channels User populations
Cloud apps and the extended enterprise
drive the need for cloud IAM
On-premises enterprise apps
Apps in private clouds
Members
Customers
Public computers
Enterprise-issued devices

IAM for SaaS applications

IAM as SaaS
aka IDaaS

How to Measure IDaaS Success

Buyers see value in IDaaS
› Lower upfront costs
› Shorter time to implement
› Faster ROI
› Reduced risk
› Greater agility to support business
› Frequent, automatic upgrades

Measuring the success of an IDaaS
implementation
Costs
› Subscription fees
› Professional services
› Internal labor
Benefits / Cost Savings
› User performing self service – end user
productivity improvements
› Re-allocating IT headcount to higher
value activities
› Better visibility, reporting & analytics
› Audit remediation avoided
› Detecting unused SaaS users
› Reducing risk of security breaches
ROI of 100%+ over
3 years
<

Recommendations

Recommendations
› Pitch and deliver benefits to sponsors using metrics they
can sell upward
› Assess application coverage and fit of IDaaS vendors
• SAML integration v. browser form-fill
• On-prem v. SaaS v. custom apps
› Plan for future IDaaS requirements now
• Phase 1: SSO & 2-factor authentication
• Phase 2: Provisioning, access governance, MDM longer-term
› Promote the benefits
• Important to keep awareness of IAM value high

Manage this handshake
IDaaS vendor & your org have mutual responsibilities

U S E C A S E S
Mobile Identity and Access
On-Premises Provisioning and Onboarding
Cloud Directory and Directory Consolidation

Firewall
Active Directory
Mobile Workers Customers & Partners
Employees
E N T E R P R I S E I D E N T I T Y L A N D S C A P E

U S E C A S E
Mobile Identity and Access

Most mobile apps don’t even support SAML
• Tiny keyboards are incompatible with passwords
• SAML for web + password = #failure
M O B I L E - T H E L A S T M I L E P R O B L E M I N S S O

The mobile apps that do support SAML
• Clunky SAML handshake that requires user to authenticate twice
• Sessions not frequently revalidated because of the sign-in complexity
M O B I L E - S A M L I S N O T T H E S O L U T I O N

Designed for Mobile
Standards-Based
Superior User Experience
Major driver in NAPPS specification work
Leverage vendor traction to change the game
T H E N E W S T A N D A R D F O R M O B I L E S S O
I N B E T A W I T H C U S T O M E R S & P A R T N E R S
N A P P S

W E ’ V E D O N E I T B E F O R E
OneLogin SAML toolkits adopted by 300+ ISVs
600+ SAML apps in our catalog
Driving SCIM for user provisioning
Co-authoring NAPPS standard for mobile SSO
Good standards prevail
SAML-based apps integrated with OneLogin

S T A R T B U I L D I N G T O D A Y
Major ISVs & Major Customers
Building NAPPS Apps Today
Free Toolkits Available
DEVELPERS.ONELOGIN.COM
email: napps-info@onelogin.com

Sandy, Contractor working at a cafe
MFA Required
Rob, Sales meetings from the HQ
Auto logged-in
M O B I L E T R E N D S - D E V I C E S A R E E V E R Y W H E R E
E N D P O I N T S A R E T H E N E W P E R I M E T E R
Brent, In-person Sales meetings at the HQ
No access to Billing
MFA Required
Brent, Designer working at the HQ
Auto logged-in
Finally can manage the actual risk
of mobile access
IT Admin

Private Key Protected
Policy Controlled
NAPPS Enabled
Launch any Web app
Launch any Native App
“Push” based OTP
O N E V E R Y D E V I C E

M O B I L E T R E N D S
• Mobile is becoming the primary mode of work
• % of employees that are full time, in office, is plummeting
• OS vendors are doing more of the heavy lifting for security
• Identity is a growing risk / gap
• Solving identity let’s employees do work without risk

U S E C A S E
On-Premises Provisioning and Onboarding

P R O V I S I O N I N G TO L E G A C Y A P P S
60+ custom fields
PROVISIONING
MAPPINGS
RULES
COMPLIANCE
SAML SSO
CLOUD
APPS
Firewall
PROXY
AGENT
CUSTO
M
PROVISIONING
SCIM
TLS SOCKETPROVISIONING POWER
• Org Hierarchy
• Any Custom Attributes
• Proxy Agents
• Custom Schema
• Scriptlets
• Photos

P R O V I S I O N I N G T R E N D S
• On-premise provisioning infrastructure not suitable for cloud
• Increasing desire to “move off” of on-premises pain
• Shift to Workday (SaaS HCM) puts the data in the cloud
anyway
• Shift to ServiceNow (SaaS ITSM) demands service activation
of cloud apps
• IDaaS is the logical conclusion for SaaS
• IDaaS doing on-premises provisioning makes it complete

U S E C A S E
Cloud Directory and Directory Consolidation

I D A A S A S M E T A D I R E C T O R Y
ACTIVE DIRECTORY
FOREST A
ACTIVE DIRECTORY
FOREST B
OPENLDAPWORKDAY

Contractors
Cloud Directory
APIs
LDAP
Policies
Partners
Employees
A L L T Y P E S O F U S E R S A L L T Y P E S O F A P P L I C A T I O N S
Customers
Custom AppsOn-Prem
Cloud
No External Directory Required
C L O U D D I R E C T O R Y

E X C I T I N G P O S S I B I L I T I E S

D I R E C T O R Y T R E N D S
Heterogeneity is the norm
Increasingly users are mastered in the cloud
This allows a modern workplace that is compliant
This allows policy enforcement outside the domain

THANK YOU
David Meyer
Vice President, Product Management
david@onelogin.com
@meyerwork
Merritt Maxim
Senior Analyst, Security & Risk
mmaxim@forrester.com
@merrittmaxim

The Future of Enterprise Identity Management

More Related Content

What's hot (20)

Viewers also liked (12)

Similar to The Future of Enterprise Identity Management (20)

More from OneLogin (14)

Recently uploaded (20)

The Future of Enterprise Identity Management