IAM for the Masses: Managing Consumer Identities

© 2014 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."

Lori Robinson

description

Lori Robinson, Gartner's Research VP for Identity & Privacy Strategies, presents a keynote on managing consumer identities at the 2014 IRM Summit in Phoenix, Arizona.

Transcript of IAM for the Masses: Managing Consumer Identities

Page 1: IAM for the Masses: Managing Consumer Identities

Lori Robinson

IAM for the Masses: Managing Consumer Identities

Page 2: IAM for the Masses: Managing Consumer Identities

Gartner delivers the technology-related insight necessary for our clients to make the right decisions, every day.

Page 3: IAM for the Masses: Managing Consumer Identities

Nexus of forces

Page 4: IAM for the Masses: Managing Consumer Identities

Anytime, anywhere, any device

Page 5: IAM for the Masses: Managing Consumer Identities

Social permeates business

• BYOI
• Marketing
• Customer interactions
• Internal communication

[Diagram labels: Colleagues, Teams, Network, Friends, Enterprise, Personal]

Page 7: IAM for the Masses: Managing Consumer Identities

The digital business has arrived!

Page 8: IAM for the Masses: Managing Consumer Identities

Identity (circa) 2014…

Page 9: IAM for the Masses: Managing Consumer Identities

Page 10: IAM for the Masses: Managing Consumer Identities

Page 11: IAM for the Masses: Managing Consumer Identities

Page 12: IAM for the Masses: Managing Consumer Identities

Many relationships to manage…

• Business-to-employee (B2E)
• Business-to-business (B2B)
• Business-to-consumer (B2C)
• Government-to-citizen (G2C)
• Application-to-Application (A2A)
• Things-to-things (T2T)

Page 13: IAM for the Masses: Managing Consumer Identities

Consumer IAM Characteristics

Page 14: IAM for the Masses: Managing Consumer Identities

           Consumer       Employee
Scale      Massive        Medium to Large
Control    Distributed    Centralized
Focus      Individual     Business

Page 15: IAM for the Masses: Managing Consumer Identities

It’s about relationships & data!

• Consumer IAM is marketing & revenue driven
• CMO often sponsors project
• User experience impacts revenue: login is the front door to the digital storefront
• Identity data is the new gold!
  - Personalization & contextualization
  - Targeted marketing
  - Direct sell of ID data

Page 16: IAM for the Masses: Managing Consumer Identities

Consumer IAM Requirements

Page 17: IAM for the Masses: Managing Consumer Identities

Page 18: IAM for the Masses: Managing Consumer Identities

Balance benefit vs. risk

• Protect individuals’ privacy while maximizing the value of consumer data

[Diagram labels: Revenue, Privacy, Consent & Permission, Choice & Control, Transparency, Data sharing & federation, Personalization, Consumer Profile Data]

Page 19: IAM for the Masses: Managing Consumer Identities

Secure individual & business assets

• Ensure that users are who they say they are.
• Make sure the right users get access to the right information.

Page 20: IAM for the Masses: Managing Consumer Identities

User experience matters!

• Simplified
• Seamless across domains
• Mobile optimized
• Personalized & Contextualized

Page 21: IAM for the Masses: Managing Consumer Identities

Scale to the Masses

• Ability to support millions of identities
• Available 24 x 7 x 365
• Ensure throughput
• Performance at scale

Page 22: IAM for the Masses: Managing Consumer Identities

Ensure Agility

[Diagram labels: Employee, Contractor, Vendor, Partner, Customer, Public; Traditional, Hybrid, Modern]

Page 23: IAM for the Masses: Managing Consumer Identities

Consumer IAM: Technical Approaches

Page 24: IAM for the Masses: Managing Consumer Identities

Registration

• Self-service registration
• Delegated administration
• Social identities
• Just-in-time (JIT) provisioning
• User account provisioning

Note: Consumer identities are typically only de-provisioned or deleted upon consumer request.

Page 25: IAM for the Masses: Managing Consumer Identities

Identity assurance levels

From low assurance to high assurance:

• Generic/Guest
• Social Identity
• Registered User
• Vetted Identity

Page 26: IAM for the Masses: Managing Consumer Identities

Data validation & identity proofing

- Data validation
  • Data structure rules
  • Data verification (e.g. email address, credit card data)
- Identity proofing
  • E-mail verification
  • KBA
  • Identity matching & scoring
  • Telephone caller ID
  • Device fingerprinting
  • Social footprint

Page 27: IAM for the Masses: Managing Consumer Identities

Consumer profile management

• Consumer profile management tools allow users to:
  - Set user preferences
  - Manage user name and password
  - Control privacy settings
  - Populate identity attributes:
    • User volunteered: Progressive Profiling
    • Social sharing

Page 28: IAM for the Masses: Managing Consumer Identities

Data collection, aggregation, & storage

• Identity store must scale for the masses
• Consumer data is dispersed across multiple sources
• Identity Store:
  - Databases
  - Special purpose directories
• Data synchronization:
  - Virtual directories
  - Meta-directories
  - User provisioning

Page 29: IAM for the Masses: Managing Consumer Identities

Authorization

• Rules
• Roles
• Group membership
• OAuth
• Externalized Auth

Page 30: IAM for the Masses: Managing Consumer Identities

Authentication

• Username/Password combo
• Multifactor authentication:
  - Knowledge-based authentication (PINs, images, personal information, historical information, and so on)
  - One-time passwords (often using mobile devices)
  - Out of band (email, SMS, mobile device, phone)
• Federation/Social Login (SAML, OpenID Connect, OAuth)

Page 31: IAM for the Masses: Managing Consumer Identities

Authentication

• Adaptive Access Control

Page 32: IAM for the Masses: Managing Consumer Identities

Audit

• Focus on protecting both the business' assets and consumers' privacy
• Differs from enterprise IAM audits
• Includes:
  - Reporting
  - Real-time Monitoring
  - Fraud Detection
  - Behavioral/Contextual Analysis
  - SIEM and GRC Integration

Page 33: IAM for the Masses: Managing Consumer Identities

Additional Considerations

Page 34: IAM for the Masses: Managing Consumer Identities

Standards and protocols

• SAML 2.0
• OAuth 2.0
• OpenID Connect
• SCIM 1.1

Page 35: IAM for the Masses: Managing Consumer Identities

REST

Page 36: IAM for the Masses: Managing Consumer Identities

Technology maturity

• Not all technologies are equal on the maturity scale.
• Provisioning, workflow, LDAP, enterprise federation, and audit technologies are established, more mature.
• Federated and user-centric technologies are still evolving, less mature.
• Some "old school" technologies like directories are being revamped to handle massive scale.

Page 37: IAM for the Masses: Managing Consumer Identities

Who can manage identities for me? Outsourcing alternatives

• Social Identities
• Federation Hubs
• Identity Providers

Page 38: IAM for the Masses: Managing Consumer Identities

Recommendations

Page 39: IAM for the Masses: Managing Consumer Identities

Recommendations

Build an IAM program specific to consumers: Consumer IAM use cases are not necessarily the same as employee IAM use cases.

Understand who the business stakeholders are for the consumer IAM program.

Integrate existing IAM infrastructure wherever possible.

Design a consumer IAM infrastructure that not only protects the business, but ensures the privacy of the consumer.

Page 40: IAM for the Masses: Managing Consumer Identities

Recommendations

Consider using social identities (for low-assurance transactions).

Deploy identity proofing for higher assurance.

Preprovision only when you have to: Use JIT.

Use a scalable/purpose-built directory or database.

Implement stronger authentication mechanisms.

Implement adaptive access controls.

Utilize standards as much as possible.

Page 41: IAM for the Masses: Managing Consumer Identities

Recommended Gartner Research

Guidance Framework for Managing Consumer Identities
Lori Robinson

Understanding Modern Federation Trends and Their Influence on Identity and Access Architecture
Mary E. Ruddy (G00251840)

Adaptive Access Control Brings Together Identity, Risk and Context
Trent Henry (G00250319)

Deploying OAuth and OpenID Connect for Enterprise Use Cases
Mary E. Ruddy (G00252923)

For more information, stop by Gartner Research Zone.