Identity Beyond Employees: How Customer Experience Impacts Your IAM Practices
DESCRIPTION
Customer identity and access management (CIAM) is a high-priority imperative in the age of the customer. If your customers can’t register or log in for service, and can’t conduct transactions in an easily usable manner, it really doesn’t much matter how your website, mobile app, or phone channel is architected; they may move on to your competition. Learn how customer experience influences IAM and security and what actions you can take to meet both sets of goals.
TRANSCRIPT
Identity Beyond Employees: How Customer Experience Impacts Your IAM Practices
Eve Maler, Principal Analyst
May 28, 2014
Customer experience is not monolithic
© 2014 Forrester Research, Inc. Reproduction Prohibited 3
Users are escaping captivity
[Chart. Vertical axis: benefit in sharing credentials (Baseline, Greater benefit, Large benefit). Horizontal axis: degree of freedom to walk away from the relationship (None (captive), Some at cost, A lot). User types plotted, added over successive builds: Regular employee, Contractor, Privileged employee, Employee of partner, Nonpaying affiliate, Paying affiliate, Bank customer, Payout beneficiary, Social network user, Retail customer, Service-paying customer.]
But the Internet has become a bad neighborhood
We see the disproportionate targeting of credentials in the data
Source: December 30, 2013, “Market Overview: Employee And Customer Authentication Solutions In 2013, Part 1 Of 2” Forrester report
What do customers experience when security goes bad?
› A few: major consequences such as identity theft
› Many: loss of trust in the brand
› Everyone: an involuntary password reset flow
What do customers experience on a good day?
› Onerous account registration forms
› Those @%@#$ password policies…
› …that are both hard to choose and hard to remember…
› …and usually aren’t even secure
› Those @%@#$ security questions
When user self-service fails… you pay
› In CSR costs
› In user experience friction
People cross devices to accomplish a single goal
Source: Google, “The New Multi-screen World: Understanding Cross-platform Consumer Behavior,” August 2012
“Mobile first” means IT security has less room to maneuver than ever
› Business owners want in-app registration and login.
› Individuals demand user experiences with a clear purpose.
› Security task flows on mobile devices feel different.
Responsive design for CIAM enables security and experience
Typical external users and IAM needs in a franchise-type business
[Matrix: external users split into managed and unmanaged; managed users split into sole and group.]
• Unmanaged: retail customer
– Requires self-registration
– Can be inactivated
• Managed: all partners
– Must follow per-country regulations
– May need high assurance
• Managed, sole: sole proprietor partner
– Simple record structure
• Managed, group: multi-employee partner
– Complex record structure
– Needs delegated administration and entitlement management
Possible segmentation of identity sources
[Diagram: a unified IAM framework exposes a relying-party (RP) interface and an identity-provider (IdP) interface toward each identity source.]
• Employees and some partners: natively managed
• Other partners: managed by cloud broker
• Retail customers: social IdPs
Ways CIAM is unique
› CX can have a direct impact on the top line
› Multiple customer-facing properties
› Complete lack of mobile device security controls
› Scale and volume, along several dimensions
What engagement channels are you providing?
…and what is the importance of each?
Source: May 22, 2014, “Introducing Forrester's Customer IAM Security Maturity Assessment Model” Forrester report
What life cycle elements now become relevant?
…and what authentication role does each channel serve at each moment?
Source: May 22, 2014, “Introducing Forrester's Customer IAM Security Maturity Assessment Model” Forrester report
Security best practices that are usability-friendly: leveraging context
User identification based on something they…
› Know.
› Have.
› Are.
› Do.
Risk-based techniques improve “UDS”
[Table of the UDS (Usability, Deployability, Security) criteria.]
Usability: Memorywise-Effortless, Scalable-for-Users, Nothing-to-Carry, Physically-Effortless, Easy-to-Learn, Efficient-to-Use, Infrequent-Errors, Easy-Recovery-from-Loss
Deployability: Accessible, Negligible-Cost-per-User, Server-Compatible, Nothing-to-Provision-to-User, Mature, Multiple-Purposes, Available-Offline
Security: Resilient-to-Physical-Observation, Resilient-to-Targeted-Impersonation, Resilient-to-Throttled-Guessing, Resilient-to-Unthrottled-Guessing, Resilient-to-Internal-Observation, Resilient-to-Leaks-from-Other-Verifiers, Resilient-to-Phishing, Resilient-to-Theft, No-Trusted-Third-Party, Requiring-Explicit-Consent, Unlinkable
Security best practices that are usability-friendly: leveraging mobile
As a secondary channel
› True OOB authentication
› Contextual fairy dust with device identification and reputation
As a primary channel
› In-app integration for seamless authentication
› Contextual fairy dust to strengthen the singular channel
Usability best practices that cost nothing to remember: clarity and context sensitivity
Usability best practices that cost nothing to remember: feedback
Sew together experiences that maximize success
People use multiple touchpoints at once
Source: Google - The New Multi-screen World: Understanding Cross-platform Consumer Behavior, August 2012
So, prepare for channel-jumping
› Unify back-end records so that the user experiences no latency in “what you know” about him
› Leverage contextual cues to enable a channel to be “in-band” for primary tasks and “out-of-band” for authentication tasks
› Match session length to the entirety of the risk: the nature of the transaction, channel, user…
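The following is an added example, not code from the deck, from Forrester or from Ping Identity. It turns the guidance from the context, mobile and channel-jumping slides above into a small policy engine: a task carries a formal risk level, contextual cues (device, reputation, location, recent failures) can raise it, the registered mobile device serves as the out-of-band step-up channel only when it is not the channel already in use, and the session lifetime shrinks as the risk grows. The task catalogue, the one-notch-per-anomaly rule, the failed-login threshold and the lifetimes are assumptions chosen for the example.

```python
"""Risk-based authentication policy: map a task and channel, plus contextual
cues, to a formal risk level, the factors to require, and a session lifetime.

Added illustration only, not Forrester's or Ping Identity's code. The task
catalogue, thresholds and session lifetimes below are assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class RiskLevel(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Formal risk level per task, as IT and the business would agree it
# (constructed catalogue for the example).
TASK_BASE_RISK = {
    "view_balance": RiskLevel.LOW,
    "update_profile": RiskLevel.MEDIUM,
    "transfer_funds": RiskLevel.HIGH,
    "deregister_device": RiskLevel.HIGH,
}

# Session lifetime in seconds per risk level: the riskier the session, the
# sooner it expires (assumed values).
SESSION_TTL = {RiskLevel.LOW: 8 * 3600, RiskLevel.MEDIUM: 30 * 60, RiskLevel.HIGH: 5 * 60}

FAILED_LOGIN_THRESHOLD = 3  # assumed


@dataclass
class Context:
    channel: str                  # "web", "mobile_app" or "phone"
    device_known: bool            # device previously registered to this user
    device_reputation_ok: bool    # no negative device-reputation signal
    geo_matches_history: bool     # location consistent with past sessions
    recent_failed_logins: int = 0


@dataclass
class Decision:
    risk: RiskLevel
    factors: list                 # factors the user must complete, in order
    session_ttl: int              # seconds
    reasons: list = field(default_factory=list)


def _bump(level: RiskLevel) -> RiskLevel:
    """Raise the risk by one level, capped at HIGH."""
    return RiskLevel(min(level + 1, RiskLevel.HIGH))


def assess(task: str, ctx: Context) -> Decision:
    # An unknown task fails closed to the highest level.
    risk = TASK_BASE_RISK.get(task, RiskLevel.HIGH)
    reasons = [f"task base risk {risk.name}"]

    # Contextual cues: each anomaly raises the level one notch.
    anomalies = [
        (not ctx.device_known, "unknown device"),
        (not ctx.device_reputation_ok, "negative device reputation"),
        (not ctx.geo_matches_history, "unusual location"),
        (ctx.recent_failed_logins >= FAILED_LOGIN_THRESHOLD, "repeated failed logins"),
    ]
    for triggered, why in anomalies:
        if triggered:
            risk = _bump(risk)
            reasons.append(why)

    # First factor: an in-app session on a registered device relies on device
    # binding instead of a typed password.
    factors = ["device_binding"] if ctx.channel == "mobile_app" and ctx.device_known else ["password"]

    # Step-up: the registered mobile device is the out-of-band channel for web
    # and phone sessions; when the mobile app is itself the channel in use it
    # cannot also be out-of-band, so the app re-authenticates in-app instead.
    if risk >= RiskLevel.MEDIUM:
        factors.append("in_app_reauth" if ctx.channel == "mobile_app" else "oob_mobile")

    # Highest risk: the user explicitly confirms the transaction details in the
    # step-up prompt, so a hijacked session cannot silently approve them.
    if risk == RiskLevel.HIGH:
        factors.append("explicit_transaction_confirmation")

    return Decision(risk, factors, SESSION_TTL[risk], reasons)


def session_valid(decision: Decision, issued_at: float, now: float) -> bool:
    """True while the session is within the lifetime matched to its risk."""
    return 0 <= now - issued_at <= decision.session_ttl


if __name__ == "__main__":
    samples = [
        ("view_balance", Context("mobile_app", True, True, True)),
        ("view_balance", Context("web", False, True, True)),
        ("transfer_funds", Context("web", True, True, True)),
        ("transfer_funds", Context("mobile_app", True, True, False, 4)),
    ]
    for task, ctx in samples:
        d = assess(task, ctx)
        print(f"{task:15} {ctx.channel:10} {d.risk.name:6} ttl={d.session_ttl:5}s "
              f"factors={d.factors} reasons={d.reasons}")
```

The same engine answers all three channel-jumping bullets at once: the back-end record of registered devices feeds `device_known`, the channel decides whether the mobile device is in-band or out-of-band, and the returned `session_ttl` is the session length matched to the assessed risk.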
IT and the business are expected to work hand in hand
So, negotiate!
› Hammer out agreement on formal levels of risk
› Map tasks and channels to them
› Seek the highest security maturity scores for the most important tasks and channels
Source: May 22, 2014, “Forrester's Customer IAM Security Maturity Assessment Model” Forrester tool
Deregister device (excerpt from the assessment tool)
› We allow users to deregister a device explicitly: Yes
› We authenticate users before allowing this task to proceed: Yes
› We keep track of devices that have been associated with a user: Yes
› We notify the customer in an email or SMS text message if a device has been deregistered: No
› A customer can have only a limited number (e.g., 10) of registered devices across all channels: No
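As an added example (not Forrester's assessment tool or Ping Identity's product), here is a device registry that satisfies all five statements of the "Deregister device" checklist above, including the two answered "No": every device ever associated with a user is kept on record, deregistration requires a recent authentication, the customer is notified when a device is removed, and registrations are capped across all channels. The in-memory storage, the captured notification list, the five-minute re-authentication window and the cap of 10 (the figure the checklist gives as its example) are assumptions.

```python
"""Device registry meeting the 'Deregister device' checklist: explicit
deregistration, authentication before the task, a record of every device
associated with a user, a notification on deregistration, and a cap on
registered devices across all channels.

Added illustration only, not Forrester's tool or Ping Identity's product.
Storage, notification capture, the re-auth window and the cap are assumptions.
"""
from dataclasses import dataclass, field

MAX_DEVICES_PER_USER = 10        # across all channels (checklist example value)
REAUTH_WINDOW_SECONDS = 300      # how fresh the authentication must be (assumed)


class RegistryError(Exception):
    pass


@dataclass
class Device:
    device_id: str
    channel: str                 # "web", "mobile_app", "phone", ...
    registered_at: float         # unix time
    active: bool = True


@dataclass
class Session:
    user_id: str
    authenticated_at: float      # unix time of the last authentication


@dataclass
class DeviceRegistry:
    # user_id -> every device ever associated with the user; deregistered
    # devices are marked inactive rather than deleted, so the history is kept
    history: dict = field(default_factory=dict)
    # outbound email/SMS notifications are captured here; a real deployment
    # hands them to a messaging service
    notifications: list = field(default_factory=list)

    def active_devices(self, user_id: str) -> list:
        return [d for d in self.history.get(user_id, []) if d.active]

    def register(self, user_id: str, device_id: str, channel: str, now: float) -> Device:
        if any(d.device_id == device_id for d in self.active_devices(user_id)):
            raise RegistryError("device already registered")
        if len(self.active_devices(user_id)) >= MAX_DEVICES_PER_USER:
            raise RegistryError("registered-device limit reached across all channels")
        device = Device(device_id, channel, now)
        self.history.setdefault(user_id, []).append(device)
        return device

    def deregister(self, session: Session, device_id: str, now: float) -> Device:
        # The task proceeds only for a session whose authentication is recent;
        # a stale session must step up first.
        if now - session.authenticated_at > REAUTH_WINDOW_SECONDS:
            raise RegistryError("re-authentication required before deregistering a device")
        for device in self.active_devices(session.user_id):
            if device.device_id == device_id:
                device.active = False
                self.notifications.append({
                    "to": session.user_id,
                    "event": "device_deregistered",
                    "device_id": device_id,
                    "channel": device.channel,
                })
                return device
        raise RegistryError("no active device with that id")


if __name__ == "__main__":
    registry = DeviceRegistry()
    registry.register("alice", "phone-1", "mobile_app", now=1000.0)
    registry.register("alice", "laptop-1", "web", now=1001.0)
    try:
        registry.deregister(Session("alice", authenticated_at=0.0), "phone-1", now=1002.0)
    except RegistryError as err:
        print("stale session:", err)
    registry.deregister(Session("alice", authenticated_at=1000.0), "phone-1", now=1002.0)
    print("active:", [d.device_id for d in registry.active_devices("alice")])
    print("notifications:", registry.notifications)
```

Keeping deregistered devices as inactive history rather than deleting them is what lets the "we keep track of devices" statement stay true after a removal, and it also gives incident responders a timeline when a customer reports a device they never registered.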
THE IDENTITY INDUSTRY IS EXPLODING
NEW PARADIGM IN SECURITY
Legacy Security Model: single-point access to applications within the firewall
– Proprietary
– On-premise
– Web only
– Single domain
Next-Gen Identity Model: cloud, social, mobile and data drive a new approach
– Open standards
– Hybrid, datacenter and cloud
– Web, API and mobile
– Federated by default
Traditional Identity Management not Working
76% of Network Intrusions Exploited Weak or Stolen Passwords (1)
(1) Verizon Data Breach Investigations Report 2013
THE CONNECTED CUSTOMER
Stages shown: Single Channel, Multichannel, Multiple Identities, Omnichannel
• Customers experience a single type of touch-point.
• Customers see multiple touch-points acting independently.
• Customers see multiple touch-points as part of the same brand.
• Customers experience a brand, not a channel within a brand.
Confidential — do not distribute. Copyright © 2014 Ping Identity Corp. All rights reserved.
EMERGING IDENTITY LAYER
• Simplify access
• Manage identities
• Single customer view
• Connect apps
• Scale and grow
OPEN ACCESS
IDENTITY WEAKNESSES EXPLOITED
• 2013 was the most historic year for cyber attacks
• Several prominent brands experienced high profile data breaches
• Hundreds of millions of usernames, passwords and accounts were jeopardized
• Stolen social media credentials fetch more than credit card numbers on cybercrime black markets
Figures shown per breach: ~110M accounts jeopardized; ~5M usernames & phone numbers stolen; ~7M passwords stolen; ~250K passwords stolen; ~38M usernames & passwords stolen; ~318K accounts hacked; ~50M usernames & passwords stolen; ~50M user accounts compromised
Ping Identity – Ushering in the New Era of Identity
Secures Access to Any App, on Any Device from Any Location
• Enterprise Grade
• Flexible Hybrid Deployment
• Committed to Open Standards
• Web, Mobile, and API
• Simple to Advanced Use-Case Support in a Single Platform
CENTRALIZE CONTROL
SINGLE CUSTOMER VIEW
TODAY’S IDENTITY PROTOCOL LANDSCAPE
SAML, LDAP, X.509
MODERN IDENTITY PROTOCOL STACK
• OAuth 2.0: security for APIs
• OpenID Connect: user authentication API
• SCIM: user management API
APIs FOR IDENTITY (not identity-enabled APIs)
FUNDAMENTAL TENETS TO SCALE
• No more passwords
• Automate as much as possible
– Eliminate IT Administrative overhead
– Application registration is dynamic
• Ease of use
– Effortless self service
– Developer-friendly
– IT-friendly
– User-friendly
IMPACT EXPERIENCE AND REVENUE
For a more detailed analysis on the Total Economic Impact of Ping solutions, please join us for a webinar on September 26 at 11am ET.
https://www.pingidentity.com/about-us/event-detail.cfm?customel_datapageid_1455=71219
Incremental revenue figures shown: $12M, $21M, $45M
• Incremental revenue from faster time-to-market following M&A activity
• Incremental revenue from reduced application dropout rates
• Incremental revenue from white-labeled apps
THE IDENTITY SECURITY COMPANY
CUSTOMER SUMMARY: GLOBAL LEADERS & INNOVATORS
• Half of the Fortune 100
• 4 of the 6 Largest US Banks
• 8 of the 10 Largest Biopharmas
• 3 of the 5 Largest Healthcare Plans
• 1,000+ global customers
• 98% customer satisfaction
• 93% customer retention
SI, TECH & SAAS PARTNERS
COMPANY BACKGROUND
• Offices: Denver, Boston, Vancouver, London, San Francisco, Halifax, Tel Aviv, Tokyo
• Employees: 350
• Founded: 2002
STANDARDS BODY PARTICIPATION
WHAT IS ACTIONABLE?
• Apps and devices need a modern identity protocol stack
– Starts with OAuth 2.0, OpenID Connect and SCIM
• No more passwords
– Federated access by default
• Ease of use means automate everything
– Or enable self-service as a backup
Thank You
Eve Maler, +1 425.345.6756, [email protected], @xmlgrrl
Jeff Nolan, +1 650.430.3947, [email protected], @jeffnolan