TRANSCRIPT
Architecting Your Future-State Identity and
Access Management Program
Gary Rowe, Doug Simmons
Principal Consulting Analysts
September 10, 2020
Sept. 20-23 2021
Your Presenters
Gary Rowe, CEO/Principal Consulting Analyst at TechVision Research
13-year President of Burton Group (sold to Gartner) and TechVision founder. Technology thought leader for 30+ years with over 100 consulting engagements and published research in innovation, identity management, distributed computing, security, enterprise IT, blockchain, privacy and IoT.
©️ TechVision Research Corp. 2020 - All Rights Reserved 2
Doug Simmons, Principal Consulting Analyst at TechVision Research
One of the leading IT security and Identity Management experts, has led hundreds of consulting engagements and developed leading edge research. He ran the consulting organization at Burton Group and led the security/risk consulting organization at Gartner for 5 years prior to joining TechVision.
Agenda
• Background and Workshop Objectives
• The Digital Enterprise: Digital Transformation and Identity Management
• The Future of Identity Management: The Top 12 IAM Trends
• The Art of the Possible: Architecting your Future-State IAM Foundation
• Zero Trust and Frictionless Security
• IT Governance and Administration
• Sponsored Session: Radiant Logic’s Role in the Future of IAM
• Discussion, Q&A
TechVision Research at-a-glance
Founded in 2015 by veterans of the research industry to bridge the gap between board-level strategy and technical solutions through cutting-edge research and pragmatic consulting.
• Our model is built around industry experts with strong track records of execution.
• We go beyond the trends. Our deliverables-based engagements give you the action plans you need to achieve your goals.
• We make our perspectives and expertise available to everyone in the enterprise.
Proven Technique · Actionable Advice · Direct Experience
TechVision Research: What we do
Take a client theme and connect the dots across Research and Consulting: Privacy & Consent; Identity & Access Management; Cybersecurity; Architecture, Innovation & Collaboration; Information Asset Management.
Providing deep knowledge to inform executive decisions
• Broad and deep experience
• Industry specialists
• Technology pioneers
• Global perspective
• Senior, C-level clients
• Bridge between board-level strategies and technical solutions
Practice areas:
• Identity and Access Management
• Security and Risk Management
• Data Management, Architecture, Analytics, AI/ML
• Digital Enterprise/Transformation
• Innovating with Purpose
• Privacy and Information Protection
• Blockchain Adoption
• Communication, Collaboration, Content, Activities (3CA)
• Product to Platform Evolution, DevSecOps, Microservices
• Adaptable Technical Architecture
Survey Says: Workshop Priorities
(Most/Moderately Critical)
• Managing Identity during cloud migration while maintaining legacy/hybrid: 79%
• Securely managing larger remote workforce: 68%
• Acquiring better quality data to support automation/AI: 68%
• Managing scale of identity and protected data: 63%
• Increase in fraud/data theft: 53%
• Complying with rapidly changing privacy/regulatory environment: 53%
• Providing a deeper customer engagement: 47%
• Expansion of business beyond brick/mortar: 32%
Survey Says: Workshop Priorities
Added by Attendees
• Integration of IAM tools with Risk/SOD engines
• Self sovereign identity and verified credentials
• IAM for OT/ICS -- Industrial Control System
• IAM as the foundation of a zero trust architecture
• Passwordless authentication/authorization, Zero Trust
• IAM as micro services and REST APIs
• How to evangelize that identity (people, things) is fundamental to IT architectures. Most enterprise architects have little understanding of this most critical capability and how to integrate into solutions.
What are your top 2 goals/priorities in this
workshop? (poll)
❑Input towards developing IAM strategy/reference architecture
❑Understanding of how to modernize my current IAM capabilities
❑Understanding what success looks like
❑Input towards making IAM investment decisions
❑Gaining insights into the future of IAM and IT
Why do we need Identity?
Because on the Internet everybody doesn’t know your name.
Identity and Access Management (IAM) Services at
Internet Scale
• The policies, processes and technology to support the right access, to the right resources, at the right time, for the right individuals and things.
• Starts with Identity Proofing
• IAM is key infrastructure supporting security, privacy and governance, and critical to supporting Digital Engagement
• Market is speaking: Okta (pure play IAM) IPO in 2017 with current Market Cap of over $26 Billion
• We’ll now look at how the Digital Enterprise is requiring a new IAM foundation
2020: Engaging The “New” Digital Reality
“Radical rethinking of how the organization uses technology” - Clint Boulton, CIO.com
Digital Technology Brings Together People, Processes, Data & Things
• Things: Devices, Objects, Endpoints, Interfaces
• Processes: Learning, Reporting, Integrated, Automated
• Data/Information: Findable, Shared, Intelligent
• People: Anywhere, In Context, Connected
Digital Enterprise Drives New IT
• Traditional IT (“Responders”): People, Process, Technology; surrounded by IAM, Governance and InfoSec
• Digital Enterprise (“Curators”): People, Process, Data & Information, Technology; surrounded by IAM, InfoSec, Governance and Data & Info
Requires a Change in Thinking: IT Responders vs. IT Curators
• IT Responders: Ownership & central delivery; Whole feature sets; Distributed oversight, protection & accessibility; Command & control; Least common denominator; Siloes of tech, info & data; Limited capabilities; Operations oriented; Favorite vendors
• IT Curators: Agile & flexible to meet business’ goals; Central oversight, protection & risk mgt; Integration & interfacing; Use tech to fit needs; Tech as facilitator; Innovation mind set; Outsourcing; Responsive
• Not either/or
– Principles: Centralized → Business Aligned
– Governance: Fragmented → Pervasive & Coordinated
– Focus: Managed → Utilization & Accessibility
– Experience: Destination → Seamless Interfacing
– Implementation: Large & Complex → Speed to Value
– Innovation: Revolutionary, Certainty, Big Bang → Evolutionary, Experimentation, Incremental
– Industry: Systems, Self contained Products, Licensed based, Upgrade cycles → Platforms, Components & Interop, Subscriptions, Features releases
Digital Enterprise Principles & Practices
• Accessibility: Anytime, Anyplace, Anywhere, Anything
• Experience: Frictionless, Consumerized, Contextual, Usability, Personalized
• Functionality: Integrated, Automated, Outcome Aligned, Proactive, Persistent, Learning
• Governance: Centralized Oversight, Pervasive, Accountability
• Data Model: Storage Agnostic, Metadata & Tagging, Internal/External, Compliant
• Architecture: Platforms, Federated, Cloud, Microservices, Modular, Integratable
• Management: OpEx, Business Driven, Opportunistic, Responsive
• Implementation: Agile, Flexible, Innovation, Speed to Value, Bespoke
CONTINUOUS TRANSFORMATION
IAM 2020+: Building/Enabling the New Digital
Foundation
• The foundation to seamlessly embrace new technologies, business models & approaches while “keeping the IAM plane in the air”
• The Digital Enterprise transitions from “point programs” to new enterprise business models
• Flexibility, openness, scale, adaptability and inclusiveness are critical; NO LOCK IN
• Moving to cloud-first wherever possible, but hybrid support is still critical
• IAM is critical in support of the “Safe Digital Enterprise”
• Areas of Focus for the next several years follow:
Future of Identity Management; Enterprise Top 12 List (2020-2025)
1. Zero Trust Security Model: Identity is the primary tool for locking down ecosystems, protecting enterprises and supporting Zero Trust
2. Unprecedented Scale/Speed: Supporting larger numbers of customers, prospects, things, employees, partners with near real-time response times
3. User Experience: 2020+ is all about the user experience and user-friendly interfaces for developers, administrators and end-users
4. Cloud and Hybrid Identity: Identity services move to the cloud, but on-premise IAM needs to seamlessly integrate with cloud-based IAM
5. New Authentication models including MFA, Adaptive Authentication and Password-Less: Passwordless for users and PAM emerges to tightly secure those with Admin rights
6. Use of AI/ML for Contextual Awareness and “Frictionless Security”: Using context, big data, pattern recognition to understand normal and anomalous activity to support better, lower-friction security
7. IAM Inclusion of Diverse Object Types--Internet of Everything: Support for IoT, contextual data, customer data, RPA, processes, consent, tokens, DID
8. Customer-centric IAM and Identity of Things (IDoT): CIAM/IoT services still treated with unique management controls, but increasingly integrated/accessible via apps & services.
9. Identity Services and Security Controls as Microservices: Identity, security API microservices critical in support of DevSecOps, new JIT security
10. Privacy Protecting Identity and Security Services: Increasingly leveraging analytics, contextual data & AI/ML to support usability and privacy regulations by limiting and controlling the collection of PII
11. Decentralized IAM built on Blockchain: Identity services leveraging blockchain, verifiable claims and trust frameworks emerge and support user-centric, privacy-compliant IAM services
12. Centralized Identity Governance: Achieving centralized control while distributing computing, applications and data. Harmonization of IAM across multiple functional areas.
Survey Says: Highest Rated Categories within the
Top 12 List
1. Cloud/Hybrid Identity
2. Zero Trust Security
3. Centralized Identity Governance
4. User Experience
5. IAM Scale/Performance
6. Decentralized Identity
Survey Says: Comments/Additions to the Top 12 List
1. 75% liked it as is
2. 20% wanted to explicitly add PAM as a Category
3. Don’t put CIAM and IDoT together (1)
Evolution of Identity
Classic IDM → IDaaS → Identity as an API → Decentralized, Self-Sovereign Identity
• Employee: Perimeter
• Partner: Federated
• Customer: Cloud/IDP
• Things: Wallets, Chips
• Relationships: Claims, Context
On Premise Directories → Networked → Identity Graphs
Enterprise IAM Progression Towards the Cloud
1. Become Cloud aware
2. Factor in Cloud migration
3. Develop global IAM data integration approaches
Many of today’s IAM environments are largely on-premise and only in the early stages of migration or seamless integration with cloud Infrastructure as a Service (IaaS) and Software as a Service (SaaS) IAM solutions.
Not only B2E, but B2B and B2C are increasingly important and must be considered in the next generation IAM architecture. For most enterprises this may include:
• Azure AD as a cloud identity store as it is already being leveraged by many organizations.
• Internal as well as external users will need to securely access services and data.
• Support for hybrid environments
• Cloud-enabling
• Global scalability and flexibility in support of Customer IAM, IoT
• Privacy regulation support
• Expansive federation
• High performance
IDoT and CIAM Drive IAM Scale/Relationship Management
Identity of Things (IDoT)
• Identity of Things (IDoT) as a major IAM category
• Scale to billions of objects
• Management of complex relationships
• Securing dumb sensors to highly sophisticated devices
• Unique security, privacy and consent issues
Customer IAM (CIAM)
• CIAM as a major IAM category
• Performance and context is critical
• Scale to the hundreds of millions of objects
• Integration with CRM and Marketing systems
• Unique security, privacy and consent issues
ZT: Gone Is The Secure Network Perimeter
The Digital Economy blends customers, suppliers, organizations.
Cloud, Mobile, BYOD, IoT create a fluid network perimeter
The Identity Problem & User Experience
The average American currently has about 200 accounts that require some sort of password identification, and that number will rise to 400 within five years or so. (per Dashlane)
The average business employee must keep track of 191 passwords and 81% of confirmed data breaches are due to passwords. (per LastPass)
This is the single biggest usability problem on the Internet today; the foundation is collapsing
Passwordless & MFA in the Future
We have anticipated the demise of password-centric authentication for decades - the time has arrived to deploy MFA and passwordless security solutions within your enterprise
• Device and network ubiquity, reliability, Bring Your Own Device (BYOD) initiatives coupled with the accelerating levels of fraud associated with password-based authentication
• Many large, influential vendors such as Microsoft, Okta, Ping, ForgeRock and others have laid down the gauntlet - the password is truly dead
• The shift to the cloud provides the opportunity to reinvent authentication
Furthermore, as the concepts associated with Zero Trust continue to evolve and take hold, passwordless & MFA will be an imperative
Decentralized Self-Sovereign Identity Built on Blockchain(?)
• Addressing the hundreds of IDs/passwords often maintained today
• Move from BYOD to BYOI, to SSI
• Identity control by the identity owner, as in the physical world
• Peer-to-peer (no 3rd party)
• Integrity of the identity record can be verified via blockchain
• Stronger authentication via digitally signed, verifiable credentials
• Better privacy by limiting non-essential verification data
• Requires the development of an underlying ecosystem
• Significant investment by Microsoft, IBM, Ping, SAP and several early stage companies
In our mobile, volatile world Identity is the only viable perimeter
Identity and Access Management, surrounded by: big data, mobile, AI/ML, blockchain, context, faster product cycles, cloudification of IT, innovation, disruption and personalization, automation, security focus/investment, BYOD/BYOI, privacy/GDPR, IoT
Momentum:
• Disintermediation in Banking & Other Markets
• Strategic Investments in Innovation/Disruption
• Democratization & Consumerization
• Privacy & Regulatory Volatility
• Internet of “Me”
• Sharing Economy
• Better Customer Connections & Relationships
• New IT Models
• New Business Models
• IoT at scale
Developing a 5 Year IAM Plan
• Modern IAM supporting the Digital Enterprise starts by “going back to basics”
• TechVision recommends starting a current-state capabilities assessment, a requirements review (business and tech) and the development of a capabilities-based reference architecture
– Ensures all major areas are covered
– Helps to understand the big picture while developing specific strategies for each category of capabilities
– Structured approach to provide the flexible, open, modular, dynamic and inclusive IAM model for digital transformation
– Factor in the key future state areas we’ve described
• High-level view follows:
Survey Says: Top Requirements for 2020-2025
• Consistent Customer IAM across a variety of LOBs
• IAM support for IoT, automated devices running critical infrastructure
• Privacy controls/compliance
• Centralized Cloud/hybrid governance
• Dealing with executive expectation that there is a simple Zero Trust 'solution' building/combining offerings
• Need a Zero Trust roadmap
• More consistently address hybrid
Typical Enterprise Requirements, Pain Points and Current State Review
Requirements and current-state data collected via interviews and questionnaires to discuss, refine and add to during Reference Architecture development.
Capturing Enterprise Requirements (poll)
• Where is your organization in gathering cross-functional IAM requirements?
❑Known, published, prioritized
❑Known but need more refinement/update
❑Known but not written
❑Not known
IAM Market Category Requirements
Enterprise Identity
• Need to protect the organization from cybersecurity threats
• Need to efficiently provision/de-provision access
• Need to ensure appropriate access
• Need to facilitate easy authentication
• Need a frictionless user experience
Consumer Identity
• Need to provide personalized, engaging experience
• Need to track and manage customer relationships
• Need to provide easy integration with existing applications and services
• Need to protect consumer data and enforce consent restrictions
• Need to scale
Identity of Things
• Need to ensure appropriate access
• Need to efficiently provision/deprovision access
• Need to facilitate stronger security controls without getting in the way of the deployment or device use
• Need to secure communications
• Need to demonstrate compliance
• Need to protect consumer data and enforce consent restrictions
• Need to scale
Example: Business Outcomes
• Employees have access to enterprise systems immediately upon hire.
– Currently provided by what source systems (e.g., HR?)
– Does it require much manual intervention?
• Automate de-provisioning in cases of leaving the organization.
– De-provisioning is often currently a manual process.
• Perform attestation on all employees
– Typically performed on high risk areas only.
• Improve customer experience
– Are customer accounts linked across multiple LOBs?
– Do you offer MFA for higher risk customer transactions?
– Can you eliminate passwords?
• Other Expected Business Outcomes?
Example: Current Unmet Needs
• Lack of self-service provisioning functionality:
– Excessive manual intervention required for provisioning—no workflows
– No mandatory approval capabilities
• No self-service password capability:
– Password resets must be done with the assistance of the Help Desk without ability to perform off-network resets—thousands of calls/mo.
– Causes risky behavior for remote access users without reset capability
• De-provisioning and modifications are a manual process
• No functionality to review or update roles within business
• Attestation can’t be performed (with the current tool), leaving many in the organization with excessive privileges—can’t restrict requestors to specific departments or applications
• Review of key administrative functions is currently a manual monthly process.
• Other unmet needs?
Reference Architecture: Top-Level
Reference Architecture 2nd Level
Elements of the Combined Portfolio Architecture
Identifying Capabilities for Each Service (e.g., Login)
Example: Login Template
Identifying Capabilities for Each Service (e.g., PAM)
Example: PAM Template
Identity Orchestration Template
• Resources: Application, Database, Directory, Email, OS, SaaS Application, Devices
• Remote Connectors and Local Connectors carry Bidirectional Change Events between the resources and the Join Engine
• Join Engine → Persistent, Replicated Identity Repository (Persistent View) → Normalized Shared View → Application Interface → Consuming Applications
• Activity Auditing
The Join Engine manages the data sharing relationships between connected systems.
The Normalized Shared View maintains the common state of the shared data between connected systems.
ZT: Gone Is The Secure Network Perimeter
The Digital Economy blends customers, suppliers, organizations.
Cloud, Mobile, BYOD, IoT create a fluid network perimeter
Putting Cybersecurity in Context
Identity-based cybersecurity controls are key to addressing the rapidly expanding threat surface
Drivers:
• Customer Engagement: Interact with more customers, partners and devices
• Cloud Adoption: Increase speed and lower costs
• Internet of Things: Device to device communication, massive volume
• Application Growth: Massive growth in applications, mostly on mobile platforms
Implications: Increased Threats; Expanded “Threat Surface” with Increased Vulnerability Exposure
• Identity & Access Security: Authentication of people & devices is central to anywhere access and personalization of services
• Application Security: Applications need to be secure, beginning with the writing of code – real time protection
• Data Security: Data will need to be secured at the workload level so it can run in any private or public cloud
DevSecOps (Dev, Sec, Ops): Enable and Secure while not slowing down the development process
Identity-based Cybersecurity Controls
Facilitating understanding of the relationships and determining the appropriateness of the activities
• Governance & Provisioning: Enabling the lines of business to make decisions about appropriate access and enforcing those decisions
• Privileged Access: Control administrator access and system accounts plus deep forensic monitoring
• Authentication: Providing greater Identity Assurance and Proofing through Strong Authentication
• Authorization: Enforcing Authorization policies ensuring appropriate access to critical resources
• Behavioral Analytics: Provides insight into normal operations and brings attention to anomalous activity
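The five controls above only become a Zero Trust decision when a policy decision point combines them per request. The following is an added example, not the workshop's template or any vendor's product: a small PDP that checks the authorization policy, the authentication assurance level, the privileged-access constraints (managed device plus change ticket) and a behavioral-analytics risk score, and writes every verdict to an audit list for forensic review. All resources, roles, the 1-3 assurance scale and the risk thresholds are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Subject:
    """What the PDP knows about the requester after authentication and analytics (constructed)."""
    user: str
    roles: set
    assurance: int        # constructed scale: 1 password only, 2 MFA, 3 phishing-resistant MFA
    device_managed: bool  # device posture as reported by endpoint management
    risk_score: float     # 0.0 (normal) to 1.0 (highly anomalous) from behavioral analytics

# Authorization policy: roles permitted to perform an action on a resource (constructed).
POLICY = {
    ("payroll", "read"):  {"hr", "payroll-admin"},
    ("payroll", "write"): {"payroll-admin"},
    ("wiki", "read"):     {"employee", "hr", "payroll-admin"},
}
# Authentication: minimum assurance level per resource sensitivity.
MIN_ASSURANCE = {"payroll": 2, "wiki": 1}
# Privileged access: these actions additionally require a managed device and a change ticket.
PRIVILEGED = {("payroll", "write")}
# Behavioral analytics thresholds (constructed).
RISK_STEP_UP, RISK_DENY = 0.5, 0.8

AUDIT = []  # every decision is recorded so anomalous activity can be investigated later

def _record(subject, resource, action, verdict, reason):
    AUDIT.append({"user": subject.user, "resource": resource, "action": action,
                  "verdict": verdict, "reason": reason})
    return verdict, reason

def decide(subject, resource, action, ticket=None):
    """Evaluate one access request and return (verdict, reason); verdict is
    'permit', 'deny' or 'step-up'.  Order of checks: authorization policy,
    authentication strength, privileged-access constraints, behavioral risk."""
    allowed = POLICY.get((resource, action), set())
    if not (subject.roles & allowed):
        return _record(subject, resource, action, "deny", "no role grants this action")
    if subject.assurance < MIN_ASSURANCE[resource]:
        return _record(subject, resource, action, "step-up",
                       f"assurance {subject.assurance} below required {MIN_ASSURANCE[resource]}")
    if (resource, action) in PRIVILEGED:
        if not subject.device_managed:
            return _record(subject, resource, action, "deny", "privileged action from unmanaged device")
        if not ticket:
            return _record(subject, resource, action, "deny", "privileged action without change ticket")
    if subject.risk_score >= RISK_DENY:
        return _record(subject, resource, action, "deny", "behavioral risk above deny threshold")
    if subject.risk_score >= RISK_STEP_UP and subject.assurance < 3:
        return _record(subject, resource, action, "step-up", "elevated risk requires stronger authentication")
    return _record(subject, resource, action, "permit", "all controls satisfied")

if __name__ == "__main__":
    hr_user = Subject("ana", {"hr"}, assurance=2, device_managed=True, risk_score=0.1)
    admin = Subject("bo", {"payroll-admin"}, assurance=2, device_managed=True, risk_score=0.6)
    print(decide(hr_user, "payroll", "read"))
    print(decide(admin, "payroll", "write", ticket="CHG-0001"))
    for event in AUDIT:
        print(event)
```

The ordering matters: an explicit authorization failure is reported as a plain deny before any step-up is offered, so a requester without a role is never prompted for stronger authentication they could not use anyway, and the privileged-access checks sit before the risk score so that a clean score never waives the managed-device and ticket requirements.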
Example: Identity-based Zero Trust Template
Preparing for the Digital Enterprise: Start with Identity Governance
• Single biggest problem and most costly area in most large IAM programs
• Governance is the most significant IAM challenge and the trends we’ve defined will make it harder
– New object types, relationships
– New identity consumers
– Lack of hard perimeters
– Management of hybrid environments, disconnected/federated identities, big data, context, complex relationships
• Why is governance so hard?
– It involves people; people to people is the hardest to govern
– Getting harder given the points above
• New Governance Models
– Centralized policies/controls/visibility
– Leveraging AI/ML/Analytics
– Assumes base-level understanding of all connected data/identities
– Goal is to automate 80% and focus on 20% that isn’t easily automatable or represents anomalous activity/requests
– Support for self-service
Access Governance
• Provides a mechanism for collecting current entitlement state
• Provides an entitlement catalog for organizing entitlement definitions and mappings
– Listing what is assignable
– Describing what these entitlements actually do
• Facilitates entitlement ownership and accountability
• Provides process for reviewing and certifying entitlement entries
• Provides a self-service mechanism for requesting access
Govern (Time of Change, Operations): What does appropriate access look like?
The "Atomic Elements" of Identity and Access Governance
• Entity, Identity, Credential(s), Attributes, Roles, Entitlements, Policies, Rules
Access Review & Certification Process
• Collection Mechanisms: Directory, Database, Application (via Connector or Manual)
• Resources
• Access Governance: Gather Data → Refine Data → Distribute Data → Review Access → Certify Access → Return Data → Remediate
• Inputs: Entitlement Catalog, Role Definitions, Data Classifications
• Output: Attestation Report
Access Governance 2020+
• The same Access Review & Certification Process (Collection Mechanisms: Directory, Database, Application via Connector or Manual; Gather Data → Refine Data → Distribute Data → Review Access → Certify Access → Return Data → Remediate; Entitlement Catalog, Role Definitions, Data Classifications; Attestation Report)
• Adds 3rd Wave AI and Machine Learning
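To make the Access Governance bullets, the atomic elements and the review and certification process concrete, here is an added example that is not from the workshop and not any product's code. It builds a small entitlement catalog (what is assignable, what it does, who owns it, how risky it is), gathers current entitlement state from constructed resource reports, refines it against the catalog, and then reviews each grant: entitlements that the role model explains and that are not high risk are auto-certified, grants held by a non-active identity are revoked, and everything else is distributed to the entitlement owner for a manual decision, which is the "automate 80%, focus on the 20%" goal from the governance slide. All identities, entitlements and resources are constructed.

```python
# Entitlement catalog: what is assignable, what it does, who is accountable (constructed).
CATALOG = {
    "fin-ledger-rw": {"resource": "ledger-db", "owner": "cfo-office", "risk": "high",
                      "description": "Read/write access to the general ledger"},
    "fin-ledger-ro": {"resource": "ledger-db", "owner": "cfo-office", "risk": "low",
                      "description": "Read-only ledger reports"},
    "vpn":           {"resource": "vpn-gw", "owner": "netops", "risk": "medium",
                      "description": "Remote network access"},
    "domain-admin":  {"resource": "ad", "owner": "secops", "risk": "high",
                      "description": "AD domain administration"},
}
# Role definitions: the entitlements each business role is expected to carry.
ROLES = {"accountant": {"fin-ledger-rw", "vpn"}, "analyst": {"fin-ledger-ro", "vpn"}}
# Identity data from the authoritative source, e.g. HR (constructed).
IDENTITIES = {
    "ana": {"role": "accountant", "status": "active"},
    "bo":  {"role": "analyst",    "status": "active"},
    "cy":  {"role": "analyst",    "status": "terminated"},
}
# Collection mechanisms: what each resource reports today (constructed), including
# one grant that nobody catalogued.
COLLECTED = {
    "ledger-db": {"ana": {"fin-ledger-rw"}, "bo": {"fin-ledger-ro", "fin-ledger-rw", "legacy-export"}},
    "vpn-gw":    {"ana": {"vpn"}, "bo": {"vpn"}, "cy": {"vpn"}},
    "ad":        {"cy": {"domain-admin"}},
}

def gather_entitlements(collected):
    """Gather and refine: flatten per-resource reports into per-identity sets and
    separate out grants that are not in the catalog (or that claim the wrong resource)."""
    by_identity, uncatalogued = {}, set()
    for resource, grants in collected.items():
        for ident, ents in grants.items():
            for e in ents:
                if CATALOG.get(e, {}).get("resource") != resource:
                    uncatalogued.add((resource, ident, e))
                else:
                    by_identity.setdefault(ident, set()).add(e)
    return by_identity, uncatalogued

def review(by_identity):
    """Review and certify each (identity, entitlement) pair: revoke everything held by a
    non-active identity; auto-certify grants the role model explains that are not high
    risk; route the rest to the entitlement owner for a manual decision."""
    decisions = []
    for ident in sorted(by_identity):
        person = IDENTITIES.get(ident, {"role": None, "status": "unknown"})
        expected = ROLES.get(person["role"], set())
        for e in sorted(by_identity[ident]):
            if person["status"] != "active":
                decisions.append((ident, e, "revoke", f"identity status {person['status']}"))
            elif e in expected and CATALOG[e]["risk"] != "high":
                decisions.append((ident, e, "auto-certified", "explained by role model"))
            else:
                decisions.append((ident, e, "review", f"owner {CATALOG[e]['owner']} to certify"))
    return decisions

def remediation_plan(decisions):
    """Return data and remediate: the revocations to push back to each resource."""
    return [(CATALOG[e]["resource"], ident, e)
            for ident, e, verdict, _ in decisions if verdict == "revoke"]

if __name__ == "__main__":
    held, unknown = gather_entitlements(COLLECTED)
    print("uncatalogued grants:", unknown)
    for row in review(held):
        print(row)
    print("remediation:", remediation_plan(review(held)))
```

Two details carry the governance point. The uncatalogued "legacy-export" grant is surfaced rather than silently certified, because an entitlement nobody can describe cannot be reviewed. And a high-risk entitlement is sent to its owner even when the role model expects it, so the automated path never certifies the grants an attestation exercise exists to scrutinise.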
Identifying Capabilities for Each Service (e.g.,
Access Governance)
How the Capabilities can be Deployed
Deployed via SaaS Only | Can be Deployed via SaaS or On Premises | Deployed On-Premises Only
Near Term
• Focus on new User and Administrative Interfaces being served from the cloud
• Leverage existing on-premise deployments, using SaaS based services to augment and modernize customer experience
• Agents and Connectors deployed on-premises to serve applications that remain in customers’ local data-centers, remotely managed by SaaS services
Mid Term
• Full suite of identity services delivered as a service, managing SaaS applications and remotely managing applications that remain on-premise
• With virtual appliance packaging, single instance per tenant SaaS deployments are possible
• Virtual appliances can be deployed on-premise or in IaaS
Long Term
• Fleshing out fully elastic multi-tenant versions of our identity services
• Package “SaaS first” offerings into single instance, self contained virtual appliances
• Begin to wean customers off traditional on-premise deployments in favor of SaaS offerings and/or virtual appliances
• Promote SaaS offerings as preferred deployment option, but keep appliances as a fall back for redundancy/disaster recovery or slow SaaS adopters
Types of Vendor Relationships
• SaaS: Direct Sales, Subscription
• Packaged Software: Direct Sales, Perpetual License
• Resellers: Leverage a Broader Sales Force
• Systems Integrators: Leverage a Broader Deployment Force
• Managed Service Providers: Leverage Someone Else’s Infrastructure
Radiant Logic’s Role in the Future of IAM
Wade Ellery, Radiant Logic
Gary Rowe and Doug Simmons, TechVision Research
9/10/20
The World of Access is Expanding
Identity is the New Perimeter
Driver 1: Federation/Access Management
Driver 2: Hosting and syncing identity to the cloud
The Challenges of a Fragmented and Distributed Identity System
The integration and architecture of on premise IAM and cloud-based IAM systems will be critical decision points for most organizations
While Federation Organizes Access, Identity Integration is Often Required
Attributes are key
The Move to the Cloud: The Hybrid World is Full of Opportunity but will Compound the Challenges
As Federation and the Cloud Grows, There Will be More Than One Integration Point and Hub
Data centers on prem
The Solution:
An Identity Integration Hub Service on Virtualization & Synchronization
• With the extension of federation and the integration to the cloud, the requirements for different levels of identity integration, views and storage have increased.
• In turn this will require a multiplication of “identity hubs” (ex. AWS, Azure, Google Cloud) at different levels (on prem, regional, national), and the “pipes” (ex. AD-Connect) and logic to keep them in sync.
• The solution: A federated identity and directory service based on integration & synchronization
Identity Integration and Services Working in Concert
• Sources: Directory Environment, Multiforest/Multidomain Environment, Database, SaaS Application, Other Directory or Identity Repository
• Identity Aggregation Service → Virtualized Aggregated View (Hierarchical view, Geographical view)
• Identity Orchestration Service → Normalized Shared View
• Identity Services API (Authentication Service, Authorization Service) behind an API Gateway, serving Consuming Applications
First Step
Identity Aggregation – Dynamic View Generation
• Sources: On Premises Application, SaaS Application, Other Directory or Identity Repository
• Views: Hierarchical view, Geographical view
• Each Consuming Application reaches its view through a PEP/PDP (policy enforcement point / policy decision point) pair
• The service creates the view of the identity data that best suits the needs of the consuming application
Connectors
Application Interface
Persistent View
Join
Second Step
Identity Orchestration – Sharing Changes
[Diagram: a persistent, replicated identity repository linked through remote and local connectors to applications, databases, directories, email, OS, SaaS applications and devices; bidirectional change events flow through the Join Engine and the Normalized Shared View to the consuming applications, with activity auditing.]
The Join Engine manages the data sharing relationships between connected systems.
The Normalized Shared View maintains the common state of the shared data between connected systems.
Simplify/Extend Your IdP Deployment with a Federated Identity and Directory Service
Federation approaches such as OpenID Connect, OAuth and SAML are critical
Use of identity data abstraction/virtualization will become more important
The Identity Integration Challenges Seen in the “Real World” – No Unicity of Identity Across All Data Sources
Identity and Context Virtualization Process
FID Based on Virtualization: Local Systems Publishing to a Logically Centralized Directory (Manage Globally, Act Locally)
• Acting as an abstraction layer between applications and the underlying identity silos, virtualization isolates applications from the complexity of the back-ends.
RadiantOne Federated Identity and Directory Service: A System Made of Two Parts
• RadiantOne Federated Identity and Directory Service is made of two main parts:
– An integration layer based on virtualization for:
• Identity aggregation and correlation
• Mapping and translation logic
• Advanced distributed join
• Group rationalization
• Modeling application-specific virtual views
– A storage layer (HDAP)
• Based on big data technologies
• Used as persistent cache
• Fully LDAP v3 compatible with a modern architecture
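As an added worked example (not Radiant Logic's or TechVision's code), the aggregation, correlation, distributed join and view-modeling steps listed above, run over three constructed silos; the attribute names and the (empId, login) correlation rules are assumptions:

```python
"""Identity aggregation: correlate records from several silos into one normalized
shared view and expose application-specific virtual views. Added example for this
session, not Radiant Logic or TechVision code; all records are constructed and the
attribute names and the (empId, login) correlation rules are assumptions."""
from collections import defaultdict
# Constructed silos. No single key is present in every source (the "no unicity of
# identity" problem), so correlation has to chain keys across sources.
AD = [{"sAMAccountName": "jdoe", "mail": "jdoe@example.com", "employeeNumber": "1001", "memberOf": ["Finance"]},
      {"sAMAccountName": "asmith", "mail": "asmith@example.com", "employeeNumber": "1002", "memberOf": ["IT"]}]
HR_DB = [{"emp_id": "1001", "full_name": "Jane Doe", "dept": "Finance", "region": "EMEA"},
         {"emp_id": "1002", "full_name": "Alan Smith", "dept": "IT", "region": "AMER"},
         {"emp_id": "1003", "full_name": "Contractor Co", "dept": "IT", "region": "APAC"}]
LDAP = [{"uid": "jdoe", "mail": "jane.doe@example.com", "title": "Controller"},
        {"uid": "asmith", "mail": "asmith@example.com", "title": "Engineer"}]

# Mapping/translation logic: each connector maps its native schema onto the normalized one.
def from_ad(r):   return {"login": r["sAMAccountName"], "mail": r["mail"], "empId": r["employeeNumber"], "groups": r["memberOf"]}
def from_hr(r):   return {"empId": r["emp_id"], "name": r["full_name"], "dept": r["dept"], "region": r["region"]}
def from_ldap(r): return {"login": r["uid"], "mail": r["mail"], "title": r["title"]}

def correlate(sources, keys=("empId", "login")):
    """Distributed join. A record attaches to an existing profile when it shares a
    correlation key (tried in priority order); otherwise it opens a new profile.
    First value wins per attribute; later disagreements are kept under 'conflicts'."""
    profiles, index = [], {}
    for name, records, mapper in sources:
        for rec in map(mapper, records):
            match = next((index[(k, rec[k])] for k in keys if (k, rec.get(k)) in index), None)
            if match is None:
                match = {"sources": []}
                profiles.append(match)
            match["sources"].append(name)
            for k, v in rec.items():
                if k not in match:
                    match[k] = v
                elif match[k] != v:   # e.g. two different mail values for one person
                    match.setdefault("conflicts", {}).setdefault(k, [match[k]]).append(v)
            index.update({(k, rec[k]): match for k in keys if k in rec})
    return profiles

def virtual_view(profiles, view):
    if view == "geo":  # geographical view: region -> identifiers
        out = defaultdict(list)
        for p in profiles: out[p.get("region", "unknown")].append(p.get("login", p["empId"]))
        return dict(out)
    if view == "app":  # a SaaS app sees only the attributes it needs, and only records with a login
        return [{"login": p["login"], "mail": p["mail"], "dept": p.get("dept")} for p in profiles if "login" in p]
    raise ValueError(f"unknown view {view!r}")

PROFILES = correlate([("AD", AD, from_ad), ("HR", HR_DB, from_hr), ("LDAP", LDAP, from_ldap)])
```

The HR-only record (no login) shows why the view layer matters: it appears in the geographical view but is withheld from the application view, and the mail disagreement between AD and LDAP is surfaced for review rather than silently resolved.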
What is HDAP?
• HDAP is the RadiantOne Big Data directory
– a Next-Gen LDAP v3 compliant directory driven by Big Data and Search Technology
• This highly available version of LDAP offers better performance and increased scalability.
• Beyond LDAP, HDAP supports other protocols such as SQL and ADAP (a REST interface to LDAP)
Use of identity data abstraction/virtualization will become more important
Cluster, Leader, and Follower Deployment
• LDAP is a good protocol, but it is not web-based. The closest thing to a web service for LDAP is DSML, which is XML-based and outdated. The new trend is to deliver information via a REST interface.
• The usage of HDAP can be very broad. One crucial capability of LDAP is the ability to navigate and discover context about any given subject or identity. Navigating a directory is a form of graph and contextual discovery that allows progressive disclosure of information. This is key in security, and elsewhere, but LDAP does not offer a web service interface for delivering that information.
• Putting all this capability that exists in LDAP behind a REST interface opens LDAP to the web.
ADAP: a REST Interface to LDAP/HDAP
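The REST-to-LDAP translation that the ADAP idea implies, as an added example that is not RadiantOne/ADAP code: it builds the fields of an LDAP search request from a GET and shows the check such a gateway must not skip, escaping client-supplied filter values per RFC 4515; the URL layout is an assumption.

```python
"""Toy REST-to-LDAP translation in the spirit of the ADAP idea above: turn an HTTP
GET into the fields of an LDAP SearchRequest (base, scope, filter, attributes).
Added example, not RadiantOne/ADAP code; the URL layout /ldap/<baseDN>?attr=value
&scope=..&attrs=.. is an assumption. Nothing is sent: the request is only built."""
import re
from urllib.parse import urlparse, parse_qs, unquote

SCOPES = {"base": 0, "one": 1, "sub": 2}            # LDAP SearchRequest scope codes
ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")    # attribute type descriptor (RFC 4512)

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP filter. The gateway
    concatenates client input into the filter string, so without this a value
    such as '*)(objectClass=*' would change the filter's structure."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte > 0x7F:
            out.append(f"\\{byte:02x}")
        else:
            out.append(chr(byte))
    return "".join(out)

def rest_to_ldap_search(url: str) -> dict:
    """Map GET /ldap/<baseDN>?a=v&b=w&scope=one&attrs=x,y to a search request.
    Every non-reserved query parameter becomes an equality clause; several
    clauses are ANDed. Attribute names are validated and values escaped."""
    u = urlparse(url)
    if not u.path.startswith("/ldap/"):
        raise ValueError("unknown resource")
    base_dn = unquote(u.path[len("/ldap/"):])
    q = parse_qs(u.query, keep_blank_values=True)
    scope = q.pop("scope", ["sub"])[0]
    if scope not in SCOPES:
        raise ValueError(f"bad scope {scope!r}")
    attrs = [a for a in q.pop("attrs", [""])[0].split(",") if a]
    clauses = []
    for name, values in sorted(q.items()):
        if not ATTR_NAME.fullmatch(name):
            raise ValueError(f"bad attribute name {name!r}")
        clauses += [f"({name}={escape_filter_value(v)})" for v in values]
    if not clauses:
        filt = "(objectClass=*)"
    elif len(clauses) == 1:
        filt = clauses[0]
    else:
        filt = "(&" + "".join(clauses) + ")"
    return {"baseObject": base_dn, "scope": SCOPES[scope], "filter": filt, "attributes": attrs}
```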
Syncing to Different Clouds (Azure AD and AWS)
[Diagram: Active Directory, an LDAP directory and a database feed the Federated Identity and Directory Service, which publishes to the cloud identity providers; Azure AD is reached via AD Connect.]
RadiantOne Creates Global Profiles that can be Provisioned to Each App (and then Kept in Sync)
Integrating Identity to Sync to the Cloud
• Integrate and modernize your identity and directory infrastructure
• Leverage virtualization/integration/synchronization and a modern directory storage to deliver a common identity service for:
– Access Management/Federation
– IGA
– Linking and provisioning your identity infrastructure on the cloud (Azure AD, AWS)
Conclusion
TechVision Recommendations
• Consider the 12 future-state directions for IAM within your reference architecture and future-state portfolio
• Invest in a consistent governance model but understand it requires:
– Cleaning up your existing environment, in particular as you prepare for a proper migration to the cloud
– Automating 80%-90% of governance and focusing on the anomalies
• The “Identity of Everything” is the roadmap to navigating and creating digital business opportunities
• Begin to iterate with new approaches/technologies such as password-less authentication, decentralized identity and verifiable claims
TechVision Recommendations
• Systematize your collection of requirements, understanding of current state and development of your reference architecture in the context of the new Digital Enterprise
• Expect your future-state enterprise IAM model to be more open, adaptive, flexible, scalable, and include many new objects—internal and external
• …but understand that legacy systems, hybrid environments, conflicting governance models and messy data must be cleaned up, managed and orchestrated to move to the next generation of IAM
• The right IAM model and execution will securely enable a Secure Digital Enterprise
Thank You!