bring your own identity

Bring Your Own Identity (BYOI) strategies for organizations and their impact Matthew Ulery Director of Product Management

Upload: netiq

Post on 16-May-2015


DESCRIPTION

Bring Your Own Identity (BYOI) means enabling employees, customers, and constituents to use their own defined identities to access organizational resources and/or entitlements. This trend is being embraced and extended to use individual social media identities. Organizations that embrace BYOI save on identity management costs and enable better-directed marketing and communications. As with all new trends, the question must come up: 'Does BYOI come with hidden costs or exposures?' This deck covers the items you need to consider in order to move forward, including:

1) Benefits of BYOI and why
2) Potential downsides of blending organizational and personal identities, i.e., what is the potential privacy impact of using BYOI?
3) Issues that may arise with the use of non-organizational / personal identities while accessing information and entitlements
4) What can happen if a social identity is compromised?
5) How can we use them securely?

TRANSCRIPT

Page 1: Bring Your Own Identity

Bring Your Own Identity (BYOI) strategies for organizations and their impact

Matthew Ulery, Director of Product Management

Page 2: Bring Your Own Identity

© 2013 NetIQ Corporation. All rights reserved.

Agenda

─ What is BYOI?
─ Why do we care about BYOI?
─ When to allow BYOI?
─ What are others doing about BYOI?

Page 3: Bring Your Own Identity

What is BYOI?

Bring your own Infrastructure

Bring your own Iron

Bring your own Identity

Bring your own Improv

Bring your own Intoxicant

Sometimes shown as BYOId

Page 4: Bring Your Own Identity

BYOI Trends: Early adopters and providers

Social, web resource and retail
─ Use LinkedIn account to access a whitepaper
─ Use Amazon ID rather than creating a new retail account
─ Apply to a new job using LinkedIn account
─ NYC adopting to support constituents

Social identity providers investing in BYOI
─ Seeking greater return on their identity validation investment

Page 5: Bring Your Own Identity

BYOI Trends: BYOD accelerating BYOI

Identity Overload
─ Average 25 accounts per person and growing
─ Social Networking
─ Financial Accounts (bank, payment, entertainment)
─ Loyalty programs
─ etc.

Merging of personal device and identity
─ Collection of business and personal identities
─ Expect seamless experience from personal device

Page 6: Bring Your Own Identity

Page 7: Bring Your Own Identity

Why do we care about BYOI?

Cost reduction / avoidance
─ Management of identities is expensive

Increase customer / constituent engagement
─ Reduce registration abandonment
─ Enable more personalized experience interactions

Emerging changes in risk
─ Risk shared with customer/constituent and identity provider
─ Responsibility to protect customer privacy remains
─ Privacy risk mitigated by reducing identifiable information

Page 8: Bring Your Own Identity

Big Question?

Should we allow BYOI?

Page 9: Bring Your Own Identity

When to allow BYOI? Security Concerns

Strength of authentication
─ Hurdles required to create the identity
─ Hurdles required to validate the identity

Strength of identity administration
─ How is identity validated for administration?
─ What is required to issue a password reset?

Compromised identity
─ Who is responsible if identity is breached?
─ How can you revoke access?

Page 10: Bring Your Own Identity

When to allow BYOI? Different Identity Types

Customers and constituents
─ Limited to no access to sensitive information & systems
─ Limited amount of personally identifiable information

Privileged users
─ Employees, partners, contractors, etc.
─ Significant access to sensitive information & systems
─ Much greater level of personally identifiable information

Allow BYOI…?
─ Must balance risk and value

Page 11: Bring Your Own Identity

BYOI Case Study: NYC.GOV

Different Goals / Desires / Requirements
─ Residents
─ NYC Politicians
─ Site admins

Needed a lightly secured, customer-facing portal

Page 12: Bring Your Own Identity

BYOI Case Study: NYC Constituent Experience

Social Access requirements

Secure Identity-enabled Web Services to provide account info

Non Identity-based information and services, optimized for speed

Access Management requirements

Public Resources

Personalized Web content, requires only simple consumer authentication or NYC.ID

www.nyc.gov is a site composed of information from other webservices, secure, public, and semi-public.

am.nyc.gov

pub.nyc.gov

cf.nyc.gov

Page 13: Bring Your Own Identity

BYOI Case Study: Management of public resources

NYC Tennis Courts
─ 60,000 permits and tickets, 500 courts
─ Annual permits ($100)
─ Scheduling courts a nightmare for NYC and permit holders

Is this a candidate for BYOI?
─ Low risk
─ Lower cost from web scheduling and external identity
─ Enables external payment collection (i.e. PayPal)

Page 14: Bring Your Own Identity

Mat Honan, Wired Magazine: Risk of Hacked Identity

Linked many of his accounts
─ Social accounts: Twitter, LinkedIn
─ Personal: Amazon, Gmail

Hackers wanted Twitter handle

Hackers exploited weak link

Page 15: Bring Your Own Identity

Mat Honan, Wired Magazine: Risk of Hacked Identity

“In the space of one hour, my entire digital life was destroyed.”

─ “First my Google account was taken over, then deleted.”
─ “Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages.”
─ “And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.”

“In many ways, this was all my fault. My accounts were daisy-chained together.”

Page 16: Bring Your Own Identity

Mat Honan, Wired Magazine: Required no advanced skills

Twitter linked to Gmail account
─ Google Account recovery page
─ Gave alternate email: m****[email protected] (hmmmm mhonan)…
─ Letting them know he had an AppleID

Resetting Apple account requires
─ Physical address & last four digits of credit card
─ Easy to get address
─ How could they get the credit card information?

Amazon and AppleID accounts linked
─ Name and email address needed to add a card to Amazon
─ Knowing card number allows resetting password
─ Now they have the credit card number for AppleID
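
A defender-side audit of the daisy-chain on this slide, as an added example that is not part of the original deck: it models what each account's recovery requires and what a recovered account discloses, then reports which accounts fall transitively from easily obtained information and how far the chain gets when each account's recovery is hardened. The model is a simplification constructed from the slide, and fact labels such as `card_last4` and `out_of_band_factor` are hypothetical names.

```python
# Added example: defender-side audit of account-recovery "daisy-chains".
# Constructed model of the chain on the slide; fact labels are hypothetical.
ACCOUNTS = {
    # "recovery": alternative sets of facts that suffice to reset the account.
    # "reveals": facts visible to whoever controls the account afterwards.
    "amazon":  {"recovery": [{"name", "email"}],
                "reveals": {"card_last4"}},
    "appleid": {"recovery": [{"billing_address", "card_last4"}],
                "reveals": {"apple_mailbox"}},
    "gmail":   {"recovery": [{"apple_mailbox"}],   # alternate email on file
                "reveals": {"gmail_mailbox"}},
    "twitter": {"recovery": [{"gmail_mailbox"}],   # linked to Gmail
                "reveals": set()},
}
# Facts the slide treats as easy to obtain.
PUBLIC = {"name", "email", "billing_address"}


def exposed(accounts, known):
    """Return the accounts recoverable from `known`, in the order they fall."""
    known, fallen = set(known), []
    progress = True
    while progress:
        progress = False
        for name, acct in accounts.items():
            if name not in fallen and any(r <= known for r in acct["recovery"]):
                fallen.append(name)
                known |= acct["reveals"]
                progress = True
    return fallen


def hardening_impact(accounts, known):
    """Map each account to how many accounts stay exposed once its recovery
    is hardened (modelled as needing a factor no other account reveals)."""
    impact = {}
    for name, acct in accounts.items():
        hardened = dict(accounts)
        hardened[name] = {"recovery": [{"out_of_band_factor"}],
                          "reveals": acct["reveals"]}
        impact[name] = len(exposed(hardened, known))
    return impact


if __name__ == "__main__":
    print("falls in order:", exposed(ACCOUNTS, PUBLIC))
    for name, left in hardening_impact(ACCOUNTS, PUBLIC).items():
        print(f"harden {name}: {left} account(s) still exposed")
```

In this model, hardening the account at the start of the chain leaves the fewest accounts exposed, which is the "weak link" the earlier slide refers to.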

Page 17: Bring Your Own Identity

Balancing Risk and Value: Key Take-aways

BYOI benefits
─ Reduce cost of generating and managing identities
─ Increase customer/constituent engagement
─ Enable more personalized experience interactions

BYOI risk assessment
─ Customers/constituents involved in identity selection
─ Security of identity beyond your control
─ Still must protect personally identifiable information

Must balance value against savings
─ What type of access does it fit?
─ May not be right for your organization…yet