Identity Beyond Employees: How Customer Experience Impacts Your IAM Practices

Identity Beyond Employees: How Customer Experience Impacts Your IAM Practices Eve Maler, Principal Analyst May 28, 2014

Upload: wwwpingidentitycom

Post on 07-May-2015

DESCRIPTION

Customer identity and access management (CIAM) is a high-priority imperative in the age of the customer. If your customers can’t register or log in for service, and can’t conduct transactions in an easily usable manner, it really doesn’t much matter how your website, mobile app, or phone channel is architected; they may move on to your competition. Learn how customer experience influences IAM and security and what actions you can take to meet both sets of goals.

TRANSCRIPT

Page 1: Identity Beyond Employees: How Customer Experience Impacts Your IAM Practices

Identity Beyond Employees: How Customer Experience Impacts Your IAM Practices

Eve Maler, Principal Analyst

May 28, 2014

Page 2

Customer experience is not monolithic

Page 8

© 2014 Forrester Research, Inc. Reproduction Prohibited

Users are escaping captivity

[Chart: user types plotted by benefit in sharing credentials (baseline, greater benefit, large benefit) against degree of freedom to walk away from the relationship (none (captive), some at cost, a lot). User types shown: regular employee, contractor, nonpaying affiliate, paying affiliate, bank customer, privileged employee, social network user, retail customer, service-paying customer, payout beneficiary, employee of partner.]

Page 9

But the Internet has become a bad neighborhood

Page 10

We see the disproportionate targeting of credentials in the data

Source: December 30, 2013, “Market Overview: Employee And Customer Authentication Solutions In 2013, Part 1 Of 2” Forrester report

Page 13

What do customers experience when security goes bad?

› A few: major consequences such as identity theft

› Many: loss of trust in the brand

› Everyone: an involuntary password reset flow

Page 14

What do customers experience on a good day?

› Onerous account registration forms

› Those @%@#$ password policies…

› …that are both hard to choose and hard to remember…

› …and usually aren’t even secure

› Those @%@#$ security questions

Page 15

When user self-service fails…you pay

› In CSR costs

› In user experience friction

Page 16

© 2013 Forrester Research, Inc. Reproduction Prohibited

Source: Google - The New Multi-screen World: Understanding Cross-platform Consumer Behavior, August 2012

People cross devices to accomplish a single goal

Page 19

“Mobile first” means IT security has less room to maneuver than ever

› Business owners want in-app registration and login.

› Individuals demand user experiences with a clear purpose.

› Security task flows on mobile devices feel different.

Page 20

Responsive design for CIAM enables security and experience

Page 21

© 2012 Forrester Research, Inc. Reproduction Prohibited

Typical external users and IAM needs in a franchise-type business

[Diagram: external users, classified as managed or unmanaged and as sole or group]

• Retail customer

– Requires self-registration

– Can be inactivated

• All partners

– Must follow per-country regulations

– May need high assurance

• Multi-employee partner

– Complex record structure

– Needs delegated administration and entitlement management

• Sole proprietor partner

– Simple record structure

Page 22

Possible segmentation of identity sources

[Diagram: a unified IAM framework connected through RP and IdP interfaces to identity sources. Labels: employees and some partners; other partners; retail customers; social IdPs; natively managed; managed by cloud broker; three elements marked optional.]

Page 23

Ways CIAM is unique

› CX can have a direct impact on the top line

› Multiple customer-facing properties

› Complete lack of mobile device security controls

› Scale and volume, along several dimensions

Page 24

Source: May 22, 2014 “Introducing Forrester's Customer IAM Security Maturity Assessment Model” Forrester report

What engagement channels are you providing?

…and what is the importance of each?

Page 25

Source: May 22, 2014 “Introducing Forrester's Customer IAM Security Maturity Assessment Model” Forrester report

What life cycle elements now become relevant?

…and what authentication role does each channel serve at each moment?

Page 26

Security best practices that are usability-friendly: leveraging context

User identification based on something they . . .

Know.

Have.

Are.

Do.

Page 27

Risk-based techniques improve “UDS”

Usability:

• Memorywise-Effortless
• Scalable-for-Users
• Nothing-to-Carry
• Physically-Effortless
• Easy-to-Learn
• Efficient-to-Use
• Infrequent-Errors
• Easy-Recovery-from-Loss

Deployability:

• Accessible
• Negligible-Cost-per-User
• Server-Compatible
• Nothing-to-Provision-to-User
• Mature
• Multiple-Purposes
• Available-Offline

Security:

• Resilient-to-Physical-Observation
• Resilient-to-Targeted-Impersonation
• Resilient-to-Throttled-Guessing
• Resilient-to-Unthrottled-Guessing
• Resilient-to-Internal-Observation
• Resilient-to-Leaks-from-Other-Verifiers
• Resilient-to-Phishing
• Resilient-to-Theft
• No-Trusted-Third-Party
• Requiring-Explicit-Consent
• Unlinkable

Page 30

Security best practices that are usability-friendly: leveraging mobile

As a secondary channel

› True OOB authentication

› Contextual fairy dust with device identification and reputation

As a primary channel

› In-app integration for seamless authentication

› Contextual fairy dust to strengthen the singular channel

Page 31

Usability best practices that cost nothing to remember: clarity and context sensitivity

Page 35

Usability best practices that cost nothing to remember: feedback

Page 36

Sew together experiences that maximize success

Page 37

People use multiple touchpoints at once

Source: Google - The New Multi-screen World: Understanding Cross-platform Consumer Behavior, August 2012

Page 40

So, prepare for channel-jumping

› Unify back-end records so that the user experiences no latency in “what you know” about him

› Leverage contextual cues to enable a channel to be “in-band” for primary tasks and “out-of-band” for authentication tasks

› Match session length to the entirety of the risk: the nature of the transaction, channel, user…

Page 41

IT and the business are expected to work hand in hand

Page 43

Source: May 22, 2014 “Forrester's Customer IAM Security Maturity Assessment Model” Forrester tool

So, negotiate!

› Hammer out agreement on formal levels of risk

› Map tasks and channels to them

› Seek the highest security maturity scores for the most important tasks and channels

Deregister device

We allow users to deregister a device explicitly. Yes

We authenticate users before allowing this task to proceed. Yes

We keep track of devices that have been associated with a user. Yes

We notify the customer in an email or SMS text message if a device has been deregistered. No

A customer can have only a limited number (e.g., 10) of registered devices across all channels. No

Page 44

Thank you

Eve Maler

+1 425.345.6756

@xmlgrrl

Page 45

THE IDENTITY INDUSTRY IS EXPLODING

Page 46

TODAY

Page 48

NEW PARADIGM IN SECURITY

Legacy Security Model

Single-point access to applications within the firewall

– Proprietary

– On-premise

– Web only

– Single domain

Next-Gen Identity Model

Cloud, Social, Mobile & Data drive a new approach

– Open standards

– Hybrid, datacenter and cloud

– Web, API and mobile

– Federated by default

Traditional Identity Management not Working

76% of Network Intrusions Exploited Weak or Stolen Passwords (1)

(1) Verizon Data Breach Investigations Report 2013

Page 49

THE CONNECTED CUSTOMER

Single Channel

Multichannel

Multiple Identities

Omnichannel

Customers experience a single type of touch-point

Customers see multiple touch-points acting independently.

Customers see multiple touch-points as part of the same brand.

Customers experience a brand, not a channel within a brand.

Confidential — do not distribute. Copyright © 2014 Ping Identity Corp. All rights reserved.

Page 50

EMERGING IDENTITY LAYER

Simplify access

Manage identities

Single customer view

Connect apps

Scale and grow

Page 51

OPEN ACCESS

Page 52

IDENTITY WEAKNESSES EXPLOITED

~110M accounts jeopardized

~5M usernames & phone numbers stolen

~7M passwords stolen

~250K passwords stolen

~38M usernames & passwords stolen

~318K accounts hacked

~50M usernames & passwords stolen

~50M user accounts compromised

2013 was the most historic year for cyber attacks

Several prominent brands experienced high profile data breaches

Hundreds of millions of usernames, passwords and accounts were jeopardized

Stolen social media credentials fetch more than credit card numbers on cybercrime black markets

Page 53

Secures Access to Any App, on Any Device from Any Location

Enterprise Grade

Flexible Hybrid Deployment

Committed to Open Standards

Web, Mobile, and API

Simple to Advanced Use-Case Support in a Single Platform

CENTRALIZE CONTROL

Ping Identity – Ushering in the New Era of Identity

Page 54

SINGLE CUSTOMER VIEW

Page 55

TODAY’S IDENTITY PROTOCOL LANDSCAPE

SAML

LDAP

X.509

Page 57

MODERN IDENTITY PROTOCOL STACK

OpenID Connect SCIM

OAuth 2.0

Page 58

Security for APIs

APIs FOR IDENTITY

OpenID Connect SCIM

Page 60

Security for APIs

User Authentication API

User Management API

APIs FOR IDENTITY (Not identity-enabled APIs)

Page 61

FUNDAMENTAL TENETS TO SCALE

• No more passwords

• Automate as much as possible

– Eliminate IT Administrative overhead

– Application registration is dynamic

• Ease of use

– Effortless self service

– Developer-friendly

– IT-friendly

– User-friendly

Page 62

IMPACT EXPERIENCE AND REVENUE

For a more detailed analysis on the Total Economic Impact of Ping solutions, please join us for a webinar on September 26 at 11am ET.

https://www.pingidentity.com/about-us/event-detail.cfm?customel_datapageid_1455=71219

$12M $21M $45M

Incremental revenue from faster time-to-market following M&A activity

Incremental revenue from reduced application dropout rates

Incremental revenue from white-labeled apps

Page 63

Half of the Fortune 100

4 of the 6 Largest US Banks

8 of the 10 Largest Biopharmas

3 of the 5 Largest Healthcare Plans

CUSTOMER SUMMARY GLOBAL LEADERS & INNOVATORS

1,000+ global customers

98% customer satisfaction

93% customer retention

SI, TECH & SAAS PARTNERS

Offices: Denver, Boston, Vancouver, London, San Francisco, Halifax, Tel Aviv, Tokyo

Employees: 350

Founded: 2002

COMPANY BACKGROUND

STANDARDS BODY PARTICIPATION

THE IDENTITY SECURITY COMPANY

Page 64

WHAT IS ACTIONABLE?

• Apps and devices need a modern identity protocol stack

– Starts with OAuth 2.0, OpenID Connect and SCIM

• No more passwords

– Federated access by default

• Ease of use means automate everything

– Or enable self-service as a backup

Page 65

Thank You

Eve Maler

+1 425.345.6756

@xmlgrrl

Jeff Nolan

+1 650.430.3947

@jeffnolan