IAM Vision and Strategy - Initial Version
Mike Chung | Associate Partner IBM Security, Identity & Access Management
© 2016 IBM Corporation


Page 1: IAM Vision and Strategy - Initial Version

© 2016 IBM Corporation

Vision and Strategy

Mike Chung | Associate Partner IBM Security

Identity & Access Management

Page 2: Table of contents (DRAFT)

§ Common understanding of terms

§ Expectations and developments 2015 and beyond
  • Access governance 2.0
  • Federation
  • Post-password era

§ IBM’s strategy

§ Contact details

Page 3: Common understanding of terms (DRAFT)

[Diagram 1, access governance view. Labels: Users; Business role (function-based); IT role (IT system group-based); Attributes; Entitlements; Permissions on Application/System A, Application/System B, Application/System C..]

[Diagram 2, access management view. Labels: User; Digital identity; Authentication (verification of identity claim); Authorization (access to allowed resources); Permissions on Application/System A, Application/System B, Application/System C..; Monitoring & audit]

Page 4: Access governance 2.0: towards -as-a-service (DRAFT)

[Diagram: the access governance view of page 3 (Users; Business role; IT role; Attributes; Entitlements; Permissions on Application/System A, B, C..), extended with Partners and suppliers. The annotations below are grouped on the slide under "Basic assumption" and "2015 & beyond approach".]

Heterogeneous group of users:
• Internal employees
• Consultants
• Partners and suppliers
• Consumers

Entitlements based on risk-based controls:
• Rules and regulations
• Segregation-of-duties
• Security requirements
• Use of resources, including licensing

Dynamic set of attributes: from static business function-based attributes to dynamic project/context/activity-based attributes

Access governance as a service:
• As a managed service performed by specialists
• Fetched as a standardized service from the cloud
• Pay-as-you-go model

Increasing level of deperimeterization:
• Move to SaaS
• Merging-with-partners networks
• Bring your own devices & ID

Complex, “invisible” ecosystem of applications:
• Move to SaaS outside IT
• Merging of private-social and business applications
• Control of access as part of risk management

Page 5: Federation: decentralized approach (DRAFT)

[Diagram: the access management view of page 3 (User; Digital identity; Authentication; Authorization; Permissions on Application/System A, B, C..; Monitoring & audit). The annotations below are grouped on the slide under "Basic assumption" and "2015 & beyond approach".]

Proliferation of digital identities:
• Organization-specific IDs
• Social networking IDs
• IDs provided by the government
• Aliases

Wide acceptance of open standards and protocols: OpenID, OpenID Connect, OAuth, SAML, SPML, SCIM

Exchange of authentication and authorization data for SSO:
• Federation using SAML 2.0
• Architecture of identity providers and service providers
• For web services and across the cloud

Delegated access: authorization based on delegated access using request and access tokens without sharing credentials

Decentralized identity provisioning: from static “centralized” identity stores to preferred OpenID providers to multiple relying parties

Hybrid environment:
• Applications both on-premise as well as SaaS
• Managed services with vendor/cloud governance
• Corporate devices and BYOD

Page 6: Post-password era: embracing complexity (DRAFT)

[Diagram: the access management view of page 3 (User; Digital identity; Authentication; Authorization; Permissions on Application/System A, B, C..; Monitoring & audit). The annotations below are grouped on the slide under "Basic assumption" and "2015 & beyond approach".]

Ease of access required:
• Seamless access to services
• Privacy and security

High expectations raised on analytics:
• Security big data
• Integrated monitoring of multiple services

Cloud monitoring:
• Monitoring of the cloud
• Monitoring from the cloud
• Integration with SIEM, data analytics and threat intelligence

Biometrics combined with certificates:
• Strong authentication with non-intrusive biometrics and an additional code
• Digital certificates for secure, transparent access to various resources

Secure cloud gateway concepts:
• Single/limited point(s) towards the cloud
• Quality of service including security

Compliance:
• Rules and regulations more stringent than ever
• Balancing the act between privacy and security
• Dependency on third parties

Page 7: IBM’s strategy: access-governance-as-a-service (DRAFT)

[Diagram: the access governance view of page 3 (Users; Business role; IT role; Attributes; Entitlements; Permissions on Application/System A, B, C..), extended with Partners and suppliers. The annotations below are grouped on the slide under "Current solutions" and "Focus areas of roadmap".]

Exhaustive access governance functionality:
• Access request management
• Access certification
• Risk scoring
• SoD management
• Role discovery

Entitlements based on various variables:
• Static policy and rules
• Context (location, time, concurrent sessions, etc.)
• Ad hoc

Access governance as a service from IBM’s cloud:
• Exhaustive range of access governance services
• Full identity life cycle managed by specialists
• Private or public cloud depending on the customer’s situation

Integration with (third-party) SaaS:
• Access governance connectivity with SaaS based on open standards
• Provisioning and deprovisioning to/from SaaS

Access-as-a-service from multiple locations: more data center locations in Europe outside the UK

Specific and industry-unique features:
• Visual role mining
• Integration with SAP
• Integration with mainframes

Page 8: IBM’s strategy: federation including authorization (DRAFT)

[Diagram: the access management view of page 3 (User; Digital identity; Authentication; Authorization; Permissions on Application/System A, B, C..; Monitoring & audit). The annotations below are grouped on the slide under "Current solutions" and "Focus areas of roadmap".]

Enterprise-wide SSO:
• Federation with on-premise applications
• Federation with cloud applications
• Federation with mobile apps

Adoption of open standards:
• OpenID (Connect)
• OAuth
• SAML
• SPML
• SCIM

Cloud-based identity management:
• Identity life-cycle management supporting multiple authoritative sources of identity data
• Connected with cloud and on-premise applications
• Provisioning and deprovisioning

Seamless integration with strong authentication concepts:
• X.509 certificate-based federation
• Smartcard-based federation

Fine-grained authorization:
• Control over a wide array of cloud and mobile applications
• Based on dynamic attributes
• Coupled with (strong) authentication

Further integration of access governance capabilities with cloud and mobile applications:
• Detection of violations with automated actions
• Role-mining

Page 9: IBM’s strategy: security integration (DRAFT)

[Diagram: the access management view of page 3 (User; Digital identity; Authentication; Authorization; Permissions on Application/System A, B, C..; Monitoring & audit). The annotations below are grouped on the slide under "Current solutions" and "Focus areas of roadmap".]

Detection and identification of cloud applications:

Security data intelligence: security big data analysis from various sources

Integration of SIEM and threat intelligence:
• Monitoring of the cloud
• (Near) real-time alerts and instant response

Compliant with stringent standards:
• EU Privacy Directive
• ISO 27001/2
• ISAE 3402
• PCI-DSS
• HIPAA

Secure gateway service:
• Single/limited point(s) towards the cloud
• Quality of service including security
• SSL offloading/DLP

Strong R&D investment in authentication technology:
• Encryption
• Biometrics

Page 10: IBM’s solutions (DRAFT)

[Diagram: both views from page 3 side by side. The access governance view (Users; Business role; IT role; Attributes; Entitlements; Permissions on Application/System A, B, C..) is labelled "Cloud Identity Service"; the access management view (User; Digital identity; Authentication; Authorization; Permissions on Application/System A, B, C..; Monitoring & audit) is labelled "Cloud Enforcer".]

Page 11: Also.. (DRAFT)

§ Preparing for the rise of non-corporate IDs for business services

§ Participating actively in new and innovative developments:
  • FIDO
  • XACML-ish concepts
  • Homomorphic encryption
  • FreeIPA

Page 12: IBM Security: investing in best-of-breed technologies (DRAFT)

IBM Security Investment
• 6,000+ IBM Security experts worldwide
• 1,700+ IBM security patents
• 4,000+ IBM managed security services clients worldwide
• 25 IBM Security labs worldwide

[Timeline, 1976 to 2014 (marked years: 1976, 1999, 2002, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014), of capabilities added to the IBM Security portfolio. Labels, in slide order: Security services and network security; Enterprise single-sign-on; Mainframe and server security; Identity management; Directory integration; Endpoint management and security; Application security; Data management; Database monitoring and protection; Access management; SOA management and security; Incident forensics; Secure mobile management; Cloud-enabled identity management; Identity governance; Security intelligence; "IBM Security is created". The year-to-label assignment is not recoverable from the extracted text.]

Page 13: IBM Security: latest analyst report rankings (DRAFT)

Report sources (columns of the original table): Gartner Magic Quadrant (MQ) and Market Share (MS); Forrester Wave; IDC Market Share. Rankings are listed per market segment as they appear on the slide.

Domain: Identity and Access Management
• Federated Identity Management and Single Sign-On: Leader, 2014
• Identity and Access Governance: Leader, 2015 MQ / 2015 MS; Strong Contender, 2013
• Identity and Access Management as a Service (IDaaS): Visionary, 2015 MQ
• Web Access Management (WAM): Leader, ‘13 MarketScope, ‘15 MS
• Mobile Access Management: Leader, 2014 Customer Value, Frost & Sullivan
• Identity Provisioning Management: Leader, 2014 Leadership Compass, KuppingerCole

Domain: Security Intelligence
• Security Information and Event Management (SIEM): Leader, 2015 MQ / 2015 MS; Leader, 2015

Domain: Consulting and Managed Services
• Managed Security Services (MSS): Leader, 2014 MQ (NA, WW); Leader, 2014 (NA); Leader, 2014
• Information Security Consulting Services: Leader, 2013

Page 14: IBM Security: exhaustive coverage of security domains (DRAFT)

[Product map. Domains: Security Intelligence; Advanced Fraud; Network; Data; Mobile; Applications; Endpoint; Identity and Access; Consulting Services; Managed Services. Products shown: QRadar SIEM; QRadar Vulnerability Manager; QRadar Incident Forensics; QRadar Log Manager; QRadar Risk Manager; IBM X-Force Research; DataPower Web Security Gateway; AppScan; BigFix; MobileFirst Protect (MaaS360); Key Lifecycle Manager; Guardium; zSecure; Trusteer Mobile; Trusteer Pinpoint; Trusteer Rapport; Trusteer Apex; SiteProtector; Network Protection XGS; Identity Manager; Access Manager; Identity Governance and Intelligence; Privileged Identity Manager. The product-to-domain placement is not recoverable from the extracted text.]

Page 15: IBM Security: global reach (DRAFT)

[Figure: "IBM Security by the Numbers". Labels: monitored countries (MSS); service delivery experts; endpoints protected; events managed per day. The numeric values were lost in extraction.]

Page 16: Contact details (DRAFT)

Drs. Mike Chung RE CISSP
Associate Partner IBM Security
[email protected]
+31 6 2565 7593
+82 10 3521 7754 (South Korea)