Identity and Access Management in the Era of Digital Transformation
Selvaratnam Uthaiyashankar, VP – Engineering, WSO2

WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transformation


Page 1: WSO2Con USA 2017: Identity and Access Management in the Era of Digital Transformation

Identity and Access Management in the Era of Digital Transformation

Selvaratnam Uthaiyashankar VP – Engineering

WSO2

Page 2

Identity and Digital Business

• Identity is at the heart of Digital Business

Image source: http://coranet.com/images/network-security.png

Page 3

Identity Centric

• Digital Business is all about the “User”
– How do we know who is accessing?

– Things the user can access or do

– The user’s preferences

– Rules the user has to adhere to

– Relationships with other entities

Page 4

Proper identity enforcement is essential for customer experience, security, privacy

Page 5

Authentication

• Direct Authentication
– Basic Authentication

– Digest Authentication

– TLS Mutual Authentication

[Diagram: the user authenticates directly to each Service Provider and then consumes its services]

Image Source : http://www.densodynamics.com/wp-content/uploads/2016/01/gandalf.jpg
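Direct authentication in its simplest form is HTTP Basic: the client sends `user:password` base64-encoded on every request, so the credential is only as safe as the TLS channel beneath it and the way the server stores and compares passwords. The following is an added example, not code from the deck or from WSO2; the user store, the PBKDF2 iteration count and the sample credential are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed user store for the example: passwords are held as salted PBKDF2-HMAC-SHA256
# digests, never in the clear. The iteration count is an assumption; tune it for your hardware.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password; a fresh 16-byte salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


USERS = {"alice": hash_password("correct horse battery staple")}
_DUMMY_SALT = b"\x00" * 16  # used for unknown users so lookup cost does not reveal whether a user exists


def make_basic_header(user: str, password: str) -> str:
    """What the client sends. Base64 is encoding, not encryption: Basic needs TLS underneath."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Parse an Authorization header value; return None for anything that is not well-formed Basic."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':' but the password may, so split on the first one only
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def authenticate_basic(header: str) -> Optional[str]:
    """Return the authenticated username, or None. Unknown user and wrong password take the same path."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    user, password = creds
    salt, expected = USERS.get(user, (_DUMMY_SALT, b""))
    _, candidate = hash_password(password, salt)  # always pay the PBKDF2 cost, even for unknown users
    # compare_digest keeps the comparison constant-time; the membership check is evaluated last
    return user if hmac.compare_digest(candidate, expected) and user in USERS else None
```

The same parse-then-verify structure applies to Digest authentication, with the difference that the server keeps an HA1-style hash and never sees the password; TLS mutual authentication moves the whole problem into the handshake and certificate validation.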

Page 6

Digital business requires seamless integration of various systems…

Page 7

Identity Challenges When Integrating Multiple Systems

• Different username and password (credential) for each system
– The preferred username is already taken

– Reusing the same username/password across systems becomes a security risk

• Too many usernames and passwords

• Losing possible collaborations between applications

Page 8

Authentication

• Brokered Authentication
– SAML

– OAuth 2.0: SAML2 bearer / JWT bearer assertion grant types

– OpenID

– OpenID Connect

• Single Sign-On

[Diagram: the user authenticates once to the Identity Provider; each Service Provider trusts the Identity Provider and accepts its assertion for service consumption]

Image source: http://savepic.ru/6463149.gif

Page 9

Users Might Want to Use Their Social Identities

• BYOID (Bring Your Own Identity)

Page 10

Users Might Want to Use Their Enterprise Identity

• Trust between different identity domains

• Identity Federation

[Diagram: the Service Providers trust Identity Provider A, which in turn trusts Identity Provider B (the user’s home identity domain); authentication at B is federated through A for service consumption]

Page 11

Multi-option Authentication

Page 12

Identity Bus

Page 13

Identity now links all the systems, so you have just concentrated the attack risk on your identity…

Page 14

Often, the weak link is a poor user credential

https://www.infosecurity-magazine.com/news/compromised-credentials-quarter/

Page 15

Multi Factor Authentication

• What you know

• What you have

• What you are

Image source: http://it.miami.edu/_assets/images/multifactor1.png

Page 16

Adaptive Authentication

• Ability to change the authentication options based on context (device, location, risk)

https://3c1703fe8d.site.internapcdn.net/newman/gfx/news/hires/2013/howdochamele.jpg

Page 17

Provisioning Users

• Self Service
– Complete user management

– User Portal

• Approvals and Workflows

• Just In Time Provisioning

http://blog.genesys.com/wp-content/uploads/2014/07/Road-Sign-Self-Service.jpg
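Just-in-time provisioning creates the local account the first time a federated user shows up, using the attributes the Identity Provider asserts. The block below is an added example, not code from the deck or from WSO2, and the issuer configuration, claim names and group-to-role map are assumptions. It shows the three decisions that keep JIT provisioning safe: link the local account to the stable (issuer, subject) pair rather than to an e-mail address, namespace federated usernames so a partner’s “admin” cannot collide with a local one, and map remote groups through an explicit allow-list instead of trusting whatever roles the IdP sends.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class LocalUser:
    username: str
    email: str
    roles: Set[str]
    links: Set[Tuple[str, str]] = field(default_factory=set)  # (issuer, subject) pairs


# Assumed per-issuer configuration: only listed issuers may trigger provisioning, their
# users are namespaced, and remote group names map through an allow-list to local roles.
TRUSTED_ISSUERS = {
    "https://idp.partner.example": {
        "namespace": "partner",
        "default_roles": {"partner-user"},
        "group_to_role": {"engineering": "developer", "support": "helpdesk"},
    },
}


class UserStore:
    def __init__(self) -> None:
        self.users: Dict[str, LocalUser] = {}
        self.by_link: Dict[Tuple[str, str], str] = {}

    def jit_provision(self, issuer: str, claims: Dict) -> LocalUser:
        """Resolve a federated login to a local user, creating the user on first sight."""
        cfg = TRUSTED_ISSUERS.get(issuer)
        if cfg is None:
            raise PermissionError(f"issuer not trusted: {issuer}")
        link = (issuer, claims["sub"])  # stable key: issuer + subject, never the e-mail address
        if link in self.by_link:
            user = self.users[self.by_link[link]]
        else:
            remote_name = claims.get("preferred_username", claims["sub"])
            username = f'{cfg["namespace"]}:{remote_name}'
            if username in self.users:
                # a second subject claiming an existing name is an account-takeover attempt or a bug
                raise PermissionError(f"username collision: {username}")
            user = LocalUser(username, claims.get("email", ""), set(), {link})
            self.users[username] = user
            self.by_link[link] = username
        # Roles are recomputed on every login so a group removal at the IdP takes effect immediately;
        # groups that are not in the map are dropped, which is the least-privilege default.
        mapped = {cfg["group_to_role"][g] for g in claims.get("groups", []) if g in cfg["group_to_role"]}
        user.roles = set(cfg["default_roles"]) | mapped
        return user
```

Where an approval workflow is required, the same function would create the user in a disabled state and let the workflow enable it; the linking and mapping rules do not change.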

Page 18

Provisioning Users in Multiple Systems

Page 19

Access Control

• Principle of least privilege

• Role based access control

• Attribute based access control

• Fine-grained access control with XACML

http://findbiometrics.com/assets/iStock_Access-300x225.jpg
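Attribute-based access control, as XACML structures it, evaluates rules over subject, resource, action and environment attributes and combines their Permit/Deny effects with a combining algorithm. The block below is an added example, not code from the deck or from WSO2 and not a XACML engine; it is a small Python evaluator with the same shape (rules with an effect and a condition, deny-overrides combining, default deny) so the least-privilege behaviour is visible. The policy rules and attribute names are assumptions. One simplification is labelled in the code: a rule that hits a missing attribute is treated as Deny, which is the fail-closed choice.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Attributes = Dict[str, object]
# A request carries four attribute categories, as in XACML:
# {"subject": {...}, "resource": {...}, "action": {...}, "environment": {...}}
Request = Dict[str, Attributes]
Condition = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    effect: str          # "Permit" or "Deny"
    condition: Condition


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, req: Request) -> str:
        """Deny-overrides combining: any Deny wins, then any Permit, otherwise NotApplicable.
        Simplification: a rule that raises KeyError (missing attribute) counts as Deny."""
        decisions = []
        for rule in self.rules:
            try:
                if rule.condition(req):
                    decisions.append(rule.effect)
            except KeyError:
                decisions.append("Deny")
        if "Deny" in decisions:
            return "Deny"
        if "Permit" in decisions:
            return "Permit"
        return "NotApplicable"


def is_allowed(policy: Policy, req: Request) -> bool:
    """Principle of least privilege: only an explicit Permit grants access; NotApplicable is a refusal."""
    return policy.evaluate(req) == "Permit"


# Assumed policy for a patient-records system.
RECORDS_POLICY = Policy(rules=[
    Rule("doctor-reads-own-department", "Permit",
         lambda r: "doctor" in r["subject"]["roles"]
         and r["resource"]["type"] == "patient-record"
         and r["action"]["id"] == "read"
         and r["resource"]["department"] == r["subject"]["department"]),
    Rule("admin-manages-accounts-from-corporate-network", "Permit",
         lambda r: "admin" in r["subject"]["roles"]
         and r["resource"]["type"] == "user-account"
         and r["environment"]["network"] == "corporate"),
    Rule("no-deletes-outside-business-hours", "Deny",
         lambda r: r["action"]["id"] == "delete"
         and not 8 <= r["environment"]["hour"] < 18),
])
```

Role-based access control is the special case where every condition only inspects `subject.roles`; the environment and resource attributes are what make the policy fine-grained.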

Page 20

Auditing User Activities

• You might not know who will access your system (BYOID)

• A full audit of user activities is important, especially for user management and admin operations
– Who, What, From Where, When, How

• Accountability, Reconstruction, Problem Detection, Intrusion Detection

http://cdn.gocertify.com/images/Auditing%20team%20going%20over%20report.jpg
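An audit trail only supports accountability and reconstruction if the people it records cannot quietly edit it. The block below is an added example, not code from the deck or from WSO2: each record carries the who/what/target/from-where/when/how fields from the slide, and the records are chained with an HMAC (each MAC covers the previous MAC plus the record) under a key the auditor holds and the administrators do not, so an edited or deleted record breaks the chain. The key, the event names and the sample records are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional


class AuditLog:
    """Append-only audit trail whose records are HMAC-chained so tampering is detectable."""

    def __init__(self, key: bytes):
        self._key = key  # assumption: held by the audit function, not on the admin hosts
        self.records: List[Dict] = []

    def _mac(self, prev_mac: str, entry: Dict) -> str:
        canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")
        return hmac.new(self._key, prev_mac.encode("ascii") + canonical, hashlib.sha256).hexdigest()

    def append(self, who: str, what: str, target: str, where: str, how: str,
               outcome: str, when: Optional[str] = None) -> Dict:
        """Record one action: who did what to which target, from where, when and through which channel."""
        entry = {
            "seq": len(self.records),
            "when": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "who": who, "what": what, "target": target,
            "where": where, "how": how, "outcome": outcome,
        }
        prev_mac = self.records[-1]["mac"] if self.records else ""
        entry["mac"] = self._mac(prev_mac, entry)
        self.records.append(entry)
        return entry

    def verify(self) -> int:
        """Recompute the chain. Returns -1 if intact, else the index of the first bad record
        (an edit changes that record's MAC; a deletion shifts the sequence numbers)."""
        prev_mac = ""
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body.get("seq") != i or not hmac.compare_digest(self._mac(prev_mac, body), rec["mac"]):
                return i
            prev_mac = rec["mac"]
        return -1

    def reconstruct(self, target: str) -> List[str]:
        """Reconstruction: everything that happened to one account, in order."""
        return [
            f'{r["when"]} {r["who"]}@{r["where"]} {r["what"]} {r["target"]} via {r["how"]}: {r["outcome"]}'
            for r in self.records if r["target"] == target
        ]


def build_sample_log(key: bytes) -> AuditLog:
    """Constructed sample: an admin changes bob's role and password, then bob fails a login."""
    log = AuditLog(key)
    log.append("admin1", "ROLE_ASSIGN", "bob", "10.0.0.5", "admin-console", "success", when="2017-02-20T10:00:00+00:00")
    log.append("admin1", "PASSWORD_RESET", "bob", "10.0.0.5", "admin-console", "success", when="2017-02-20T10:01:00+00:00")
    log.append("bob", "LOGIN", "bob", "203.0.113.9", "password", "failure", when="2017-02-20T10:07:00+00:00")
    return log
```

In a deployment the chained records would be shipped to a separate store as they are written; the chain then lets the receiving side prove the sender’s log was not trimmed in transit.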

Page 21

Analytics

• Understanding user behavior

• Predicting future needs

• Fraud detection

http://www.labrechedigital.com/images/analytics.png
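One fraud-detection analytic that falls directly out of the audit trail is impossible travel: two successful logins by the same user whose locations are too far apart for the time between them. The block below is an added example, not code from the deck or from WSO2; the login events are constructed JSON lines with coordinates assumed to come from an upstream IP geolocation step, and the speed threshold is an assumption.

```python
import json
import math
from datetime import datetime
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0

# Constructed sample of login events, one JSON object per line. Not real data.
SAMPLE_LOG_LINES = [
    '{"ts": "2017-02-20T09:00:00", "user": "alice", "ip": "203.0.113.5", "city": "Colombo", "lat": 6.93, "lon": 79.85, "outcome": "success"}',
    '{"ts": "2017-02-20T10:30:00", "user": "alice", "ip": "198.51.100.7", "city": "San Francisco", "lat": 37.77, "lon": -122.42, "outcome": "success"}',
    '{"ts": "2017-02-20T08:00:00", "user": "bob", "ip": "198.51.100.9", "city": "San Francisco", "lat": 37.77, "lon": -122.42, "outcome": "success"}',
    '{"ts": "2017-02-20T20:00:00", "user": "bob", "ip": "198.51.100.9", "city": "San Francisco", "lat": 37.77, "lon": -122.42, "outcome": "success"}',
    '{"ts": "2017-02-20T09:00:00", "user": "carol", "ip": "192.0.2.44", "city": "London", "lat": 51.51, "lon": -0.13, "outcome": "success"}',
    '{"ts": "2017-02-20T12:00:00", "user": "carol", "ip": "192.0.2.88", "city": "Paris", "lat": 48.86, "lon": 2.35, "outcome": "success"}',
    '{"ts": "2017-02-20T12:05:00", "user": "carol", "ip": "192.0.2.99", "city": "Tokyo", "lat": 35.68, "lon": 139.69, "outcome": "failure"}',
]


def parse_events(lines: List[str]) -> List[Dict]:
    events = []
    for line in lines:
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlambda = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events: List[Dict], max_speed_kmh: float = 900.0) -> List[Dict]:
    """Flag consecutive successful logins by one user that imply travel faster than max_speed_kmh
    (roughly airliner speed). Failed attempts are ignored: they do not place the real user anywhere."""
    by_user: Dict[str, List[Dict]] = {}
    for event in sorted((e for e in events if e["outcome"] == "success"), key=lambda e: e["ts"]):
        by_user.setdefault(event["user"], []).append(event)
    alerts = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Two logins in the same instant from different places are also impossible
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km), "hours": round(hours, 2), "speed_kmh": round(speed)})
    return alerts
```

An alert like this is the natural trigger for adaptive authentication: rather than blocking outright, the second login can be stepped up to a second factor.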

Page 22

API Security

• APIs are powering the Digital Business

• Ability to secure the API (OAuth)

• Identity delegation

https://edinversity.files.wordpress.com/2013/07/handing-over-car-keys.jpg
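Brokered authentication (page 8) and API security both come down to a service accepting a signed token from an Identity Provider it trusts instead of a credential, and identity delegation means that token also says which of the user’s permissions the calling client was granted. The block below is an added example, not code from the deck or from WSO2, serving both passages: a minimal JWT issuer and a verifier that performs every check an API must do (algorithm pinning, signature, issuer, audience, expiry) and then enforces the delegated scope. It uses HS256 with a shared key to stay dependency-free; a production IdP signs with an asymmetric key so APIs hold only the public half. The issuer, audience, scopes and key are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: Dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_token(claims: Dict, key: bytes) -> str:
    """Identity Provider side: sign the claims (HS256 here; RS256/ES256 in practice)."""
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenError(Exception):
    pass


def verify_token(token: str, key: bytes, issuer: str, audience: str,
                 now: Optional[int] = None) -> Dict:
    """API side. Every check is mandatory; each one skipped is a well-known token-misuse bug."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        signature = b64url_decode(s64)
    except ValueError:  # bad base64, bad JSON, bad UTF-8, or wrong number of segments
        raise TokenError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose ("none", downgrade)
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    if claims.get("iss") != issuer:
        raise TokenError("untrusted issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this API")  # a token for another API must not work here
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired or missing exp")
    if now < claims.get("nbf", 0):
        raise TokenError("not yet valid")
    return claims


def authorize(token: str, key: bytes, issuer: str, audience: str, required_scope: str,
              now: Optional[int] = None) -> Tuple[int, str]:
    """Gateway decision for one API call: 401 if the token cannot be trusted, 403 if the scopes
    the user delegated to the client do not cover this call, otherwise 200 with the subject."""
    try:
        claims = verify_token(token, key, issuer, audience, now)
    except TokenError as err:
        return 401, str(err)
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        return 403, f"insufficient_scope: {required_scope} required"
    return 200, claims["sub"]
```

The `scope` claim is the delegation in “identity delegation”: the user handed the client a subset of their rights, and the API enforces that subset even though the token proves who the user is.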

Page 23

IoT is an Essential Element in Digital Business

• Identity includes “Things”

• Securing your IoT devices is a must

• Consider scalability of your IAM System

https://media.licdn.com/mpr/mpr/shrinknp_400_400/AAEAAQAAAAAAAAWRAAAAJDkwODMwYzIyLTA5MzktNDAwZi05ZmI4LWJkYTAyM2U4MDBlNQ.jpg

Page 24

Perimeter of Your Digital Business will Increase

• Data is in cloud, mobile devices

• Borders across systems don’t work anymore

• Your attack surface increases
– You can’t remove unused features in cloud services

• Security by obscurity doesn’t work anymore

• Expect hacking, DoS attacks and phishing attacks

• Controlling access, monitoring, analyzing and predicting attacks are the way forward

Page 25

Bridging Cloud and Internal Systems

• Connectors to bridge Cloud Systems and Internal Systems
– You might not be able to open ports to the outside world

http://www.stratoscale.com/wp-content/uploads/gap-1080x1080.jpg

Page 26

Digital Business Requires Agility

• Should be able to connect new systems easily

• Frequent changes to external systems

• Future Proof

• Needs some Identity Mediation Concepts

http://s3-us-west-2.amazonaws.com/abacus-blog/wp-content/uploads/2015/10/dog-agility.png

Page 27

Digital Business Encourages Innovation

• Often, the security strategy is viewed as restrictive for innovation
– Especially when public services and APIs are involved

• Security should be transparent to the user for a better user experience

https://www.gatesnotes.com/~/media/Images/Articles/About-Bill-Gates/Accelerating-Innovation/innovation_2016_article_1200px_v1.jpg

Page 28

Digital Transformation Requires Cultural Changes

• More and more, business units are in control rather than IT and security teams
– Yet you still need to know who is accessing what, from where, and so on

• Understanding this cultural shift will reduce frustration

http://www.leehopkins.net/wp-content/uploads/2010/11/iStock_000010822711XSmall_thumb.jpg

Page 29

WSO2 Identity Server

Page 30

Page 31

http://cdn.ttgtmedia.com/rms/security/Gartner2014_ASA.jpg

Page 32

Thank You!