cis14: identity at scale: building from the ground up

Identity@Scale: Angle on Identity Data for scaling

Upload: cloudidsummit

Posted on 31-Oct-2014


Category: Technology


DESCRIPTION

Anthony Randall, Monsanto. A discussion of the concept of large-scale engineering of millions of customer identities combined with many applications and partners, identity information engineering, and thoughts about how to better mesh the internal IT landscape to improve identity services, user support and user experience.

TRANSCRIPT

Page 1: CIS14: Identity at Scale: Building from the Ground Up

Identity@Scale

Angle on Identity Data for scaling

Page 2: CIS14: Identity at Scale: Building from the Ground Up

Growth

• Organizations offering more consumer Web- and mobile-based services
• 2.4 billion internet users on the planet
• 1.75 billion smart phones
• Six-fold growth in mobile e-commerce through 2017
• IoT: 50 billion devices in 2020

Page 3: CIS14: Identity at Scale: Building from the Ground Up

IAM industry is catching up

• IAM technologies continue to enable
• Tools and technologies are improving
• New standards for mobile, cloud + API economy
• And new ways of doing things

Page 4: CIS14: Identity at Scale: Building from the Ground Up

(Diagram: where identity lives today)

Directories for Authentication - Stores identity (and some authorization)

Databases for authorization - Also stores identity

Legend: [icon] = Hundreds, [icon] = Few

Security | Business IT

Identity Data Management is lagging behind

Page 5: CIS14: Identity at Scale: Building from the Ground Up

Current state: application/service silos

Disconnected IT roles created for each individual application/service

New database for each application containing identity and application roles

Page 6: CIS14: Identity at Scale: Building from the Ground Up

And we keep hearing about context

• XACML
• OpenID Connect
• UMA

Page 7: CIS14: Identity at Scale: Building from the Ground Up

(Diagram: customer attributes we already hold) Name, Brand Information, Market Segment, Billing Status, Licensing & Certification, Role, Contact information, Account Status, Devices, Consent, Location, Organization, Identifiers, Interactions, Agreements, Product subscriptions, Authorized Acct Relationships

But we have a lot of information about our customers

We don't use it!

Page 8: CIS14: Identity at Scale: Building from the Ground Up

Business context often remains in back-office systems

(Diagram: Front of house | Back Office)

Front of house: Directory Services - Identity - Email Address - Group (often no user context); Targets - Identity - authorization

Back Office: Customer, CRM, Integration Services - Identity - User context

Spend lots $$$ doing the same things over - Identity - authorization

Page 9: CIS14: Identity at Scale: Building from the Ground Up

"Killing IAM in order to save it"

• Need to better define and describe business relationships and context for online activity
• Create single user views for multiple services

(Diagram label: Parental Controls)

Page 10: CIS14: Identity at Scale: Building from the Ground Up

Back to the Future

• Directories store information once for many applications and services to use
• Business-oriented, object-based systems with security and distribution

(Diagram label: X User Identity / Authorization)

Page 11: CIS14: Identity at Scale: Building from the Ground Up

Build the namespace according to objects and functions, not hierarchies

OU=Entitlements
OU=Devices
OU=Profiles
OU=Names
OU=Roles
OU=Users
OU=Products
OU=Configuration Mgt
OU=Preferences
OU=Apps
OU=Addr Books

Tie users to objects using GUIDs to create relationships

Page 12: CIS14: Identity at Scale: Building from the Ground Up

Adding it all up

(Diagram: [directory namespace] + Business Context, Relationships = Scalable + contextual Identity Data Model)
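The object-oriented namespace of Page 11 and the model summed up on this slide, as an added example that is not part of the deck: each object type lives in its own OU, every object carries a GUID, users point at objects by GUID, and a single user view with business context is assembled by resolving those references. The OU names come from the slide; the attributes, function names and sample data are constructed assumptions.

```python
import uuid

# Constructed in-memory stand-in for a directory: OU name -> {guid: entry}.
# Object types are flat siblings (no hierarchy); relationships are GUID references.
directory: dict[str, dict[str, dict]] = {
    ou: {} for ou in ("Users", "Roles", "Products", "Devices", "Entitlements", "Profiles")
}

def add_object(ou: str, **attrs) -> str:
    """Create an object under its OU and return the GUID that identifies it."""
    guid = str(uuid.uuid4())
    directory[ou][guid] = {"guid": guid, **attrs}
    return guid

def link(user_guid: str, ou: str, target_guid: str) -> None:
    """Tie a user to an object in another OU by GUID; refuse dangling references."""
    if target_guid not in directory[ou]:
        raise KeyError(f"no {ou} object with GUID {target_guid}")
    refs = directory["Users"][user_guid].setdefault("refs", {})
    refs.setdefault(ou, []).append(target_guid)

def single_user_view(user_guid: str) -> dict:
    """Resolve every GUID reference and return one merged, contextual view of the user."""
    user = directory["Users"][user_guid]
    view = {k: v for k, v in user.items() if k != "refs"}
    for ou, guids in user.get("refs", {}).items():
        view[ou.lower()] = [directory[ou][g] for g in guids]
    return view

def has_entitlement(user_guid: str, name: str) -> bool:
    """Access condition evaluated from context, e.g. 'Gold subscriber' rather than an IT group."""
    return any(e["name"] == name for e in single_user_view(user_guid).get("entitlements", []))

def build_sample() -> str:
    """Constructed sample data: one user tied to a role, a product, a device and an entitlement."""
    role = add_object("Roles", name="customer")
    product = add_object("Products", name="crop-analytics")
    gold = add_object("Entitlements", name="Gold subscriber")
    phone = add_object("Devices", kind="mobile", os="android")
    user = add_object("Users", uid="jdoe", mail="jdoe@example.com", billingStatus="current")
    for ou, guid in (("Roles", role), ("Products", product), ("Entitlements", gold), ("Devices", phone)):
        link(user, ou, guid)
    return user

if __name__ == "__main__":
    u = build_sample()
    print(single_user_view(u))
    print("gold:", has_entitlement(u, "Gold subscriber"))
```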

Page 13: CIS14: Identity at Scale: Building from the Ground Up

Well designed information sets provide business efficiency and scale

(Diagram: System Scale) Self-Managed CRM / Billing; Directory NameSpace(s); Updates / Reads reflected in information objects; Single user view; VMs

Page 14: CIS14: Identity at Scale: Building from the Ground Up

Provides a ready-made recipe for cloud

Single user view - with context

Identity Bridge

Portable context

Page 15: CIS14: Identity at Scale: Building from the Ground Up

Better prepared for paradigm shift

• An API-centric methodology relies on well managed and described information about users
• Requires closer integration with data architecture

(Diagram: Web / Web Services / Services) Updates, Self-service, Self-subscribing; objects: Names, Users, Devices, Products, Profiles, Roles, Addr. Books, Apps, Prefs, Config.

Page 16: CIS14: Identity at Scale: Building from the Ground Up

Making progress

We still need to move away from this: DBs = Hundreds of identities

Towards this: Single Identity; CRM / Billing $$

Page 17: CIS14: Identity at Scale: Building from the Ground Up

Next Steps

• Get a handle on the number of identities out there
• Use tools to discover, map and clean up duplicate identities
• Use tools to understand which applications are using which identity stores
• Create a taxonomy of applications that require authentication/authorization and the conditions for access (e.g., Gold subscriber, all users, certain users)

(Diagram label: VDS)

Page 18: CIS14: Identity at Scale: Building from the Ground Up

Next Steps

• Use the context in the systems you own and build a richer set of user context
• CRM/Billing systems don't sign in users
• Build systems that represent the business context of users and what they do
• Needs to be scalable, distributed and secure
• Transition authentication to new tools
• Work with app owners to lifecycle current apps
• Use new tools to build new apps

(Diagram labels: $$, VDS)

Page 19: CIS14: Identity at Scale: Building from the Ground Up

When you get back to the office

• Understand the vision for customer centricity
• Start cleaning up the identity silos that cause a disconnected view of the customer
• Change legacy mindsets and look to better combine identity with data architecture
• Correlate insufficient technology investments to current problem sets
• Build the business case and understand dimensions

Page 20: CIS14: Identity at Scale: Building from the Ground Up

Questions?

Anthony Randall, Security Architect – IAM, [email protected]

Page 21: CIS14: Identity at Scale: Building from the Ground Up

Back-Up Stuff

Page 22: CIS14: Identity at Scale: Building from the Ground Up

There is a lot of valuable context information in billing systems and CRMs that can replace IT security groups

(Diagram: CRM / Billing $$ vs. application identity silos) Name, Brand Information, Market Segment, Billing Status, Licensing & Certification, Role, Contact information, Account Status, Devices, Consent, Location, Organization, Identifiers, Interactions, Agreements, Product subscriptions, Authorized Acct Relationships

Page 23: CIS14: Identity at Scale: Building from the Ground Up

Graph databases offer another way to depict the same core problem

Is it a storage and scale problem... or the method we use to represent information?

(Diagram: [hierarchy] VS [graph])

Page 24: CIS14: Identity at Scale: Building from the Ground Up

Requirements and Processes

Business: Vision; Goals and drivers; Legal and Regulatory; Use-cases; Product Definition

User: Simple to use; Fast; Self-service; Self-controlled; Online trust; Customer support; Parental controls; Privacy control; Personalization

Solution: Massive scale; Millions of users; Mobile Optimized; Cloud-based; Ensure data privacy; Secure; Support social IDs; Integrated; Federated

Processes: Account creation/registration; Product Management; Provisioning; Context-driven access; Account Management; User lifecycle Mgt; Configuration Mgt; Business/Decision Support; Customer care

Page 25: CIS14: Identity at Scale: Building from the Ground Up

Model for Scale

Namespace: business objects that provide specific function and context; can be scaled independently according to need

(Diagram components) SaaS; CRM; 3rd Party; Billing; Administration Tools; Self-Service Tools; Identity Information Service; Provisioning; Self Service Administration; Product Mgt Tool; Data Tools; Synchronization; Service Access / Policy Information Point; Audit; Authoritative Sources (People, Products, NameMgt, Devices, Servers); SaaS Satellite Information (Profiles, RoleDef., eMail, SF.com, NameMgt, Config.Mgt.); <new>@service.com; Single User View; AddrBooks; Policies; Registration/Account Creation; Prefs; MDM; Business Context