Pragmatic Futures for IAM: Meeting Business Needs at the Nexus of Forces

Gartner Identity & Access Management Summit 2013

11 – 12 March | London, UK | gartner.com/eu/iam

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. For more information, email [email protected] or visit gartner.com.

TABLE OF CONTENTS

Key Take-Aways

The Audience

Keynote Sessions

Top 10 Most-Attended Sessions

Sponsors

Post Event Resources

SAVE THE DATE

The Gartner Identity & Access Management Summit 2014 will take place on 16 – 17 March in London, UK.

We hope to see you again!

TRIP REPORT

The annual Gartner Identity & Access Management Summit was held on 11 – 12 March 2013, at the Park Plaza Westminster Bridge. This report summarizes and provides highlights from the event.

Overview

In 2013 the Summit brought together over 400 attendees to learn from and network with a range of end users giving case studies, key solution providers on the showfloor and in sessions, and with the Gartner analyst community. Led by the Summit Chair, Ant Allan, the Summit took in over 40 presentations, roundtables and workshops, furnishing attendees with the latest thinking on their strategy, tactical approaches, and key needs for 2013-14.

The Nexus of Forces — mobile, cloud, information and social — brings new challenges and new opportunities for IAM. CISOs and IAM leaders have to extend their vision to include the Nexus. This is not just a strategic goal but a tactical imperative: The impact of the Nexus of Forces is clear now and underlies the trends Gartner has seen in client engagements across multiple IAM activities and markets of the past year.

Meanwhile, CISOs and IAM leaders must keep sight of the needs of day-to-day operations and the demands of governance, risk management and compliance. Furthermore, the obligation remains to deliver meaningful, business-focused results. To efficiently deal with all these seemingly diverse commitments and to effectively orchestrate the necessary technology, tools and techniques — and to do so with lasting success — CISOs and IAM leaders must establish and sustain an enduring IAM program with sound governance processes.

Park Plaza Westminster Bridge, London, UK

Ant Allan speaking at the Gartner Identity & Access Management Summit 2013

Key Take-Aways

Best Practices for IAM Program Management and Governance

• Create a well-crafted vision and articulate it in light of strategic business needs. Continuously re-evaluate this.

• Establish an IAM program based around the activity cycle and the “pillars of IAM.”

• Establish sound formal governance processes and functions for IAM

• This should be incorporated within information security governance frameworks, but may require discrete entities at some levels.

Bring Your Own 4G: How Secure Are the Mobile and Wireless Networks You Use for Business?

• Ensure secure setup of wireless networks.

• Maintain VPN or application-level security for sensitive applications, through 2015.

• Correlate wireless security with the mobile policy.

• Use a standard wireless provider and 4G, where possible.

Dealing With Advanced Threats and Targeted Attacks

• Adjust the vulnerability assessment schedule to remediation cycles

• Initiate security hardening initiatives and evaluate application development process changes to security testing to earlier phases of the development life cycle

• Extend your SIEM deployment for early breach detection

• Balance spending among mitigation, shielding and monitoring based on practical limitations of mitigation for specific IT components

Enabling Mobility Securely by Protecting Mobile Applications on Smartphones and Tablets

• Fix as many of the barriers as possible. Fixing even one makes a substantial difference to your success.

• Give up on the idea of trusting the platform. Secure your apps as soon as possible.

• Recognize there is not a single solution that works for everyone, and multiple approaches can coexist.

• Don’t wait for standards — act tactically, rather than strategically.

Get the Plumbing Right: Directories for Internal and Cloud Services

• Think tactically and strategically

• Maintain a service catalog

• Anticipate and plan for new requirements:

– Mobile devices

– Cloud XaaS

– Mergers/Acquisitions

• Minimize and consolidate (but not too much)

• Maintain an abstraction layer

• Embrace the politics of control and autonomy

IAM at the Nexus of Cloud, Mobile and Social

• Partner with business leaders to include security/IAM assessments as part of the planning process when procuring cloud-based business application services.

• Understand your costs for providing internal IAM functions, and your ability to obtain and retain staff as a prelude to comparative shopping for cloud-delivered IAM.

• Plan for mobile user use cases that will include employee- or consumer-owned devices and direct access to SaaS.

Technical Insights: Making It Work: Identity and Mobility

• Implement adequate certificate enrollment processes for enterprise users:

– Don’t use device-based SCEP enrollment!

– You will need an MDM (or MDM-like) product

• Protect your MDM “push” credentials:

– Certificate/Private key for Apple Notification Service

– Google C2DM service password

– Risk of unauthorized access and denial of service

• Keep a close eye on NFC developments:

– There is so much potential for enterprise identity!

• Get your AD groups right:

– Device policy management, credentialing, and secure file access depend on it

THE AUDIENCE

The Summit attracted over 350 attendees, from 29 countries including 19 European nations represented. The core of the audience was naturally from the UK, with the next highest groupings coming from Germany, Austria and Switzerland followed by Benelux, Nordic, France and the Middle East. In terms of industries represented, the key sectors were government and public sector, financial services and manufacturing, with a range of other sectors then present. The best represented job titles continued to be Director/Manager of Information Security / Security and variations thereof, with a presence from Risk, Compliance, and Security Architects.

Fighting Threats With Layered Security and Improved Identity Proofing

• Establish an overarching identity proofing and fraud management framework for your organization that includes multiple layers.

• Deploy Layer 1 endpoint-centric and Layer 2 navigation-centric solutions to start with.

• Integrate mobile applications into your fraud management framework to ensure a cohesive strategy, and shared user and account profiles.

• Recognize that the threat landscape can quickly change, pointing to the need for a layered approach and comprehensive framework.

Good Authentication Choices for Smartphones and Tablets

• Set internal expectations early about what apps can be on a personal device, and which can’t

• Build a foundation for good IAM by matching the right baseline for device or app security

• Plan for UX being a barrier to meeting regulatory requirements on mobile devices — look to balancing in ease of use

Technical Insights: A Magic 8 Ball in the Sky: Federated, Distributed and Cloud Externalized Authorization

• Before selecting an authorization mechanism and architecture:

– What is the coarseness of the decisions?

– How expressive a policy language is needed?

– Is the application externalized authorization-aware?

– Where can subject attributes be found?

Ways to Achieve More With Less in Your IAM Program

• Prioritize your identity-related needs. What can realistically be accomplished through “traditional” methods with the budget that you have?

• Determine what might not be accomplished due to lack of budget (or other factors)?

• Put on your thinking cap, grab a list of what you have, and find a whiteboard!

Keynote Sessions

Gartner Keynote: The Socialization of Identity

Using social network identities can significantly help enterprises to attract and retain customers (a business priority for CIOs). Using “login with Facebook” (or other popular social networks) lowers friction, and thus improves the user experience (UX) for customer registration and subsequent login. Enterprises also benefit through a fall in the number of abandoned registrations and logins. Login with preferred social network identities makes it easier for customers to browse and buy — especially where the merchant is present on other social networks (such as Facebook and Pinterest).

The use of social network identities can lower customer administration costs — this can be a business enabler, making profitable services that wouldn’t be if they had significant overheads. Gartner sees a small but growing number of enterprises taking this approach, enabled by specialist vendors that prepackage support for a broad range of popular social networks and integrate other social network capabilities (such as gamification). Basic user attribute collection (for registration) and authentication with social identities are also being supported by Web access management products.

All enterprises offering consumer-facing services, as well as government agencies offering citizen portals, should assess the benefits of accepting social network identities for customer/citizen registration and login, and weigh these against the risks posed by the lack of identity proofing and weak authentication for social network identities. Potential cost savings may be offset by the cost of mitigating these risks, say via fraud detection and prevention mechanisms and step-up user authentication methods. (But such controls may well be needed anyway!)

This assessment should also consider alignment with other business use of social networks; while it can be independent of other initiatives, greater value can come from exploiting synergies.

Gartner Closing Keynote: Maverick: Kill Off Security Controls to Reduce Risk

Traditional security controls are increasingly ineffective and obstructive in a world where rapid technology change is driving business strategy. A radically new approach is required.

Impeding the ability of the majority of users to exploit technology in furthering business objectives, just in order to prevent the bad intentions of a small minority of individuals, makes no business sense. Employees that have no stake or input in security controls and policies are alienated, having no trust in security practices. By adopting a people-centric approach to security, enterprises can reduce overall risk while simultaneously reducing the number of preventative controls. Giving users more personal responsibility, while holding them directly accountable for their actions, requires that the security team offer a more supportive role.

People-centric security (PCS) represents a major departure from conventional security strategies, but it reflects the reality that current security approaches are increasingly difficult to manage in the rapidly evolving environment Gartner defines as the Nexus of Forces. While changing a security strategy carries its own risks, security leaders should consider adopting elements of PCS as an early starting point for longer term transformation of their security programs.

Ant Allan, Research VP

Tom Scholtz, VP Distinguished Analyst

Top 10 Most-Attended Sessions

• Best Practices for IAM Program Management and Governance
Ant Allan, Research VP

• Bring Your Own 4G: How Secure Are the Mobile and Wireless Networks You Use for Business?
Dionisio Zumerle, Principal Research Analyst

• Dealing With Advanced Threats and Targeted Attacks
Mark Nicolett, Managing VP

• Enabling Mobility Securely by Protecting Mobile Applications on Smartphones and Tablets
John Girard, VP Distinguished Analyst and Dionisio Zumerle, Principal Research Analyst

• Get the Plumbing Right: Directories for Internal and Cloud Services
Andrew Walls, Research VP

• IAM at the Nexus of Cloud, Mobile and Social
Gregg Kreizman, Research VP

• Technical Insights: Making It Work: Identity and Mobility
Trent Henry, Research VP

• Fighting Threats With Layered Security and Improved Identity Proofing
Avivah Litan, VP Distinguished Analyst

• Good Authentication Choices for Smartphones and Tablets
Eric Ahlm, Research Director and John Girard, VP Distinguished Analyst

• Technical Insights: A Magic 8 Ball in the Sky: Federated, Distributed and Cloud Externalized Authorization
Ian Glazer, Research VP

• Ways to Achieve More With Less in Your IAM Program
Ray Wagner, Managing VP

Sponsors

Premier

Platinum

Silver

Radiant Logic Launches First On-Premise Identity Bridge Based on Virtualization

Airbus Discusses the Value of Identity Virtualization at 2013 Gartner IAM Summit

The recent rise of cloud applications and mobile devices has posed serious challenges for Identity and Access Management practitioners, while the fragmentation of identity systems has frustrated efforts to meet those growing needs. At the 2013 Gartner IAM Summit, Radiant Logic demonstrated how it is uniquely positioned to meet these evolving demands with the release of RadiantOne 6.1, the industry’s first complete on-premises enterprise identity provider. The release bundles Radiant Logic’s Cloud Federation Service with its market-leading VDS, delivering a standards-based federated identity and access management solution.

The newest version of the RadiantOne Cloud Federation Service includes:

• Support for SAML 2.0, OpenID Connect, and OAuth 2.0

• Support for new trusted identity providers such as Facebook, Microsoft, and MyOpenId

• The ability to indicate the authentication level required to access certain applications

• Support for over forty new relying parties, making it simple to get single sign-on to almost any new cloud application

There is a host of new features in the new VDS as well:

• Support for SCIM, REST, and SPML protocols to enable robust bulk user provisioning operations to cloud applications

• Better support for cloud applications such as Salesforce, Office 365, and Google Apps for unified access and provisioning

Also at the Gartner IAM Summit, Frederic Fenoglietto, IAM Architect, highlighted how Airbus used RadiantOne to improve performance and service. He demonstrated how RadiantOne VDS enabled Airbus to rationalize and transform data, and eventually retire legacy directories.

Learn more about Radiant Logic, a 2012 Gartner Cool Vendor, at www.radiantlogic.com

Post Event Resources

Recommendations Summary

A recommendations summary containing all of the key recommendations from the Gartner analyst sessions is available for download from Agenda Builder. Please look for the “Recommendations Summary” file.

Learn More With Relevant Research

Want to learn more about the topics that interest you most? Turn to the end of each session presentation for a list of related Gartner research notes. Select Gartner research is available on demand at gartner.com.

CONNECT WITH GARTNER IAM

Connect with Gartner Business Process Management Summit on Twitter and LinkedIn.

#GartnerIAM

GartnerIAMXchange
