#RSAC SESSION ID: IDY-T09R
The Changing Face/Fate of Identity
Ian Glazer, Senior Director, Identity, Salesforce (@iglazer)

And then, we woke up…
Partner / Employee / Consumer

The Changing Face of Identity

Employee-Centric Identity
Right Access = Right People, Right Place, Right Time
• Critical piece of Security
• Necessary partner for Privacy
• Employee Identity = Cost Center

From Cost Center to Profit Center
• Consumer Identity = Profit Center
• New Stakeholders: Digital Transformation, Sales & Marketing, Community Dev.

Customer-Centric Identity
Right Experience (XP) = Right People, Right Place, Right Time
Three pieces of the experience: Sign-Up, Sign-In, Onward Journey

Sign-Up: Reduce Friction, Increase Customer Acquisition
Try signing up for your own services
• How friction-free was the process?
B2C
• Social sign-up
• Progressive Profiling and Proofing
B2B
• How do you verify a supply chain partner?
• How can that be improved?
Sign-In: Strong Test of User Experience
Avoid YAUP: Yet Another Username & Password
Standards de-risk deployments
• SAML and, increasingly, OpenID Connect
• Be ready for “standards-like” protocols

Brand consistency is an issue of trust
Consistency across
• Form-factor
• Lifecycle event
• Synchronous and asynchronous
Multiple brand scenarios increase complexity
• Product line
• Line of business
• Brand segregation

Hub: System of record for the customer
Pattern #1 - IDP as a destination
• My Profile
• My Consent
• My Preferences
• Redirects are okay
Pattern #2 - IDP as a directory service
• Consult the IDP to verify identities exist
• No redirects to the hub
• No content in the hub
• Identity-based integration services only

Solving for Customer Engagement
3 Major Components of Customer Identity: Sign-Up + Sign-In + Onward Journey
Optimizing for Customer Engagement
2 Primary Variables of Customer Identity, multiplied against those three components
But what about the Onward Journey?

The Onward Journey: The Goal of Digital Transformation
Why we “do” identity: enrich the relationship
• Identity provides context
• Rally the business around a single picture of the customer
• Trigger business processes as the relationship matures
Identity provides the context needed for every interaction:
• In-person
• Business Process
• Web
• Mobile
• API
• Connected Product

Connect All the Things
You must recognize your customers with every interaction: Web, Connected Products, Mobile, APIs
Two standards in play: JSON Web Token, OAuth Token Exchange
Two tokens in play:
• Subject Token: represents the identity of the party on behalf of whom the request is being made
• Actor Token: represents the identity of the party that is authorized to act on behalf of the subject
Four logical actors: Customer & Device Registry, App / Interface, Device Backend Services, Connected Device
1. Authentication: User authenticates using the app
2. Registration: Token exchange + device metadata
3. Business Process: Asset management and integration (Asset Tracking)
   ID         Name        Serial Number
   02iD00GMg  Thermostat  897349283
4. Token Issuance: JWT minted, returned to the app, and provided to the device
5. Device sends data to the backend, secured with the token
6. Backend identifies the customer and takes action
What about APIs? Along with the Access Token, use the ID Token.
Customer Identity: Identity for IoT

The Changing Fate of Identity
Where is Identity in the org? Consider the stakeholders: IT Operations, HR, Compliance, Digital, Sales & Marketing, Community
Merge with Security? Infuse into the Org? Both?
Security has ISACA, Privacy has IAPP, Identity has ?
The identity industry lacks a professional organization
ID Pro: ~400 practitioners stepped forward in the first 3 months
• Networking & Information Sharing
• Body of Knowledge
• Code of Practice
• Certification
Get Involved! Birds of a Feather, Thursday 7am!

One Fate We Must Prevent
No one wants to build a system that can be used to harm others
No one wants to build a system that can be used to harm oneself
If your identity repository is of value to you, then your identity repository is of value to an attacker

Meet Our Attackers: Bulk, Single Row
Bulk Attackers
SELECT * FROM EMPLOYEES_t
Wants:
• All the data
Possible Goals:
• Identify everyone in a region who shares a medical condition, ethnic heritage, or employer
• Set up a spear phishing attack later
• Set up an oppression campaign
Single Row Attackers
SELECT * from CUSTOMERS_t WHERE email = ‘[email protected]’
Want:
• Data specific to a single subject
Possible Goals:
• Take control of a celebrity's mobile phone
• Dox an adversary
• Make an ex-spouse's life hell
But there is a third kind of attacker: the person who has your job next
Successor Attacker
SELECT * from IANS_ILL_FATED_COLLECTION_OF_PII_t
Want:
• To do their job as they see fit
Possible Goals:
• Promotion
• Continued employment
• Receive a payment
Successor Attacker ≃ Compromised User
These attackers can weaponize identity systems

Weaponization
Identity systems are neutral; their applications are not
ID Pros have to step up
Goals for Identity System De-Weaponization
1. Defend against all attacker types
2. Strike a balance between protection and utility
3. Achieve greater transparency
4. Promote data provenance

Maturity Model for De-Weaponization (DwMM)
0: Baseline
1: Managed
2: Defend Against Successors / Ourselves
3: Defend Against Bulk Attacks
4: Defend Against Single Row Attacker
5: Transparent
Disciplines for DwMM: Access Control, Data Management, Identity Governance, Data Protection, Audit

Level 1: Managed
Access:
• 2FA for Admins
• No Developer access to production data
• No Program-lead access to production data
Data Protection:
• No insecure data transfers
• No insecure data staging
• Data encrypted in transit
Audit:
• Audit all admin system changes
• Audit user access to systems

Level 2: Defend Against Ourselves
Identity Governance:
• Segregation of admin duties
• No “Read All” for admins
• No “Modify All” for admins
Access Control:
• Explicit delegation for System-to-System access
Data Protection:
• Selective encryption and hashing

Level 3: Defend Against Bulk Attacks
Access Control:
• 2-Person Rule for data extracts
Data Management:
• Query governors to prevent “large” extracts
Audit:
• Audit all CRUD operations

Level 4: Defend Against Single Row Attacker
Access Control:
• No self-referential multi-factor access to data about the data subject
• Don’t ask KBA questions whose answers live in the dataset
Data Management:
• Behavioral query governors
• Apply machine learning to query behaviors

Level 5: Transparent
Data Management:
• Data provenance bound into data
• Relationship Context Metadata
• Data without provenance must be assumed to be fraudulent
Audit:
• Make “public” who is querying the data
• “Public” will depend on the industry, geography, and legal regimes
• Flip the Panopticon

Do no harm: prevent the fate no one wants
• Deweaponize: Protect identity systems
• Professionalize: Embrace our changing fate
• Synthesize: Connect all the things
• Digitalize: Embrace Customer Identity
• Normalize: Reinforce Employee Identity

Your Fate is in Your Hands: What to do Next
• Become part of the CISO org, but split the team and have half work with CIAM
• Connect all the things: explore the Actor Token pattern for IoT; use ID Tokens to bridge API surfaces
• Get involved with ID Pro: kantarainitiative.org/digital_identity_progressional, [email protected]
• Achieve Level 1 on the De-Weaponization Maturity Model in 6 months; aim for Level 2 in 12 months
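As an added example of the Actor Token pattern recommended above (not code from the deck or from Salesforce): a stdlib-only Python sketch of the registration and token-issuance steps, using the RFC 8693 token exchange parameters, in which the registry verifies the customer's subject token and the device's actor token and mints an HS256 JWT whose sub is the customer and whose act claim names the device. The signing key, issuer and audience strings are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-hmac-key"   # constructed; a real registry uses a managed signing key
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict, key: bytes = KEY) -> str:
    """HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str, key: bytes = KEY) -> dict:
    """Reject a bad signature or an expired token before trusting any claim."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims

def exchange_request(subject_token: str, actor_token: str) -> dict:
    """Step 2 (Registration): the app's token exchange request, RFC 8693 parameter names."""
    return {"grant_type": TOKEN_EXCHANGE, "subject_token": subject_token, "subject_token_type": JWT_TYPE,
            "actor_token": actor_token, "actor_token_type": JWT_TYPE, "audience": "device-backend"}

def issue_device_token(req: dict) -> str:
    """Step 4 (Token Issuance): registry checks both tokens; sub = customer, act.sub = device."""
    if req.get("grant_type") != TOKEN_EXCHANGE:
        raise ValueError("unsupported grant")
    customer = verify_jwt(req["subject_token"])
    device = verify_jwt(req["actor_token"])
    return mint_jwt({"iss": "registry", "aud": req["audience"], "sub": customer["sub"],
                     "act": {"sub": device["sub"]}, "exp": int(time.time()) + 3600})

def backend_identify(token: str) -> tuple:
    """Step 6: backend checks the audience, then recovers (customer, device) from sub and act."""
    c = verify_jwt(token)
    if c.get("aud") != "device-backend":
        raise ValueError("wrong audience")
    return c["sub"], c["act"]["sub"]
```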
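An added example (not part of the deck) of the Level 3 and Level 4 query governors from the maturity model, run over a constructed audit log: a per-extract row cap blocks the bulk attacker's SELECT *, and a sliding-window cap on distinct subjects looked up by one user per table blocks single-row enumeration while letting ordinary support lookups through. Thresholds, user names and log entries are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

@dataclass
class Query:
    ts: int                 # epoch seconds
    user: str
    table: str
    rows: int               # rows the query returns (constructed here; a real governor takes it from the planner)
    subject: Optional[str]  # lookup key of a single-row query, None for a bulk query

class QueryGovernor:
    """Level 3: cap rows per extract. Level 4: cap distinct subjects per user and table in a window."""
    def __init__(self, max_rows=1000, window=3600, max_subjects=50):
        self.max_rows, self.window, self.max_subjects = max_rows, window, max_subjects
        self.history = defaultdict(deque)   # (user, table) -> deque of (ts, subject)

    def check(self, q: Query) -> str:
        if q.rows > self.max_rows:
            return "block:bulk"             # large extracts go through the 2-Person Rule instead
        if q.subject is None:
            return "allow"
        hist = self.history[(q.user, q.table)]
        while hist and hist[0][0] < q.ts - self.window:
            hist.popleft()                  # forget lookups older than the window
        if len({s for _, s in hist} | {q.subject}) > self.max_subjects:
            return "block:behavioral"       # one user touching too many different people
        hist.append((q.ts, q.subject))
        return "allow"

def run_sample() -> dict:
    """Constructed audit log: one bulk extract, one normal agent, one agent enumerating customers."""
    gov = QueryGovernor(max_rows=1000, window=3600, max_subjects=5)
    log = [Query(0, "admin", "EMPLOYEES_t", 250000, None)]
    log += [Query(60 * i, "agent1", "CUSTOMERS_t", 1, f"cust{i}") for i in range(3)]
    log += [Query(60 * i, "agent2", "CUSTOMERS_t", 1, f"cust{i}") for i in range(8)]
    log += [Query(5000, "agent2", "CUSTOMERS_t", 1, "cust99")]   # window has drained by now
    verdicts = defaultdict(list)
    for q in log:
        verdicts[q.user].append(gov.check(q))
    return dict(verdicts)
```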