Professional Documents
Culture Documents
Issue 1
2 Foreward
3 A New Era for Identity and Access Management
5 Identity Management Solutions for Employees
5 Identity Management Solutions for Customers and Partners
6 What to Look for in an Identity and Access Management Solution
7 Success Stories
9 From the Gartner Files
Predicts: Mobile, Social and Federation Drive Identity and Access Management
17 About Ping Identity and Glossary
Foreward
Evaluating identity and Change is inevitable, so the best you can do is to
security solutions can think about how you see your business evolving in
be a daunting task. How the future. Future-proofing your enterprise against
do you know that what the evolving world of technology requires careful
you need now will still consideration.
be applicable in two
years? One year? As new To help you with these decisions, we gathered
technology emerges, research by Gartner that outlines the identity
you have more options trends theyre watching. Together we created
than ever. a buyers guide to help you ask yourself some
questions to evaluate your own identity needs.
Weve been in identity Wed be happy to help you identity your security
for 11 years and have seen major changes in requirements when youre ready.
thinking around identity, access management,
security and integration. Weve witnessed the Bill Dedrick
shift from users having a handful of credentials President
for applications managed and controlled in-house, Ping Identity
to an explosion of cloud-based applications
controlled beyond the reach of the IT team.
Challenge 1 - You must focus on the top line Challenge 4 You have many old systems in
without adding to the bottom line. your data center.
More than ever, your company is focused on top Your IT team understands that modifying
line revenue. As budgets for new systems shrink, an existing on-premises IAM system to
you are challenged with aligning your goals with accommodate todays agile environment is
the business initiatives that are focused on growth. expensive and time-consuming starting over
As more of your business moves online, enabling with a new system is not an option.
revenue-generating initiatives that attract and
4
Challenge 5 Multiple logins to your web and Federated SSO to SaaS applications for
mobile apps affect your customers (and the employees is now the No. 1 requirement
bottom line). identified by Gartner clients wanting
If youre like most enterprises, youve added SSO. Clients want to leverage internal
many services and applications that customers authentication infrastructures to give their
and partners need to access. If your customers users SSO to SaaS applications. There
and partners are required to maintain yet another has also been a smaller, but significant,
account, or log in for each service, chances are its increase in client needs to support consumer
impacting your user satisfaction. authentication using social media identities.
This is another use case for federated SSO
Fortunately, identity and access management or reduced sign-on (users must overtly
solutions have become more sophisticated to authenticate, but they can reuse an existing ID
help you confront these challenges. Identity has and password).
become the new security perimeter.
Excerpt from Gartner Research G00230389, Predicts 2013: Mobile,
Social and Federation Drive Identity and Access Management, Ray
With the increased pressure on businesses to Wagner, Gregg Kreizman, Ant Allan, Earl Perkins, November 30, 2012.
improve the customer experience online, secure
SSO to SaaS applications is a top priority for Source: Ping Identity
enterprises. According to Gartner:
5
Success Stories
We invite you to explore our customer use cases.
Challenge: After providing secure SSO to its Challenge: As Land OLakes adopted more
clients for years through an on-premises solution, and more SaaS applications, employees began
Truist wanted to transition to a cloud-based SSO complaining about the rising number of login
solution to improve redundancy, availability passwords. Help desk costs rose and adoptions
and security for its clients and gain operational dropped. The companys IT team set out to
benefits for its IT department. increase user happiness (and acceptance of new
applications) by adding seamless access. They
Solution: PingOne also needed a solution that could establish SSO
connections quickly.
Results:
Solution: PingFederate
Doubled clients using Ping Identity
Results:
Supports 4,000 logins every day
Reduced time and resource requirements to 6500 users empowered with secure SSO to the
applications needed to do their jobs
onboard clients
Dramatic cuts in Help Desk password reset calls
PingOne not only lets us offer secure, highly and routine IT administration
available SSO to our clients, it also lets us
onboard a new client in about 5 minutes. My Increased user adoption of their licensed SaaS
job just got easier. Katie Boswell, Director of applications
IT Infrastructure, Truist
Mobile workforce was enabled with real-time
Read the Truist story. access to Sales ordering system
Solution: PingFederate
Results:
Using techniques based on consumer Web By year-end 2015, 50% of new retail customer
fraud detection for enterprise authentication identities will be based on social network
can provide a higher level of assurance without identities, up from less than 5% today.
requiring users to use a traditional (and
expensive) higher-assurance authentication By year-end 2016, over 30% of enterprises will use
method. contextual authentication for workforce remote
access, up from less than 2% today.
The ubiquity and diversity of mobile devices,
form factors, and OSs is creating problems Through 2014, 85% of enterprises allowing
for identity and access management (IAM) employees to use their own mobile devices to
planners seeking consistent and secure access enterprise and SaaS applications will not
approaches for authenticating both employees achieve SSO.
and customers.
Federated SSO will be the predominant new SSO
Federated SSO to software as a service (SaaS) technology needed by 80% of enterprises through
applications for employees is now the No. 1 2016.
requirement identified by enterprises wanting
SSO. ANALYSIS
Gartners security analysts have developed a set
Recommendations of key identity and access management (IAM)
Determine if the combination of power-on predictions for 2013 and beyond. Chief information
password and X.509 device authentication is security officers (CISOs), network managers
reasonable and appropriate across all enterprise and other enterprise decision makers should
mobile remote access use cases. consider these forward-looking Strategic Planning
Assumptions when allocating resources and
Retail customer services enterprises should selecting products and services.
weigh the benefits of accepting social identities
for customer registration and login against the What You Need to Know
risks posed by their lack of identity proofing Every year, Gartner analysts offer their predictions
and weak authentication. on what they see as the key issues facing the
10
market spaces they cover. Gartners security token authentication methods (OTP apps
analysts have once again developed a set of for smartphones or out of band [OOB]
Strategic Planning Assumptions for IAM the authentication) in the first case; X.509 smart
security discipline concerned with enabling the tokens in the latter dont migrate well for
right individuals to access the right enterprise many reasons:
resources for the right reasons. Poor user experience (UX) in most cases
(and users UX expectations are higher on
IAM continues to mature as a strategic discipline
mobile devices)
and as a set of technologies. However, the
maturation process has been complex, difficult and Depreciated assurance in the case of
expensive for many enterprises. Major changes phone-as-a-token methods
to the IAM markets and environment during the
next few years will come mainly from adoption Difficulty in, and cost of, technical
of cloud services and mobile devices, as well as integration of X.509 smart tokens
the increasing use of social identity by enterprise
participants. IAM decision makers should consider Pragmatism is driving enterprises to implement
Gartners predictions for 2013 and beyond when methods that may not be classically strong,
making strategic investment and implementation but which are technically feasible, lower cost
decisions. and provide better UX. Most MDM tools can
provision and validate X.509 credentials to the
Strategic Planning Assumptions devices, and since there are multiple reasons
to use MDM tools anyway, exploiting them
Strategic Planning Assumption: Through 2015, to provide device authentication is a facile
50% of enterprises allowing BYOD for external decision (in both senses of the word). In the
employee access will use only power-on passwords absence of widely available and proven mobile
with X.509 device credentials for authentication. apt authentication methods, this approach will
likely dominate for the next two to three years.
Analysis by: Ant Allan, Gregg Kreizman
Market Implications:
Key Findings:
The combination of power-on password
The rise of mobile computing creates multiple
and X.509 device authentication doesnt
challenges for enterprises, especially where
provide the 2FA that is seen as the norm
BYOD policies are in effect, which obliges the
for remote access and that is demanded by
enterprise to support a wide range of hardware
many regulations (such as PCI Data Security
and mobile OSs. Apple iOS, Google Android and
Standard [DSS]) and auditors: (1) the X.509
RIM BlackBerry are dominating, and Microsoft
credentials are associated with the device, not
Windows 8 is in the offing, and various mobile
the user (although concatenation is possible by
OS versions (some vendors are still shipping
explicitly associating the user with the device);
hardware with Android 2) exist. One particular
(2) the power-on password and X.509 device
challenge lies in user authentication, to the
authentication are evaluated at different times
device itself weak, short numeric passwords
(leaving the enterprise open to an opportunistic
are the default and to networks and
attack where someone gains possession of an
downstream applications. Stronger power-on
employees device after power-on login). Thus,
passwords can be enforced by mobile device
enterprises may be exposed to greater risk than
management (MDM) tools, which Gartner
they are from PC-based remote access with
recommends should be used to manage all
conventional 2FA in place.
mobile devices, including BYODs, connecting
to enterprise networks. One way of mitigating this risk may be to use
network segmentation, enforced by MDM
Enterprises face multiple challenges when
or network access control tools, to restrict
trying to implement higher-assurance
access to sensitive, critical and high-value
authentication methods. Those that are
assets from mobile endpoints. However, such
commonly used for workforce remote and
restrictions may not always be acceptable for
local access typically one-time password
operational or business reasons. Nevertheless,
(OTP) hardware tokens or phones-as-a-
11
This deferment will also allow time for For increasingly many Internet users, social
the market to establish workable patterns, networks are the Internet. Using login with
if not best practices, for integrating user Facebook (or other popular social networks)
authentication and SSO technologies with lowers friction, and thus improves the UX for
mobile applications, especially resident mobile customer registration and subsequent login:
apps (RMAs), in contrast to mobile Web apps
(although adoption of HTML5 might, by then, For registration, required personal
allow troublesome RMAs to be avoided). information can be imported from the
users social profiles, reducing if not
Recommendations: eliminating form filling
Enterprises must determine if the combination For login, using the social network identity
of power-on password and X.509 device means that users dont have to remember
authentication is reasonable and appropriate yet another rarely used password and dont
across its mobile remote access use cases. have to go through convoluted password
For higher-risk use cases, enterprises must reset processes if they forget them.
determine if it is feasible and acceptable to end
users to block access from mobile devices or if Enterprises also benefit through a fall in the
implementing other controls (such as granular number of abandoned registrations (because
activity monitoring) will sufficiently mitigate new customers balk at form filling) and logins
the risks; otherwise they must bite the bullet (because returning customers have forgotten
and demand the use of more traditional their passwords). Login with preferred social
higher-assurance authentication methods. This network identities makes it easier for customers
could be what theyre already using for PC- to browse and buy especially where
based remote access or something different. merchant is present on other social networks
Bold enterprises might implement emerging, (such as Facebook and Pinterest). Thus, using
candidate mobile-apt authentication methods social network identities significantly helps
in the short term, but which of these are truly enterprises to attract and retain customers.
viable will likely not be clear for two to three
years. The use of social network identities can
lower customer administration costs this
Related Research: can be a business enabler, making profitable
services that wouldnt be if they had significant
Supporting Mobile Device Authentication and overheads. Gartner sees a small but growing
Single Sign-On to the Enterprise and Cloud number of enterprises taking this approach,
enabled by specialist vendors (such as Gigya
Market Trends: The Impact of Mobile Computing and Janrain) that prepackage support for a
on User Authentication broad range of popular social networks and
integrate other social network capabilities (such
Good Authentication Choices: Evaluating Phone- as gamification). Basic user attribute collection
as-a-Token Authentication Methods (for registration) and authentication with social
identities are also being supported by Web
access management products.
12
Customers without a social network identity 2012 Strategic Road Map for Business Gets
may feel marginalized and disenfranchised, Social
and may switch to less heavily socialized
merchants. Enterprises must ensure that
nonsocial customers are well looked after. Strategic Planning Assumption: By year-end
Enterprises will also need to find a way of 2016, over 30% of enterprises will use contextual
managing social and nonsocial identities; authentication for workforce remote access, up
some of the specialist vendors already from less than 2% today.
provide this capability. A niche, but important,
requirement comes from potential customers Analysis by: Ant Allan
(such as dissidents and refugees) who need to
compartmentalize their identities.
13
Authentication Process for determining and validating user identity for both on-premise and cloud solutions.
Authorization Process for determining what the user can do. Authorization can be based only on user identity
but in most cases requires additional attributes (such as role or title) about the user.
Cloud identity management system On-premises or cloud-based hardware or software that administers user
identities and access to on-premises or cloud-based information and computing resources. Capabilities might
include identity synchronization, provisioning, de-provisioning and the ongoing management of user attributes,
credentials and entitlements.
Cloud identity Established identity from sites such as Facebook, Google, LinkedIn, Salesforce.com or Twitter
that can be used for website registration and login purposes.
Distributed computing environment Environment in which user accounts, identity management services or
applications are dispersed across on-premises and cloud-based environments.
Federated identity a standardized way for companies to share user and machine identities among disparate
authentication and authorization systems and across corporate boundaries.
Identity management management of individual identities, authentication, authorization, roles and privileges
within or across system and enterprise boundaries.
Identity management as a Service (IDaaS) Software-as-a-service (SaaS) offering that provides identity
management capabilities (e.g., access, provisioning) for a variety of user cases (e.g., employees, partners,
customers) and types of applications (e.g., on-premises, cloud).
Open standards Non-proprietary formats or specifications approved by a recognized standards organization or
accepted as the de facto guidelines by the industry. Key identity and access management standards to look for
include:
LDAP lightweight directory access protocol SAML security assertion markup language
OAuth open authentication SCIM Simple Cloud Identity Management /
REST representational state transfer System for Cross-domain Identity Management
2013 Ping Identity Corporation. All rights reserved. Ping Identity, PingFederate, PingOne, PingEnable, the Ping Identity logo, and Cloud Identity Summit are registered trademarks,
trademarks or servicemarks of Ping Identity Corporation. All other product and service names mentioned are the trademarks of their respective companies.
Executive Buyers Guide to Identity Security Solutions is published by Ping Identity. Editorial content supplied by Ping Identity is independent of Gartner analysis. All Gartner
research is used with Gartners permission, and was originally published as part of Gartners syndicated research service available to all entitled Gartner clients. 2013 Gartner,
Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartners endorsement of Ping Identitys products and/or strategies.
Reproduction or distribution of this publication in any form without Gartners prior written permission is forbidden. The information contained herein has been obtained from
sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to
change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not
be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research.
Gartners Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence
from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity
on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.