Stop Treating Your Customers Like Your Employees
Ian Glazer, Senior Director, [email protected] @iglazer
“Please continue to hold. Your call is very important to us and it
will be answered in the order it was received.”
“Your usage of this service constitutes
consent to our Terms of Service.
If you have any questions please
consult our Acceptable Use Policy.”
Identity World View: Identity is at the core of every interaction
• Connected Customers
• Connected Employees
• Connected Partners
• Connected Products
Business World View: Customer is at the core of every interaction
• Delighted Customers
• Connected Employees
• Connected Partners
• Connected Products
Cross-Channel
Don’t have an account?
Forgot your password?
Mobile Web API
IAM Techniques
Employee-Centric IAM
• Traditional
• Organization is owner & authority
• Lots of User Provisioning
• Web Access Management plus some federation
Customer-Centric IAM
• Modern
• Individual is owner; no single authority
• Profile Management
• Federation and social sign-on
Technologies: Employee-Centric vs. Customer-Centric
System of Record
• Employee-centric: HR(s)
• Customer-centric: Internal: CRM and LOB databases. External: Social Providers, Banks, Universities, Governments, etc.
Attribute Management and Propagation
• Employee-centric: User Provisioning; Directory Synchronization; Pushing Attributes
• Customer-centric: Profile Management; Lookup at time of use and JIT; Pulling attributes
Islands of Identity
• Employee-centric: Most legacy systems; Reducing to Active Directory
• Customer-centric: Legacy systems but federation-ready apps increasing
Single Sign-On
• Employee-centric: Proprietary WAM for legacy; Federation for newer apps & SaaS
• Customer-centric: Standards-based federation; Some proprietary social providers
Mobile Device Management
• Employee-centric: Common
• Customer-centric: Uncommon, if not forbidden
Consent
• Employee-centric: Implied in employer/employee relationship
• Customer-centric: Must be gathered and adhered to consistently
HR used to provide the privacy coverage identity needs
Internal-facing identity systems are rarely subject to Privacy Impact Assessments
Customer identity requires:
• Data retention and protection
• Persistence and respect of privacy preferences
• Attribute release consent management
Previously ignored privacy challenges
Broker social login to content portals and other 3rd party properties
Ability to add and protect attributes passed to other platforms
Ability to pass entitlements
OpenID Connect unlocks many doors
• But there’s plenty of proprietary too
Security Token Services
• SAML
• OAuth 2.0
• OpenID Connect
• Proprietary
Federation | Social Provider Connectivity | Protocol Brokering
Federation
• Automated – via a social provider or directory service
• Manual – Self-service sign-up
• Consistent branding control throughout
Self-service control over:
• Social providers can be used
• Apps can access data
• Attributes can be used
• Marketing preferences
• Manual - Mechanisms to ask the user for a little more data
• Automated – data verification and record enhancement
Registration Services | Profile Management | Profile Enhancement
User Profile Management
Techniques to raise identity assurance
2nd Factors:
• Can work but user experience suffers
• Adaptive access control must play a role here
• Ideally this is recognition’s territory
Plugins for different proofing providers
• Often based on geography
Two modes:
• Asynchronous for offline proofing
• Synchronous for user quizzes
• But mind the user experience
Integration with internal proofing sources
Assurance and Proofing
Identity Assurance | Identity Proofing
Service providers have to be better neighbors
Follow Finance model of FS-ISAC
Teams to help people get their accounts back
Part of expected customer service
Attribute release consent from the social provider isn’t sufficient
Service Provider should provide generic consent management layer
Shared Signals | Account Take-Over Response | Consent Management
IAM-like Components: Not core traditional IAM services
Meaningful integration designed to create 360° view of the customer
• Sales
• Service
• Marketing
• eCommerce
• Content Management
Conversion rates
Segmentation
Usage via Channel
Behavior analysis to fuel marketing, service, sales, and recognition
Encryption and Tokenization
“Who accessed what data and what were the values at that time?”
• Think DAM for customer data
Integration | Analytics | Information Protection
Non-IAM Components: Peer services
IAM Techniques
Employee-Centric IAM
• Traditional
• Organization is owner & authority
• Lots of User Provisioning
• Web Access Management plus some federation
Customer-Centric IAM
• Modern
• Individual is owner; no single authority
• Profile Management
• Federation and social sign-on