Presenter: Loren Russon, VP Product Management at Ping Identity.
As your organisation evolves on its cloud transformation journey, your identity and access management (IAM) system must allow you to navigate multiple cloud environments, managing access to mobile, API and traditional applications. Modern identity services like multi-factor authentication (MFA) and identity intelligence help deliver secure and seamless access for any user, environment and use case. Learn how to transform your IAM system to a modern, API and cloud-first hybrid solution, enabling developers, administrators and users with the self-service applications and tools they need to keep pace with the accelerating demand for mobile and cloud-based applications.
2. Digital transformation is about …
page 2
Fueling Agility
…new digital experiences.
Timeline figure (1985 to 2013): rent from a store; watch from home; entertainment delivered to your doorstep; personalized film recommendations; on-demand streaming; content creation designed to match user preferences.
“6 star experience in a 5 star world.”
3. page 3
Digital Transformation
“Technology is the fuel…
Timeline figure (2012 to 2018): ORION, real-time delivery optimization; EDGE, real-time packaging optimization; Network Planning Tools, real-time full network optimization.
…that funds this transformation of our business.”
David Abney, UPS CEO
20 new technologies in 2018 alone!
4. Business agility is…
page 4
Fueling Agility
AUTOMOTIVE HOTELS MUSIC SOFTWARE
Car Ownership
Personal Mobility
Real Estate Ownership
Trusted Place to Sleep
Content Ownership
Content Accessibility
Software Ownership
Software Use
…transforming every vertical.
5. Drivers of change: changing regulatory environment; emergence of new business and delivery models; evolving economic/trade landscape; smart and autonomous technologies; more powerful and tech-savvy customers; blurred lines between the physical and digital world; blurred lines between industries; increasing threat of cyber risk; uncertain impact on workforce; potential geopolitical instability.
Are you ready for cloud?
Only 20% cite being "prepared" for the evolution of their companies toward a digital cloud strategy.
6. IAM can help businesses…
page 6
Fueling Agility
…move more quickly & easily.
Modernize IT: infrastructure for availability, speed and resilience.
Improve UX: through self-service tools and interfaces for users, admins and developers.
Reduce Risk: to ensure high quality of service, standardization and compliance.
8. Reasons to Modernize
page 8
MODERNIZE IT
1. Support a diverse range of new, modern apps (new mobile app, new partner app, new SaaS).
2. Scarce IAM resources with pressure to contain costs.
3. Increasing demand for IAM scale and reliability: workforce and customers, 99.999% availability, HA required.
4. Support multiple deployment models: on prem, hybrid, private and public cloud.
9. Moving to the Cloud
page 9
Modernize IT
Timeline figure: IAM deployment 5-10 years ago, today, and in 5-10 years.
10. Moving to the Cloud Isn’t Easy
page 10
MODERNIZE IT
PUBLIC/PRIVATE CLOUD: IT manages their cloud deployments.
On-Premises: IT manages their on-prem infrastructure.
In both cases:
§ Individually creating and configuring cloud resources
§ Complex orchestration of services, instances, and dependencies
§ Repeatedly deploying for different users and use cases
§ Constantly managing, monitoring, and tuning for performance at scale
11. Cloud Automation Landscape
page 11
MODERNIZE IT
IaaS Provider: AWS, Azure, Google
Containerization: Docker, Rocket, AMI, ...
Orchestration: Kubernetes, OpenShift, Swarm, CloudFormation
O/S: Linux (RHEL, SUSE), Windows
Storage: relational, file system, graph, directory
Networking: load balancing, routing, DNS, VPN
Logging: distributed, unified
Configuration: Puppet, Chef, Ansible, OpsWorks, ...
Monitoring: performance, exception, uptime; Stackdriver, CloudWatch, ...
12. Deployment Spectrum | IAM Industry
page 12
Fueling Agility
A more complex form of customization allows administrators to build a solution from a limited number of pre-determined options or configurations.
IDaaS: mass adoption; limited options; consume service.
IAM Software: many options; limited adoption; tailored services.
Spectrum, from most to least vendor-managed:
Identity Application (SaaS offering): multi-tenant offering.
Identity Platform (PaaS offering): hosted/MSP, single-tenant offering via partners.
Identity-Managed (IaaS offering): single-tenant, multi-environment offering.
Identity-Delivered (data center offering): IT manages their on-prem infrastructure.
13. Value of Deployment Model
page 13
Fueling Agility
IaaS
SaaS
PaaS
Consume
• Configure for common use cases
• Deploy for Global availability
• Develop for rapid consumption
Pre-Configure
• Configure for custom use case
• Deploy for Vertical industry requirements
• Deploy for Regional/Geographical availability
• Develop for automating complex configurations
Tailor
• Configure for specific use case
• Deploy for single customer requirements
• Develop for simplifying and reducing costs
14. Choose the Best Fit Model
page 14
MODERNIZE IT
• Choose the optimal IAM deployment model:
• IDaaS: multi-tenant
• IaaS: single-tenant, cloud-automated software
• MSP: managed services in the cloud through partners
• On premises: software
• Balance customization, control and management resources
• Leverage a common platform, training and management tools
Pictured: IDaaS (multi-tenant offering); private cloud (IT manages their cloud deployments); on-premises (IT manages their on-prem infrastructure); managed service (single-tenant offering via partners).
15. Challenges with Cloud Only
page 15
Modernize IT
Diagram: a cloud-only identity service reaching back into the data center through agents, each of which needs an inbound port opened and N connections maintained:
§ Password sync agent
§ Agent for third-party products (OAM/SM/RSA/IBM IWA)
§ LDAP agent (ports 389/636 must be open)
§ AD agent
§ RSA MFA agent
§ SCIM agent, plus a SCIM server that is not supplied by the vendor
§ RADIUS VPN agent
§ On-prem apps xN on port 443; SSO for on-prem apps is only supported on Windows and IIS
Requires 10 installs and 20 servers to maintain for failover, as pictured. Common enterprise customers would have to install 78 servers to support their standard environments.
16. The Bigger Picture
page 16
MODERNIZE IT
Pictured: IDaaS, Microsoft, Amazon, Google, private cloud, on-premise enterprise.
A modern IAM platform spans your entire hybrid IT and multi-cloud infrastructures.
17. Secure Enterprise Bridges
page 17
Modernize IT
§ Authentication Bridge for on-premises SSO and policies (SSO to on-premises apps)
§ Data Bridge for bi-directional sync of user profile data (sync with on-premises directories and RDBMS)
§ Authorization Bridge for controlling access to API and web-based on-premises applications (access security for on-prem apps and APIs)
18. Bridge to Azure AD
page 18
MODERNIZE IT
Diagram: Azure AD with App Proxy on one side; on premises or private cloud on the other. A remote user reaches the application through the Azure Application Proxy Connector; an on-prem user authenticates with OIDC. The Authorization Bridge handles URI access and session management and passes the user's identity to the applications as headers, covering more than 20 protected apps.
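The Authorization Bridge on slides 17 and 18 sits between the identity provider and on-premises apps that consume identity as request headers. What follows is an added example, not Ping's code and not the presentation's, of the two checks such a bridge has to make before it forwards anything: verify the OIDC-style token (signature with a pinned algorithm, issuer, audience, expiry), then discard any identity headers the client itself sent before setting the bridge's own. An app that trusts X-Remote-User would otherwise accept a spoofed value from any caller able to reach it. Everything concrete here is an assumption for illustration: the HS256 shared secret stands in for a provider's published signing keys, and the issuer, audience, header names and claims are made up.

```python
"""Authorization-bridge sketch (added example): verify an OIDC-style JWT, then
forward the verified identity to an on-premises app as request headers,
dropping any identity headers the client supplied itself."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed values for the example. A real provider signs with RS256/ES256 keys
# published at its JWKS endpoint; HS256 with a shared secret is used here only
# so the block runs offline.
ISSUER = "https://idp.example.com"
AUDIENCE = "onprem-hr-portal"
SECRET = b"example-shared-secret-not-for-production"

# Header names the upstream app trusts (assumed). Any of these arriving from
# the client are stripped before the bridge sets its own values.
IDENTITY_HEADERS = ("x-remote-user", "x-remote-groups", "x-remote-email")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Issuer side: produce an HS256 JWT. Present only so the example can run."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims if alg, signature, iss, aud and exp all check out."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not choose it (blocks alg=none and
    # key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if "sub" not in claims:
        raise ValueError("no subject")
    return claims


def build_upstream_headers(client_headers: dict, token: str, now: Optional[float] = None) -> dict:
    """Headers the bridge sends to the on-prem app for one request."""
    claims = verify_token(token, now)
    # Remove every client-supplied identity header, matched case-insensitively,
    # so "X-Remote-User: admin" from the caller never reaches the app.
    forwarded = {k: v for k, v in client_headers.items() if k.lower() not in IDENTITY_HEADERS}
    forwarded["X-Remote-User"] = claims["sub"]
    forwarded["X-Remote-Groups"] = ",".join(claims.get("groups", []))
    forwarded["X-Remote-Email"] = claims.get("email", "")
    return forwarded


if __name__ == "__main__":
    tok = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                      "groups": ["hr"], "exp": time.time() + 300})
    print(build_upstream_headers({"X-Remote-User": "admin", "Accept": "text/html"}, tok))
```

The header-stripping step only helps if the app is reachable exclusively through the bridge; pair it with network rules that let the app accept connections from the bridge alone, otherwise a caller can still bypass the bridge and set the headers directly.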
19. LARGE INSURANCE COMPANY
page 19
MODERNIZE IT
§ Faster time-to-market for mobile and
smart watch applications
§ IAM solution for hybrid IT supported
migration of resources to the cloud
§ Adapt faster to threats with risk-based
authentication with ThreatMetrix
§ Implement OIDC and OAuth standards
to integrate new apps faster
26. USER SELF-SERVICES | CONSENT
Feature Overview
• Extension of the self-service profile
• User sees a list of consents in order to decide whether to revoke or exercise other rights
• Includes description, purpose, context, third parties
• Revoke a consent
• Initiate other rights covered under GDPR (review, rectification, data removal)
• Single Page Application (SPA) for simple deployment
Build trust and retain customers by giving transparency and control over data privacy.
28. IT Pressured to do More
page 28
IMPROVE UX
Pictured: CISO (1), IAM Team (4), IT Ops (15), Dev Leads (300); SSO Apps (1000), AuthN Policies (80), Ping Runtimes (12).
Less downtime with less budget: more apps, lower SLA, simpler visibility, faster troubleshooting.
29. IT Enables Business to Do More
page 29
IMPROVE UX
Pictured: the same organisation, CISO (1), IAM Team (4), IT Ops (15), Dev Leads (300); SSO Apps (1000), Ping Runtimes (12), and AuthN Policies reduced to 10.
More apps, lower SLA, simpler visibility, faster troubleshooting; standardize policies, meet compliance.
30. Enable the Right Roles
page 30
IMPROVE UX
Streamlined workflows to accomplish tasks appropriate to each IT-related role:
IAM Admins: edit AuthN policies, apps, environments.
Developers: edit specific apps.
IT Ops: edit environments; monitor apps, policies.
31. Template Driven Application Control
page 31
IMPROVE UX
Configure in product: authentication policy tree (internal users), SAML connection defaults, OIDC policy, access token manager (high security), OAuth scopes and attributes.
Save as template: "Internal Users SAML Template", "High Security OIDC Template".
Add applications based on a template: Time Tracking App, HR Portal, Finance Reporting, Engineering Services, ...
Deploy applications to environments: Dev, STG, PROD (admin approval?).
33. Benefit of Enabling the Business
page 33
IMPROVE UX
Business Need | IAM Admin Task | Application Owner Task
Standardize policy | Create standard templates for authentication policy | Use standard templates to build my app policies
Simplify IAM handshake | Enable internal clients with user access in portal | Self-service ability to manage only the apps I am responsible for
Delegate with limited risk | Approve deployment to production environments | Modify, test, and promote apps between environment tiers
Decrease new app deployment time | Visibility of app policies across their life cycle to help app owners | Manage my apps across their life cycle without an IAM bottleneck
36. 6016 Ping Identity Corporation. All rights reserved.
API SECURITY TODAY
Access control and WAF: tokens, authentication/authorization, attack signatures.
Rate limiting: client throttling, quotas.
Network privacy: SSL/TLS.
THE MISSING PIECES
Data, application and system attacks: APTs, data exfiltration, deletion, etc.
API DoS/DDoS and targeted attacks.
Compromised API service access.
Login/OAuth/authentication attacks: credential stuffing, fuzzing, stolen cookies and tokens.
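Slide 36 lists rate limiting among the controls already in place and credential stuffing among the missing pieces. The following is an added example, not from the presentation, of why per-client throttling alone leaves that gap: a stuffing run spreads one attempt per account across many sources, so no single source ever trips the throttle. The detector keeps a sliding window and two views of it, the per-source count a throttle sees and a window-wide count of distinct failing accounts across all sources. The log format, thresholds, addresses and usernames are all constructed for the example.

```python
"""Added example: credential-stuffing detection that per-client rate limiting
misses. Keeps a sliding window of login events and raises two kinds of alert:
per-source rate-limit hits, and a window-wide stuffing signal (many distinct
accounts, mostly failures, spread across many sources)."""
from collections import deque
from dataclasses import dataclass

WINDOW = 60                 # seconds of history considered
PER_SOURCE_LIMIT = 10       # attempts one source may make per window before throttling
STUFFING_MIN_FAILS = 8      # failed logins across all sources in the window
STUFFING_MIN_ACCOUNTS = 6   # distinct accounts among those failures
STUFFING_FAIL_RATIO = 0.8   # share of attempts in the window that failed

# Constructed sample log, not real traffic. Format: <ts> <src ip> <user> <OK|FAIL>.
# Phase 1: one source hammers one account (brute force; the throttle catches it).
# Phase 2: ten sources each try a different account once; one attempt succeeds.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 198.51.100.7 alice FAIL" for i in range(12)]
    + [f"{2000 + i} 203.0.113.{i + 1} user{i} FAIL" for i in range(8)]
    + ["2008 203.0.113.9 user8 OK", "2009 203.0.113.10 user9 FAIL"]
)


@dataclass
class Event:
    ts: int
    src: str
    user: str
    ok: bool


def parse_line(line: str) -> Event:
    ts, src, user, outcome = line.split()
    return Event(int(ts), src, user, outcome == "OK")


class LoginDetector:
    def __init__(self):
        self.window = deque()

    def observe(self, ev: Event):
        """Add one event and return the alerts it triggers."""
        self.window.append(ev)
        while self.window[0].ts <= ev.ts - WINDOW:
            self.window.popleft()
        alerts = []
        # View 1: what a per-client throttle sees.
        from_src = sum(1 for e in self.window if e.src == ev.src)
        if from_src > PER_SOURCE_LIMIT:
            alerts.append(("rate_limit", ev.src))
        # View 2: the whole window regardless of source. Stuffing trades volume
        # per source for breadth across accounts, so measure breadth.
        fails = [e for e in self.window if not e.ok]
        accounts = {e.user for e in fails}
        if (len(fails) >= STUFFING_MIN_FAILS
                and len(accounts) >= STUFFING_MIN_ACCOUNTS
                and len(fails) / len(self.window) >= STUFFING_FAIL_RATIO):
            alerts.append(("credential_stuffing", ev.ts))
        return alerts


def analyze(log_text: str) -> dict:
    """Run the detector over a log and group alerts by kind."""
    det = LoginDetector()
    out = {"rate_limit": [], "credential_stuffing": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        for kind, detail in det.observe(parse_line(line)):
            out[kind].append(detail)
    return out


if __name__ == "__main__":
    # Phase 1 yields two rate_limit alerts and no stuffing alert (one account);
    # phase 2 yields no rate_limit alert but a stuffing alert from ts 2007 on.
    print(analyze(SAMPLE_LOG))
```

In phase 2 the successful login at 2008 is the one that matters operationally: once the window-wide signal fires, the response is to step up authentication (the MFA the deck promotes) for accounts touched in that window rather than to block sources, since the sources are cheap and disposable.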
37. CLOUD-FIRST AND MOBILE-ONLY TAKES FLIGHT WITH PING
CHALLENGE
§ Mandate to move all apps to the cloud, including SaaS and the Azure cloud environment, but existing access security would not suffice
§ Difficulty securing APIs for mobile apps using a unified access security solution
SOLUTION
§ Modern access security solution for cloud apps and APIs
§ Proxy server and agents deployed
§ Support for open standards
BENEFIT
§ Centralized policy-based control of all apps and APIs
§ Ability to accelerate the move to the cloud, securely
38. Manage IAM Your Way!
page 38
Fuel Agility
Factors: amount of use-case customization; desired control over security posture; availability of internal IAM resources.
Choose cloud, on prem, hybrid IT, or MSP:
• Multiple cloud and on-premises deployment options
• Balance the range of IAM capabilities for diverse enterprise needs
• Leverage common platform services and management tools
Manage IAM how and where you want.
39. Built For Hybrid IT: public cloud, managed service, on-prem, private cloud; LDAP.
Unmatched Extensibility: AuthN adapters; server integration kit; SaaS connectors; password validators; MFA connectors; cloud ID connectors; MDM integrations; HSM integrations; datastore integrations; token processors; token generators; client SDKs.
Broadest Standards Support: SCIM, OAuth, OIDC, WS-Fed, SAML, WS-Trust, Directory API.
API-First: MFA for consumers; MFA for employees and partners; access security for APIs; threat detection with AI/ML; enforcement of user consent; API-based consumer identity services; administrative capabilities.
41. page 41
Disclaimer
Unpublished Work of Ping Identity, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Ping Identity, Inc. Access to this work is
restricted to Ping Identity employees who have a need to know to perform tasks within the scope of their assignments. No part of this work
may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without
the prior written consent of Ping Identity, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to
criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Ping Identity, Inc.
makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied
warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described
for Ping Identity products remains at the sole discretion of Ping Identity. Further, Ping Identity, Inc. reserves the right to revise this document
and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Ping Identity
marks referenced in this presentation are trademarks or registered trademarks of Ping Identity, Inc. in the United States and other countries.
All third-party trademarks are the property of their respective owners.