The document discusses new paradigms in digital identity, including authentication and authorization as a service (AuthaaS). It describes the different types of digital identities (physical, corporate, social), and proposes a model where mobile devices can be used for multi-factor authentication and authorization. The model provides different levels of authentication from basic to strong, and allows companies to apply access control strategies across traditional IT environments and IAM solutions through services like one-time passwords and digital locks.
Background
For many years, the way of moving an individual’s identity into the
digital world has involved the creation of a digital representation of
that individual. The manner in which this individual’s digital identity is
formulated depends on where it is to be used.
From the perspective of the public sector, the validation of
the relationship between this digital identity and the real
world identity (identification/identity proofing) is vital.
Typically, this identification process concludes with the generation of
a set of credentials which links the individual with their identity in the
digital world. This is the case for the processes that register an
individual within society by issuing a unique number or physical
token (e.g. national identifiers, social security numbers, digital certificate
passwords, etc.). This issuance, managed by public authorities,
constitutes a legally validated record,
and it can be affirmed that these
credentials correspond uniquely to a
single individual. In addition, during the
process of generating these credentials,
certain attributes, which define the
individual (such as name, surname,
date of birth, nationality, gender, etc)
will be validated. This set of identifiers,
along with the validated attributes, whilst
taking into account this 1:1 relationship
with the individual which they identify,
may be called Physical Identity.
In private companies the scenario is slightly different.
Companies have a need to validate the existence of an
individual and their attributes in order to create another
type of identity: Corporate Identity. To that end, it is
possible to delegate responsibility for the physical identification of
individuals to the issuers of those physical identities. This is
the case for a service provider who, in order to convert individuals
into users of their systems or services, creates their own credentials
(e.g. an online banking user, a company employee or a consumer of
services of a retail outlet). They require, to a greater or lesser degree,
the submission of the corresponding physical identities so as to
incorporate the attributes, which have already been validated, into the
new identity.
By creating these corporate digital identities, in addition to the
attributes already validated by third parties, it is possible to add
new attributes which can be validated by the service provider (e.g.
postal address, bank account or phone number) or, even, attributes
that it was not possible to validate but which have been provided by
the individual themself — now the user. This type of digital identity,
unlike physical identities, does not have a unique relationship with
the individual. That is to say, the same person may have multiple
identities with a single service provider (e.g. in the case of a provider
that identifies its users by their account number, a user may have
multiple accounts with the same provider). These digital identities
have traditionally been managed by IAM (Identity and Access
Management) systems.
With the advent of Social Media and the emergence
of Social Identities, there is no longer a need for
identification to link digital identities to a physical identity.
It is now possible for individuals to assign themselves an
identity on a Social Media site and, although they are asked to provide
attributes, there is no robust process of identification to validate the
authenticity of those attributes. The creation of an identity on a social
network such as Facebook is a case where, unlike the previously
mentioned, the information which an individual will be asked for
during the identification process is not directly validated. When a
new user joins Facebook, identification is established by requesting a
prior digital identity (i.e. an email account). It could be argued that this
identification is verified by an identification request made to the email
account provider. However, there is no certainty that this provider
actually validates the attributes of the individual.
(Figure: example of a physical identity with validated attributes.)
The Digital Identity Ecosystem
FIGURE 1
IDaaS solutions are key factors in the evolution of traditional IAM management models
Source: Telefonica
How to obtain the best balance between usability, security and verification when authenticating and identifying users?
(Figure 1 compares three identity types along the axes of usability, security and veracity: Physical Identity (physical check, digital certificate), Corporate Identity (user/password, 2FA via SMS token or e-mail) and Social Identity (social login), all feeding the IAM layer for B2B and B2C.)
Whilst the benefits of social identities mean better usability (fewer
passwords, login and registration steps, improved and easy support)
and improved intelligence (which makes it easier to use these OTT
solutions), there are disadvantages concerning privacy and identity
theft. This, in turn, is leading to hybrid models which link digital
identities generated by service providers with the identities that users
provide. This need, together with the emergence of federated identity
management, has given rise to complex scenarios in which identity
management is carried out in a fragmented and adaptable way. This
fragmentation means that whoever issues and validates the
credentials of a digital identity no longer has to be the
owner of the resource. This makes it possible to provide identity, as
well as its management, as a service (IDaaS).
New Models of Authentication/
Authorization as a Service: AuthaaS
Following this trend (IDaaS), in which companies or service providers
increasingly delegate certain aspects of identity management to a third
party, it is fundamental to focus on verifying that an individual is who
they claim to be and therefore authorize their access to a resource.
• User authentication must be able to validate that the credentials a
user provides have not been altered and thus enable verification that
the user who owns them is, in fact, a legitimate user of the system.
• User authorization must be able to establish how users can gain
access to certain resources, and who is authorized to do so at any
given time.
AuthaaS solutions should adapt how users authenticate, access
and interact with the business. Within this proposal the mobile
device is the key:
• Maximizes universality, allowing any user to interact anywhere
using any technology. The mobile device is the only physical device
that nowadays can be considered universal.
• Maximizes usability, allowing user interactions with no barriers
(anywhere, anytime).
• Identification, with solutions that give individuals, businesses and
governments the ability to trust and have confidence in the identities
of the people with whom they interact. Using a mobile device requires
a SIM card, whose distribution is highly regulated (by the telcos), and
as part of that process the identity of the holder is validated before
activation.
• Evolving security. The mobile device allows companies to build
adaptive authentication/authorization schemes on top of traditional
IAM models.
Your mobile, your identity
Source: Telefonica
FIGURE 3
Mobile devices – key factors in the search for convergence between physical identity and digital identity
(Figure 3 groups the device features into three sets: Network Connectivity (3G, 4G, Wifi: Internet, apps and data); ID-related Technologies (camera, GPS, screen, NFC, Bluetooth, biometric sensors); Security elements to protect user data (SIM (Subscriber Identity Module), Micro SD (Micro Secure Digital), eSE (Embedded Secure Element)).)
1. Mobile Device = Authentication Device
A huge number of credential types are being explored in order to preserve, unchanged, the link between an individual and their digital
identities. The various solutions that exist on the market today are based on something that the individual knows (e.g. passwords), something that the
individual possesses (e.g. physical tokens: smartcards, NFC tokens, etc.), something that the individual is (e.g. fingerprints, voice signature, iris signature, etc.),
or something that tells you how the individual behaves (e.g. behavioural analysis). In fact, in order to ensure the usability of authentication solutions, hybrid
systems are often devised involving several of these methods, and providing differing degrees of authentication.
Mobile devices as authenticators:
• They act as alternative channels for the verification of access to
services (enabled for OTP service implementation – via SMS, or
automatic notification via APP). They are a good method to protect
users against malicious acts, such as phishing or identity theft.
• They provide different degrees of authentication:
  • Simple Authentication: single factor = “something I have”
    • Click OK (SMS URL or SIM click OK)
  • Strong Authentication: two factors = “something I have and something I know”
    • PIN
  • Strong Authentication: two factors = “something I have and something I am”
    • Biometrics
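The levels above can be expressed as a check on factor categories rather than on the number of prompts the user answered. The example below is added here and is not code from the Telefónica document; the factor names, the risk thresholds in required_level() and the sample request are assumptions. It also shows the edge case the list implies but does not spell out: two "something I have" factors (an SMS click plus an app push) still only give simple authentication.

```python
"""Assurance levels for mobile-device authentication.

Added example, not code from the Telefonica document. It models the levels
listed above: the phone proves "something I have"; a PIN adds "something I
know"; a biometric adds "something I am". Factor names, the risk rules in
required_level() and the sample request are all assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Category(Enum):
    HAVE = "something I have"
    KNOW = "something I know"
    AM = "something I am"


class Level(Enum):
    NONE = 0
    SIMPLE = 1   # single factor: possession of the phone (Click OK on SMS URL / SIM applet)
    STRONG = 2   # possession plus a second, independent category (PIN or biometric)


# Assumed factor identifiers a phone can present, mapped to the category each proves.
FACTOR_CATEGORY = {
    "sms_click_ok": Category.HAVE,
    "sim_applet_click_ok": Category.HAVE,
    "app_push_ok": Category.HAVE,
    "pin": Category.KNOW,
    "fingerprint": Category.AM,
    "voice": Category.AM,
}


@dataclass(frozen=True)
class Factor:
    name: str
    verified: bool   # True only if the verifier (OTP/PIN check, sensor match) succeeded


def achieved_level(factors: Iterable[Factor]) -> Level:
    """Assurance level proved by a set of factors.

    Only distinct categories count: an SMS click plus an app push are both
    "something I have" and together still give SIMPLE, not STRONG. Without
    possession of the phone there is no assurance at all, since the phone is
    the channel every other factor here is collected over.
    """
    categories = set()
    for f in factors:
        if not f.verified:
            continue
        try:
            categories.add(FACTOR_CATEGORY[f.name])
        except KeyError:
            raise ValueError(f"unknown factor: {f.name}") from None
    if Category.HAVE not in categories:
        return Level.NONE
    return Level.STRONG if len(categories) >= 2 else Level.SIMPLE


def required_level(new_device: bool, amount: float, sensitive: bool) -> Level:
    """Risk-based policy choosing the level a request must reach (thresholds assumed)."""
    if new_device or sensitive or amount >= 500.0:
        return Level.STRONG
    return Level.SIMPLE


def authenticate(factors: Iterable[Factor], *, new_device: bool,
                 amount: float = 0.0, sensitive: bool = False) -> bool:
    """True when the factors presented reach the level the context demands."""
    return achieved_level(factors).value >= required_level(new_device, amount, sensitive).value


if __name__ == "__main__":
    # Constructed sample: a low-value request from a known phone passes with
    # a click; the same click is not enough for a transfer over the threshold.
    click = Factor("sms_click_ok", verified=True)
    pin = Factor("pin", verified=True)
    print(authenticate([click], new_device=False, amount=20.0))        # True
    print(authenticate([click], new_device=False, amount=900.0))       # False
    print(authenticate([click, pin], new_device=False, amount=900.0))  # True
```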
2. Mobile Devices as Authorization Devices
The most frequent use of the authentication mechanisms mentioned
above is usually related to the control of access to the resources of a
system. This enables authorization mechanisms to establish how users
can gain access to certain resources, and who is authorized to do so at
any given time.
In this regard, as is the case with authentication, mobile devices can
be used as elements of interaction with users which can apply global
strategies (Mandatory Access Control, MAC) or discretionary strategies
(Discretionary Access Control, DAC). As part of those strategies, different methods are defined,
for example RBAC or capabilities. In a complementary
manner, the use of mobile devices would enable the role of who
defines access policy to be widened, so that it is not only the owner of
the resource. This would enable the mobile user to set controls on the
use of resources when such a use is made using their credentials.
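The widening of who defines access policy can be made concrete as a decision point that consults two policies: the resource owner's RBAC rules and a latch the user sets from their phone, with access granted only when both allow it. The example below is added here and is not Telefónica's Latch implementation or API; the roles, feature names, clock handling and alert format are assumptions. It also records every request denied because the owner had the feature latched, since a credential being used while its owner has locked it is the signal a defender wants to alert on.

```python
"""Access decision combining the resource owner's RBAC policy with the user's
own latch, set from their phone.

Added example, not Telefonica's Latch implementation or API. It illustrates
the point above: the user, not only the resource owner, can restrict use of a
resource when that use is made with their credentials. Roles, features, the
clock handling and the alert format are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Resource owner's policy (RBAC): role -> permitted (resource, action) pairs. Assumed values.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "customer": {("account", "view_balance"), ("account", "transfer")},
    "support": {("account", "view_balance")},
}

ACCOUNT = "*"   # latch key meaning "the whole account"


@dataclass
class UserLatch:
    """Per-user lock state. An unlock may carry an expiry so the window during
    which the feature is usable stays short and the latch closes by itself."""
    locked: Set[str] = field(default_factory=set)
    open_until: Dict[str, float] = field(default_factory=dict)   # feature -> expiry time

    def lock(self, feature: str = ACCOUNT) -> None:
        self.locked.add(feature)
        self.open_until.pop(feature, None)

    def unlock(self, feature: str = ACCOUNT, now: float = 0.0,
               for_seconds: Optional[float] = None) -> None:
        self.locked.discard(feature)
        if for_seconds is not None:
            self.open_until[feature] = now + for_seconds

    def is_locked(self, feature: str, now: float) -> bool:
        # An account-wide latch overrides any per-feature state.
        for key in (ACCOUNT, feature):
            if key in self.locked:
                return True
            expiry = self.open_until.get(key)
            if expiry is not None and now >= expiry:
                self.locked.add(key)          # temporary unlock has expired: relock
                del self.open_until[key]
                return True
        return False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PolicyDecisionPoint:
    def __init__(self) -> None:
        self.latches: Dict[str, UserLatch] = {}
        # Denied-while-latched events: the credential was used while its owner
        # had the feature locked, which is worth alerting on as possible misuse.
        self.alerts: List[str] = []

    def latch_for(self, user: str) -> UserLatch:
        return self.latches.setdefault(user, UserLatch())

    def decide(self, user: str, role: str, resource: str, action: str,
               now: float = 0.0) -> Decision:
        # 1. Owner's policy: the role must permit the action at all.
        if (resource, action) not in ROLE_PERMISSIONS.get(role, set()):
            return Decision(False, "rbac: role not permitted")
        # 2. User's policy: the feature must not be latched by its owner.
        feature = f"{resource}:{action}"
        if self.latch_for(user).is_locked(feature, now):
            self.alerts.append(f"user={user} feature={feature} denied: latched at t={now}")
            return Decision(False, "latch: locked by user")
        return Decision(True, "allowed by rbac and latch")


if __name__ == "__main__":
    pdp = PolicyDecisionPoint()
    alice = pdp.latch_for("alice")
    alice.lock("account:transfer")                # Alice locks transfers from her phone
    print(pdp.decide("alice", "customer", "account", "transfer").allowed)               # False
    alice.unlock("account:transfer", now=100.0, for_seconds=60.0)   # open for one minute
    print(pdp.decide("alice", "customer", "account", "transfer", now=120.0).allowed)    # True
    print(pdp.decide("alice", "customer", "account", "transfer", now=200.0).allowed)    # False
    print(pdp.alerts)
```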
3. Mobile Devices as Signature Devices
Mobile devices incorporated as part of business processes can
be used to perform digital signature processes, either by using a
digital certificate stored on the device itself, through the use of a
PIN encrypted in the SIM card, or by using a handwritten signature
(biometrics).
It is clear that mobile devices used as identity tokens offer
companies or service providers the following benefits:
• A secure element for the authentication and identification of
users thanks to the use of the operator’s infrastructure: mobile
network + SIM as a secure container.
• A link between physical identity and digital identity. Phone
numbers enable us to establish this link between identities, by
enabling the identification of an individual in services, both public
and private, thanks to authentication and the sharing of attributes.
• Global reach. Mobile devices (Smartphones) have undoubtedly
become the most used and widely adopted form of technology
which keeps digital users connected.
• More frequent log-ins by removing passwords while improving
security; at the same time it improves customer insights by providing a
persistent, unique User ID across any device used by the same user.
• Creation of adaptive models. Mobile identity management as
part of IAM solutions enables authentication/adaptive authorization
systems to be configured based on context. This enables risk-
based policies to be defined and so improves the end user
experience (mobility, elimination of the password).
• Show innovation and leadership by supporting a “mobile first”
strategy.
An Integrated Vision
Based on the mobile device as the key to authentication and
authorization, Telefónica proposes a combined Authentication /
Authorization as a Service model that allows companies to:
a) Enjoy different levels of authentication (multifactor adaptive
authentication) depending on the context and the risks that the
company is ready to assume: from basic authentication to strong
authentication.
b) Apply an effective access control strategy (authorization)
across traditional IT environments and over current IAM
environments: OTP and digital latch.
c) In addition, under the same approach, integrate the solution
with business processes so that the Enterprise can turn the
corporate mobile device into a signing tool.
Telefónica has increased its Security offering with the generation of
brand new and innovative products focused on Identity and Privacy.
Our Identity and Access solutions adapt to the way users authenticate,
access and interact with businesses, based on a vision that maximizes
four key vectors:
• Identification; solutions that give the ability to individuals, businesses
and governments to have confidence in the identities of people with
whom they interact.
• Universality; allowing any user to interact anywhere using any
technology.
• Compliance; making security a companion for your business,
not a barrier.
• Usability; solutions that allow user interactions with no barriers
(mobility and avoiding the use of passwords).
Source: Telefonica
FIGURE 4
AuthaaS reduces complexity when authenticating and authorizing combined with Enterprise current IAM solutions.
(Figure 4 lays out the AuthaaS services Telefónica offers to the service provider in three columns. Authentication: Basic Authentication (Seamless; Click OK SMS URL; Click OK SMS Applet) and Strong Authentication (SIM + Certificate; SIM Applet + PIN; TEE + Biometrics). Authorization: OTP (SIM / SMS) and Digital Latch. Authenticity: Digital Signature (biometric signature: fingerprint, handwritten). Tagline: "Enable users to authenticate to your applications and to authorize access to resources via their phone".)
Secure digital identity is now in our hands
Mobile Connect – an operator service for secure authentication and
identification:
• Uses a mobile phone for authentication (i.e. no passwords).
• Easy to use, anonymous and many uses – including second factor
authentication.
• Develops a secure way of sharing attributes – putting the user in
control.
• Leverages existing operator assets – there is no user name and
password to make a phone call or send SMS.
• Offered as APIs for service providers to integrate into their digital
services.
A digital Switch
Latch - protect your business and provide your users with an extra
security layer
• Latch lets you implement a safety latch on your online services. By
minimizing the time during which services are accessible the risk of
theft or unauthorized usage is reduced.
• Reduces the risk of attacks directed at your online services by
letting users lock the service account or selected features
conveniently, when they don't want to use them.
• Independent of other authentication mechanisms, as it supports
most platforms and programming languages through APIs, SDKs
and plugins.
• Available for Android, Blackberry, iPhone, Firefox OS devices and
Windows Phone.
Sign your documents using your mobile phone
SealSign - digital and biometric signature to securely sign
electronic documents through your mobile phone
• Scalable, modular and full enterprise platform for electronic
document signatures compatible with digital certificates, biometric
systems, OTP systems and long-term archiving of signed
documents.
• Reduces costs associated with hardcopy management (printing,
digitalization, transfer, archiving).
• Improves productivity and efficiency of business processes.
• Accessible from business applications and mobile devices.
• Generates electronic documents with full legal validity.
• Possibility of service via cloud or on-premise platform to meet
enterprise needs.
For more information see Telefonica Security Services portfolio at
https://www.elevenpaths.com/es/index.html
From the Gartner Files
New Competitive Threats as the IDaaS Opportunity Evolves

As IDaaS adoption increases, PaaS providers will expand their mind share, altering the dynamics of the IAM market. As the opportunity evolves, product and go-to-market strategists at IDaaS and IAM providers should highlight their uniqueness and target skills gaps and IoT-related demand.

Impacts
• Increasing SaaS and public cloud adoption will favor the growth and influence of large PaaS and IaaS IDaaS players, pushing many small pure-play IDaaS providers to look for new opportunities.
• The evolution of enterprises’ IT infrastructure toward mobile and cloud-based ecosystem needs will push IDaaS and IAM providers into expanded feature sets and/or services, such as enterprise mobility management.
• The proliferation of connected, networked devices will bring major changes to the IAM space, and this will force IDaaS and broader IAM providers to align their approaches with new enterprise scenarios where access control activities will expand to external users, devices and systems.

Recommendations
For product and go-to-market strategists at existing stand-alone IDaaS providers:
• Exploit clients’ potential concerns about lock-in with platform vendors to fend off increasing competition from cloud providers such as Microsoft and Salesforce.
For product and go-to-market strategists at pure-play and PaaS IDaaS providers:
• Market your IDaaS solution’s ability to address skills shortages, the simplification of the existing IAM ecosystem, and rapid integration and implementation. When organizations decide to buy IDaaS over on-premises software, business drivers centered on time-to-value often trump cost.
For product and go-to-market strategists at IAM vendors and service providers:
• Expand new capabilities to account for more complex IAM use cases involving the management of relationships between objects, systems and users.

Strategic Planning Assumption
By 2019, 40% of IDaaS revenue will accrue to PaaS vendors, up from less than 5% in 2014.

Analysis
Introduction
Growth in the identity and access management as a service (IDaaS) market (see Note 1) outpaces that in the overall identity and access management (IAM) market, thanks in large part to increased adoption of SaaS and platform as a service (PaaS) computing models. Compared with even a few years ago, the IDaaS market is much more competitive, varied and diverse. Longstanding players, such as CA Technologies (CA), Okta, OneLogin and Ping, compete with new entrants, including broader platform vendors (such as Microsoft and Salesforce) and providers with an integrator background. This will put pressure on IDaaS pricing in the next few years, changing the competitive dynamics of both the cloud and on-premises IAM markets. Product and go-to-market strategists at traditional IAM providers and IDaaS providers must be aware of these changing dynamics and adjust their market approaches accordingly.

A Diverse, Changing and Attractive Market
The IDaaS market is still in its early stages, but will carry on growing rapidly. Gartner estimates that, over the next five years, the average annual growth rate in the IDaaS market will be 37%, compared with 8% for the overall IAM market. (Note that we do not include current calculations of the user authentication market in these estimates. Authentication as a service is a simple function to deliver compared with multifunction IDaaS.) Estimated total spend on multifunction IDaaS was almost $300 million in 2014, and we expect it to exceed $1 billion by year-end 2018.

The IDaaS solutions market is composed of many startups that often specialize in IAM. This is in contrast to the traditional on-premises IAM market, which is dominated by big providers such as IBM, Oracle, CA and Microsoft, which offer products that span the security and IT space. But growing interest in cloud-based IAM, and the sheer numbers of smaller players in the market, have resulted in a recent spate of mergers and acquisitions (M&As) and market consolidation [1], which has now peaked. Many IAM providers are less likely to acquire in this space as a result of prior acquisitions or internal development of their own IDaaS capabilities.

Looking ahead, the overall IAM market will be shaped by elements of what Gartner defines as digital business: social media, mobility, the cloud, data and the Internet of Things (IoT).
• Employees’ widespread use of new mobile platforms and devices, social media and — most importantly — cloud computing will characterize IAM activities in the future. Users’ growing need for mobile applications, for example, will create pressure to authenticate mobile users and support mobile applications.
• Multifactor and device authentication will be particularly important, especially with the proliferation of devices that the IoT is likely to create.
• Providers will have to create and deploy hybrid product features. This imperative will be driven by the need to authenticate access to SaaS applications by employees and external users (such as business partners or contractors), and the continuing need to meet more traditional IAM requirements.
Figure 1 highlights the main impacts
affecting the developing IDaaS market, and
corresponding recommendations for product
and go-to-market strategists.
Impacts and Recommendations
Increasing SaaS and public cloud
adoption will favor the growth and
influence of large PaaS and IaaS
IDaaS players, pushing many small
pure-play IDaaS providers to look
for new opportunities
Several factors are influencing the higher
uptake of IDaaS:
• Increasing use of SaaS applications in
companies, and the need to authenticate
users using these applications. This is
creating more demand for security controls
to cope with users’ changing requirements.
• The challenges posed by the complexity of
traditional on-premises IAM tools, and the
lack of suitably qualified staff to implement
solutions (especially in small or midsize
businesses [SMBs]).
• The increasing requirement for IAM in
consumer-facing applications.
Large vendors such as Microsoft, IBM and
Salesforce entered the market in 2014. These
more general providers are likely to have
a considerable influence, offering IDaaS as
part of a broader portfolio. We can expect
PaaS IDaaS vendors to capture 40% of the
overall IDaaS market by 2019. Cloud platform
players can become very competitive in this
growing market via two connected routes.
They can offer integrated “good enough”
IDaaS capabilities to both existing and
new PaaS and IaaS clients. Along with this,
they can offer discounted pricing or some
bundled cloud-based IAM capabilities at no
extra cost. Examples of this approach include
Amazon, which offers some limited cloud-
based IAM capabilities as part of its PaaS
product, or Microsoft’s free Azure AD option.
The expansion of general cloud providers
into this market is likely to push down prices,
putting further pressure on this evolving but
increasingly competitive space.
In small and midsize organizations, SaaS
models within IAM systems remain a popular
alternative. But we can expect uptake among
large organizations to increase as they try to
cope with the IAM demands originating from
new digital business requirements such as
mobility, cloud and IoT.
Source: Gartner (January 2015)
FIGURE 1
Impacts and Recommendations for Product and Go-to-Market Strategists
Recommendations:
For product and go-to-market strategists at
existing stand-alone IDaaS providers:
• Exploit clients’ potential concerns
about lock-in with platform vendors to
fend off increasing competition from
cloud providers such as Microsoft and
Salesforce.
For product and go-to-market strategists at
broad IAM providers:
• Consider new pricing models to align
with new technology consumption
demands originating from cloud-based
IAM. On-premises providers introducing
subscription models will be able to cope
better with the pressure brought by IDaaS.
The evolution of enterprises’ IT infrastructure
toward mobile and cloud-based ecosystem
needs will push IDaaS and IAM providers into
expanded feature sets and/or services, such
as EMM
The new requirements of mobile computing
and the cloud will also change the dynamics
of the IAM market. The need to provision and
authenticate users’ access to applications
from traditional Windows endpoints to
multiplatform mobile devices will have to
fulfill users’ requirements for adaptable and
flexible functionality that can be delivered
rapidly. Providers will position IDaaS to deliver
this functionality with better time to value for
organizations that do not have the expertise
to deliver on-premises solutions.
We don’t expect market share positioning
in the overall IAM market to change
dramatically in the short term. But traditional
on-premises providers that do not also have
an IDaaS offering will come under increasing
pressure from enterprises’ growing demands
for cloud-based IAM. This will produce its
own competitive pressure, particularly as
PaaS and IDaaS providers increase their
market presence.
Recommendations:
For product and go-to-market strategists at
pure-play and PaaS IDaaS providers:
• Market your IDaaS solution’s ability to
address skills shortages, the simplification
of the existing IAM ecosystem, and
rapid integration and implementation.
This is particularly true in those cases
where IDaaS is used to address and
replace ineffective deployments. When
organizations decide to buy IDaaS over
on-premises software, business drivers
centered on time to value often trump cost.
• Bear in mind that business drivers
often determine how cloud-based IAM
capabilities are deployed. These drivers
include time to value, movement to
operating expenditure (opex) over capital
expenditure (capex), and reducing duplicate
IAM infrastructures rather than cost.
The proliferation of connected,
networked devices will bring major
changes to the IAM space, and this
will force IDaaS and broader IAM
providers to align their approaches
with new enterprise scenarios
where access control activities will
expand to external users, devices
and systems.
New IoT-based challenges to IAM will arise
because of the following key factors.
• A huge number of new devices will be
deployed, with identities that have to be
managed.
• There will be a wide variety of device
types, some smarter than others. Most
IoT devices are expected to use different
protocols, so proxies will be needed to
manage them. IAM tools will have to find a
way to interface with these proxies.
• People and things will have multiple
relationships, with each other and with
various services. IAM will become more
about managing relationships among
people, services and things.
The added complexity caused by these
factors will bring a set of new problems
to organizations. Being able to apply an
effective access control strategy across
traditional IT environments and IoT
infrastructures will become crucial, to avoid
potential security breaches. Product and
go-to-market strategists at IDaaS providers
will have to determine which competencies
and strengths they can use to meet these
new requirements, and how well-positioned
they are to compete in this evolving scenario.
Based on this assessment, they can consider
and develop a new IAM strategy to align
with new enterprise scenarios. This is
especially pertinent because there will be a
push to expand the focus of the approach to
a more complex set of relationships involving
users, systems and devices. Potentially, in the
long term, the entire competitive landscape
may change, with new players, such as
traditional asset management vendors,
becoming competitors.
Ownership of devices may not reside within
the organization that interconnects with them,
and IoT devices may not be operating within
the enterprise’s boundaries. This is likely to be
the biggest challenge to face. And it should
make a cloud-based IAM approach more
suitable to catering to the needs of an IoT
environment, because of its greater flexibility
and potential for faster implementation.
Recommendations:
For product and go-to-market strategists at IAM vendors and service providers:
• Expand new capabilities to account for more complex IAM use cases involving the management of relationships between objects, systems and users.
For product and go-to-market strategists at pure-play IDaaS providers:
• Expand your capabilities for internal IAM and privileged account management (PAM) delivered via hybrid solutions or entirely from the cloud. This will require you to invest in development or acquire small identity governance and administration (IGA) or PAM providers.
For product and go-to-market strategists at pure-play and PaaS IDaaS players:
• Consider the short-term opportunities created by the demand for external identity management requirements to allow access by contractors, vendors and other external users, especially around PAM.

Note 1
IDaaS
Identity and access management as a service (IDaaS) is a subset of IAM. Vendors in the IDaaS market deliver a service that is predominantly cloud-based, in a multitenant or dedicated and hosted delivery model. This service brokers core identity governance and administration, access and intelligence functions to target systems on customers’ premises and in the cloud.

Evidence
[1] Examples of such activity include IBM’s purchase of Lighthouse Security Group, Intermedia’s purchase of SaaSID, and EMC/RSA’s purchase of Symplified’s intellectual property.

Source: Gartner Research, G00260800, Ruggero Contu, Gregg Kreizman, 30 January 2015
About Telefonica Business Solutions
Telefonica Business Solutions, a leading provider of a wide range of
integrated communication solutions for the B2B market, manages
globally the Enterprise (Large Enterprise and SME), MNC (Multinational
Corporations), Wholesale (fixed and mobile carriers, ISPs and content
providers) and Roaming businesses within the Telefonica Group. Business Solutions develops an integrated,
innovative and competitive portfolio for the B2B segment including digital solutions (m2m, Cloud, Security, e-Health
or Digital Marketing) and telecommunication services (international voice, IP, bandwidth capacity, satellite services,
mobility, integrated fixed, mobile, IT services and global solutions). Telefonica Business Solutions is a multicultural
organization, working in over 40 countries and with service reach in over 170 countries.
https://twitter.com/TelefonicaB2B