2. 12 years of expertise in IAM
35+ projects: Strong Authentication, Identity Management, Access Governance, Information Protection.
Proud member of a versatile team of 25+ expert consultants ready for innovation.
To keep in touch:
https://twitter.com/IdentityMonk
https://ca.linkedin.com/in/jflombardo
Chaining identity blocks to boost your UX and KYC strategies
3. “Engineering is not the art of building devices; it’s the art of fixing problems.”
- Yonatan Zunger
“I checked it very thoroughly,” said the computer, “and that quite definitely is the answer. I think the problem, to be quite honest with you, is that you've never actually known what the question is.”
― Douglas Adams, H2G2
6. Things can act as any of them
Employee, Partner, Customer
Ambassador of my Brand
Favored for using my Brand
Strategic to my Brand
Strategic to its Brand
Join for the love of my Brand
Influence for the love of my Brand
7. Goals of Customer-IAM
Goal areas: Better User Experience, Efficiency, Cost, Governance, Privacy
• One set of credentials
• Single Sign-on first
• Backup/step-up mechanisms if necessary
• Reduce support calls for access requests
• Reduce support calls for credentials loss/forgetting
• One place to know who accesses what
• Easy to onboard new services and new users
• Better insights for better improvements
• Cross-device consistent
• Consent to use data
• Protection of data
• Control and traceability of usage of data
8. Goals of Employee-IAM
Goal areas: Better User Experience, Efficiency, Cost, Governance, Privacy
• One set of credentials
• Single Sign-on first
• Backup/step-up mechanisms if necessary
• Reduce support calls for access requests
• Reduce support calls for credentials loss/forgetting
• One place to know who accesses what
• Easy to onboard new services and new users
• Better insights for better improvements
• Cross-device consistent
• Consent to use data
• Protection of data
• Control and traceability of usage of data
14. More than one set of credentials
SSO is difficult
SSO is not possible
More than one place to know who accesses what
Application on-boarding is specific and costly
Integration costs are repeated
Can we stay like that?
15. Identity chaining
No difference between applications and services
Only one recipe for integration
Use standards and APIs
One Access Manager acts as Access Broker
Only one place to know who accesses what
One role model to control access to applications and permissions
Each population has one set of credentials
Specific integration is on the last mile
Use standards according to context
16. Can we do even better?
Partners are employees of their own company…
Customers are more than individuals and are employees of their own company…
18. Identity Chaining (Meshed)
My individual customers through Social Login
My strategic customer through delegation
My strategic partner through delegation
Partners of my strategic partner integration
Bi-directional relationship
19. 3 pillars of success
Pillar 1: Built on top of APIs & standards: OIDC, OAuth 2.0, SAML 2.0, SCIM (+PAM ext.)
Pillar 2: Oriented towards operating costs and risks reduction
Pillar 3: Contractualized:
• To seal a trust relationship and SLAs
• To make each partner accountable
• To match assurance level (e.g. NIST 800-63-3)
• To comply with regulations (GDPR)
21. UX gains from Identity Chaining
Enable a Bring Your Own Identity strategy…
Users are created/updated based on user data at the authoritative link
Consent is mandatory for any data brought into or sent out of our broker
Progressive profiling can easily be enforced based on the services & applications accessed
22. UX gains from Identity Chaining
Each party can contribute to… or transform… with dynamic data transformation… or map the information
23. UX gains from Identity Chaining
Step-up can still be enforced as close as possible to our services & applications
For efficient step-up methods and policies use SP800-63-3 (AAL, FAL)
… with “Bring Your Own Token”
Authentication is carried out as close as possible to the user
24. KYC gains from Identity Chaining
A good starter for Identity Relationship Management…
… and complex Cross-Tenancy scenarios
Easy to enable Account Linking
A central repository for all possible customer types
25. KYC gains from Identity Chaining
A cornerstone to the Customer lake: CRM, License Lifecycle, Billing, BI / Marketing, Order management
Who is entitled to what? Who uses what? Who accesses through what?
27. Privacy gains from Identity Chaining
Central PII and consent management (UMA)
Traceability on acquisition and usage
Consent is mandatory for any data brought into or sent out of our broker
Receipt in case of control/audit
Central protection of PII and consent within the customer lake
API oriented for CRUD operations upon consent and scope
Prevent PII storage at services / applications
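As an added example (not part of the original deck), a minimal access broker in Python that ties together the points of slides 15, 21, 23 and 27: per-source claim mapping, release of attributes gated by both user consent and the application's requested scopes, AAL-based step-up enforced at the broker, and a receipt kept for audit. The source names, scopes, claim names and the `app` dict shape are constructed assumptions.

```python
"""Identity-chaining access broker (constructed example): one upstream identity, one app."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed per-source mapping of upstream claim names to the broker's canonical attributes
# (each party contributes, transforms or maps information; unmapped claims are never forwarded).
SOURCE_MAPPINGS = {
    "social-idp": {"email": "email", "given_name": "first_name", "family_name": "last_name"},
    "partner-idp": {"mail": "email", "givenName": "first_name", "sn": "last_name",
                    "department": "org_unit"},
}
# Constructed: which canonical attributes each consent scope releases downstream.
SCOPE_ATTRIBUTES = {"profile": {"first_name", "last_name"}, "email": {"email"}, "org": {"org_unit"}}


@dataclass
class BrokerDecision:
    granted: bool
    reason: str
    claims: dict = field(default_factory=dict)   # attributes released to the application
    receipt: dict = field(default_factory=dict)  # audit record of what was released and why


def broker(source, upstream_claims, upstream_aal, consented_scopes, app):
    """Decide what the broker releases to `app` for one chained authentication.
    `app` is a constructed dict with 'id', 'required_aal' and 'requested_scopes';
    `upstream_aal` is the SP 800-63-3 authenticator assurance level asserted upstream."""
    # Step-up is enforced at the broker, as close as possible to the application.
    if upstream_aal < app["required_aal"]:
        return BrokerDecision(False, f"step-up required: AAL{upstream_aal} < AAL{app['required_aal']}")
    # Canonicalise the upstream claims through the per-source mapping.
    mapping = SOURCE_MAPPINGS[source]
    canonical = {mapping[k]: v for k, v in upstream_claims.items() if k in mapping}
    # Release only attributes covered by scopes the user consented to AND the app requested,
    # so the application never receives (or stores) PII it was not granted.
    released_scopes = set(consented_scopes) & set(app["requested_scopes"])
    allowed = set().union(*(SCOPE_ATTRIBUTES[s] for s in released_scopes))
    claims = {k: v for k, v in canonical.items() if k in allowed}
    # Consent receipt: who received which attributes, from which source, under which scopes.
    receipt = {"app": app["id"], "source": source, "scopes": sorted(released_scopes),
               "attributes": sorted(claims), "at": datetime.now(timezone.utc).isoformat()}
    return BrokerDecision(True, "released", claims, receipt)


if __name__ == "__main__":
    # Constructed sample: a strategic partner's employee (delegated IdP) accessing the CRM.
    partner_user = {"mail": "ann@partner.example", "givenName": "Ann", "sn": "Lee",
                    "department": "R&D", "employeeNumber": "42"}
    crm = {"id": "crm", "required_aal": 2, "requested_scopes": ["email", "org"]}
    print(broker("partner-idp", partner_user, 2, ["profile", "email", "org"], crm))
    print(broker("partner-idp", partner_user, 1, ["profile", "email", "org"], crm).reason)
```

The second call shows the step-up refusal: the partner IdP asserted AAL1 while the CRM requires AAL2, so nothing is released and the application is told to step up rather than receiving a weaker session.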
28. Be ready for ripples
GDPR is just a first step…
Russia Data Privacy Laws are operational
Australia Data Privacy Laws are operational
<Insert your country> Data Laws are coming
China Data Privacy Laws are drafted
29. Chaining of Identity Blocks: a simple model and strategy
That centrally governs different types of actors and their data
Whom we empower by giving them choices and consent control
In order to enhance our Business, Security and Compliance
33. (Chart: stages of online identity plotted by User control, low to high, against Portability, low to high: Centralized, Federated, User Centric, Self Sovereign)
Based on Christopher Allen, stages of online identity
http://www.lifewithalacrity.com
Annotations: “What you considered too obsolete and did not capitalize on” and “What you hoped to see and what Blockchain hopes to solve”
34. (Chart: stages of online identity plotted by User control, low to high, against Portability, low to high: Centralized, Federated, User Centric, Self Sovereign)
Based on Christopher Allen, stages of online identity
http://www.lifewithalacrity.com
Annotations: “What you considered too obsolete and did not capitalize on” and “What you hoped to see and what Blockchain hopes to solve”
Need Decentralization / Need Trust
35. David Birch, Director of Consult Hyperion:
• Blockchain is not for storing digital ID
• Still an issue for managing the private key
• Should be managed by trusted party (e.g. Banks)
http://dutchblockchainconference.com/2016/06/20/david-birch-hyperion/
Steve Wilson, VP Constellation Research:
• There is no ID in the blockchain
• An intermediary is still needed
• See project MDAV for CCICADA
https://www.youtube.com/watch?v=dzetCrresXM
36. (Chart: stages of online identity plotted by User control, low to high, against Portability, low to high: Centralized, Federated, User Centric, Self Sovereign)
Based on Christopher Allen, stages of online identity
http://www.lifewithalacrity.com
Annotations: “What you considered too obsolete and did not capitalize on” and “What you hoped to see and what Blockchain hopes to solve”
Need Decentralization / Need Trust
Meshed, controlled via:
• Linking of accounts
• Consent to share
• Portable through the Trust framework
• …
37. Frédéric Parthenais, VP Consulting and Sales
fparthenais@facilite.com
+1 514-262-2328
Jean-François Lombardo, Digital Identity Principal Director
jflombardo@facilite.com
+1 514-778-5565
Put on your CIAM strategy with those badges (on us)