Bring Your Own Identity (BYOI) is the enabling of employees, customers, and constituents to use their own defined identities to access organizational resources and or entitlements. This trend is being embraced and extended to use individual social media identities. Organizations that embrace BYOI save on identity management costs as well as enable better directed marketing and communications. As all new trends, the question must come up 'Does BYOI come with hidden costs or exposures?'. This deck covers the items you need to consider in order to move forward, including: 1) - Benefits of BYOI and why 2) - Potential downsides of blending organizational and personal identities? I.e: What is the potential privacy impact of using BYOI 3) - Issues that may arise with the use of non-organizational / personal identities while accessing information and entitlements? 4) - What can happen if a social identity is compromised? 5) - How can we use them securely?

1. Bring Your Own Identity (BYOI)
strategies for organizations and their impact
Matthew Ulery
Director of Product Management

2. Agenda

What is BYOI?

Why do we care about BYOI?

When to allow BYOI?

What are others doing about BYOI?
2
© 2013 NetIQ Corporation. All rights reserved.

3. What is BYOI?

Bring your own Infrastructure

Bring your own Iron

Bring your own Identity

Bring your own Improv

Bring your own Intoxicant
3
© 2013 NetIQ Corporation. All rights reserved.

4. Early adopters and providers
BYOI Trends

Social, web resource and retail
─
─
─
─

Social identity providers investing in BYOI
─
4
Use LinkedIn account to access a whitepaper
Use Amazon ID rather than creating a new retail account
Apply to a new job using LinkedIn account
NYC adopting to support constituents
Seeking greater return on their identity validation investment
© 2013 NetIQ Corporation. All rights reserved.

5. BYOD accelerating BYOI
BYOI Trends

Identity Overload
─
─
─
─
─

Merging of personal device and identity
─
─
5
Average 25 accounts per person and growing
Social Networking
Financial Accounts (bank, payment, entertainment)
Loyalty programs
etc
Collection of business and personal identities
Expect seamless experience from personal device
© 2013 NetIQ Corporation. All rights reserved.

6. 6
© 2013 NetIQ Corporation. All rights reserved.

7. Why do we care about BYOI?

Cost reduction / avoidance
─

Increase customer / constituent engagement
─
─

Reduce registration abandonment
Enable more personalized experience interactions
Emerging changes in risk
─
─
─
7
Management of identities is expensive
Risk shared with customer/constituent and identity provider
Responsibility to protect customer privacy remains
Privacy risk mitigated by reducing identifiable information
© 2013 NetIQ Corporation. All rights reserved.

8. Big Question?
Should we allow BYOI?
8
© 2013 NetIQ Corporation. All rights reserved.

9. Security Concerns
When to allow BYOI?

Strength of authentication
─
─

Strength of identity administration
─
─

How is identity validated for administration?
What is required to issue a password reset?
Compromised identity
─
─
9
Hurdles required to create the identity
Hurdles required to validate the identity
Who is responsible if identity is breached?
How can you revoke access?
© 2013 NetIQ Corporation. All rights reserved.

10. Different Identity Types
When to allow BYOI?

Customer and constituents
─
─

Privileged users
─
─
─

Employees, partners, contractors, etc.
Significant access to sensitive information & systems
Much greater level of personal identifiable information
Allow BYOI…?
─
10
Limited to no access to sensitive information & systems
Limited amount of personal identifiable information
Must balance risk and value
© 2013 NetIQ Corporation. All rights reserved.

11. NYC.GOV
BYOI Case Study
• Different
Goals / Desires / Requirements
– Residents
– NYC
– Site
Politicians
admins
Needed a Lightly secured, customer facing portal
11
© 2013 NetIQ Corporation. All rights reserved.

12. NYC Constituent Experience
BYOI Case Study
Access
Management
requirements
Secure Identity-enabled
Web Services to provide
account info
am.nyc.gov
Public
Resources
Non Identity-based
information and services,
optimized for speed
pub.nyc.gov
www.nyc.gov is a site
composed of information
from other webservices,
secure, public, and semipublic.
12
© 2013 NetIQ Corporation. All rights reserved.
Social
Access
requirements
cf.nyc.gov
Personalized Web
content, requires only
simple consumer
authentication or
NYC.ID

13. Management of public resources
BYOI Case Study

NYC Tennis Courts
─
─
─

Is this a candidate for BYOI?
─
─
─
13
60,000 permits and tickets, 500 courts
Annual permits ($100)
Scheduling courts a nightmare for NYC and permit holders
Low risk
Lower cost from web scheduling and external identity
Enables external payment collection (i.e. PayPal)
© 2013 NetIQ Corporation. All rights reserved.

14. Risk of Hacked Identity
Mat Honan, Wired Magazine

Linked many of his accounts
─
─
Social accounts: Twitter, LinkedIn
Personal: Amazon, Gmail

Hackers wanted Twitter handle

Hackers exploited weak link
14
© 2013 NetIQ Corporation. All rights reserved.

15. Risk of Hacked Identity
Mat Honan, Wired Magazine

“In the space of one hour, my entire digital
life was destroyed.”
─
─
─

15
“First my Google account was taken over, then deleted.”
“Next my Twitter account was compromised, and used as a
platform to broadcast racist and homophobic messages.”
“And worst of all, my AppleID account was broken into, and my
hackers used it to remotely erase all of the data on my iPhone,
iPad, and MacBook?”
“In many ways, this was all my fault. My
accounts were daisy-chained together.”
© 2013 NetIQ Corporation. All rights reserved.

16. Required no advanced skills
Mat Honan, Wired Magazine

Twitter linked to Gmail account
─
─
─

Resetting Apple account requires
─
─
─

Physical address & last four digits of credit card
Easy to get address
How could they get the credit card information?
Amazon and AppleID accounts linked
─
─
─
16
Google Account recovery page
Gave alternate email: m****n@me.com (hmmmm mhonan)…
Letting them know he had an AppleID
Name and email address needed to add a card to Amazon
Knowing card number allows resetting password
Now they have the credit card number for AppleID
© 2013 NetIQ Corporation. All rights reserved.

17. Key Take-aways
Balancing Risk and Value

BYOI benefits
─
─
─

BYOI risk assessment
─
─
─

Customers/constituents involved in identity selection
Security of identity beyond your control
Still must protect personal identifiable information
Must balance value against savings
─
─
17
Reduce cost of generating and managing identities
Reduce customer/constituent engagement
Enable more personalized experience interactions
What type of access does it fit?
May not be right for your organization…yet
© 2013 NetIQ Corporation. All rights reserved.

18. Q&A
matthew.ulery@netiq.com