© 2015 IBM Corporation

Managing Identity from the CloudTransformation Advantages at VantisLife Insurance

Eric MaassDirector, IAM Strategy, IBM

Jim LovelaceVP of IT, VantisLife Insurance Co.

Trends

Evolutionary Themes of IAM

Technical Scope of IDM and WAMIDM, WAM, IGA, PIM, Federation,

Intelligence, etc.

IAM as a Tool of Policy EnforcementIAM as a Tool of Compliance and

Intelligence

IAM as a Project IAM as a Program

IAM as a Cost of Doing Business IAM as a Business Differentiator

IAM Infrastructure and Expertise On-

PremiseIAM in the Cloud

Evolutionary Shift of IAM

Traditional View Modern View

IAM is shifting to become an ongoing program that delivers intelligence, meets

regulatory compliance requirements, adds value differentiation, and unburdens the

organization

Expanding Ecosystem of Identities and Assets

Identity

Management

Access

Management

People Assets

Suppliers Vendors Resellers

On-Premise

Applications

Social Sites

and Identities

Partners and

Channels

SaaS, PaaS,

and IaaS

Mobile Devices,

Apps, and Identities

Challenges Our Clients Are Facing

• Constrained Budgets• Lack of funding, newly constrained IT budgets

• Limited Deployment Windows / Dependent Project Schedules• Necessity to deploy quickly, dependent project schedules being held

up on IAM

• Difficulty Acquiring and Retaining Specialized Skills• Limited availability of specialized skills in high-end IAM product

suites, certification, training, and retention

• Falling Behind on Product Versions• Inability to keep up with upgrades, patches, and general lifecycle

challenges

• Inability to Integrate Assets Quickly & Remain Agile• Growing portfolio of assets, slow to integrate

• Lack of Stability and Operations Management• Difficulty stabilizing infrastructure, tuning, and providing transparent

high-quality service levels

Overview of Cloud Identity Services

IBM Cloud Identity Services – What Is It?

• The IBM Cloud Identity Services provide clients with a unique way to acquire Identity and Access Management technologies – as a multi-tenant service, offered from the public cloud.

• The IBM Cloud Identity Services are based upon IBM’s market-leading IAM software products (e.g. ISAM, ISIM, FIM, etc), providing clients with enterprise class IAM capabilities in a cost-effective, timely, and agile cloud delivery model.

Cloud Identity Services

IBM Cloud Identity Services - Tackling Our Clients’ Most Critical Challenges

Reduce total cost of

ownershipImprove agility and flexibility

Expedite deployment Reduce skills requirements

Reduce ownership costs over

on-premises infrastructure

• Infrastructure (hardware, software)

• Personnel costs

• Maintenance, operations, support

• Soft costs (opportunity, agility, etc.)

Enable ability to act and

respond more quickly and

nimbly

• Policy and progress changes

• Asset integration

Get our clients to their desired

end state more quickly

• Start-up time / time-to-value

• Upgrade and maintenance lifecycle

• Dependency value

Reduction in need for

specialized skills

• Acquisition

• Training

• Retention

Identity

Management

Access

Management

Identity

Federation

User provisioning

Automated lifecycle management

User self-service

Role governance and compliance

Web single-sign-on

Centralized access control policy

Strong authentication

Federated SSO

Business-to-business federation

Full spectrum of IAM capabilities delivered from the Cloud

Key Statistics14M+ users

57+ countries of user origin

Millions of hourly transactions

Enterprise, B2B,and B2C users

Capabilities and Technology Comprehensive Cloud-based IAM solution built upon IBM’s

best-in-class IAM software

Global delivery capabilities provided by IBM’s market leading

Managed Security Services

Unlike competitive cloud IAM services, IBM’s Cloud Identity

Service provides deep functionality for enterprise clients

Automation and templates result in rapid integration and

faster time to value

IBM’s Cloud Identity Service provides a less expensive and faster-time-to value

alternative to traditional IAM deployments

IBM Cloud Identity Service at a glance

IAM from the Cloud

Cloud Identity Services

IBM Cloud Identity Services can be utilized to outsource an organization’s full or partial

IAM infrastructure to the cloud

Eliminates the need for the client to deploy and maintain on-premise IAM

infrastructure.

Can integrate with enterprise applications and directories, providing equivalent

capabilities of market-leading IAM software suites.

Attractive to clients who are looking to minimize costs, time to deployment, improve

organizational agility, reduce in-house specialized skills, and plan with greater

confidence.

Attractive to green-field deployments of IAM or migrations (moving clients from

their on-premise IAM infrastructure, regardless of vendor, to the cloud).

IAM for Cloud, Mobile, and Social

Cloud Identity Services

IBM Cloud Identity Services can be utilized to bridge / extend client IAM infrastructure to

new cloud, mobile, and social use cases.

Enables clients to extend existing IAM infrastructure for new cloud, mobile, or

social use cases without the need to rip-and-replace on-premise IAM infrastructure.

Provides a cost-effective and timely solution for clients looking to garner new value

from their existing IAM infrastructure or the IBM Cloud Identity Services platform.

A New Unified and Integrated Service Management Strategy

• Globally Integrated Management• Global Infrastructure Platform

– IBM SoftLayer

• Unified Software Development Lifecycle Management

– IAM Software Development

– Cloud Identity Services Software Development

• Professional Services

– IBM Global Technology Services

Infrastructure

• Compute

• Storage

• Networks

• Cloud IaaS

Software

• IAM Software

• Development

• Testing

• Quality /

Certification

Services

• Delivery

• Operations

• Support

• Project

Management

IBM Global and Integrated Management

IBM is able to offer a completely horizontally and

vertically integrated set of services spanning

infrastructure, software, and services due to the

acquisition of Lighthouse Security Group, while

strategically integrating the company’s people and

assets into IBM’s Global Technology Services (GTS)

and Software Group (SWG).

Capabilities and Technology Overview

Capabilities - High Level Overview of the Strategic Platform

• Identity Management• User Provisioning

– 70+ App / Protocol Connectors

• Identity Lifecycle Automation

• Self Service

– User Registration

– Password Reset

– Username Recovery

– Profile Management

– Delegated User Management

– Access Request & Approval

– Recertification Approval

• Identity Governance

– Dynamic Role Provisioning

– Recertification

– Approval Workflow

• Audit & Reporting• Ad-Hoc Reporting

– 100+ Audit Event Types

– Graphical, Text, and Drill-Down

– Report Scheduling

• Audit Feed

– Semi-Real-Time Audit Event Data Feed to Client SIEM or RDBMS

Web Access Management

– Authentication

• UID/PW Forms, Basic Auth, X.509, and others OOTB

– Single Sign On (SSO)

• SSO via HTTP Headers, Kerberos, PKI X.509, Credential

Vault, and others OOTB

– Authorization

• Group, Role, and Attribute Based Authorization Policies

• URL Stateful Inspection by Proxy

Federation

– IdP and SP Capabilities

– SSO to SaaS Applications and Private 3rd Parties

– Federated Provisioning with 3rd Parties

– Security Token Service (STS) for Credential Issuance,

Validation, and Exchange – SAML, WS-Fed, Oauth,

OpenID, and others.

– Social Network Federation (Facebook, Google+, Twitter, etc)

API and Misc.

– REST API Provides Programmatic Access to All Functions of

the Service (e.g. user, role, and policy management).

– API Supports Native Mobile App Integration.

– Akamai Edge Network Integration Support

Web Access Management and Federation Use Cases

Identity Management Use Cases

Cloud Data Center Operations

On Board Services Methodology

Repeatable processes for

onboarding enterprise

customers

IBM Cloud Identity Services Framework Strategy

IBM Security Identity &

Access Management

Platform Technology

Middleware Automation and Multi-tenancy(Compilers, rules engines, controllers,

logical and physical asset management, integration layer, data access layer)

Governance and Self Service Software(Web Administration Console – J2EE and Flash / Flex UI,

self service apps – portal, registration, password reset, and username recovery)

Advanced Point-and-Click Governance

Deployment Highlights

• Public Cloud• By default, IBM Cloud Identity Services is offered as a “Public Cloud” offering –

meaning, clients will connect to it via network (e.g. site-to-site VPN and/or WAN connections) and simply use its services remotely.

• Multi-Tenant• By default, nearly all components of the IBM Cloud Identity Service is offered in a

multi-tenant manner. This means:– Clients have their own logical instances of services; they will share physical instances of

hardware and base software with other clients, leading to economies of scale.

– Client data will coexist on physical hardware, but it will be logically isolated, and appropriate access controls will prevent comingling or bleed-over between tenants.

– Clients may select optional subscription services that permit them to have completely separate LDAP directories (dedicated) where coexistence with other client directory data is not acceptable.

– Certain optional components of the system may only be deployed in a single-tenant fashion for scale, security, or other rationale.

• Integration with On-Premise IAM• The IBM Cloud Identity Service may be used completely independent of any other

IAM system, as is the case with most client deployments; however, clients may also opt to integrate the service with one or more existing on-premise IAM products or services (e.g. the Cloud Identity Service may integrate with an on-premise IDM platform to consume identity data as a Source of Record).

Client On-Ramp Process

Client On-Ramp Process

• Client On-Ramp Guide

• Master Design Artifact (MDA)

• Defines the Process

• Orients Stakeholders

• Educates Client on System Capabilities

and Options

• Captures Client Configuration Choices

• Captures Client Sign-Off Incrementally

during Process

Client On-Ramp Goals

• Educate the Client

• Clients must be educated on system capabilities, limitations, and

options to ensure they are a long-term, satisfied subscriber.

• Set Expectations

• Clients must be given a clear set of expectations including time-frame

and responsibilities.

• Coordinate All Stakeholders

• Clients must have clear insight into stakeholders, their roles, and

impact to the project.

• Control the Process

• The process must be controlled in a manner that is proven and has

risk mitigation embedded.

• Expedite Delivery of Services

• The ultimate goal is to bring the client live as quickly and safely as

possible.

Comprehensive Master Design Artifact (MDA)

Master Design Artifact (MDA)

A comprehensive Master Design Artifact

(MDA) guide within the On-Ramp process

captures all details regarding the client’s Cloud

Identity Service configuration.

Education along the way ensures the client

understands their options and system

capabilities. Sign-offs ensure agreement and

ability to move ahead.

Education and Workbook

Education Followed

by Workbook

Exercise

Education and Workbook Exercises

The guide provides client education on system

capabilities followed by workbook exercises to

capture the client’s desired configurations. IBM

staff configuration manage the workbook and

all selected options.

MDA Sign-Off Process

Incremental MDA Sign Off

Clients “sign-off” on chosen configuration

options along the way to ensure:

Client understands options chosen

IBM and client are in agreement

Progress on configurations can be

incrementally carried out in a rapid fashion

The sign-off process also protects the client

and IBM from thrashing (change in

configuration) during the on-ramp.

Operations

Highly Available Services

• Highly Available

• All IBM Cloud Identity Services are designed for High Availability, with redundancies including:

– Clutered applications

– Dual network paths (bonded NICs)

– RAID storage arrays / SANs

– Replicated LDAP servers

– Clustered RDBMS

– Multiple ISP paths

• Disaster Recovery

• All IBM Cloud Identity Services are replicated daily to off-site warm-standby Disaster Recovery (DR) systems, including:

– Full System VMs

– Configuration Data

– Identity Data

– Event and Audit Log Data

• Uptime

• The IBM Cloud Identity Services are designed for 99.9% or greater uptime.

IBM Cloud Identity Services Locations

• Sites:• Stamford, CT

• Dallas, TX

• San Jose, CA

• London, UK

• Paris, France

Client Experience – VantisLife Insurance Company

Who is Vantis Life?

• Life insurance and annuities through financial institutions

• $5 billion of life insurance in force

• $900 million in assets

• Vantis products sold by appointed bank and credit union

employees

• 85% of business processed through web-based broker-agent

portal

Our Challenges

• VantisLife experienced significant growth from 2004 thru 2007, driving the organization to change a number of ways it did business.

• Because the web accounts for Vantis’ most significant route to market, many of these changes in business process, tooling, and capabilities centered around Information Technology and our web presence.

• Vantis’ business is largely broker-based, requiring broker agents to book and manage business (e.g. policies) through Vantis’ agent portal.

• 30 bank/credit union partners in CT to 100+ nationwide

• 300 broker / agent users to more than 5,000 institutional users

• Supporting conventional IAM around Vantis’ agent portal was becoming laborious – consuming both time and limited IT resources

• Manually provisioning agent accounts

• Managing credentials manually

• Granting application access

• Maintenance of organically built IAM environment

• Authentication - labor intensive

• Buried in forms, paperwork, timeliness

Challenges – continued

• Tooling and Efficiency

• Vantis determined it needed a smarter approach to IAM

• New approach required:

– Less manual process and overhead on limited IT staff

– Ability to delegate certain identity functions to brokers and agents

(e.g. Self Registration, Password Reset, Account Management).

– Ease of implementation – no sharp learning curve or long-term

overhead for on-going skills and management of the IAM system.

• Security and Compliance

• Height of financial crisis – 2008 timeframe

• Vantis’ larger banking partners were becoming increasingly

sensitive to IT measures around security and compliance.

• Vantis wished to strategically position itself to be ready for

increased focus on security, compliance, and potential new

regulatory measures.

Decision-Making Process

• Vantis considered a number of options to address its strategic initiative of increasing security and compliance, as well as IAM tooling and efficiency:

• Organically Built IAM– Continue with organic IAM software strategy – build and maintain in-

house

• Traditional IAM Deployment– Procurement, build-out, and management of a commercial vendor on-

premise IAM solution

• Cloud IAM– Procurement and integration with a cloud-based IAM solution

• Vantis had previously built an organic IAM solution consisting of various capabilities:

• Authentication and Authorization

• User and Group Management

• Single Sign-On (SSO)

• Vantis weighed its options regarding organic, traditional commercial deployment on-premise, and cloud (Software-as-a-Service)

Our Solution

• Vantis determined its values for a next generation IAM system would be:• Total Cost of Ownership (TCO) – Vantis was seeking a cost-effective approach to IAM that

enabled the business to achieve enterprise-grade IAM while doing so on a budget

• Skills – Vantis was seeking a solution that would not force an investment in on-staff skills in complex IAM technologies

• Time-to-Deployment – Vantis had a critical time-frame with two large banking relationships dependent upon the availability of its new IAM platform

• Security – Vantis was seeking a solution that could raise the bar in its security and compliance standards, which was consequently being sought by the company’s banking partners

• Scalability – Vantis was seeking a solution that would easily grow with its rapidly expanding business, including both technical scale but also availability of features/functions that may become necessary as its business needs expanded

• Engaged IBM (formerly Lighthouse Security Group) for security review• State of existing technology – effectiveness of controls in authentication, authorization,

auditing, and identity/credential management

• Made decision to go with IBM Security Access Manager for Web (formerly Tivoli Access Manager for e-Business) and Tivoli Federated Identity Manager

• Made decision augment IBM SW with a Cloud solution (IBM Cloud Identity Service)• Provided added benefits of lower TCO, lesser on-staff skills requirement, and quicker time-to-

deployment

• Three (3) years of cloud services were deemed less expensive than initial on-premise deployment

IBM

CON

FIDE

Our Solution – continued

• Vantis Internal Discussions and Decision Criteria:• Concerns regarding being an early adopter

– IBM Cloud Identity Service (formerly Lighthouse Gateway) was only just launched

• Was the cloud secure?

• With heightened sensitivity to security (height of financial crisis), how would our partners perceive our decision?

– Impact for new banking partners as well as review of our strategic shift to cloud for existing partners

• Concerns regarding how our external auditors may evaluate a decision to use cloud IAM

• Requirement for Vantis key decision makers (COO and VP of IT) to achieve buy-in on a cloud IAM strategy from its Board of Directors

Cloud Identity Services

Our Deployment Experience

• Contract Process Considerations• Service Level Agreements• Out-Year Affordability – Post initial three year

term cost considerations• Data Privacy – controls, policies, and

measures in the subscription agreement• Deployment Process

• Deployed in 6 six weeks – contract signing to go-live

• IBM / Lighthouse professional security services performed integration and configuration work in cooperation with Vantis’ application owners– Branding / look-and-feel for user-facing web

pages of the system (e.g. login, self service, etc)

– Integration of Vantis’ initial top 3 web applications

– Testing – functional and regression– User experience planning – e.g. initial self

registration of all broker agents

• Seamless transition for all users• Necessity to have a smooth on-boarding

process for brokers – simple to use, self explanatory… just plain works!

• Provided a better life experience for our users

IBM

CON

FIDE

Policy

Quotes Application

Process

Account

Mgmt.

Expansion of Services

• B2C Expansion• Vantis had initially launched its IBM CIS (Lighthouse Gateway) services for B2B –

its broker agents

• Vantis had top-down direction to begin supporting B2C use cases with its web presence (e.g. selling direct to consumer)

• Vantis quickly deployed a secondary instance of the IBM Cloud Identity Service for its consumer-facing web applications and users.

– Policy Quoting

– Application Process

– Limited Account / Policy Maintenance

• Federated SSO Use Case Expansion – Quicklife• Vantis had requirements to expand its IAM solution to begin supporting federated

use cases with multi-partner quoting platform (Quicklife)

• Vantis needed to establish ability to act as a federated Service Provider (SP)

– Ability to seamless provide quotes into third-party quoting platform (Quicklife)

– Ability to seamlessly allow Quicklife agents to SSO into Vantis agent portal (Agentweb) to continue the policy booking process

– Ability to support all federated use cases with standard SAML assertions and protocol

• Easy implementation

Future Enhancements

• Enhanced Self Service• Delegated User Administration

– Leveraging Cloud Identity Service (CIS) Self Service Portal’s delegated user administration functions

– Allowing “power users” at brokers to manage their own VantisLife agent users on our system

• Self Service Access Request– Leveraging CIS Self Service Portal to enable agents to electronically

request access to applications and/or application roles within the VantisLife portfolio of web apps.

• Identity Governance• Recertification

– Leveraging CIS recertification capability to begin pushing agents through an electronic access recertification process

IBM

CON

FIDE

An Early Success

• Utilizing IBM’s Cloud Identity Service, VantisLife was able

to:

• Deploy an enterprise class IAM solution in under six weeks

• Avoid significant costs traditionally associated with IAM

platforms

• Keep its IT staff focused on projects that enable VantisLife to be

a competitive life insurance company

• Provide its users with an intuitive, easy-to-use platform to

manage their identities and associated access to VantisLife

applications

• Position the company for future growth, including the ability to

rapidly “turn on” new IAM capabilities as demand requires

• Help “Future-Proof” the company’s compatibility with emerging

technologies, standards, and regulatory requirements

38

Engaging

Engagement Process

Initial Scoping

• Client provides IBM with an overview of project requirements.

• IBM provides client with education on Cloud Identity Services features and capabilities.

• IBM performs initial scoping of required features, user counts, integrated applications, and options.

Non-Binding Initial Estimate

• Estimate of project costs (including services and subscription) based upon initial scoping.

• IBM may present estimates as a range along with other information to help the client understand potential drivers in the estimate.

SOW Scope Workshop

• If the provided estimate is deemed accepted to the client, IBM will perform a SOW Scope Workshop.

• Half-to-full day workshop is performed at client site with key stakeholders to drill into project specifics.

• The workshop is intended to allow IBM to produce a detailed SOW and refined pricing information.

SOW

• An executable SOW is drafted and delivered to the client, along with any Terms and Conditions, for signature.

Questions and More Information

• Contact:

• IBM Security

– Eric Maass

Director, IAM Strategy

emaass@us.ibm.com

– Ed Terry

Cloud Identity Sales Leader

eterry@us.ibm.com

On the web:

http://www-935.ibm.com/services/us/en/it-services/security-

services/cloud-identity-service/

Notices and Disclaimers

Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or

transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with

IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been

reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM

shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY,

EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF

THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT

OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the

agreements under which they are provided.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without

notice.

Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are

presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual

performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services does not imply that IBM intends to make such products,

programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not

necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither

intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal

counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s

business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or

represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Notices and Disclaimers (con’t)

Information concerning non-IBM products was obtained from the suppliers of those products, their published

announcements or other publicly available sources. IBM has not tested those products in connection with this

publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM

products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to

interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED,

INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A

PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any

IBM patents, copyrights, trademarks or other intellectual property right.

• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document

Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand,

ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™,

PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®,

pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®,

urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of

International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and

service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on

the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.

Thank YouYour Feedback is

Important!

Access the InterConnect 2015

Conference CONNECT Attendee

Portal to complete your session

surveys from your smartphone,

laptop or conference kiosk.