White Paper

The Evolution of Digital Identity by Vadim Lander, Identity Security CTO and Distinguished Engineer

Perfect Storm for IAM However, the world has moved This works when everything beyond having a single web is working perfectly, but what In today’s business landscape perimeter. In today’s multi-channel, happens when something goes driven by the need to grow and API-based, mobile-oriented wrong and there is a security differentiate, enterprises launch enterprise, no one truly owns the breach? There must be a shared new applications and services perimeter. Every business, across security capability to be able to quickly to take the lead in their different verticals and channels, take action. And there also must business domains. Enterprises consumes or produces application be a shared security service want to connect to more people to workloads that could be running platform if users are to get a expand reach and build out their anywhere, and no corporate IT consistent Single Sign-On/Single brand and they want to maintain organization can control the new Logout experience when accessing mobile presence to securely perimeter with traditional methods. resources protected by Web Access connect their customers to their Enterprises that need to sustain Management, federated via SAML services anywhere, anytime, their business or compete for in some cases and by OpenID anyplace—gaining competitive leadership are undergoing digital Connect in others. The perimeter- advantage and building customer transformation efforts to adjust to based and multi-perimeter worlds loyalty. new business realities and must must co-exist for some time with Security is one of the most critical operate in this new world defined seamless Single Sign-On and Single aspects of such initiatives. Enabling by a multitude of infrastructure and Sign-Out user experience. end users to securely access application perimeters. authorized resources, preventing In this world, enterprises have IAM Follows the Apps accidental data leakage, and solved the initial authentication The IAM system is responsible for guarding against the misuse of use cases using OpenID Connect providing omni-channel access to credentials and the hijacking of tokens exchanged for OAuth access authorized resources, it manages accounts are some of the biggest tokens, and then rely on each an aggregated view of identities concerns a business has when application to validate token claims being mapped to applications and trying to move fast to deliver on independently. systems, and it provides a platform objectives. to define and enforce identity Consider how we were accustomed to securing web applications. A typical approach was to put Figure 1: The Evolution of Digital Identity a web agent in front of a web app and in the process instantly secure the app by providing user authentication and session management capabilities. This enabled application owners to grow business by developing new web apps, and it ensured secure delivery of apps to different end users (B2C, B2B, B2E) without application developers becoming security experts. The end result is enterprises have a significant amount of resources protected by Web Access Management and federated via SAML. The Evolution of Digital Identity White Paper and access policies to achieve applications and users, while With the single perimeter no longer such tasks. A very important enabling application workloads to present, a new approach is required consideration an enterprise has is run anywhere, moving away from to manage the familiar problem in how to implement a modern IAM the central data center—and in of Who has access to What. for new initiatives, applications, and the process creating new micro- Enterprises must securely connect services. perimeters. identities and applications/data across different perimeters using Enterprises can implement security Securely providing access to modern protocols and architecture, for each application in a legacy applications under such conditions and this requires a change in how siloed way, or they can leverage a where different micro-perimeters we view IAM. modern platform approach which are in play requires enterprises gives them a shared single identity to use dynamic, session-aware, and policy view across multiple contextual access management The Need for Contextual, applications and shared services that requires as much (or as little) Omni-present IAM resulting in omni-channel alignment authentication and authorization as With the Internet being used and visibility. The combination of necessary to meet the acceptable more and more to transact a disappearing network perimeter risk. business via the local data center, and an exponential rise of SaaS apps, or public cloud, the The end result is a modern applications being developed using enterprise no longer owns or enterprise that must be able to deal modern application development controls all the connection points. with this trend to continue securely principles has resulted in While enterprises still maintain a delivering applications to end enterprises requiring a holistic look perimeter around their data center, users over any channel, anytime, at the capabilities of the IAM stack. the perimeter around the identity anyplace —while taking advantage and application is no longer in The emergence of federation, of modern devices to provide place. Enterprises must be able to cloud, mobile smartphones, and excellent user experience. With this securely connect their identities continuous evolution of connected trend firmly underway, rooted in into heterogeneous application devices are driving a paradigm enterprise Digital Transformation infrastructures, and they must be shift over the enterprise-centric efforts, application workloads able to securely connect third-party command and control mode of are leaving the central data- identities into their own application operation. center-bound perimeter, and this infrastructure. requires IAM to follow application As shown in the figure below, this workloads. The IAM architecture As mentioned previously, this results in the single perimeter and best practices have to move in results in the dramatic increase in disappearing around your that direction as well. the number of perimeters. These new perimeters are no longer Figure 2: Single Perimeter Gives Way to Microperimeters around the enterprise data center, but around the User/Session, their Devices, and their Applications.

Let’s look at this popular scenario: an employee sometimes works from the office where both the Mac and iPhone are connected to the enterprise’s network. During this time the employee is accessing a SaaS-based sales portal to obtain a sales presentation, and he or she is accessing the enterprise’s ERP system to submit or approve a purchase order. Occasionally, the employee works from a coffee shop using the local Wi-Fi network and sets up a VPN session to the corporate office.

The risk of exposing sensitive content to malware or some The Evolution of Digital Identity White Paper

Figure 3: Identity Is the Perimeter and Must Be Embedded Within These Dynamic management, and consistent risk Environments evaluation across all the micro- perimeters, the better equipped the enterprise is to securely connect users to their applications with the best user experience and least security exposure.

New IAM/Security Architecture Required One of the popular industry terms for such security architecture is Zero Trust Computing. Zero Trust is valuable for enterprises because it offers the ability to decouple logical application access from the physical perimeter while still other attacker is greater when the context representing the user, maintaining policy-based control the employee is working from their device, their session, and the over Who can do What. Achieving the coffee shop and addressing application with its underlying data. this requires that identity and this to adequately mitigate risk security be incorporated into requires contextual, risk-based With users and apps everywhere, the fabric of applications and authentication and authorization access must be provided based application infrastructure, in the policy to manage access: on this context including the process creating a reasonable risk, and access activity must blanket of protection around the • Where is the user and how is he be continuously monitored and enterprise assets. or she accessing the apps? From adjusted when necessary. IAM the local corporate network, via must be seamlessly embedded Zero Trust requires a new approach VPN, or via the Internet? within these dynamic environments to handle the dynamic, fast evolving business environment by • How sensitive is the application as well as protecting micro- perimeters. enabling enterprise application being accessed? Email, ERP, a developers to embed IAM into company portal, a sensitive SaaS What does this mean for the the fabric of their applications via app, and so on. enterprise? As the perimeter standards, APIs, or environments- • How risky is the user’s machine/ continues to disappear, or more specific agents. Such architecture mobile device/network? Does it correctly morphs into micro- would give the enterprise an agile have known vulnerabilities? perimeters, enterprises are finding way to meet the security needs of their transformation efforts as The identity becomes one of the it very difficult to protect corporate they convert legacy processes into new perimeters, and this identity data in the presence of micro- digitally integrated application must be validated at the right level perimeters (meaning security silos), ecosystems. of assurance to access application and they are struggling to offer a seamless and delightful user workloads—and this process must This forces IAM to undergo its own be handled in a way that delivers experience as users get bombarded with requests for re-authentication. digital transformation by replacing great user experience. For example, siloed product-centric architecture having disparate implementations The end result is that enterprises by the architecture where the IAM of authentication systems often must ensure that proper risk-based business services used to secure, results in multiple and annoying security controls are embedded manage, and provision access authentication challenges causing into the fabric of application are underpinned by a common users to dislike and, in some perimeters using a range of architecture of policy, risk, session, instances, avoid using such methodologies such as access analytics, and so on, giving applications. proxies, identity federation, native enterprises a number of substantial benefits: With the micro-perimeter paradigm security agents, and direct API now being practically the norm, this calls. The more integrated this • Business agility to securely meet means that security and underlying architecture is with regard to login emerging business requirements policy should now be based on flows, central or distributed session and customer needs. The Evolution of Digital Identity White Paper

Figure 4: The New Digital IAM Architecture

• Development agility to integrate – Privacy and Consent – Risk management: Policy-based and interoperate via IAM industry Microservice: Policy-based detection of “risk” based on standards and APIs. controls over one’s personal one’s behavioral patterns and • Improved user satisfaction from information. health of systems and devices. reduced logins, elimination of – Identity Governance – Security Analytics: AI/ password overload, and timely Microservice: Policy-based ML-based detection and access. validation and confirmation of remediation of anomalies and • Reduced costs of operations and one’s privileges complying with visibility into business in terms administration. corporate policies. of what is going on. – Privileged Account • More configuration and less Digital IAM is about meeting such Management Microservice: customization to enable requirements with a holistic, yet Policy-based authorization over productivity: loosely-coupled and distributed access to sensitive accounts, – Bring your own applications: architecture delivering the following application secrets, and mission six key capabilities: Build applications rapidly and critical servers. secure with Identity Services in • Risk-based business services • Shared platform services hours using open standards for to address the needs of the to ensure consistency and fast uptake. business when the business interoperability across business – Enable multi-channel access needs it. The Zero Trust approach services: allows for visibility into users’ by leveraging REST enabled activities to enable analytics to – Policy management: Scalable, context-aware APIs that can determine the risk to applications dynamic, multi-context policy be consumed by any platform and data. language and engine. or language. It’s fully context – Session Management: Policy- aware so that a policy decision – Authentication Microservice: can be made depending on Policy-based orchestration of based orchestration and partitioning of one’s activities where and when an application asserting one’s identity using is being accessed. a variety of factors including into seamless application password-less, across different experiences. • Built on modern cloud-native types of devices. – Identity Management: User and principles of Scalability, Elasticity, Resilience, Ease of – Authorization Microservice: group lifecycle management for administrative and end user Deployment, Functional Agility, Policy-based validation of one’s and Technical Adoption: rights to resources or data personnel. whether you are a business – Using multi-tenancy to enable user or a privileged user. operational teams as providers of Identity Capabilities The Evolution of Digital Identity White Paper

– Using microservices ecosystem to model and securing enterprise applications architecture to deploy in any represent trust among and processes. This architecture public cloud, private cloud, or distributed systems and allows enterprises to embed on-premise environment via the applications standards-based identity services Kubernetes platform. Security into the fabric of their applications • Embracing and extending teams need fewer specific resulting in a much improved user existing IAM infrastructure to technical skills and resources to experience and elimination of maximize reuse and ensure manage the solution security and governance siloes. business continuity: – Using industry standard stacks – Extending existing IAM for Runtime (Kubernetes), solutions (for example, The Path Forward for Logging/Auditing/Tracing SiteMinder, API Gateway, Broadcom is in the process of (Fluent, Prometheus, Elastic) VIP, and Advanced redefining and developing a with config-time extensibility Authentication) to deliver new Digital IAM architecture to to other stacks, for Security modern authentication best address the needs of its customers Analytics (Siddhi) practices such as password- undergoing digital transformation. • Leveraging Open Standards less to existing applications Digital IAM, supporting Zero Trust to maximize productivity with existing user communities principles, enables the business and reduce interoperability without having difficult and drives new opportunities challenges: application changes through a functional, secure, and – OpenID Connect for browser- – Integrating with existing scalable architecture designed based user authentication session and audit management to address the business agility infrastructure (for example, enterprises must have to evolve – OAuth2 for securing REST API their businesses. calls SiteMinder) for comprehensive view of the session and audit This comprehensive IAM platform – FIDO for modern password-less trail across existing and new built to cloud-native specifications authentication application ecosystems is meant to be an integral part of – SAML for providing Single – Leveraging existing LDAP the enterprise security fabric. Fully Sign on for Cross Domain identity stores already based on open standards, it enables applications using Federation containing user and group rapid integration of applications – SCIM for simplified user populations using a 100% open and standards- management by defining a The architecture of Digital IAM also based solution, while extending the schema for representing users enables the enterprise’s security value proposition of the existing and groups practitioners to not only meet the solutions enterprises have already in place. The combination of – RESTful APIs for all identity business needs of the enterprise capable IAM services and ease of functions for customization and going forward, but at the same operations reduces development headless operations time extend the value of their existing identity stack already costs and prevents vendor lock-in – Standards-based JWT

Figure 5: The new Digital IAM architecture embeds standards-based identity services into the fabric of applications

Data Center Data Center The Evolution of Digital Identity White Paper by using proven industry standards workloads leveraging Zero Trust principles to integrate IAM business logic into • Web and Web Services into all user activities. It delivers a custom applications using open authorization to manage shared, risk-based security service APIs. transactional risk and meet platform for identities to get a regulatory compliance consistent SSO/SLO experience The platform’s scalable and secure across existing and new application back-end infrastructure is capable • Common session management paradigms. It enables the business of being deployed anywhere the infrastructure for continuous to gain necessary governance organization chooses, including on- monitoring and partitioning of capabilities required for a multi- premise data centers, cloud-data identity activities with seamless cloud, multi-perimeter world. It centers, or a hybrid combination. SSO across different application integrates with Symantec’s security The platform securely connects ecosystems solutions to both harden network identities to applications - it needs • Cyber protection for overall security by providing deeper to be everywhere and it needs to security and enhanced risk identity context and leverages be easily consumed by developers assurance via optional integration additional insight provided by who are not security experts. with Symantec’s CASB, Proxy, security controls to make IAM The platform becomes the glue VIP, and SAC solutions decisions more meaningful. that enables enterprise’s digital transformation: Conclusion In the ever fragmented world, • Common data model for Digital IAM, made up of IAM The shift to modern architectures modeling “Access” to unify and Business Services underpinned by based on multiple perimeters such simplify the lifecycle of IAM shared security services, allows as Cloud, Mobile, API, and so on, relationships currently requiring enterprises to gain visibility into requires a modern, integrated, and presence of multiple, siloed the user’s activities, uses smart open Digital IAM architecture to solutions analytics to determine the risk enable the enterprise to securely imposed by the user, and allows/ • Based on Zero Trust principles achieve its business initiatives while restricts/manages user activities with built-in risk-based policy managing the business risk and accordingly while enabling user infrastructure complying with regulations. satisfaction across different • IAM as Big Data to provide built- channels. The Digital IAM architecture lets in Security Analytics for anomaly enterprises embed standards- detection and remediation It enables the enterprise to securely based identity capabilities into the connect any user, from any device, • Omni-channel authentication fabric of their applications—driving to any application while offering for Identity Assurance across enterprise agility, maintaining a seamless user experience and native and federated application adequate risk controls, and keeping enterprise assets secure.

Disclaimer Certain information in this paper may outline Broadcom’s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of Broadcom or its licensees under any existing or future license agreement or services agreement relating to any Broadcom software product; or (ii) amend any product documentation or specifications for any Broadcom software product. The development, release and timing of any features or functionality described in this presentation remain at Broadcom’s sole discretion.

THIS PAPER IS FOR YOUR INFORMATIONAL PURPOSES ONLY. Broadcom assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, BROADCOM PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will Broadcom be liable for any loss or damage, direct or indirect, in connection with this paper, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if Broadcom is expressly advised in advance of the possibility of such damages.

For product information and a complete list of distributors, visit our website at: broadcom.com Copyright © 2020 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. SED-EDI-WP100 April 20, 2020