Agenda
IAM Reality Check: Solutions and Practices for Successful Business
IAM continues to move away from traditional technology approaches and delivery models. The need to limit costs and deliver real-world business results is forcing IAM professionals to take a more strategic approach to IAM — one that incorporates business intelligence.
At this year's event, we'll focus on the trend toward innovative new ways to leverage this rich cache of data to deliver new business value and satisfy growing compliance and regulatory imperatives.
Accessible only to attendees, a full complement of workshops, roundtable discussions, case studies, analyst one-on-one meetings, solution-provider presentations, and peer networking opportunities let you tap the experience and expertise of the uniquely qualified group of IAM professionals onsite.
Comprehensive Tracks and Sessions
- IAM best practices for deployment/operations
- Security & cloud computing choices & maturity
- IT governance and IAM
- IAM markets, trends and technologies
- IAM program maturity scoring and assessments
Hot topics to be covered:
Special Sessions
In addition to our comprehensive tracks, our Agenda also features several special sessions providing opportunities to learn from and interact with Gartner analysts, industry experts and peers, and top solution providers:
-
Keynote Sessions
Typically presented by non-Gartner industry leaders, these plenary sessions are designed to be entertaining and thought-provoking.
-
Workshops
Presented by Gartner or guest experts, these intimate workshops provide an opportunity to drill down on specific "how to" topics in an extended, small group environment. Sessions designed for end users only. Registration required.
-
End-User Case Studies
Gartner invites a number of end users to personally present leading-edge case studies and answer questions.
-
Solution Provider Sessions
In these moderated panels, vendors and end users share experiences and "lessons learned" from real implementations.
-
Analyst One-on-Ones
Sit privately for 30 minutes with a Gartner analyst specializing in the topic you'd like to discuss. Many attendees tell us that a one-on-one session is worth the price of admission, all by itself.
-
Analyst-User Roundtables
Hear how your colleagues from various industries tackle problems similar to yours. These small group discussions provide an informal setting for you and your peers to share insight, challenges and concerns on today's hottest topics.
-
Town Hall Sessions
At these lively open Q&A sessions, attendees pose tough questions to a broad panel of Gartner analysts representing selected research areas.
-
Healthcare Industry Special Program
Attend the special program aligned to your healthcare needs, including exclusive breakfasts, analyst-user roundtables and dedicated sessions.
-
Keynote: Welcome & Introductions
-
Keynote: Online Identities: The Persona in the Machine
Our personal identity is being changed as technology becomes the architect of our intimacies, redrawing boundaries between solitude and socialization. Our use of technological identities drives us ironically to be too busy communicating to connect in ways that really matter. Understanding the impact of our digital personas (i.e. the “persona in the machine”) on our real lives is the first step to re-balancing the way we interact as people.
-
Keynote: Evolving to Survive: How Cloud Computing and GRC Will Impact Your Career
The next seven years will see as much change in IT, security and IAM organizations as we experienced in the client/server revolution. Your career could be impacted, even totally changed. The early signs are there for us to see and analyze. This keynote will look at cloud computing and the GRC movement to project where you should plan to be in four years so that you can still be employed in seven years.
-
Keynote: Pattern Based Intelligence: Use IT or Lose Out
Pattern based intelligence, based on entity link analysis, enables discovery and analytics of fraud rings and collusive activities. It is very useful for catching internal corruption, terrorist activity, homeland security threats, account takeover, welfare and government benefits fraud, pharmaceutical fraud, insurance claims fraud and the like. For security and fraud management to be effective against rapidly evolving threats, pattern seeking must occur both within an organization (to discover internal threats, data breaches and compromised accounts) and also outside the organization (to learn of emerging threats and erect proactive defenses). Entity link analysis can combine internal and external data, both structured and unstructured, to find hidden fraud patterns by discovering relationships that would not be obvious otherwise. This has tremendous potential in many industries. For instance in the insurance industry, such analysis could uncover fake doctors setting up fake clinics and billing for fake lab tests using stolen patient insurance cards and IDs. This session brings together a group of panelists from various industries to look at how pattern based intelligence helps their organizations uncover fraud or otherwise unauthorized activity.
-
Keynote: The IAM Markets: Trends, Market Changes and Products for Better Decision Making
Over the past decade the IAM market has grown significantly, with products and services now estimated to exceed $3B annually and with a robust annual growth rate. Gartner’s Magic Quadrant and Marketscope research has traced the evolution of the IAM market sectors over that time and has written extensively about the impacts of these products and services on the enterprise. The IAM Markets panel will bring together several Gartner analysts to discuss the results of that research, covering issues such as the following:
-
Keynote: The Surprising Future of Identity & Access Management
Dr. Donald McMillan graduated from Stanford University with a PhD in Electrical Engineering. In his more than 20 years in the high tech world he has worked at IBM, AT&T Bell Laboratories, and VLSI Technologies. While at Bell Laboratories, he was a member of the team that developed the world’s first 32-bit microprocessor. Currently, Don is a Senior Analyst at Gartner specializing in Heuristic Risk Management. He has written the best-selling book "Tomorrow is Not What It Used to Be."
-
Workshop: Data Loss Prevention
Cyber security is all about managing, controlling, and mitigating risk to your critical assets. In almost every organization, your critical assets are composed of data or information. Whether it is a customer list, research plans, intellectual property, classified information, or a marketing plan, this data represents the life line of your organization and must be properly protected. Perimeters are still important and critical, but we are moving away from a fortress model and moving towards a focus on data. This is based primarily on the fact that our networks are becoming more porous, and our data is more portable. Information no longer solely resides on your servers where properly configured access control lists can limit access and protect our information. The same intellectual property that is protected on a server behind a strong perimeter can now be copied to laptops (i.e. portable servers) and be plugged into networks (i.e. hotels, airports and coffee shops) that have no firewalls or security devices in place. This means the data must be able to be protected no matter where it resides, since a compromise of sensitive data will have an impact to the company, no matter how it was stolen. Building a strong perimeter defense is a critical first step, but focusing in on protecting and controlling critical data from loss is another key step in building a strong preventive measure. Proactive security must be put in place to make sure critical information is properly protected and exposure is minimized.
Topics Covered:
- Risk Management
  - Calculating and understanding risk
  - Building proper risk mitigation plans
  - Applying proactive risk management processes
  - Understanding insider threat
- Data Classification
  - Key aspects on deploying and implementing classification of critical information
  - Staged rollout of classifying new and existing information
  - Managing and maintaining portable data classification
- Digital Rights Management
  - Understanding what digital rights are
  - Balancing digital rights with data classification
  - Managing access across the enterprise
- Data Loss Prevention (DLP)
  - Identifying requirements and goals for preventing data loss
  - Peeling through the hype of DLP
  - Identifying practical DLP solutions that work
  - Managing, evaluating, implementing, and deploying DLP
-
Healthcare Moderated Breakfast Discussion (Session Full)
-
Workshop: The Gartner ITScore IAM Program Maturity Assessment (Pre-registration required. End users only.) (Session Closed) (Laptop Recommended)
This interactive workshop session allows participants to work together, facilitated by a Gartner analyst, to assess their organizations' IAM program maturity using the Gartner ITScore for Identity and Access Management maturity assessment methodology and a workbook based on the ITScore diagnostic tool.
-
Energy/Utilities Moderated Breakfast Discussion (Session Full)
-
Healthcare Moderated Breakfast Discussion (Session Full)
-
Workshop: The Gartner ITScore IAM Program Maturity Assessment (Pre-registration required. End users only.) (Session Closed) (Laptop Recommended)
This interactive workshop session allows participants to work together, facilitated by a Gartner analyst, to assess their organizations' IAM program maturity using the Gartner ITScore for Identity and Access Management maturity assessment methodology and a workbook based on the ITScore diagnostic tool.
-
Healthcare Moderated Breakfast Discussion
-
Case Study: Lessons from Molson Coors Brewing Company: Choosing and Implementing Identity and Access Management in the Cloud
Molson Coors Brewing Company (MCBC) strategy and direction have changed the requirements for the technology needed to support these efforts. In recent years Molson Coors has increased joint ventures, partnerships, cross brewing relationships and has entered into greater collaboration with third parties. The company has also started heavily using SaaS applications, business process outsourcing models and has placed greater reliance on a large contingent workforce. With these changes, MCBC needed to change its identity and access management strategy as the current system had inconsistencies across IT, inflexible with the rate of change within the and was becoming progressively more expensive to change with a staff underqualified to complete the complex IAM tasks. Come hear how MCBC researched and implemented IAM software without the complexity and cost of implementing the software on-premise.
-
Case Study: Identity at GE
Attestation of users, devices and even data is increasingly critical to managing and securing highly transactional and virtualized environments. With the externalization and consumerization trends such as Any Device, Cloud, Collaboration and Workforce Mobility, we must look beyond legacy identity challenges of the enterprise, resist simply externalizing internal identity processes and develop a direction where identity becomes the true network perimeter. In this case study we will review: • The history of IAM at GE • Tipping point of IAM in the enterprise • Extending IAM inside and outside the enterprise
-
Case Study: What Happened at RSA? Lessons Learned From an Advanced Persistent Threat Attack
The perimeter has fallen; there’s someone inside your network. They are well equipped, well practiced, and leave ghost-like traces. You’re lucky to have detected the attack; the odds are less than 10%. Welcome to the Advanced Persistent Threats Club, which over the last two years grew from a handful of military and government targets to over a hundred major corporations in virtually every private sector industry. What’s new about APTs? Why are they successful? Why are they so difficult to detect, let alone prevent? Is a new defense doctrine needed? And what should it look like? RSA's top cyber security researcher will provide insights and lessons learned.
-
Case Study: Securing the Network Infrastructure and Enhancing Security Audits at the FERC
The potential of a cyber-attack against our nation’s utilities and critical infrastructure has gained the widespread attention of the federal government. This session will look inside the Federal Energy Regulatory Commission and its mission to protect its own network infrastructure against unauthorized access, as well as the key tools used in helping FERC comply with Federal Information Security Management Act (FISMA) regulations. To achieve FISMA compliance, FERC deployed Network Access Control (NAC) across its entire network environment, initially in its headquarters and then to remote sites as well as to wireless devices. This was critical as FERC sites are the subject of frequent visits from non-governmental personnel, including individuals and groups from foreign nations. This session will be presented in a case study/war story format that will take attendees through FERC’s network challenges that previously made compliance with FISMA difficult.
-
Case Study: The New Security Prism: Solving the Puzzle from All Sides
With the proliferation of new technologies and delivery models, IAM professionals must reconcile business performance goals with regulatory requirements, consumer privacy issues, and vendor system integration. This challenge is particularly significant in the financial services sector where sensitive information is routinely targeted by cybercriminals. Keith Gordon, Senior Vice President, Fraud and Enrollments Executive for Bank of America will discuss best practices and emerging innovation in securing online and mobile banking transactions as well as the intersection of IAM strategy and overarching business, risk and technology objectives. Key topics include: authentication and authorization for online banking, privacy and security education for customers, and identity management.
-
Cyber-Ark Software: Ripped from the Headlines – The ‘Privileged’ Connection – Solved!
This session will focus on the recent headline-making breaches and crimes, and the key role that unmanaged privileged access and accounts played in allowing insiders and external players to perpetrate these breaches. Leveraging these cautionary tales, the session discusses the expanding scope, depth and breadth of the Privileged Challenge and the correlating imperative for organizations to address these Privileged Account Activity Management (PAAM) challenges, or risk continuing to be vulnerable to similar, pernicious attacks.
-
Avatier: Shifting IAM from IT: Storefronts today, Trusted Identity Fabric™ tomorrow
Identity and access management responsibilities are often run with a discrete set of applications or even as out-of-band processes —with little to no visibility from line of business managers. What if application and network access was just another item to provision, like a security card or a computer from a storefront? What if a fault-tolerant, Trusted Identity Fabric™ transcended the network and applications managing all resources? With the human activity reduced to a series of approvals. Hear how MillerCoors and Avatier are redefining enterprise IAM.
-
Quest Software, Inc: End-user Panel – IAM: Keep It Simple, Keep It Real
If you could start anew, what would your ideal IAM solution look like? Forget frameworks that require rigid and costly customization. Ignore approaches that only solve specific tasks on specific systems. Abandon manually intensive solutions requiring heavy IT involvement. Listen as real-world companies share a better way to improve security, compliance and efficiency with an integrated, modular and future-proofed approach. One that favors simplicity over complexity, configuration over customization, and business needs over IT limitations.
-
Oracle: Catering to Business Success with Metrics-Driven Identity Analytics
Certifying user access for thousands of users across hundreds of applications for compliance audits is undeniably complicated, time consuming and error prone. Hear first-hand from a panel of end users the key components required to ease the certification process and manage the scale and scope of it. And hear Amit Jasuja, Oracle Vice President, detail how these insights helped shape the game changing Oracle Identity Analytics 11gPS1.
-
RSA: Advanced Security: Intelligence, Advanced Detection and “Smart” Controls
A recent KPMG survey revealed that mature SOCs have procedures in place for standard incidents – not for Advanced Attacks. During this session we will discuss requirements for the next generation SOC with sensors that detect the subtle hints of APTs, context for added intelligence and “smart” controls that enable on-demand countermeasures.
-
SailPoint: Case Study: Identity Governance at CUNA Mutual Group
Hear how CUNA Mutual Group, a leading provider of financial services to credit unions, improved the accuracy and efficiency of access controls and automated their compliance and provisioning processes with SailPoint. By taking a governance-based approach to identity management, CUNA Mutual is effectively managing access risk while increasing administrative effectiveness. CUNA’s project overview will describe key success factors, including automating access request and certification processes, involving business managers, and future project plans.
-
IBM: Security Intelligence: An Optimized Approach for Today's Security Challenges
Technological advances in cloud adoption, mobile computing, social business, and analytics are driving innovation and breaking down traditional business boundaries. The resulting security challenges of such advances impact more than the IT department. In order to prepare effectively, an optimized approach is essential. Foundational elements, such as identity and access management, should be implemented as part of a security plan that analyzes today's security events to influence tomorrow's business decisions.
-
CA Technologies: Making Cloud Work for Your Organization
The business value of using Cloud services is great. We can confidently enable our organizations to capture this value if we adapt IT and Security to this distributed application model and embrace our new role as a business services brokerage function. We will discuss how to overcome the Shadow IT movement, how to evaluate security of cloud providers and how to implement a Cloud Security Broker to centrally enforce security policy across this new supply chain.
-
BeyondTrust: Preventing Good People From Doing Bad Things
While you work hard to keep the bad guys out, a trusted employee, contractor or partner, can cause more damage than any outside hacker could ever do. This presentation will help you prevent this nightmare scenario by showing you how “less is more” when it comes to protecting your physical, virtual and cloud-based IT assets across the extended enterprise, providing the security and governance your organization needs to succeed.
-
Fischer International Identity: Which Identity services should I outsource?
Cloud-based IAM is now considered a viable business model. With this model come two critical questions that you’ll need answered: "What control should I maintain over my Identity solution?" and "What control should I relinquish?" Attend this session to learn the answers to these questions.
-
Authentify, Inc.: Variations to consider when considering Out-of-Band Authentication
Out-of-Band Authentication (OOBA) has been around for more than a decade. Many users are familiar with SMS OTPs and authentication phone calls. Cyber-criminals, however, are also becoming familiar with the techniques and have developed attacks specific to thwarting out-of-band techniques. This session will discuss newer approaches to out-of-band authentication, attack vectors, considerations for successful implementations of out-of-band authentication plus Q & A with firms who have deployed OOBA.
-
Radiant Logic: Supporting Stronger Access Management with an Identity Service
Domain, protocol, and schema limitations are inherent in the identity management realm, making portal security initiatives a complex challenge. However, a federated identity service can mitigate risk and contribute to more effective, more fine-grained security. By building a 360° view of customers and employees—including all rights, roles, groups, and entitlements for both internal and external users—an identity service is the gateway to intelligent business decision making.
-
Lighthouse Security Group: IAM-as-a-Service: Market Trends and Realities
Identity and Access Management as a Service (IAMaaS) is the cloud-based alternative to traditional IAM, offering organizations lower costs, quicker deployment times, improved business agility, and strong service level agreements. IAMaaS provides a compelling strategy for extending IAM to growing user communities and unconventional assets such as SaaS applications, social networks and mobile devices. This session will explore the benefits and realities of IAMaaS to help organizations make informed decisions regarding adoption of cloud-based IAM.
-
Hitachi ID Systems: Designing and deploying a Global-Scale, Fault-Tolerant Privileged Access Management System
Idan Shoham, CTO, will present an informative session on how to design and deploy a global-scale, fault-tolerant privileged access management system.
-
BiTKOO: Discover cloud identity as a service from soup to nuts
Learn a whole lot of what is new in identity as a service and zero-code XACML identity and access control with Doron Grinstein, CEO of BiTKOO. Gone are the days requiring developers to roll out their own security code. Discover the latest developments in security for your applications and services, and avoid the hassle, inefficiencies and costs associated with writing your own code for authentication, authorization, federation, session management, delegated administration, audit trail and access reporting.
-
Aveksa: Automating Access Governance Case Study: Cricket Communications
In this presentation, Andy Walker of Cricket Communications, a leading provider of innovative and value-driven wireless services, will discuss how by automating Access Governance processes, his company has been able to: • Increase visibility and control of user access • Reduce the cost of managing access • Reduce the risk caused by improper access • Improve audit readiness and achieve continuous compliance • Empower the business to make accurate and timely access decisions
-
Analyst User Roundtable: IAM in Energy and Utilities: Current State & Requirements for the Future (Pre-registration required. End users only.)
As the energy and utilities market evolves, operational technology (e.g. industrial control systems) and information technology are converging. Compliance regulations are being actively applied internationally to create levels of assurance around IAM and security. This round table brings together end-users from oil and gas, refining, electric and water utilities (to name a few) to discuss the current state of IAM in their respective enterprises and requirements for the future.
-
Analyst User Roundtable: Justifying IAM to the Business: Successes & Failures (Pre-registration required. End users only.)
IAM business justification remains a problem for many enterprises—it is often difficult to express IAM benefits in meaningful business terms. This results in reduced program scopes and in some cases an inability to address original business requirements for IAM. This round table allows end-users to share experiences, both successes and failures, in justifying IAM to the business.
-
Analyst User Roundtable: IAM and the Public Sector: Issues and Best Practices (Pre-registration required. End users only.)
International federal, state, and local governments have vital IAM needs for employees, citizens, and partners. This round table brings together end-users from the public sector to discuss IAM issues and concerns, deployment lessons and practices, and organizational impacts as a result of IAM use.
-
Analyst User Roundtable: Reality of IAM and Security for Cloud Computing Environments (Pre-registration required. End users only.)
What is true vs. what is hype when it comes to the role of IAM in making cloud computing applications a reality for most enterprises? There are several use cases that have IAM being delivered from private and public cloud environments, and IAM supporting enterprise access to cloud environments. This round table allows end-users to share their early experiences with IAM and the cloud.
-
Analyst User Roundtable: Role and Entitlement Management (Pre-registration required. End users only.)
Identity and Access Governance (IAG) is a broad topic that includes role life cycle management and has significant implications for externalized authorization as well. How roles are used in an enterprise and how entitlements are enforced is an increasingly significant question as alternative means for delivering IAM become more realistic. This round table enables a discussion around the use of roles and the implementation of fine-grained authorization in the enterprise.
-
Analyst User Roundtable: IAM in Health Care: Lessons Learned & Best Practices (Pre-registration required. End users only.)
The health care industry is one of the most volatile and dynamically changing environments worldwide today. IAM requirements for patients, staff and partners are evolving and issues such as privacy are major areas of concern. This round table brings together end-users from the health care and related industries to discuss IAM lessons learned and practices developed for more effective implementations.
-
Analyst User Roundtable: Impact of IAM on Active Directory and Vice Versa (Pre-registration required. End users only.)
Microsoft’s Active Directory is a pervasive element of IT infrastructure in enterprises today. It plays a key role in storing identity and access information for a number of IAM purposes. But how is IAM impacted by Active Directory’s part in the identity data model? This round table provides an open forum to discuss how Active Directory is used in the enterprise today and what lessons can be learned from the experience.





