Global Trends in Bring Your Own Identity (BYOID) CA Technologies & Ponemon Institute July 2014
May 11, 2015
2 © 2014 CA. ALL RIGHTS RESERVED.
Are your users suffering “registration fatigue”?
A growing number of sites are allowing visitors to log in using a social or digital identity from a trusted third party – like PayPal, Facebook, Microsoft or Google.
The technical term is “federated identity,” but most people call it Bring Your Own Identity or BYOID.
The Ponemon Institute and CA Technologies recently surveyed 1,589 IT security practitioners and 1,526 business users worldwide to understand how companies view BYOID.
The Promise of BYOID
Reduce complexity, improve user experience
The Challenge of BYOID
I am Losing Control!
High interest in BYOID for online & mobile users
82% of business users responded High or Very High on using BYOID for mobile users
79% of business users responded High or Very High on using BYOID for website visitors
Customers want and expect a simple user experience … BYOID can help
IT and Business look at BYOID for different reasons
Outsource password reset activities – IT: 48%; Business: 9%
Capture user attributes from external sources? – IT: 26%; Business: 95%
Business sees value in BYOID for gathering customer data whereas IT sees BYOID as more of a cost savings initiative
Different personas explored in this survey
IT User
• I need to manage customer data
• I need to keep sensitive data secure
• I need to meet compliance and policy mandates
Business User
• I want to simplify the customer experience
• I want to know more about my customers to help improve retention and drive incremental revenue
Are you familiar with BYOID?
Q1. What best describes your level of familiarity with the emerging trend in identity management termed “Bring Your Own Identity” or BYOID?
27 27
34 28
39 45
0 0
IT User Business User
Very Familiar Familiar Somewhat Familiar Not Familiar
Level of interest in BYOID?
Q2. What best describes your organization’s level of interest in BYOID?
20%
30%
34%
16%
IT USER
23%
40%
23%
14%
BUSINESS USER
Main reasons for BYOID adoption
Q3. What are the main reasons for BYOID adoption in your organization today? (Multiple selections)
Other – IT User: 1; Business User: 0
To get multi-factor authentication at a low cost – IT User: 36; Business User: 10
To capture attributes about users from external sources – IT User: 26; Business User: 95
To outsource password reset activities to identity providers – IT User: 48; Business User: 9
To create an identity credential that lasts beyond the user’s employment or temporary employment – IT User: 13; Business User: 11
To combine digital identifiers owned by each user with corporate factors to create a stronger identity credential – IT User: 69; Business User: 65
Control of BYOID
Q4. Who controls or “owns” digital identities in your organization?
20 16
2 5
27 28
10 18
13 24
28 9
IT User Business User
IT IT Security Lines of Business
Marketing & Sales Data Analytics Shared Responsibility
Note: Two choices, “Research & Development” and “Other”, did not generate any response
Accepting digital IDs by user population
Q5. How would you rate your organization’s level of interest in accepting digital identities for any of the following user populations?
IT
Business
Website Customers
Mobile Customers
Employees
Recruiting Job Prospects
Contractors
Retirees
2228
28148
36
439
93
2226
2814
10
41
417
84
2125
3012
12
14
22
38
15
11
12
20
34
24
10
12
25
44126
2023
3513
9
10
18
49
11
11
14
22
31
18
15
19
22
30
16
13
Importance of third-party validation
Q6. Please rate the following statement using the scale: “My organization would be able to offer more online services and programs if those digital identities were validated and trusted by a third party such as Google, Facebook, Yahoo, Microsoft or LinkedIn.”
38
15
26
22
3330
19
29
15
IT User Business User
Strongly Disagree Disagree Unsure Agree Strongly Agree
Are you considering a trusted identity partner?
Q7a. Is your organization using or considering the use of digital identities produced by trusted identity providers such as Google, Facebook, Yahoo, Microsoft or LinkedIn?
44
40
16
IT User
30
45
25
Business User
Deployment timeframe
Q7b. If yes, what best describes your organization’s timeframe for deployment?
23 21
7 5
19 22
17 18
18 21
16 12
IT User Business User
Never > 24 mos 12 - 24 mos 6 - 12 mos < 6 mos Already Deployed
Ranking providers by organization’s interest
Q8. Please rank the following identity providers in order of interest to your organization. 1 = of most interest and 7 = of least interest. Avoid ties.
IT User Business User
PayPal – 1.87 Amazon – 1.91
Google – 2.42 Microsoft Live – 2.57
Amazon – 2.60 PayPal – 2.63
LinkedIn – 3.36 Yahoo – 3.05
Microsoft Live – 3.91 LinkedIn – 4.55
Facebook – 5.76 Google – 5.54
Yahoo – 5.79 Facebook – 6.30
Ranking providers by individual’s interest
Q8. Please rank the following identity providers in order of interest to you as an individual accessing other organizations or service providers. 1 = of most interest and 7 = of least interest. Avoid ties.
IT User Business User
Google – 1.82 Facebook – 2.04
PayPal – 2.59 Google – 2.22
LinkedIn – 2.73 Amazon – 2.42
Facebook – 3.50 PayPal – 2.97
Amazon – 4.07 Microsoft Live – 3.13
Microsoft Live – 5.64 Yahoo – 3.44
Yahoo – 5.84 LinkedIn – 4.09
How does BYOID add value?
Q10. How do the creation and/or use of digital identities add value to your organization? Please select all that apply.
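Other – IT User: 1; Business User: 2
Generates new revenues – IT User: 13; Business User: 21
Enables self-service processes – IT User: 29; Business User: 18
Enhances innovations in products & services – IT User: 21; Business User: 32
Decreases customer turnover (churn) – IT User: 25; Business User: 36
Streamlines operations & logistics – IT User: 49; Business User: 55
Increases customer acquisition – IT User: 21; Business User: 43
Increases employee/customer productivity – IT User: 37; Business User: 40
Increases the effectiveness of marketing activities – IT User: 23; Business User: 76
Delivers a better customer experience – IT User: 53; Business User: 79
Reduces the cost of insecurity (impersonation risk) – IT User: 54; Business User: 55
Strengthens the authentication process – IT User: 67; Business User: 38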
Measuring BYOID value
Q11a. Does your organization attempt to measure the added value resulting from the creation and/or use of digital identities?
27
62
11
IT User
59
38
3
Business User
How do you measure BYOID value?
Q11b. If yes, how do you measure this added value? Select all that apply.
0
14
0
56
72
8
63
1
12
78
Other
Cross-selling/incremental revenue
Brand loyalty
Risk & fraud reduction
Cost reduction
IT User Business User
8
1
Future value of BYOID
Q12. In your opinion, how will the added value resulting from the creation and/or use of digital identities change over the next 24 months?
47
34
4
16
IT User
59
26
1
14
Business User
Future cost of digital identities
Q13. In your opinion, how will the total cost incurred by your organization to create, use and maintain digital identities change over the next 24 months?
33
48
3
16
IT User
49
28
2
21
Business User
Features likely to increase BYOID adoption
Q14. Which of the following features would most likely increase BYOID adoption within your organization? Select all that apply.
Risk-based evaluation of account recovery processes and user identity – IT User: 20; Business User: 11
Simplified password or account recovery – IT User: 30; Business User: 30
SMS mechanisms for user validation – IT User: 37; Business User: 27
Simplified user registration – IT User: 56; Business User: 71
Identity provider implementing fraud risk engines – IT User: 57; Business User: 37
Identity validation processes – IT User: 73; Business User: 71
Multi-factor authentication – IT User: 66; Business User: 33
Added factors for added control
Q15. What factors would you add to a digital identity to increase control or scrutiny by your organization? Select all that apply.
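Risk-based evaluation – IT User: 39; Business User: 18
Mobile device factors – IT User: 52; Business User: 66
Smart cards – IT User: 32; Business User: 7
One-time tokens – IT User: 24; Business User: 2
Passive factors such as geo-location – IT User: 22; Business User: 59
4-digit PIN – IT User: 44; Business User: 25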
Useful BYOID characteristics
Q16. As a BYOID relying party, what characteristics about digital identity known to the identity provider would be useful? Select all that apply.
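Length of user account lifetime – IT User: 55; Business User: 49
Token expiration – IT User: 31; Business User: 15
Account recycle notification – IT User: 23; Business User: 15
Account suspension notification – IT User: 45; Business User: 35
Abuse account use – IT User: 60; Business User: 55
History of identity takeovers – IT User: 56; Business User: 29
History of password resets – IT User: 69; Business User: 62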
Increasing the value of a BYOID provider
Q17. What additional information or services would increase the value of the BYOID identity provider? Select all that apply.
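None of the above – IT User: 32; Business User: 13
Access to payment systems – IT User: 16; Business User: 60
Payment information – IT User: 29; Business User: 73
Validated phone number – IT User: 46; Business User: 86
Current shipping address – IT User: 24; Business User: 86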
BYOID benefits of interest
Q18. Which BYOID benefits are of most interest to your organization? Select all that apply.
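Other – IT User: 1; Business User: 1
Access to fresh identity information – IT User: 46; Business User: 62
Security enhancements – IT User: 45; Business User: 5
Increased revenue – IT User: 14; Business User: 56
Simplified engagement for users – IT User: 48; Business User: 75
Reduced friction in user experience – IT User: 49; Business User: 78
Contractor on-boarding – IT User: 57; Business User: 25
Employee on-boarding – IT User: 58; Business User: 25
Identity validation – IT User: 74; Business User: 63
Fraud/risk evaluation & reduction – IT User: 55; Business User: 21
Targeted marketing – IT User: 11; Business User: 43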
Importance of accreditation
Q19. How important is formal accreditation of the BYOID identity provider?
29
30
21
15
5
IT User
12
15
48
22
3
Business User
Minimum BYOID provider assurance level
Q20. What is the minimum level of assurance you would be willing to accept from a BYOID identity provider?
Provides multi-factor remote authentication only using hard cryptographic tokens – IT User: 22; Business User: 8
Provides multi-factor remote authentication using soft cryptographic tokens, hard cryptographic tokens, and/or one-time password tokens – IT User: 26; Business User: 13
Single factor authentication using a wide range of available authentication technologies – IT User: 30; Business User: 38
None (no assurance necessary) – IT User: 21; Business User: 41
Best use case to show BYOID benefit
Q21. What use case would you choose to demonstrate the benefits of BYOID within your organization?
Support for specific mobile initiatives – IT User: 21; Business User: 8
On-boarding employees – IT User: 20; Business User: 11
On-boarding contractors – IT User: 17; Business User: 4
Accepting social identities to access additional attributes that drive targeted marketing promotions – IT User: 12; Business User: 29
Streamline online user registration process for new customer acquisition – IT User: 30; Business User: 49
BYOID inhibitors
Q22. In your opinion, what is the most significant inhibitor to BYOID deployment?
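Other – IT User: 0; Business User: 1
Loss of control – IT User: 19; Business User: 8
Risk & liability concerns – IT User: 34; Business User: 19
Lack of a compelling business case – IT User: 12; Business User: 18
Complexity – IT User: 21; Business User: 23
Cost – IT User: 14; Business User: 31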
Preferred payment for BYOID services
Q23. What is your preferred payment method for BYOID services?
Other – IT User: 0; Business User: 2
Single annual fee regardless of user size – IT User: 53; Business User: 37
Fee per transaction – IT User: 26; Business User: 17
Flat fee per user – IT User: 21; Business User: 44
Conclusion: A New Value-Based View of Identity is Emerging
• Risk-based has dominated for the last decade but that is changing
• Evolving towards a more value/customer-centric view of identity
• Key is finding appropriate balance between both
Value-based
Risk-based
IT/IT Security
Line of Business
Sample Sizes
IT User Business User Total % of total sample
USA/Canada 570 428 998 32%
Australia 99 110 209 7%
Brazil 158 185 343 11%
France 127 148 275 9%
Germany 182 180 362 13%
India 141 152 293 8%
Italy 143 131 274 8%
UK 169 192 361 12%
TOTAL 1,589 1,526 3,115
Other demographic Info
• 100% of respondents were from companies with >1,000 employees
• 75% of respondents were from companies with $500M+ in annual revenue
• Target titles for IT users were CIO/CISO; target titles for business users were VP/line of business manager
• Even distribution across all common vertical markets
For more information … visit our Website to see more analysis and opinion on the survey data.
http://www.ca.com/lpg/ponemon-study.aspx
Copyright © 2014 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted.
THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT
LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be
liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business
interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages.