Updated: Jul 28, 2020
Identity and Access Management (IAM) and Identity Governance and Administration (IGA) are key to our digital existence today. Technology, mindset and complexity are all changing, and the way we collect, interact with, use and secure information has a profound impact on how we will treat IAM and IGA. These changes require today’s leaders to start thinking about how future-ready they are. This viewpoint is a collection of thoughts on next-generation trends and how they relate to, or impact, both IAM and IGA.
CredenceIA’s all-encompassing, tailored solutions, from advisory and implementation to US-based L2/L3 managed services, allow CISOs and their teams to focus where attention is necessary.
Identity Past, Current and Future
The basic premise and definition of an identity will continue to evolve beyond human identities. Today’s IAM and IGA thinking is focused on managing employee and non-employee identities. With security evolving and a need to bring every identity and its management under one umbrella, identity now expands to “vendor” (a catch-all term for any human identity that is not an employee: external identities from vendors, contingent workers, business partner users, third-party business users, customers, etc.). At the same time, we rely more and more on machines and devices.
More and more Internet of Things (IoT) devices are being used as an integral part of doing business, and the future of identity will go beyond humans to include machine IDs, IoT devices, and non-human privileged accounts with elevated access. With IoT devices and the machine IDs that control them (including the growth and advent of Edge Computing), managing the certificates that prove those identities (issuance, renewal and revocation) will become part of managing identity lifecycles. The term identity will become very broad. Any device that is network connected, performs tasks or computation, or exchanges data will need to be thought of as having its own identity, and that identity will need to be managed like a human identity lifecycle, from provisioning through de-provisioning.
The Future of Passwords
A chain is only as strong as its weakest link. In identity management, the password is the weakest link in the entire ecosystem. Passwords are the metaphorical keys to the kingdom used to prove the authenticity of an identity. Single sign-on (SSO) has matured and many market-leading products do it well. As a result, the number of passwords the average user must remember has gone down. With fewer passwords, each one unlocks more, so the risk carried by a single weak or compromised password is much higher, especially considering how much damage one password can do to an enterprise.
Enterprises of all sizes struggle to balance password policies that users will accept against longer, more complex (higher-strength) passwords, which may be perceived as difficult to remember. Multi-factor authentication (MFA), including cloud MFA, has been gaining acceptance; however, the password-less future is not completely viable yet. There is incremental progress toward it by way of push notifications, universal authenticators and biometric access. Smart use of these technologies will continue to increase and adapt to wider use cases. Users who have registered and authenticated with one of the universal authenticators can log in to their company assets as well as their personal accounts: banks, social media, email, school accounts and beyond.
The future of the password will rely increasingly on a combination of push notifications, universal authenticators, behavioral/contextual signals and biometric access.
Machine Learning and Artificial Intelligence in IAM and IGA
Artificial intelligence (AI) and machine learning (ML) technologies are starting to find their place in the IAM and IGA space. We are now in a transitional period. For some enterprises, the focus is to move legacy solutions to a more current and actively managed IAM/IGA solution; for others, it is about taking the first step away from manual, ad-hoc ways of managing identities. For the more mature enterprises, already on market-leading IAM and IGA solutions, AI and ML should be in their strategy and focus.
Traditional identities mostly include only employees and non-employees such as contractors, vendors, business entities, etc. Access, authorization and governance of these identities are largely static (e.g., a user is granted access to match a peer or a role; governance is reactive and follows a schedule) rather than contextual or behavioral. As identity evolves to include non-human identities, IoT devices and certificates, today’s simple decisions, assigning access based on who someone is, which role they work in and what they do, will no longer be simple. More decisions will be made on the real-life actions of an identity, combining what they do personally and professionally.
What are these real-life, action-based decisions? A company will monitor the access behavior of anyone who does business with it (employees, contractors, partners, vendors, even customers). On the professional side, high-risk users will be monitored in real time by AI and ML, which can make a risk decision based on information such as a feed from SIEM tools, to determine abnormal access behavior: working at odd hours, too many logins, logins originating from different IP addresses, simultaneous logins from different IPs or geographies, and so on.
In certain ultra-high-risk business settings, even the personal behavior of the user can and will be leveraged to make decisions about what they can or cannot do on the professional side. There will be behavioral scores to flag high debt, patterns of gambling beyond what is accepted as recreational, as well as illegal or illicit activities. As a thought, in industries such as mortgage lending, a decision on granting a loan can be (and in some cases is already starting to be) based on input from AI linked to a user’s personal behaviors. After all, a mortgage company would not want to grant a loan to a rental-property owner whose renters have high debt and spending habits that increase the chance they cannot pay rent, which in turn increases the chance that the property owner defaults on the mortgage. Other examples include companies taking into account the corporate and personal behavioral traits of high-risk users to make decisions such as real-time authorization to initiate or manage treasury transactions, access to other sensitive data or company intellectual property (IP), or even control of social media accounts.
The lines between personal and professional will blur as more and more technology becomes an integral part of what we do, and of its impact on and relation to our jobs and business.
With the changing times, making a static decision to grant access purely because “he/she works in ABC department and has job duties similar to XYZ” is highly inefficient and has proven to be dangerous. Similarly, we see role proliferation to a degree that it would be better to have no roles at all! Unless highly focused and governed by a strict process, RBAC is neither efficient nor stable. Necessity dictates that the access decision becomes dynamic, combining static entitlements with the user’s risk posture, which changes over time. This is where ML builds baseline patterns that AI uses to make contextual decisions for access requests, risk profiling and real-time access decisions. In the future, roles could become obsolete; even in today’s context, defining a role is not an exact science but a compromise.
Efficient use of ML and AI will allow an organization to fully leverage its investment in IAM and IGA tools.
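The behavior monitoring described above (odd hours, login bursts, multiple source addresses, logins from two geographies, failed attempts) and the dynamic decision that combines static entitlements with a risk posture are illustrated below. This is an added example, not code from the original viewpoint or from any product: the SIEM-style events, the thresholds and rule weights, and the role model are all constructed assumptions, standing in for the baselines an ML system would learn.

```python
# Added example (not from the original viewpoint): turn SIEM-style login events
# into a per-user risk score, then combine that score with static role-based
# entitlements to reach a dynamic access decision. Events, thresholds, weights
# and the role model are all constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: (user, UTC timestamp, source IP, country, result).
SAMPLE_EVENTS = [
    ("alice", "2020-07-27T09:02:11", "10.1.4.22",    "US", "success"),
    ("alice", "2020-07-27T09:05:40", "10.1.4.22",    "US", "success"),
    ("alice", "2020-07-27T13:10:02", "10.1.4.22",    "US", "success"),
    ("bob",   "2020-07-27T02:14:00", "203.0.113.7",  "US", "success"),
    ("bob",   "2020-07-27T02:16:30", "198.51.100.9", "DE", "success"),
    ("bob",   "2020-07-27T02:17:05", "198.51.100.9", "DE", "failure"),
    ("bob",   "2020-07-27T02:18:00", "198.51.100.9", "DE", "failure"),
    ("bob",   "2020-07-27T02:19:00", "198.51.100.9", "DE", "failure"),
    ("bob",   "2020-07-27T02:20:00", "192.0.2.44",   "DE", "success"),
    ("bob",   "2020-07-27T02:21:00", "203.0.113.7",  "US", "success"),
    ("carol", "2020-07-27T21:30:00", "10.1.7.3",     "US", "failure"),
    ("carol", "2020-07-27T21:31:00", "10.1.7.3",     "US", "failure"),
    ("carol", "2020-07-27T21:32:00", "10.1.7.3",     "US", "failure"),
    ("carol", "2020-07-27T21:33:00", "10.1.7.3",     "US", "success"),
]

# Assumed thresholds; a real deployment would derive these from ML baselines.
BUSINESS_HOURS = range(6, 20)          # successful logins outside this are "odd hours"
BURST_WINDOW, BURST_MAX = timedelta(hours=1), 5
MAX_IPS = 2
TRAVEL_WINDOW = timedelta(hours=1)     # two countries inside this window is not plausible
MAX_FAILURES = 3
WEIGHTS = {"odd_hours": 2, "login_burst": 2, "many_ips": 1,
           "geo_conflict": 3, "failed_logins": 1}


def group_by_user(events):
    """Parse the raw feed into {user: [(ts, ip, country, result), ...]} sorted by time."""
    by_user = defaultdict(list)
    for user, ts, ip, country, result in events:
        by_user[user].append((datetime.fromisoformat(ts), ip, country, result))
    for evs in by_user.values():
        evs.sort()
    return by_user


def has_burst(events):
    """More than BURST_MAX events inside any BURST_WINDOW (events are sorted)."""
    for i, (ts, *_) in enumerate(events):
        if sum(1 for ts2, *_ in events[i:] if ts2 - ts <= BURST_WINDOW) > BURST_MAX:
            return True
    return False


def has_geo_conflict(successes):
    """Two successful logins from different countries closer together than TRAVEL_WINDOW."""
    for i, (ts, _, country, _) in enumerate(successes):
        for ts2, _, country2, _ in successes[i + 1:]:
            if ts2 - ts > TRAVEL_WINDOW:
                break                      # sorted: later events are even further apart
            if country2 != country:
                return True
    return False


def score_user(events):
    """Return (risk_score, [triggered rules]) for one user's sorted events."""
    successes = [e for e in events if e[3] == "success"]
    checks = [
        ("odd_hours", any(ts.hour not in BUSINESS_HOURS for ts, *_ in successes)),
        ("login_burst", has_burst(events)),
        ("many_ips", len({ip for _, ip, _, _ in events}) > MAX_IPS),
        ("geo_conflict", has_geo_conflict(successes)),
        ("failed_logins", sum(e[3] == "failure" for e in events) >= MAX_FAILURES),
    ]
    flags = [name for name, hit in checks if hit]
    return sum(WEIGHTS[f] for f in flags), flags


# Static access model (constructed): what a role grants, and which targets are sensitive.
ROLE_ENTITLEMENTS = {
    "treasury":    {"treasury-transfers", "expense-reports"},
    "engineering": {"source-repo", "expense-reports"},
}
SENSITIVE = {"treasury-transfers", "source-repo"}


def decide(user_roles, resource, risk_score):
    """Combine the static entitlement check with the user's current risk posture."""
    if not any(resource in ROLE_ENTITLEMENTS.get(r, ()) for r in user_roles):
        return "deny"                       # no role grants it, whatever the risk
    step_up_at, deny_at = (3, 6) if resource in SENSITIVE else (6, 9)
    if risk_score >= deny_at:
        return "deny"
    if risk_score >= step_up_at:
        return "step-up"                    # allow only after a fresh MFA challenge
    return "allow"


if __name__ == "__main__":
    roles = {"alice": {"engineering"}, "bob": {"treasury"}, "carol": {"treasury"}}
    for user, evs in group_by_user(SAMPLE_EVENTS).items():
        score, flags = score_user(evs)
        print(user, score, flags, decide(roles[user], "treasury-transfers", score))
```

Run as a script, it scores each user and decides a request for `treasury-transfers`: alice (no treasury role) is denied statically, bob's burst of odd-hours logins from two countries scores 9 and is denied on risk alone, and carol's three failures before an evening login score 3, enough to force step-up MFA on a sensitive target while a non-sensitive one would still be allowed. The point of the structure is that the static check and the risk check are separate inputs to one decision, so neither roles nor behavior alone decides.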
The Power of The Cloud
The exodus from typical on-premise-only centralized infrastructure to the cloud and to hybrid (some cloud, some on-premise) IAM/IGA Software as a Service (SaaS) providers will continue, regardless of enterprise size or vertical. Cloud-based implementations offer scalability and flexibility, as well as efficiency and, in most cases, cost benefits that an on-premise implementation cannot match. On-premise implementations will become fewer and fewer.
The leading IAM and IGA solution vendors are adapting their products, or designing them from the ground up, with the cloud in mind, offering various features as a service. The traditional mindset for an enterprise was to keep data centers in house for control and security; however, this required quite a bit of investment in both infrastructure and staffing. Technology and threats evolve constantly, and keeping up with an on-premise approach puts a lot of strain on budgets and the capex vs. opex equation, and encourages the rise of shadow IT. Shadow IT comes into play especially when organizational politics get involved and the mindset of control shifts because of the cost of security. Many breaches come from insiders, or from a lack of focus on security and lapses when on-premise infrastructure is not properly maintained.
When budgets get cut, heads roll, and security takes a hit.
Cloud-based IAM and IGA solutions take away the pain of maintaining everything in house and keeping up with security trends and threats, and they make scaling much faster than the on-premise approach. It is true that a few years ago a cloud-based approach was not ready for prime time, but that is no longer the case, especially with standardized access to and from applications by way of REST, web services, JDBC, etc., allowing easier integration between cloud-based IAM/IGA solutions and both on-premise and other cloud applications. Directory infrastructure in the cloud offers better flexibility to collaborate with third parties. Authentication models are evolving and getting more secure with MFA, risk-based authentication, push notifications, etc.
Leading cloud providers offer options for better infrastructure isolation to safeguard data, including government data (FedRAMP). Collectively, today’s CxOs feel comfortable moving to the cloud without compromising security, customer/business enablement, or alignment with long-term goals. For larger enterprises, the cloud is most certainly better. For small and medium-sized businesses (SMBs) too, we see adaptability and acceptance of a cloud-“preferred” mindset developing.
The concept of security as a service, by way of Identity as a Service (IDaaS), in IAM and IGA is gaining traction and will continue to do so.
Edge Computing is still in its nascent stage; however, in the next few years there will be a lot of emphasis on adapting to it. The amount of data generated by each connected device, or in industrial settings, is already enormous (as an example, an autonomous car typically generates about 4 TB of data a day and a plane engine about 5 TB a day). If this data can’t be used, it defeats the purpose of collecting it. Today, because of latency and other limitations such as bandwidth constraints or the cost of moving huge volumes of data to central infrastructure (cloud or on-premise) for processing, using it is not practical, and as a result most of this data is not fully used. As Edge Computing evolves, more distributed and decentralized computing will happen outside the central cloud (or on-premise/hybrid model). This will alleviate the issues of latency and cost and allow “instantaneous” processing of data and action on it.
Today, a security camera or a sensor primarily sends data to a central cloud or on-premise infrastructure; privacy is the main concern, so access to the camera must be secured. With Edge Computing there will be more “intelligent” devices with the capability to make decisions that have real-life impacts. The same security camera could in future be part of an Edge Computing network, and near-instant data processing will have applications in industry, law enforcement, national security and surveillance. Another example is an oil company using an Edge Computing device to control a high-pressure sensor and a shut-off valve when pressure goes beyond safe limits. Similarly, an autonomous car makes real-time decisions. There are countless more applications and use cases where Edge Computing will benefit; the overarching point is that as network-connected devices leverage Edge Computing, they will have much more access to, and privilege on, the home or company network.
In all these cases, unauthorized access to and manipulation of the Edge Computing device has real-world implications. Therefore, access, authorization, governance and risk profiling of these Edge Computing devices, and their management, will be a real security challenge that will need a re-think and in some cases a redesign of the solution.
PS: A more detailed Edge Computing and IAM/IGA viewpoint is coming from us in the future.
Blockchain gained prominence in late 2018 and 2019 as the “next big thing” in every situation where trust is necessary. IAM is no different; however, it is early for the collective mindset to adapt to Blockchain for many use cases. This is because Blockchain relies on a decentralized model of trust, which is the polar opposite of the centralized trust model that builds the foundation for an identity.
The identity crisis: today, an identity needs to be verified by a centralized authority before a service can be consumed. It is too early for an identity to exist in a decentralized model. As identity evolves, Blockchain will see more inclusion in mainstream IAM solutions, and in scenarios involving collaboration. Once companies start to trust a distributed model of identity and an inter-company trust model for identity verification, it won’t be long before product companies react and offer options. In the future, a separate blog post will be written on this topic.
Audit and proof of record: where we see Blockchain gaining most is where a chain of custody for transactions is required. Yes, every technology we touch produces an audit trail by way of generated logs, and combining such logs creates a pattern or proves conclusively that something happened. For a determined privileged user, though, modifying or deleting such logs is a piece of cake. Blockchain changes this: each committed block carries the hash of the block before it, so altering a record changes its digital signature/footprint and breaks every link that follows, and the other participants holding copies of the chain reject the modified version.
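The tamper-evidence described above comes down to one mechanism, shown below as an added example that is not code from the original viewpoint or from any Blockchain product: each audit entry is hashed together with the hash of the entry before it, so a change to a committed record is caught when the chain is re-verified. The example also shows the limit that matters for the private chains discussed next: an administrator who can write every entry can rebuild the hashes after an edit, so the head hash must be anchored with a party (or a write-once store) outside that administrator's reach. The access-governance records are constructed for illustration.

```python
# Added example (not from the original viewpoint): a minimal hash-chained audit
# log. Each entry carries the hash of its predecessor, so editing or deleting a
# committed record breaks every link after it. It also shows the limit of a chain
# held by a single administrator, who can rebuild the tail, and why the head hash
# must be anchored outside their reach. Records are constructed for illustration.
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def entry_hash(prev_hash, index, record):
    """Hash of one entry: binds the record to its position and to the previous hash."""
    payload = json.dumps({"index": index, "prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append(chain, record):
    """Append a record; the new hash depends on every entry before it."""
    index = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"index": index, "prev": prev, "record": record,
                  "hash": entry_hash(prev, index, record)})
    return chain[-1]["hash"]


def verify(chain):
    """Recompute every hash and back-link. Returns (ok, index_of_first_bad_entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["index"] != i or entry["prev"] != prev:
            return False, i            # entry moved, deleted, or link rewritten
        if entry_hash(prev, i, entry["record"]) != entry["hash"]:
            return False, i            # record content changed after commit
        prev = entry["hash"]
    return True, None


def verify_anchored(chain, trusted_head):
    """verify() plus a check of the head hash against a copy held by another party."""
    ok, bad = verify(chain)
    if not ok:
        return False, bad
    head = chain[-1]["hash"] if chain else GENESIS
    if head != trusted_head:
        return False, len(chain) - 1   # self-consistent, but not the chain others hold
    return True, None


def recompute_tail(chain, start):
    """What an admin with write access to every entry can do: rebuild all hashes after an edit."""
    prev = chain[start - 1]["hash"] if start else GENESIS
    for i in range(start, len(chain)):
        chain[i]["prev"] = prev
        chain[i]["hash"] = entry_hash(prev, i, chain[i]["record"])
        prev = chain[i]["hash"]


def build_sample_chain():
    """Constructed audit trail of access-governance events."""
    chain = []
    for rec in [
        {"actor": "iga-system", "action": "grant",   "user": "bob", "entitlement": "treasury-transfers"},
        {"actor": "manager01",  "action": "certify", "user": "bob", "entitlement": "treasury-transfers"},
        {"actor": "iga-system", "action": "revoke",  "user": "bob", "entitlement": "treasury-transfers"},
    ]:
        append(chain, rec)
    return chain


def tamper_demo():
    """Edit a committed record, then rebuild the tail the way a privileged admin would."""
    chain = build_sample_chain()
    trusted_head = chain[-1]["hash"]        # copy kept by another party or a write-once store
    results = {"clean": verify(chain)}
    chain[1]["record"]["actor"] = "bob"     # bob now appears to have certified his own access
    results["edited"] = verify(chain)       # link broken at the edited entry
    recompute_tail(chain, 1)
    results["rebuilt"] = verify(chain)      # self-consistent again: a lone chain cannot tell
    results["anchored"] = verify_anchored(chain, trusted_head)  # but the head no longer matches
    return results


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name:9} ok={outcome[0]} first_bad={outcome[1]}")
```

Run as a script, the four verifications read clean, broken at entry 1, clean again after the rebuild, and broken at the head when checked against the anchored copy. Deleting an entry is caught the same way, because the index stored in each entry no longer matches its position. The last two results are the practical caveat for a private Blockchain: a chain that one administrator can rewrite end to end proves only that it is internally consistent, and the guarantee the article describes depends on copies of the head hash (or the whole chain) being held by parties that administrator does not control.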
Enterprises are considering having their own private Blockchain infrastructure to prove data completeness and authenticity. This said, the costs and benefits of a private Blockchain need to be taken into account, and once the cost of such private or semi-private infrastructure comes down or is shared (e.g., among financial, insurance, healthcare or like-minded enterprises), adoption and expanded use of Blockchain will follow.
Some obvious use cases are in the financial, insurance and healthcare verticals, where high-risk, high-value and high-trust transactions occur involving money, PII or health records.
Make sure your organization is future ready
Follow the process below to assess organizational maturity before trying to reap the benefits of any of the future-state IAM described here. It is not prudent to start leveraging Blockchain while you don’t have a leading IAM or IGA solution in place and are still dealing with spreadsheet-based reviews and ad-hoc, fragmented technologies. Here are the steps for self-evaluation to ensure your organization is ready for the next revolution in the IAM and IGA space:
Enterprises on a legacy IAM or IGA solution, or with fragmented management: consider moving to leading technologies that either already offer, or are more inclined to offer, the next-generation features discussed in this viewpoint.
Enterprises on leading solutions: consider incorporating SIEM data and IoT data to expand identity, adopt password-less authentication, or start exploring use cases that could benefit from AI/ML and/or Blockchain.
Want to discuss further?
We are the only boutique firm that offers customized and streamlined options across plan, build and operate. We help customers with advisory, full-service implementation, unique Identity Governance (IGA) & Non-employee/Vendor Access Management (VAM) QuickStart offerings, and managed services. Please send an email or fill out the contact form here.