12 Trends Shaping Identity Management
As IAM companies try to stretch 'identity context' into all points of the cybersecurity market, identity is becoming 'its own solar system.'
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt488da0d0569f188b/64f0d756b532f68462d1f2a3/01Cover.jpg?width=700&auto=webp&quality=80&disable=upscale)
(Image by DRogatnev, via Shutterstock)
Identity Verification by KBA is Dead
After the breach at Equifax and the leak at Alteryx (which exposed Experian data), the Knowledge-Based Authentication (KBA) systems that many organizations use have been undermined: the "secret" answers are now in attackers' hands. Why ask a customer to verify their identity by confirming former employers, addresses, or a mother's birthday, when attackers know all of that too - plus which magazines they subscribe to and whether they have a pool in the backyard?
(Image by jörg röse-oberreich, via Shutterstock)
GDPR Gives Individuals Ownership of Their Own Identities
Organizations have grown accustomed to behaving as though any name in a database is a name that belongs to them - collecting, storing, transmitting, buying, and selling individuals' personally identifiable information with relative impunity. The European Union's General Data Protection Regulation (GDPR) changes all that - and it amps up organizations' need for identity governance.
GDPR requires a lawful basis for every use of personal data. Where that basis is consent, the consent must be freely given, specific, informed, and unambiguous - a pre-checked box does not count - and individuals must be able to withdraw it as easily as they gave it. Individuals also have a "right to be forgotten." Further, organizations must keep records of their processing activities, which means knowing everywhere this identity data flows and is used.
GDPR protects the personal data of people in the EU regardless of where the organization processing it is located, so it affects companies across the globe; and it covers employees as well as customers, so it will shape the governance and security of both internal and external identities. ForgeRock, which specializes in IAM for external users, added a GDPR dashboard to its product.
GDPR becomes enforceable on May 25, two years after it was adopted. Penalties include, but are not limited to, fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
"GDPR is really seminal," says Herjavec. Like PCI, it will move the industry, but unlike PCI, it affects all industries. He says he's "100% certain" that Canada and the US will have their own version of it.
(Image by Good_Stock, via Shutterstock)
Increasing Needs for Verifiable Claims With Privacy
Squire provides other examples of where the world needs ways for individuals to provide verified claims about themselves while still maintaining their privacy.
There are the old use cases that could be made new again. For example, can a bouncer at a bar verify that someone is of legal drinking age without having to know their name - and can the government agency that might verify that information provide it without learning when and where that person is out drinking?
More importantly, though, could social media and news sites use it to fight the disinformation campaigns used to sway elections? Could a site verify that someone is a registered voter or a resident of a certain country, for example?
Technologically, these things are within our reach, says Squire. "Here's what changed," says Sarah Squire, senior technical architect at Ping Identity, holding up a smartphone. "These can store private keys." The limits now, she says, are regulatory.
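The bar-door scenario above, worked through as an added example: this is illustrative code written for this article, not Ping Identity's or any vendor's implementation, and it assumes a single-issuer Ed25519 credential format of my own design. The issuing authority signs an "over 18" predicate bound to a public key generated in the user's phone; at the door the phone proves possession of that key against a nonce the verifier just generated; the verifier checks the issuer's signature offline. The verifier never sees a name, and the issuer is never contacted, so it cannot learn when or where the credential was used.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claim carries only the predicate the verifier needs (no name, no birth date) and
// binds it to the holder's public key so that nobody else can present it.
type Claim struct {
	Over18    bool   `json:"over18"`
	HolderKey []byte `json:"holder_key"` // holder's Ed25519 public key, generated on the phone
	Expires   int64  `json:"expires"`    // Unix seconds
}

// Credential is a Claim signed once by the issuing authority.
type Credential struct {
	Claim     Claim  `json:"claim"`
	IssuerSig []byte `json:"issuer_sig"`
}

// Presentation is what the phone hands to the verifier: the credential plus a
// signature over the verifier's fresh nonce, proving possession of the bound key.
type Presentation struct {
	Cred      Credential `json:"cred"`
	Nonce     []byte     `json:"nonce"`
	HolderSig []byte     `json:"holder_sig"`
}

func claimBytes(c Claim) []byte {
	b, _ := json.Marshal(c) // fixed struct, so the encoding is deterministic
	return b
}

// presentationMsg ties the holder's proof to this exact credential and nonce.
func presentationMsg(cred Credential, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("presentation-v1"))
	h.Write(cred.IssuerSig)
	h.Write(nonce)
	return h.Sum(nil)
}

// Issue runs once at enrollment; the issuer plays no part in later presentations,
// so it never learns when or where the credential is used.
func Issue(issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, over18 bool, ttl time.Duration) Credential {
	c := Claim{Over18: over18, HolderKey: holderPub, Expires: time.Now().Add(ttl).Unix()}
	return Credential{Claim: c, IssuerSig: ed25519.Sign(issuerPriv, claimBytes(c))}
}

// Present is what the holder's phone does at the door, after the user unlocks the key.
func Present(holderPriv ed25519.PrivateKey, cred Credential, nonce []byte) Presentation {
	return Presentation{Cred: cred, Nonce: nonce, HolderSig: ed25519.Sign(holderPriv, presentationMsg(cred, nonce))}
}

// Verify is the bouncer's check. It needs only the issuer's public key and the nonce
// it generated itself; it learns the predicate and nothing else about the person.
func Verify(issuerPub ed25519.PublicKey, p Presentation, expectedNonce []byte, now time.Time) error {
	c := p.Cred.Claim
	if !ed25519.Verify(issuerPub, claimBytes(c), p.Cred.IssuerSig) {
		return errors.New("issuer signature invalid: forged or altered claim")
	}
	if now.Unix() > c.Expires {
		return errors.New("credential expired")
	}
	if !bytes.Equal(p.Nonce, expectedNonce) {
		return errors.New("nonce mismatch: replayed presentation")
	}
	if len(c.HolderKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(c.HolderKey), presentationMsg(p.Cred, p.Nonce), p.HolderSig) {
		return errors.New("holder proof invalid: presented by someone other than the credential's owner")
	}
	if !c.Over18 {
		return errors.New("holder is not over 18")
	}
	return nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(nil) // the licensing authority
	holderPub, holderPriv, _ := ed25519.GenerateKey(nil) // key that lives in the holder's phone
	_, thiefPriv, _ := ed25519.GenerateKey(nil)          // someone who copied the credential

	cred := Issue(issuerPriv, holderPub, true, 24*time.Hour)
	nonce := []byte("door-nonce-0001") // constructed for the demo; a real verifier uses random bytes

	fmt.Println("owner presents:", Verify(issuerPub, Present(holderPriv, cred, nonce), nonce, time.Now()))
	fmt.Println("thief presents copied credential:", Verify(issuerPub, Present(thiefPriv, cred, nonce), nonce, time.Now()))
	fmt.Println("replay under a new nonce:", Verify(issuerPub, Present(holderPriv, cred, nonce), []byte("door-nonce-0002"), time.Now()))
}
```

One caveat a practitioner should keep in mind: the holder's public key is a stable identifier, so two verifiers comparing notes could link visits by the same person. Anonymous-credential schemes (CL or BBS+ signatures with selective disclosure) are what add unlinkability on top of this basic design; the nonce here is a constructed string, and a real verifier would draw it from a CSPRNG.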
(Image by jorgen mcleman, via Shutterstock)
Identity Governance Extending to the Cloud
"The world of governance is about who has access to what, who should have access to what, and are they using it correctly," says Mark McClain, CEO and co-founder of identity governance provider SailPoint. "Most customers are so far away from the first two, they shouldn't even worry about the third yet."
SailPoint and other identity governance and administration (IGA) providers are accelerating that process by giving security pros more user-friendly, cloud-based admin tools on the front end. On the back end, however, cloud services are only complicating the governance problem: users have more and more accounts to access in more and more places, on top of their on-premises resources.
Saviynt is an IGA solution built specifically for the cloud, and says it's "pioneering IGA 2.0." Others, like SailPoint and One Identity, are instead supporting customers through cloud migrations.
"There's going to be a very long tail on on-prem software," says Jackson Shaw, senior director of product management at One Identity, pointing to its importance in industrial control system environments especially. "The cloud is going to be a tremendous complicated factor for years to come ... It really complicates governance."
(Image by notbad, via Shutterstock)
The Evolution of Identity as a Service
As governance moves into the cloud, identity-as-a-service is becoming real. Some governance providers are becoming full-stack, one-stop shops for all your identity needs, and in March Google released Cloud Identity, its full identity-as-a-service product, built on open standards.
In a blog, Vidya Nagarajan, senior product manager of Cloud Identity wrote: "Today, [users] need the freedom to work from anywhere, and understanding that context - what they need to do, where, and with what device - is what should guide enterprise access."
Cloud Identity's list of services is extensive. Wrote Nagarajan:
"Cloud Identity’s single sign-on supports SAML 2.0 and OpenID, and works with hundreds of applications out of the box, including Salesforce, SAP SuccessFactors and Box as well as G Suite apps like Docs or Drive. And for organizations using GCP resources, Cloud Identity provides additional controls for managing users and groups across their hybrid on-premises and cloud infrastructures.
"Cloud Identity includes robust mobile device management for Android and iOS with many features like account wipe and passcode enforcement automatically enabled for users. Admins can use one integrated console to implement screen locks, find devices, enforce two-step verification and phishing-resistant security keys, and manage Chrome Browser usage. They also get security reports and analytics for things like suspicious logins, user activity reports and audits, and logins to third-party apps, sites and extensions."
(Image by TarikVision, via Shutterstock)
Biometrics in Everyone's Hand Making Good Security Easy for Users
"I've always been a big believer that ease of use will trump security every time," says One Identity's Shaw. "But we haven't had a market maker that could change passwords" until recently.
Smartphones and other mobile devices now have multiple biometric authentication methods built in by default. Add the new WebAuthn standard, and biometrics become a much more viable low-friction method of strong authentication online. WebAuthn, which Ping Identity's Squire calls "absolutely fantastic," was announced April 10 by the FIDO Alliance and W3C and lets online service providers offer FIDO authentication through web browsers. Google, Mozilla, Microsoft, and Opera are all on board.
FIDO authentication improves web security because it uses a unique public-key credential for each site: the private key stays on the device, unlocked by the biometric, and the server stores only the public key. A credential stolen from one site is useless on another, and because the browser binds each assertion to the origin that requested it, a phishing site cannot relay a login either. The biometric itself never leaves the device.
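As an added example (not part of the article and not any vendor's code), the following models the WebAuthn assertion flow on both sides: an authenticator that keeps a separate P-256 key per relying-party ID and signs authenticator data plus a hash of the browser-supplied client data, and a relying party that verifies type, challenge freshness, origin, rpID hash, user-presence flag and signature, as the WebAuthn verification procedure prescribes. The site names and challenges are made up, and the authenticator-data layout is simplified for the demo (RP ID hash plus one flag byte; the real format also carries a signature counter and, at registration, attested credential data).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator models a FIDO2 authenticator: one P-256 key pair per relying-party ID,
// unlocked by the biometric and never exported. The biometric itself is never sent anywhere.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a fresh key scoped to rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[rpID] = k
	return &k.PublicKey
}

// clientData is filled in by the browser, not by the page, so a phishing page cannot lie about its origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion uses a cut-down authenticator-data layout (demo assumption): SHA-256(rpID) || one flag byte.
type Assertion struct {
	AuthData   []byte
	ClientData []byte // clientData as JSON
	Sig        []byte // ECDSA (ASN.1) over SHA-256(AuthData || SHA-256(ClientData))
}

func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// GetAssertion is what the browser calls, passing the rpID it derived from the page's
// own origin: a page at bank.example.evil.net can only ask for evil.net's credential.
func (a *Authenticator) GetAssertion(rpID, origin, challenge string) (*Assertion, error) {
	k, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for rpID " + rpID)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flag bit 0: user present (UP)
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	sig, err := ecdsa.SignASN1(rand.Reader, k, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientData: cd, Sig: sig}, nil
}

// RelyingParty is the server side: it holds public keys only, so a breach leaks nothing reusable.
type RelyingParty struct {
	ID, Origin string
	Creds      map[string]*ecdsa.PublicKey // user -> registered public key
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, Creds: map[string]*ecdsa.PublicKey{}}
}

// Verify applies the checks from the WebAuthn assertion-verification procedure that this
// demo models: type, challenge freshness, origin, rpID hash, user presence, signature.
func (rp *RelyingParty) Verify(user, challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil || cd.Type != "webauthn.get" {
		return errors.New("malformed client data")
	}
	if cd.Challenge != challenge || cd.Origin != rp.Origin {
		return fmt.Errorf("challenge or origin mismatch (origin %q): replay or phishing", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthData) < 33 || string(as.AuthData[:32]) != string(rpHash[:]) || as.AuthData[32]&0x01 == 0 {
		return errors.New("authenticator data not scoped to this RP, or user not present")
	}
	if pub := rp.Creds[user]; pub == nil || !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientData), as.Sig) {
		return errors.New("signature invalid for " + user)
	}
	return nil
}

func main() {
	auth, bank := NewAuthenticator(), NewRelyingParty("bank.example", "https://bank.example")
	bank.Creds["alice"] = auth.Register(bank.ID)
	as, _ := auth.GetAssertion("bank.example", "https://bank.example", "chal-1")
	fmt.Println("login at bank:", bank.Verify("alice", "chal-1", as))
	fmt.Println("replay under a new challenge:", bank.Verify("alice", "chal-2", as))
	// Phishing: the browser derives rpID "bank.example.evil.net" from the fake page's origin.
	_, err := auth.GetAssertion("bank.example.evil.net", "https://bank.example.evil.net", "chal-3")
	fmt.Println("phishing page requests a credential:", err)
}
```

The two properties the paragraph above describes fall out of the structure: registering the same authenticator at a second site produces an unrelated key, so there is nothing to reuse, and an assertion made for a different origin or a different rpID fails the relying party's checks even if an attacker manages to obtain one. A production deployment should use a maintained WebAuthn library rather than this sketch and should also enforce the signature counter and registration-time attestation that the demo omits.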
The proliferation of biometric devices is also giving rise to companies that help pull all of them together. Veridium, which partners with major IAM companies like ForgeRock and Ping Identity, has created a horizontal biometric platform that lets those companies' customers plug in whatever biometric authentication method they want - be it fingerprint, facial recognition, or Veridium's own touchless four-finger biometric.
"I think it would be silly for people to hold themselves to one kind of biometric," says Veridium CEO James Strickland. He says he just wants to make identity management easier. "I've seen how much of a pain it is. I don't want another crusade."
Still, in a recent survey from Veridium, 34 percent of respondents were "very confident" that passwords alone can protect data sufficiently.
"I think my grandson [born last year] will retire before the password," says Shaw.
(Image by Julia Tim, via Shutterstock)
Privilege Escalation Pushing for PAM
Privilege escalation has become part-and-parcel of targeted attacks, and even not-so-targeted attacks. One way to address that is to keep closer control over the access and activity of privileged insiders, since after all, an attacker is essentially an insider once they have those credentials.
Privileged Access Management (PAM) is specifically for managing the access credentials of the most privileged users. Alongside established PAM vendors like CyberArk, new cloud-native PAM solutions like OnionID and Remediant are entering the market.
CyberArk is also trying to limit the problem of leaked admin credentials. The company acquired Conjur last year for $42 million so that developers can ship applications quickly without hard-coding credentials and SSH keys into them; the application instead fetches its secrets from a vault at runtime.
(Image by Jiw Ingka, via Shutterstock)
Unstructured Data Problem Causing IAM Overlap with Data Governance, UEBA
Recent research from Varonis (which is not an identity management company) found that one-third of internal users are "ghost users" - inactive, but enabled - and 30% of companies leave more than 1,000 sensitive folders open to all employees.
As SailPoint's McClain says, the IAM industry has largely been focused on access to applications. But with filesystems exposed this much and Gartner projecting that 80% of all data will be unstructured by 2022, focusing on application access isn't good enough. SailPoint, an identity governance company, is aiming to solve that problem as well, which is causing an overlap with data security / governance companies like Varonis and user and entity behavior analytics providers like Forcepoint, which dubs itself a "human-centric security" company.
"You want a unified picture, a system of record, a magic spreadsheet in the sky," says McClain. "Everywhere [a user] has an ID, her permissions, her entitlements. Her desired state and her actual state need to be in sync."
(Image by Optura Design, via Shutterstock)
Risk-Adaptive Identity and Behavior Biometrics for Ongoing Verification
More companies are using behavioral biometrics to address attacks that occur after a legitimate login. Companies like BioCatch are applying the technology to detect session hijacking and fight online fraud. Others are using behavioral biometrics to detect anomalous behavior by internal users on a corporate network and so catch lateral movement.
"[Incident response] has been failing for years, as evidence of secondary infections show," says Tom Kellermann, chief cybersecurity officer of Carbon Black. "Dynamic adaptive authentication is the answer. The user device and network must challenge the key to biometrically identify with challenge response - e.g. take selfie and pick your nose."
Kellermann points to ID Data Web as one example of this kind of an adaptive identity security product that uses multiple sources to verify that an identity is accurate and then provides ongoing identity verification - requesting a challenge and response only when a risk has been detected.
BioCatch builds a profile of each user that contains data about their behavioral biometrics - but not their identity. It can detect anomalous behavior (in navigation, for example) and so shut down a bot or an attacker before a fraudulent transfer of funds is made.
These risk-adaptive, "step-up" authentication tools are also being touted as a way to reduce friction: users may not have to go through a login process at all unless a risk is detected.
Squire talks about the goal of "zero login": the way you hold your phone is distinct enough that behavioral biometrics could pick it up and authenticate you automatically, without stopping to ask you to scan your face or thumbprint.
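An added example of the risk-adaptive decision the last few paragraphs describe (illustrative code written for this article, not BioCatch's, ID DataWeb's or Ping's): a per-user behavioral profile kept as a running mean and variance (Welford's method), a distance score for each new interaction window, and a decision that silently allows in-profile sessions, steps up when the score or the context (new device, impossible travel, high-value action) crosses a threshold, and blocks outright when the behavior looks like a script or a takeover. The four features, the baseline values, the context weights and the thresholds are all constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Sample is one interaction window; the four features are assumptions for this example.
type Sample struct {
	KeyIntervalMs  float64 // mean time between keystrokes
	SwipeSpeedPxMs float64 // mean swipe velocity
	TiltDeg        float64 // mean device tilt while in use
	NavIntervalMs  float64 // mean time between page transitions
}

func (s Sample) vec() [4]float64 {
	return [4]float64{s.KeyIntervalMs, s.SwipeSpeedPxMs, s.TiltDeg, s.NavIntervalMs}
}

// Profile is the per-user baseline: running mean and variance per feature, fed only
// with windows that were verified (for example right after a successful step-up).
type Profile struct {
	n        int
	mean, m2 [4]float64
}

// Learn folds one verified sample into the baseline (Welford's online algorithm).
func (p *Profile) Learn(s Sample) {
	p.n++
	for i, x := range s.vec() {
		d := x - p.mean[i]
		p.mean[i] += d / float64(p.n)
		p.m2[i] += d * (x - p.mean[i])
	}
}

// Score is the mean absolute z-score of a sample against the baseline (needs n >= 2):
// well under 1 for the genuine user, a few units for another human, tens for a script.
func (p *Profile) Score(s Sample) float64 {
	total := 0.0
	for i, x := range s.vec() {
		sd := math.Max(math.Sqrt(p.m2[i]/float64(p.n-1)), 1e-9) // guard a flat baseline
		total += math.Abs(x-p.mean[i]) / sd
	}
	return total / 4
}

// Context is non-behavioural risk attached to the session; the weights below are assumptions.
type Context struct {
	NewDevice        bool
	ImpossibleTravel bool // geo-velocity since the last session is implausible
	HighValueAction  bool // e.g. payee change or funds transfer
}

type Decision string

const (
	Allow  Decision = "allow"   // continue silently: "zero login"
	StepUp Decision = "step-up" // challenge: face, fingerprint or OTP
	Block  Decision = "block"   // end the session and alert
)

func weight(on bool, w float64) float64 { if on { return w }; return 0 }

// Decide turns behaviour plus context into an action; the user is interrupted only when
// risk is present. Thresholds (1.5 to step up, 4 to block) are assumptions for the demo.
func Decide(p *Profile, s Sample, c Context) (Decision, float64) {
	if p.n < 2 {
		return StepUp, math.Inf(1) // no baseline yet: verify the user, then Learn
	}
	risk := p.Score(s) + weight(c.NewDevice, 1.5) + weight(c.ImpossibleTravel, 2.5) + weight(c.HighValueAction, 0.5)
	switch {
	case risk >= 4:
		return Block, risk
	case risk >= 1.5:
		return StepUp, risk
	}
	return Allow, risk
}

// OwnerBaseline trains a profile on six constructed windows from the device owner.
func OwnerBaseline() *Profile {
	p := &Profile{}
	for _, s := range []Sample{{180, 1.2, 35, 4000}, {200, 1.0, 40, 4800}, {160, 1.4, 30, 3200},
		{190, 1.1, 38, 4400}, {170, 1.3, 32, 3600}, {180, 1.2, 35, 4000}} {
		p.Learn(s)
	}
	return p
}

func main() {
	p := OwnerBaseline()
	owner := Sample{185, 1.1, 33, 3800}
	fmt.Println(Decide(p, owner, Context{}))                      // allow, score ~0.49: no prompt at all
	fmt.Println(Decide(p, owner, Context{NewDevice: true}))       // step-up, ~1.99
	fmt.Println(Decide(p, Sample{150, 1.5, 45, 3000}, Context{})) // step-up, ~2.18: someone else on the unlocked phone
	fmt.Println(Decide(p, Sample{40, 3.0, 0, 150}, Context{}))    // block, ~9.73: script at machine speed
}
```

The point of the design is in the loop a real deployment would run around it: a window that scores "allow" is never shown a prompt, a window that triggers a step-up and passes is fed back through Learn so the baseline tracks the user, and a block ends the session before the fraudulent action completes. Feeding unverified windows into Learn would let an attacker slowly train the profile toward their own behaviour, which is why the baseline only learns from verified ones.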
(Image by Kuttelvaserova Stuchelova, via Shutterstock)
IoT Pushes the Edge for Machine Identities
"[Identity management] is going to very much fail the IoT," says Bruce Schneier, CTO of IBM Resilient and fellow at Harvard University's Berkman Klein Center for Internet and Society.
The Internet of Things vastly expands the number of machine identities to manage, and puts regular consumers in charge of setting up, managing, and securing those machine identities and the way those machines communicate with one another, says Schneier. The hub-and-spoke approach, with an individual's smartphone as the key to unlock everything will ultimately not scale as more devices become connected to the internet.
Schneier says the identity management companies are making strides, but, "They're solving yesterday's problems. And we haven't solved [those] yet."
SailPoint's McClain acknowledges that machines, robots, and IoT devices all need to access computing and data resources now, and must also fall under the purview of identity governance.
(Image by ProStockStudio, via Shutterstock)
Digital Identities Built on Blockchain
Blockchain-style distributed ledgers are increasingly being used to provide digital identities. On the business side, SecureKey, built on the IBM Blockchain, is the first digital identity network in Canada specifically for regulated industries. ShoCard is a blockchain-powered IAM and SSO solution for enterprises.
Evernym is a digital identity platform for credit unions, built not on a general-purpose blockchain but on Sovrin, an open-source distributed ledger designed for the self-sovereign, decentralized exchange of "verifiable claims."
Accenture and Microsoft teamed up to create a blockchain-based identity infrastructure for a United Nations effort to provide legal identification for the more than one billion people worldwide with no official identity documents, such as refugees.
At the RSA Conference last week, the Department of Homeland Security's Science and Technology arm demoed Verified.Me, an identity management tool that separates login capabilities from attribute delivery using blockchain.
(Image by dencg, via Shutterstock)
Identity Organizing for Professional Development
June 2017 marked the launch of IDPro, a nonprofit professional membership organization, incubated by the Kantara Initiative, exclusively for identity and access management practitioners.
The organization aims to curate an IAM body of knowledge, support pros in the field, ensure that identity and access management are "globally seen as vital and vibrant counterparts to privacy and information security," and according to Squire, the group hopes to develop a certification too.
(Image by ESB Professional, via Shutterstock)