Recently, I was asked to write a blog on identity and access management (IAM). But where do you start with such a topic? IAM trends seemed like a great place to me. Whether you’re a seasoned security expert, the new guy, or a business leader in another arena, you want to know what to watch in the IAM space. So, let’s explore the eight IAM trends I think we should all be monitoring this year.
Everything Old Is New Again
The elephant in the room right now is the sheer number of acquisitions that are taking place among identity vendors. The industry is swinging back towards the suite vendor model. Understandably, identity vendors do not want to be stagnant. There are a number of reasons a vendor would want to expand their market presence or grow out of a commodity market. Is this a bad thing? Hard to say.
In the heyday of suite vendors, the likes of IBM, CA, and BMC built solid solutions that solved business challenges for a great many companies. But they could never have market-leading capabilities across every product in a suite, so you, as a client, had to decide what is an acceptable loss of capability when engaging one of these vendors.
The greatest opportunities for innovation come from best-of-breed vendors competing with each other and pushing the limits of the market. Who can forget Netegrity/Dascom, SailPoint/Aveksa, and Okta/Ping? These were the days when ground-breaking changes came quickly and often, when standards were built, and when identity touched the skies. We will get there again, but as this new generation of suites rises, that innovation will slow as development funds shift their focus to integration. However, regardless of the shifting vendor landscape, your business is still your business, and solutions should be supporting you – not you bending to the solution.
We Are Surrounded
The Internet of Things
I recently watched a clip of Walter Cronkite in the ‘60s talking about the future and the role that technology would play in our lives. Technology was to be the servant of man and augment our daily lives. As a result, we could spend more time with our families and enjoy productivity never before seen – so much so that the normal work week was going to be 30 hours (I’ll take that, please). For the most part, these ideals have come true. Yet for all the benefits that we have realized, who could have predicted the challenges that would come with them?
It is easy to think of IoT in terms of the consumer – who hasn’t taken at least a small step in home automation in order to save energy or turn on lights from across the country? The reality is that IoT is more far-reaching than we see. Literally everything that you interact with is driven by or housing some API that is operating with an identity context. Think beyond the consumer and imagine the compromise of a power grid, water treatment plant, or – worse yet – medical devices. Maybe it is not as frightening now that travel has dropped, but how about airplane engines?
Each device has an identifier; each interaction ideally operates within some boundaries; and each person requires training and certification to interact using that context. Think of the complexities of the interrelationship of each of those pieces; how do we manage that? The systems we use are able to handle maybe one piece of the puzzle, but the lack of a holistic view is what drives the vulnerabilities that we see today. The security of the device and the API driving it are now in the forefront, and these are the big identity problems that are set to be solved.
Alert Sarah Connor
Artificial Intelligence and Machine Learning
How can you talk about AI without a reference to The Terminator and WOPR from WarGames? Humans are inherently flawed – this is not a bad thing, just a statement of being. Organizations throw huge, growing piles of information in front of them and expect them to make sense of it. The best part is that it’s often done without context or training. Did I fail to mention that many times this information is not in a human-friendly format? Can you see now why managers just blanket approve when performing access reviews?
Everyone is at fault here, from developers to implementers to the business owners. We spend all of our time making things work and precious little on documenting how it actually works. Jim needs to process orders and generate a pick list for the warehouse. Does that require the SE16 t-code, or is it SE80, or is it something else? During periodic access reviews, reviewers revert to what they know. “Jim needs access to SAP. He has not run into a problem doing his job, so what he has in this list is probably correct.” <click> YES to all. What we do not see is that Jim has more access than his peer group, and of the 10 extra entitlements he holds, only one is used every six months, and the rest are never used. Perfect time for WOPR to learn that those nine can and should be removed, so let us present this to Jim’s manager in a context that can lead to better decision making.
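As an added example (not code from the original post), here is the peer-group and usage check the paragraph describes: flag entitlements a user holds that his peers do not, then use last-used data to turn the raw list into a revoke/keep recommendation for the reviewer. The peer group, the SAP t-codes, the last-used dates, and the 90-day staleness threshold are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample: entitlements held by each member of one peer group.
PEER_GROUP = {
    "jim":   {"SE16", "SE80", "VA01", "VL10", "SU01", "ME21N"},
    "alice": {"VA01", "VL10"},
    "bob":   {"VA01", "VL10", "VL02N"},
}
# Constructed sample: last date each of Jim's entitlements was exercised.
# Entitlements missing here have no recorded use at all.
LAST_USED = {
    "jim": {
        "VA01": date(2021, 3, 10),
        "VL10": date(2021, 3, 9),
        "SE16": date(2020, 9, 1),   # stale
        "ME21N": date(2021, 3, 20), # recent
    }
}
TODAY = date(2021, 4, 1)  # assumed review date


def peer_outliers(user, peer_group, min_peer_share=0.5):
    """Entitlements the user holds that fewer than min_peer_share of peers hold."""
    peers = {u: ents for u, ents in peer_group.items() if u != user}
    outliers = set()
    for ent in peer_group[user]:
        share = sum(ent in ents for ents in peers.values()) / len(peers)
        if share < min_peer_share:
            outliers.add(ent)
    return outliers


def review_recommendations(user, peer_group, last_used, today, stale_days=90):
    """Map each outlier entitlement to a recommendation the reviewer can act on."""
    cutoff = today - timedelta(days=stale_days)
    recs = {}
    for ent in sorted(peer_outliers(user, peer_group)):
        used = last_used.get(user, {}).get(ent)
        if used is None:
            recs[ent] = "revoke: outside peer group, never used"
        elif used < cutoff:
            recs[ent] = f"revoke: outside peer group, last used {used.isoformat()}"
        else:
            recs[ent] = f"keep: outside peer group but used {used.isoformat()}"
    return recs


if __name__ == "__main__":
    for ent, rec in review_recommendations("jim", PEER_GROUP, LAST_USED, TODAY).items():
        print(f"{ent:6} {rec}")
```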
Old Man Rossum Was Mad
Robotic Process Automation
Nearly a century after Karel Čapek coined the term “robot” for his play R.U.R. (or Rossum's Universal Robots), the identity management world started making use of them. We have already touched on how the machines can aid man in identity governance, but what about the difficult world of Identity Lifecycle Management (ILM)? Wouldn’t it be great if all applications had a robust and well-documented API for managing identities and entitlements?
Of course it would. We could have skipped the great connector wars of the second generation of ILM technologies. Waveset, Access 360, and the like fueled the growth in the market, spurred on by the Gartner claim that “70% of all identity projects end in failure.” In the vendor world, this failure rate was initially attributed to a lack of coverage of business applications, each of which was proprietary. So they fought to see who could include the largest number of connected platforms.
This still missed the mark. There are a large number of business applications in use today that do not have a good way of integrating user automation and entitlement management. Enter the robots. I am really excited about the prospects that this brings. Think about it: not only can you automate previously manual tasks, but you can have an auditable process! Sorry for the theatrics, but this is truly amazing to me. I love auditable processes. RPA can assist with a great many things, but the promise it brings to legacy application identity management is truly amazing.
The Mainframe Is Dead, Long Live the Mainframe
I have been told many times over the years that mainframes are dead. As of today, they are still around and running core business applications in a stable and economical manner. So why change them? Let me preface this next part by saying there is a huge difference between a “cloud first” and a “cloud only” initiative. OK, let’s dive in. Now that we have cloud, there is no way you need to have the same real estate dedicated to housing your computer assets. That much is true. But there is no one-size-fits-all for cloud; that is why we have a number of XaaS delivery models.
Cloud brings promise for modernization, standardization, and savings, but not in every instance. Many organizations are finding that living with a hybrid model is the best thing for them, and they know their business better than I do. Welcome to the huge, new challenge in identity management. We have clouds from the giants like Amazon, Microsoft, Google, etc. Each of them has a different way to manage entitlements and privilege, and all are different from your on-premises systems. In the wake of the latest breaches, it would appear that the lack of effective privilege management plays a key role in allowing those breaches to progress.
So, step number one is to manage your (cloud) privileges. Your average user is not the weak point in this instance; the weight of these breaches lies on the administrative and developer communities. They need to get these accounts and entitlements under control and fully manage this access, because we have all seen what can happen if ignored. I, for one, do not want to qualify for free credit monitoring ever again.
I’m From the Government, and I’m Here to Help
Growing Privacy and Compliance Regulations
Living in the U.S., I am a bit jealous of my European and Canadian counterparts and the privacy protections afforded to them by their governments. I would absolutely love to sever all ties with some businesses, forcing them to permanently dispose of all my personal information at my request to be forgotten. We the people need to take back the control of our identities and put some real privacy protections around them, and here’s why. I am Ian, and I am a data hoarder. I am nowhere near as bad as the Amazons and Googles of the world, but that’s just because I don’t have enough room in the basement.
My point is that new privacy laws are rolling out globally. If you have a solid identity management program and tie that in tightly to your data governance program (as you should), each new compliance event will be easier to address. If not, you will have the same mad dash that you had with HIPAA, the GDPR, the CCPA, and the list goes on. Data privacy by default is achievable – I have a guy who can make that happen for you. Give me a call.
Blazing Trails in Canada
Blockchain Identity and Distributed Ledgers
I must be honest, blockchain for identity has, until recently, seemed like a solution in search of a problem. It is the buzziest of buzzwords, and companies are trying to shoehorn it in almost everywhere to solve every problem. I continued to think that way until I had the great pleasure to discuss blockchain with Joni Brennan of the Digital Identity & Authentication Council of Canada, and now I am a believer in the measured and thoughtful use of blockchain to support identity needs.
The work of DIACC and the Pan-Canadian Trust Framework shows that blockchain and distributed ledger technology has its place, and finding that place requires a collaboration between the public and private sector to make it work and work well. I would recommend checking out their work; it is top tier. I have seen promising technology coming from 1Kosmos based on blockchain, so it won’t be long before we have a market segment of IAM that is built on blockchain and distributed ledgers.
Try to Realize the Truth: There Is No Spoon
The Bottom Line
In 2008, identity was the new perimeter, a representation used to bring on board those who did not see what the future held: that cloud was a disruptive force that would forever change the game as nothing had before. The controls we invested in for our data centers would no longer be effective; we had to look to identity. Well, here we are 13 years later, and the Matrix was right. “There is no perimeter.”
Identity is your best line of defense. It touches every individual, every application, every system, every platform, and every piece of data. When someone asks why identity projects are so costly, it’s because of their reach, but they are far less costly than a breach or the mass exfiltration of data.
Who is your partner in the IAM journey? If we have learned anything in the past few years, it is that organizations that choose to go it alone end up in compromising positions, and we all get free credit monitoring again. If you are reading this, you are in the right place. Focal Point is going to be the best choice for your IAM partner. We are not the partner that will skate to where the puck is. That is for PeeWee hockey. We are going to skate to where the puck will be; that is how Great Ones are born.