The top 12 trends in identity and access management
You may have noticed that there was a lot of talk about "identity" at the recently concluded RSA Conference, and that many companies have started labeling their products "identity and access management (IAM)" and talking about "identity governance", "identity context", "privileged access management", "privacy", "behavioral biometrics", "biometric platforms" and "human-centric security". Get used to it.
If you think of the cybersecurity market as a planet on which each segment occupies a place (endpoint security is a vast continent, threat intelligence an archipelago), where does identity and access management (IAM) fit in?
Robert Herjavec, CEO of global IT security firm Herjavec Group and a Shark Tank investor, put it this way:
"The problem with users is that they are interactive. The reason identity management is so challenging for organizations is that users will onboard, depart, get promoted, access sensitive file systems, share confidential data, send emails with potentially secret information, try to access data they are not authorized to see, or try to do things they are not supposed to do, etc. So, the whole 'once and for all' thing simply doesn't apply to us."
Fortunately, good IAM tools are becoming easier to use. Herjavec noted that identity governance tools such as SailPoint and Saviynt, and privileged access management tools such as CyberArk, are not only easy to manage but also affordable for enterprises.
It comes just in time. Demand for IAM has always been high, but recent data breaches (Equifax), new compliance pressures (GDPR) and privacy scandals (Cambridge Analytica/Facebook) have further increased the pressure on identity security and governance. As Sarah Squire, senior technical architect at Ping Identity, puts it:
"Facebook's security team is great, but terrible at identity security and governance. Also, Equifax's security is very poor. "
What forces are shaping the identity governance part of this landscape? Read on.
1. Knowledge-based authentication (KBA) is dead
The knowledge-based authentication (KBA) systems many organizations rely on were undermined by the Equifax breach and by the Alteryx exposure, in which the data analytics firm left data on 123 million U.S. households, sourced from Experian, one of the three largest U.S. credit bureaus, publicly accessible. Why let a customer prove their identity by confirming a former employer, an address or their mother's birthday? An attacker is quite likely to know that information too, and may know more, such as which magazines the person subscribes to and whether they have a swimming pool in the backyard.
2. GDPR gives individuals ownership of their identity
Organizations have become used to treating anything in their databases as their own property, and have had no qualms about collecting, storing, transmitting and selling users' personally identifiable information. The EU General Data Protection Regulation (GDPR) changes that, and it raises the bar for identity governance.
GDPR requires organizations to obtain explicit consent from individuals when collecting or sharing personal information (a pre-checked consent box does not count), and individuals must be able to withdraw that consent at any time. Individuals also have a "right to be forgotten". In addition, records of how identity information is used must be kept wherever the data flows.
GDPR applies to anyone holding data on individuals in the EU, so it affects companies all over the world, and because it covers a business's employees as well as its customers, it has a significant impact on identity governance and security both internally and externally. ForgeRock, for example, which specializes in IAM for external users, has added a GDPR dashboard to its product.
GDPR comes into force on May 25 of this year (after a two-year transition period following its official publication) and carries fines of up to €20 million or 4% of annual global turnover, whichever is higher.
Herjavec said:
"GDPR is really creative! Like PCI, it will drive the industry, but unlike PCI, it will affect all industries. It is certain that after the EU, Canada and the US will also introduce their own versions of GDPR. "
3. Increasing demand for privacy-protecting authentication
Squire offers other examples of situations where people need to authenticate while keeping their privacy. Can a bar's doorman verify that someone is of legal drinking age without learning their name? And can a government agency vouch for that fact without learning when and where the person drank?
More to the point, could social media and news sites use such authentication to combat election-disrupting disinformation campaigns? Could a site verify, for example, that a person is a registered voter or a citizen of a given country?
Squire believes these things are technically within reach; the situation has changed now that smartphones can store private keys, for example, and the remaining limitation is regulation.
4. Identity governance extends to the cloud
Mark McClain, CEO and co-founder of identity management provider SailPoint, said:
"The world of governance is about who has access to what, who should have access to what, and how to use those permissions properly. But the reality is that most consumers are nowhere near the first two, let alone the third. "
SailPoint and other identity governance and administration (IGA) vendors are trying to speed this up by giving front-line security staff friendlier cloud management tools. On the back end, however, the spread of cloud services is compounding the identity governance problem: users have more and more accounts for more and more places, on top of the original on-premises resources.
Saviynt is an IGA solution designed specifically for cloud environments and bills itself as the "pioneer of IGA 2.0". Others, such as SailPoint and One Identity, support their customers through cloud migration.
Jackson Shaw, senior director of product management at One Identity, said that on-premises software in industrial control system environments is tailing off and that the cloud will be a considerable complicating factor in the coming years, which in turn will make identity governance harder and more complex.
5. The evolution of identity as a service (IDaaS)
As governance moves into the cloud, identity as a service is becoming a reality. Some identity providers are evolving into full-stack, one-stop shops for all of their users' identity needs. In March of this year Google also released a complete identity-as-a-service product built on open standards, Cloud Identity.
Vidya Nagarajan, senior product manager for Cloud Identity, said:
"Today, users need the freedom to be able to work from anywhere and understand what they need to do, where they need to do it and what devices they need to use in order to do a good job of controlling access to the enterprise."
Cloud Identity's service list is extensive: single sign-on with SAML 2.0 and OpenID, integration with hundreds of third-party applications including Salesforce, SAP SuccessFactors and Box, and with G Suite applications such as Docs and Drive. For organizations using Google Cloud Platform (GCP) resources, Cloud Identity also adds controls for managing users and groups in hybrid environments spanning on-premises and cloud infrastructure.
Cloud Identity also has mobile device management for Android and iOS: from one console administrators can enforce screen locks, locate devices, require two-step verification and phishing-resistant security keys, and manage Chrome browser usage. Administrators also get security reports and analysis of suspicious logins, user activity reports and audit logs, and logins to third-party apps, sites and extensions.
6. Biometrics make security easy to use
Smartphones and other mobile devices now ship with several biometric authentication methods built in. Combined with the new WebAuthn standard, that makes biometrics feasible as a low-friction form of strong online authentication. On April 10 the FIDO Alliance and the W3C jointly released WebAuthn, a standard that lets online service providers offer FIDO authentication through a web browser. Google, Mozilla, Microsoft and Opera have adopted it.
FIDO-based authentication strengthens web access because each site gets its own unique cryptographic credential (a key pair whose private half never leaves the authenticator), so a credential stolen from one site cannot be reused at another; the credential is also bound to the site's origin, so a phishing page cannot obtain a usable one.
The proliferation of biometric devices has also created an opening for integrators. Veridium, a partner of leading IAM companies such as ForgeRock and Ping Identity, has built a horizontal biometric platform that lets those companies' customers plug in any biometric authentication method, whether fingerprint, facial recognition, Veridium's own contactless four-finger fingerprint capture, or others.
James Strickland, CEO of Veridium, said:
"I think it would be very foolish to make people stick with just one biometric technology. I've seen how complex and difficult identity management is today, and I just want to make it simpler and easier to manage."
Still, according to a recent Veridium survey, 34% of respondents are "very confident" that passwords alone are enough to protect data. Shaw's response:
"I don't think the password will be history until my grandson (born last year) retires."
7. Privileged access management (PAM) driven by privilege escalation attacks
Privilege escalation has become a standard step in targeted attacks, and even untargeted attacks often use it. One way to address the problem is to control the access and activity of privileged insiders more tightly, because once an attacker obtains those credentials he or she is effectively an insider.
Privileged access management (PAM) tools manage the credentials of the most privileged accounts. Alongside established PAM solutions like CyberArk, new cloud-native PAM products such as OnionID and Remediant are entering the market.
CyberArk is also trying to contain the problem of leaked administrator credentials: last year it acquired Conjur for $42 million, to help developers ship applications quickly without hard-coded credentials and SSH keys.
8. Unstructured data makes IAM overlap with data governance and UEBA
According to a new Varonis study, one-third of internal users are "ghost users" (accounts that are still enabled but no longer used), and 30 percent of companies have more than 1,000 sensitive folders open to all employees.
The IAM industry is largely concerned with access to applications. But file-system exposure keeps growing, and Gartner predicts that 80% of all data will be unstructured by 2022, so focusing only on application access is clearly not enough. SailPoint, as an identity governance company, aims to address this, which leads to overlap with data security/governance companies like Varonis and user and entity behavior analytics (UEBA) providers like Forcepoint.
McClain said:
"You want a unified view, a system of record, a magic spreadsheet. But the fact is that users have their own IDs everywhere, as well as their own user permissions and rights. The user's desired state and its actual state need to be synchronized. "
9. Risk-adaptive continuous authentication and behavioral biometrics
A growing number of companies are using behavioral biometrics to address attacks that occur after a legitimate login. Companies like BioCatch apply the technology to prevent session hijacking and online fraud. Several others use behavioral biometrics to detect anomalous user behavior inside their systems, to counter attackers' lateral movement on internal networks.
Tom Kellermann, chief cybersecurity officer at Carbon Black, said incident response has been failing for years, as the evidence of secondary infections shows. Dynamic adaptive authentication is the answer to that problem: user devices and networks must challenge the user with some unusual response that identifies them biometrically, such as taking a selfie while picking their nose.
Kellermann points to ID DataWeb as an example of such an adaptive identity product: it uses multiple sources to verify that a given identity is accurate and then provides re-authentication, popping up a challenge and asking the user to respond only when a risk is detected.
BioCatch builds user profiles that contain data about their behavioral biometrics but not their identity. It can detect anomalous behavior and so stop bots or attackers before they transfer funds illegally.
These risk-adaptive "step-up" authentication tools are also touted as a way to reduce friction: users may not even need to go through a login process unless a risk is detected.
Squire explained that the goal of "zero sign-on" is to capture the user's unique behavior through behavioral biometrics and verify their identity automatically. For example, if you hold your phone in a unique way, behavioral biometrics can authenticate you by that behavior alone, without scanning your face or fingerprint.
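The step-up logic described in this section, as an added example (not code from the article, BioCatch, ID DataWeb or any other vendor named here): a small risk-adaptive policy in Node.js that scores each login or in-session action from a few signals (unknown device, impossible travel, a keystroke-cadence deviation standing in for the behavioral biometric, and an atypical transaction) and issues a challenge only when the score warrants it. The weights, thresholds, the user profile and the four sample events are constructed assumptions; the point is the structure, in which a routine session never sees a challenge while a hijacked session on a known device still does.

```javascript
// Added example, not code from the article or from BioCatch, ID DataWeb or any
// other vendor it names. A risk-adaptive policy: each login or in-session action
// is scored from a few signals, and only a risky score triggers a step-up
// challenge. Weights, thresholds and the sample profile are illustrative assumptions.
const KM_PER_DEGREE = 111; // coarse lat/lon scale, adequate for an impossible-travel check

function distanceKm(a, b) {
  const dLat = (a.lat - b.lat) * KM_PER_DEGREE;
  const dLon = (a.lon - b.lon) * KM_PER_DEGREE * Math.cos((a.lat * Math.PI) / 180);
  return Math.sqrt(dLat * dLat + dLon * dLon);
}

// How many standard deviations a measurement sits from the user's baseline.
function sigma(value, { mean, stddev }) {
  return stddev === 0 ? 0 : Math.abs(value - mean) / stddev;
}

// Score one event against the user's profile and their previous event.
function scoreEvent(profile, previous, event) {
  const reasons = [];
  let score = 0;
  if (!profile.knownDevices.includes(event.deviceId)) {
    score += 30; reasons.push('unknown device');
  }
  if (previous) {
    const hours = Math.max((event.time - previous.time) / 3.6e6, 1 / 60);
    const kmh = distanceKm(previous.geo, event.geo) / hours;
    if (kmh > 1000) { score += 40; reasons.push(`impossible travel (${Math.round(kmh)} km/h)`); }
  }
  // Behavioural biometric: keystroke cadence compared with the enrolled baseline.
  // A session hijacked after a valid login shows up here even though the device is known.
  const z = sigma(event.keystrokeIntervalMs, profile.cadence);
  if (z > 3) { score += 30; reasons.push(`typing cadence ${z.toFixed(1)} sigma from baseline`); }
  else if (z > 2) { score += 15; reasons.push('typing cadence unusual'); }
  // High-value action: raise the bar regardless of who seems to be typing.
  if (event.action === 'transfer' && event.amount > 5 * profile.typicalTransfer) {
    score += 30; reasons.push('atypical transfer amount');
  }
  return { score, reasons };
}

// Map the score to an outcome. A challenge is issued only when risk is present,
// so a normal session never sees one.
function decide(profile, previous, event) {
  const { score, reasons } = scoreEvent(profile, previous, event);
  const decision = score >= 70 ? 'block' : score >= 30 ? 'step-up' : 'allow';
  return { decision, score, reasons };
}

// Constructed sample data (assumptions): one user profile and four events.
const alice = {
  knownDevices: ['laptop-7f3a'],
  cadence: { mean: 180, stddev: 25 }, // ms between keystrokes, from enrolment
  typicalTransfer: 200,
};
const london = { lat: 51.5, lon: -0.12 };
const sydney = { lat: -33.87, lon: 151.21 };
const t0 = Date.UTC(2018, 4, 1, 9, 0, 0);
const lastLogin = { time: t0, geo: london };

function runSamples() {
  const events = {
    routine:     { time: t0 + 2 * 3.6e6, geo: london, deviceId: 'laptop-7f3a', keystrokeIntervalMs: 190, action: 'view' },
    bigTransfer: { time: t0 + 2 * 3.6e6, geo: london, deviceId: 'laptop-7f3a', keystrokeIntervalMs: 185, action: 'transfer', amount: 5000 },
    hijacked:    { time: t0 + 2 * 3.6e6, geo: london, deviceId: 'laptop-7f3a', keystrokeIntervalMs: 262, action: 'view' },
    takeover:    { time: t0 + 1 * 3.6e6, geo: sydney, deviceId: 'phone-unknown', keystrokeIntervalMs: 300, action: 'transfer', amount: 9000 },
  };
  const results = {};
  for (const [name, event] of Object.entries(events)) results[name] = decide(alice, lastLogin, event);
  return results;
}

console.log(runSamples());
```

The routine event scores 0 and is allowed silently; the large transfer and the hijacked session each reach 30 and get a step-up challenge; the takeover (unknown device, London to Sydney in an hour, cadence 4.8 sigma off, large transfer) scores 130 and is blocked. In production the cadence baseline would come from an enrolment period and the weights from measured false-positive rates, not from constants.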
10. IoT expands the boundaries of machine identity
The IoT greatly expands the number of machine identities that need to be managed, and it hands the average consumer the job of setting up, managing and protecting those identities and governing how machines talk to each other. As more and more devices come online, the hub-and-spoke approach, in which the user's smartphone is the hub that unlocks every device around it, will eventually stop scaling.
Identity management is making progress, but it is yesterday's problems it is addressing, and those are still unresolved. Note too that devices, bots and IoT endpoints all need access to compute and data resources today, so they must all be brought under identity governance as well.
11. Blockchain-based digital identity
Blockchain, a distributed ledger platform, is increasingly being used to provide digital identities. On the business side, SecureKey, built on the IBM blockchain, is Canada's first digital identity network for regulated industries, and ShoCard is a blockchain-based IAM and single sign-on (SSO) solution for enterprises.
Evernym is a digital identity platform built not on a blockchain but on the open source distributed ledger Sovrin. Sovrin's model is "self-sovereign identity": a personal identity in which each person chooses what information to reveal. As a member of the Sovrin network you build and maintain your own portfolio of identity claims, and pick which of them to share in any given situation. With such a portfolio you gradually own, build and control your online identity, and you avoid the risk of handing someone unauthorized access to your bank and credit accounts, because those accounts are never identified except through a claim you choose to present.
Accenture and Microsoft have joined forces on a blockchain-based identity infrastructure to help the United Nations give a legal identity to the more than 1 billion people worldwide who have no official identification, such as refugees.
Also at this year's RSA Conference, the U.S. Department of Homeland Security Science and Technology Directorate demonstrated an identity management tool called "Verified.Me" that uses blockchain technology to separate the login function from attribute delivery.
12. Professional development pathways for identity management
IDPro, a not-for-profit professional membership organization for identity and access management practitioners, was founded in June 2017 after incubation by the Kantara Initiative.
The organization aims to build the IAM body of knowledge to support professionals in the field, to ensure that identity and access management is "widely accepted as an important and dynamic partner for privacy and information security", and to develop a certification.
*Source: Dark Reading; compiled by Michelle; republished from FreeBuf.COM