Dark Reading: 12 Trends Shaping Identity Management

April 30, 2018

In 2018, Identity and Access Management (IAM) has garnered a crucial role in ensuring organizations have strong cybersecurity practices. From mitigating insider threats to establishing proper cyber hygiene, the importance of IAM can no longer be questioned.

Our Founder & CEO, Robert Herjavec, believes that "Identity is its own solar system ... its own galaxy". Enterprises are faced with challenges in access control, privileged access, and identity governance since users (i.e., employees) are "interactive".

Read the full article by Dark Reading to learn more about the trends shaping IAM:

As IAM companies try to stretch 'identity context' into all points of the cybersecurity market, identity is becoming 'its own solar system.'

You may have noticed the RSA Conference last week having a disproportionate number of sessions about identity, and far more companies nudging their way under the umbrella of identity and access management (IAM) with terms like "identity governance," "identity context," "privileged access management," "privacy," "behavior biometrics," "biometric platforms" and "human-centric security" splashed on their booths. Get used to it.  

If the cybersecurity market is a globe, with each market segment taking its piece - one continent for endpoint security, an archipelago for threat intelligence - where would identity and access management fit?

"Identity is its own solar system," says Robert Herjavec, CEO of global IT security firm Herjavec Group, and Shark Tank investor. "Its own galaxy."

"The problem with users is that they’re interactive," he explains. The reason identity management is such a challenge for enterprises is because users get hired, get fired, get promotions, access sensitive filesystems, share classified data, send emails with potentially classified information, try to access data we don't have access to, try to do things we aren't supposed to try to do. Set-and-forget doesn't work on us.

Luckily, great IAM is getting easier to come by. Herjavec points to identity governance tools like Sailpoint and Saviynt and privileged access management tools like CyberArk, saying that now "not only are they manageable, they’re fundamentally consumable from a price point." 

Not a moment too soon. The need for IAM has always been high, but recent breaches (Equifax), new compliance pressures (GDPR), and privacy revelations (Cambridge Analytica/Facebook) have increased the pressure on identity security and governance alike. As Ping Identity's senior technical architect Sarah Squire puts it, "Facebook's security team is awesome - that was bad governance. Equifax was bad security."

What forces are forming the shape of this identity galaxy? Read on for more.

Identity Verification by KBA is Dead

After the breach at Equifax and the leak at Alteryx (which exposed Experian data), the Knowledge-Based Authentication (KBA) systems that many organizations use have been compromised. Why ask customers to verify their identity by confirming their former employers, addresses, or mother's birthday, when attackers know all that information too - plus what magazines they subscribe to and whether they have a pool in the backyard?

GDPR Gives Individuals Ownership of Their Own Identities

Organizations have grown accustomed to behaving as though any name in a database is a name that belongs to them - collecting, storing, transmitting, buying, and selling individuals' personally identifiable information with relative impunity. The European Union's General Data Protection Regulation (GDPR) changes all that - and it amps up organizations' need for identity governance.

GDPR requires organizations to obtain explicit permission from individuals anytime they collect or share their personal information - autochecked boxes are not explicit enough - and individuals must be able to easily revoke that permission at any time. Individuals have a "right to be forgotten." Further, records must be kept of where this identity information is being used everywhere the data flows.

GDPR applies to any EU citizen's data anywhere, so it affects companies across the globe, and it applies to both organizations' customers and their employees, so it affects the governance and security of both internal and external identities. ForgeRock, which specifically provides IAM for external users, added a GDPR dashboard to its product.

Enforcement actions for GDPR begin May 25 (after a two-year grace period since the act officially went into place). Those actions include but are not limited to fines of 20 million euros or 4% of annual revenue, whichever is higher.

"GDPR is really seminal," says Herjavec. Like PCI it will move the industry, but unlike PCI, it affects all industries. He says he's "100% certain" that Canada and the US will have their own version of it.

Increasing Needs for Verifiable Claims With Privacy

Squire provides other examples of where the world needs ways for individuals to provide verified claims about themselves while still maintaining their privacy.

There are the old use cases that could be made new again. For example, can a bouncer at a bar verify that someone is of legal drinking age without having to know their name - and can the government agency that might verify that information provide it without learning when and where that person is out drinking?

More importantly, though, could social media and news sites use it to fight disinformation campaigns used to sway elections? Could a site verify that someone is a registered voter or a resident of a certain country, for example?

Technologically, these things are within our reach, says Squire. "Here's what changed," she says, holding up a smartphone. "These can store private keys." The limits now, she says, are regulatory.

Identity Governance Extending to the Cloud

"The world of governance is about who has access to what, who should have access to what, and are they using it correctly," says Mark McClain, CEO and co-founder of identity governance provider SailPoint. "Most customers are so far away from the first two, they shouldn't even worry about the third yet."

SailPoint and other identity governance and administration (IGA) solution providers are accelerating that process by giving security pros more user-friendly cloud-based admin tools on the front end. On the back end, however, cloud services are only complicating the governance problem, with users having more and more accounts to access in more and more places, in addition to their on-premises resources.

Saviynt is an IGA solution specifically for the cloud, and says it's "pioneering IGA 2.0." Some others, like SailPoint and One Identity, are instead supporting customers through cloud migrations.

"There's going to be a very long tail on on-prem software," says Jackson Shaw, senior director of product management at One Identity, pointing out its importance to industrial control system environments especially. "The cloud is going to be a tremendous complicated factor for years to come ... It really complicates governance."

The Evolution of Identity as a Service

As governance moves into the cloud, identity-as-a-service is becoming real. Some governance providers are becoming full-stack one-stop shops for all your identity needs, and in March, Google released its full "identity-as-a-service" product, which uses open standards: Cloud Identity.

In a blog, Vidya Nagarajan, senior product manager of Cloud Identity wrote: "Today, [users] need the freedom to work from anywhere, and understanding that context - what they need to do, where, and with what device - is what should guide enterprise access."

Cloud Identity's list of services is extensive. Wrote Nagarajan:

"Cloud Identity’s single sign-on supports SAML 2.0 and OpenID, and works with hundreds of applications out of the box, including Salesforce, SAP SuccessFactors and Box as well as G Suite apps like Docs or Drive. And for organizations using GCP resources, Cloud Identity provides additional controls for managing users and groups across their hybrid on-premises and cloud infrastructures.

"Cloud Identity includes robust mobile device management for Android and iOS with many features like account wipe and passcode enforcement automatically enabled for users. Admins can use one integrated console to implement screen locks, find devices, enforce two-step verification and phishing-resistant security keys, and manage Chrome Browser usage. They also get security reports and analytics for things like suspicious logins, user activity reports and audits, and logins to third-party apps, sites and extensions."

Biometrics in Everyone's Hand Making Good Security Easy for Users

"I've always been a big believer that ease of use will trump security every time," says One Identity's Shaw. "But we haven't had a market maker that could change passwords" until recently.

Smartphones and other mobile devices now have multiple biometric authentication methods built in by default. Add the new WebAuthn standard, and biometrics become a much more viable low-friction method of strong authentication online. The WebAuthn standard, which Ping Identity's Squire calls "absolutely fantastic," was announced April 10 by the FIDO Alliance and W3C and enables online service providers to offer FIDO authentication through web browsers. Google, Mozilla, Microsoft, and Opera are all on board.

Biometric authentication based on FIDO enhances secure web access because it uses a unique cryptographic credential for each site, eliminating the risk that a credential stolen from one site can be used on another.
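As an added illustration (not part of the Dark Reading article and not any vendor's code), the Go sketch below models the per-site credential property described above: an authenticator keeps one key pair per relying-party ID, hands the site only the public key, and binds every signature to that ID and to a fresh server challenge. The names (Authenticator, Assert, bank.example) and the signed-data layout are simplifications of WebAuthn, not its actual message formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models a FIDO authenticator: one key pair per relying party
// ID (the site); private keys never leave the device.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register mints a key pair bound to rpID and returns only the public half,
// which is all the site stores (a breach of that store yields nothing usable).
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// signedData binds a signature to the site (hash of rpID) and to one login
// attempt (the server's random challenge), so it is useless elsewhere or later.
// This is a simplified stand-in for WebAuthn's authenticatorData || clientDataHash.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert signs the challenge with the key registered for the rpID the browser
// reports; a look-alike domain has no key and gets no assertion at all.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, false
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), true
}

// VerifyAssertion is the server-side check against the stored public key.
func VerifyAssertion(rpID string, pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(rpID, challenge), sig)
}
```

A credential registered for bank.example cannot be presented to a look-alike domain, and a signature captured in transit fails verification against any other rpID or any later challenge.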

The proliferation of biometric devices is also giving rise to companies that help pull all of them together. Veridium, which is a partner of the major IAM companies like ForgeRock and Ping Identity, has created a horizontal biometric platform that makes it possible for those companies' customers to plug in whatever biometric authentication method they want - be it fingerprint, facial recognition, or Veridium's own four-finger touchless behavior biometrics.

"I think it would be silly for people to hold themselves to one kind of biometric," says Veridium CEO James Strickland. He says he just wants to make identity management easier. "I've seen how much of a pain it is. I don't want another crusade."

Still, in a recent survey from Veridium, 34 percent of respondents were "very confident" that passwords alone can protect data sufficiently.

"I think my grandson [born last year] will retire before the password," says Shaw.

Privilege Escalation Pushing for PAM

Privilege escalation has become part-and-parcel of targeted attacks, and even not-so-targeted attacks. One way to address that is to keep closer control over the access and activity of privileged insiders, since after all, an attacker is essentially an insider once they have those credentials.

Privileged Access Management (PAM) is specifically for managing the access credentials of the most privileged users. Alongside established PAM solutions like CyberArk, new cloud-native PAM solutions such as OnionID and Remediant are entering the market.

CyberArk is also trying to limit the problem of leaked admin credentials. The company acquired Conjur last year for $42 million in order to help developers push apps quickly without hard-coding credentials and SSH keys into them.

Unstructured Data Problem Causing IAM Overlap with Data Governance, UEBA

Recent research from Varonis (which is not an identity management company) found that one-third of internal users are "ghost users" - inactive, but enabled - and 30% of companies leave more than 1,000 sensitive folders open to all employees.

As SailPoint's McClain says, the IAM industry has largely been focused on access to applications. But with filesystems exposed this much and Gartner projecting that 80% of all data will be unstructured by 2022, focusing on application access isn't good enough. SailPoint, an identity governance company, is aiming to solve that problem as well, which is causing an overlap with data security / governance companies like Varonis and user and entity behavior analytics providers like Forcepoint, which dubs itself a "human-centric security" company.

"You want a unified picture, a system of record, a magic spreadsheet in the sky," says McClain. "Everywhere [a user] has an ID, her permissions, her entitlements. Her desired state and her actual state need to be in sync."

Risk-Adaptive Identity and Behavior Biometrics for Ongoing Verification

More companies are using behavior biometrics to address the problem of attacks that occur after a legitimate login. Companies like BioCatch are applying the technology to prevent session hijacking to fight fraud online. Others are using behavior biometrics to detect anomalous behavior by internal users within a corporate network to fight lateral movement.

"[Incident response] has been failing for years, as evidence of secondary infections shows," says Tom Kellermann, chief cybersecurity officer of Carbon Black. "Dynamic adaptive authentication is the answer. The user device and network must challenge the key to biometrically identify with challenge response - e.g. take selfie and pick your nose."

Kellermann points to ID Data Web as one example of this kind of an adaptive identity security product that uses multiple sources to verify that an identity is accurate and then provides ongoing identity verification - requesting a challenge and response only when a risk has been detected.

BioCatch builds profiles of users that contain data about their behavioral biometrics - but not their identity. It can detect anomalous behavior (in navigation, for example) and thus shut down a bot or an attacker before a fraudulent transfer of funds is made.

These risk-adaptive, "step-up" authentication tools are also being touted as a way to reduce friction - users may not have to go through a login process at all, unless a risk is detected.

Squire talks about the goal of "zero login": the way you hold your phone is distinct enough that behavior biometrics can pick it up and authenticate you automatically, without stopping to ask you to scan your face or thumbprint.

IoT Pushes the Edge for Machine Identities

"[Identity management] is going to very much fail the IoT," says Bruce Schneier, CTO of IBM Resilient and fellow at Harvard University's Berkman Klein Center for Internet and Society.

The Internet of Things vastly expands the number of machine identities to manage, and puts regular consumers in charge of setting up, managing, and securing those machine identities and the way those machines communicate with one another, says Schneier. The hub-and-spoke approach, with an individual's smartphone as the key to unlock everything will ultimately not scale as more devices become connected to the internet.

Schneier says the identity management companies are making strides, but, "They're solving yesterday's problems. And we haven't solved [those] yet."

SailPoint's McClain acknowledges that machines, robots, and IoT devices all need to access computing and data resources now, and must also fall under the purview of identity governance.

Digital Identities Built on Blockchain

Distributed ledger platforms like Blockchain are being used widely for providing digital identities. On the business side, SecureKey, built on the IBM Blockchain, is the first digital identity network in Canada specifically for regulated industries. Shocard is a blockchain-powered IAM and SSO solution for enterprises.

Evernym is a digital identity platform for credit unions which is built not on Blockchain, but rather on Sovrin, an open-source distributed ledger platform. (Sovrin is built for the self-sovereign, decentralized exchange of "verifiable claims.")

Accenture and Microsoft teamed up to create a blockchain-based identity infrastructure for a United Nations effort to provide legal identification for the over one million individuals worldwide with no official identity documents, like refugees.

At the RSA Conference last week, the Department of Homeland Security's Science and Technology arm demoed Verified.Me, an identity management tool that separates login capabilities from attribute delivery using blockchain.

Originally posted on darkreading.com


About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.
