Looking Into The Future: Trends in Identity & Access Management
Identity & Access Management is a very hot segment of the market right now. Access management in particular is racing to remove passwords, as everyone has truly come to understand that passwords are our biggest enemy. But IAM is much more than that; it combines several key areas. Secure Authentication facilitates multi-factor authentication in a user-friendly way. Network Security & Access Management, which partly covers privileged access management and network policy management on a personal level, ensures that the right people get access to the right things. Identity Management is key to making sure that accounts are linked and that users have transparent access across on-prem and cloud services without having to know all their usernames. Finally, analytics is a key component of IAM that lets administrators and policy guardians see what is happening and validate usage. The industry is booming, and after returning from a visit to Gartner’s annual Identity & Access Management Summit last December in Las Vegas we sat down and put together the hottest trends we see for 2020.
#1: (Network) Security and IAM are merging
The first trend is that IAM is much higher on the agenda of the security manager, even those who traditionally focus primarily on network security. The network is no longer a position of advantage; users can now log in to data and services from anywhere, from any device. It is in fact the identity that is the new perimeter, and your data protection depends on how securely you authenticate and authorize your users. 80% of hacking-related breaches are still tied to passwords; until we have truly gone #passwordless, bad guys will just look like legitimate users!
Gartner sums it up: “Through 2021, organizations without formal IAM programs will spend 40% more on IAM capabilities while achieving less than organizations with such programs.” Not doing IAM properly has direct cost effects.
#2: FIDO2 – WebAuthn
Co-invented and sponsored by big players such as Google, Microsoft and Facebook together with Swedish Yubico, the FIDO2 standard now brings the challenge/response methodology to web services. What you typically need is a browser with the W3C Web Authentication API and an authenticator. Built-in software authenticators are supported too, but the focus right now is mostly on physical USB keys, which store the credential securely. Once onboarded, you authenticate yourself with the key only; no password is needed anymore.
There are a few catches. As it is a web standard, the method works through the browser and not, for instance, in VPN clients (not in a standard way, anyway). A second problem is that a key/device is still not personal: if I lend mine to my sister, she can pretend to be me, no problem. Onboarding also remains a challenge: you need to authenticate yourself in another way the first time, before tying the key to your account.
With the push by Google and others, and the user-friendliness that this method brings to common internet services, FIDO2 is likely to become popular in the consumer space and will provide great improvements for private logins to SaaS services. But whether it will gain ground in the enterprise space remains to be seen; there are cheaper and better ways for corporate users to authenticate themselves (see trend #6).
#3: #NoPassword? Anonymous Login!
No passwords, yes that’s clear. But how about removing the username as well? It has the opportunity to greatly simplify the user-experience once again—just imagine avoiding having to type in those long usernames.
The way it works is that the terminal or service you want to log in to shows a QR code instead of a username field. The user opens their Clavister OneTouch app and scans the code; voilà, a challenge is returned, and the user authenticates with their Face ID or fingerprint. The user is now logged in.
The magic happening in the background is the connection between the login prompt, which displays the QR code, and EasyAccess. The OneTouch app already has a trusted relationship with the EasyAccess service as well, closing the loop. We expect this login method to grow greatly in popularity for public terminal access. It is also great for all those (government) services you log in to online; in fact the Swedish BankID app does support similar functionality. Hopefully we will see more of it used shortly. It is really a great example of combining security, experience and simplicity.
#4: Cloud Delivered IAM … And NOT
Gartner is convinced: “By 2023, 80% of midsize enterprises will use a SaaS-delivered AM tool to provide MFA across >80% of their use cases” and “By 2023, 40% of large and global enterprises will use a SaaS-delivered AM tool to provide MFA across >80% of their use cases.” But on the floor we hear different things. Read the other way around, by 2023 still 60% of enterprises will prefer on-prem, and if you look regionally you will find that in Europe these figures are higher. These statistics are usually very American-influenced.
That doesn’t mean IAM as a service is not great. It is fantastic, especially for midsize installations. This is a great opportunity for MSSPs: those local trusted IT service partners can easily deliver IAM services to many enterprises. With Clavister EasyAccess the MSSP gets native support for multi-tenancy and can offer a solution that is compatible with any firewall or VPN and a practically unlimited number of SaaS services for single sign-on. It’s time to deliver MFA and SSO as a service... locally!
#5: PAM – Privileged Access Management
Already touched upon above, PAM is projected to be one of the most focused-upon areas, with a projected compound annual growth rate of 17% for 2017-2022! It focuses, among other things, on just-in-time access management: restricting access to data and critical services depending on user, device, location, time... and combinations thereof. It will be increasingly popular to implement on-demand approval procedures with secure authorization, so that access and rights are validated by a superior officer or a peer in the company. A little bit like those war movies where two people must turn two keys at the same time to launch a missile. Especially for network-wide administrator access rights this may not be a bad idea for many corporations, and it would certainly have avoided famous catastrophic cyber-attacks like the one at Maersk a few years ago.
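The "two keys" approval procedure and just-in-time access the paragraph describes can be expressed as a small policy engine. What follows is an added example, not part of the original article and not any vendor's PAM product; the names makePamBroker, request, approve and isAuthorized, the states and the audit event names are assumptions for illustration. It enforces three things a PAM practitioner expects: a privileged right is granted only on request with a stated reason, the approver must be a different person from the requester (the two-key rule), and the grant expires on its own after a bounded time, with every step written to an audit log.

```javascript
// Added example (not from the original article, not a vendor's PAM code): a
// minimal just-in-time privileged access broker with a two-person rule.
// Names, states and audit event names are assumptions for illustration.
function makePamBroker({ maxTtlMs = 60 * 60 * 1000 } = {}) {
  const requests = new Map(); // id -> { requester, right, reason, ttlMs, state, approvedBy, expiresAt }
  const audit = [];
  let nextId = 1;
  const log = (event, details) => audit.push({ event, ...details });

  return {
    // A user asks for a right for a bounded time and must give a reason.
    // Returns the request id, or null if the request is malformed.
    request(requester, right, reason, ttlMs, now = Date.now()) {
      if (!reason || ttlMs <= 0 || ttlMs > maxTtlMs) return null;
      const id = nextId++;
      requests.set(id, { requester, right, reason, ttlMs, state: 'pending', approvedBy: null, expiresAt: null });
      log('requested', { id, requester, right, reason, at: now });
      return id;
    },
    // A superior or peer approves. Self-approval is refused (two-person rule);
    // the grant becomes active and expires after the requested TTL.
    approve(id, approver, now = Date.now()) {
      const r = requests.get(id);
      if (!r || r.state !== 'pending') return false;
      if (approver === r.requester) {
        log('self-approval-denied', { id, approver, at: now });
        return false;
      }
      r.state = 'active';
      r.approvedBy = approver;
      r.expiresAt = now + r.ttlMs;
      log('approved', { id, approver, expiresAt: r.expiresAt });
      return true;
    },
    // The enforcement point (firewall, jump host, admin console) asks this before
    // allowing a privileged action. Expired grants are retired as they are seen.
    isAuthorized(user, right, now = Date.now()) {
      for (const [id, r] of requests) {
        if (r.state === 'active' && r.expiresAt <= now) {
          r.state = 'expired';
          log('expired', { id, at: now });
        }
        if (r.state === 'active' && r.requester === user && r.right === right) return true;
      }
      return false;
    },
    auditLog() { return audit.slice(); },
  };
}

// Stand-alone walk-through: request, a refused self-approval, a peer approval, and expiry.
function demo() {
  const pam = makePamBroker();
  const id = pam.request('bob', 'domain-admin', 'apply patches to DC01', 30 * 60 * 1000, 0);
  const selfApproved = pam.approve(id, 'bob', 0);        // false: two-person rule
  const peerApproved = pam.approve(id, 'carol', 0);      // true
  const duringGrant = pam.isAuthorized('bob', 'domain-admin', 10 * 60 * 1000);   // true
  const afterGrant = pam.isAuthorized('bob', 'domain-admin', 31 * 60 * 1000);    // false
  return { selfApproved, peerApproved, duringGrant, afterGrant, events: pam.auditLog().map(e => e.event) };
}

module.exports = { makePamBroker, demo };
```

The audit log is what turns this from convenience into control: the "analytics" component mentioned at the top of the article is fed by exactly these events, so a standing or self-approved admin right shows up as an anomaly rather than going unnoticed.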
#6: Biometrics the norm
Passwords are bad, and many of us have great smartphones with biometric authentication that we use many times daily. Already in the “Computer Security Guidelines for Implementing the Privacy Act”, published in 1974, FIPS PUBS (Federal Information Processing Standards Publications) specified in publication #42 that there are three levels of authenticating:
Type 1: with something (only) the person knows (password or passphrase)
Type 2: with something (only) the person has (USB key, smartcard)
Type 3: with something (only) the person is (biometrics: fingerprint, face ID, palm scan, voice recognition)
Only Type 3 provides true assurance that the person is who they say they are, and it is therefore the most logical secure path forward. You would think that handing out or installing biometric identification technology is expensive, though. Unless we use the existing smartphone’s trusted biometrics! The fact of the matter is that the smartphone we have in our pocket is ideal for this. Even cheaper Android phones support good biometric authentication and can serve as an access card. Gartner predicts that “By 2022, 70% of enterprises using biometric authentication for workforce access will implement it via smartphone apps, regardless of the endpoint device used.” It’s time to get on board and kill the password.
#7: Origin DOES Matter
Where do you want to host your identity? Google, Facebook and Microsoft will offer, and I’m sure Alibaba or Baidu will be happy to host it. The question is rather whom you will trust with your sensitive data, and what happens when the world changes?
European companies prefer European suppliers and the choice to keep identity management and hosting within their own control.
Read more about Clavister’s authentication technologies and how they’ll help you join the IAM revolution