Where is Identity and Access Management headed? What do consumers need for the future, and what defines a ‘consumer’ as compared to a ‘user’?
With technology being a big part of any business, the future of IAM carries great meaning, especially as concepts like cloud solutions, IDaaS (Identity as a Service), BYOD (Bring Your Own Device), IDoT (Identity of Things) and many others get bandied about and become more mainstream. Both Gartner and KuppingerCole have created outlines for the direction IAM will take. Gartner’s IAM research team has tried to quantify its vision and identified 5 key trends:
1. Every user is a consumer
New mobile and other non-PC architectures will shape the user access landscape.
Enterprises are demanding scalable solutions for identities and starting to embrace social media, cloud options and BYOD scenarios. This shift requires a business-driven self-service approach to simplify the added complexity that comes with allowing users some control. Faster IAM deployment, mobility options and scalability are driving new IAM solutions, pushing out old and rigid control paradigms that require technicians to maintain. With every user requiring consumer privileges, IAM architectures will need to cater to the business as a whole, providing simple interfaces that work across desktop and mobile devices in order to keep up.
2. A competitive marketplace for identities
Social and business identities are converging; the line between work and private life is increasingly becoming blurred, even severed to the point where the two sides meld together for the convenience of the user and the business advantages to the employer. Social logins from providers like Google, Facebook and PayPal have slowly been working their way into applications that are serving enterprises. Already, several healthcare, automotive, oil and gas, aerospace, defense and government infrastructures use third-party SSO identity providers to support their ID initiatives.
3. The death of least privilege
Enterprises will increasingly remove restrictions on non-critical or non-sensitive information and assets, allowing all users access to these resources. By opening up basic access to everyone, privileged access becomes easier to manage and IAM costs can be reduced. The principle of least privilege originated with government and military information security policies based on the premise that each user should only have access to the very specific systems and resources they require to complete the individual tasks they are assigned. It’s like putting keycard locks on every single door, cubicle, workstation, toolbox, machine and phone in the building, and then not providing a common room. Obviously enough, the principle of least privilege brings a lot of administrative duties with it, and can be highly costly and time-consuming to control. One way to be more lenient is to introduce a people-centric approach to security. People-centric security involves identity analytics and intelligence tools, like security behavioral analytics, to monitor, detect and correct user activity and behavior.
4. Attributes are “how we role”
Attribute Based Access Control (ABAC) will be the future for enterprises. Traditional Role Based Access Control (RBAC) is one-dimensional and rigid, making it unwieldy for handling the influx of devices, applications and connections through social media that can add up to ‘big data’—data so large that it requires complex systems just to read through it all. ABAC makes the needed connections automatically by looking at attribute profiles that can still include traditional roles, providing an extra layer that looks at the user first, rather than all the technical stuff. More and more new systems are supporting ABAC and systems that only support RBAC will become legacy. “Attributes will become the new currency of access control.”
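The difference between a role-only check and an attribute-based decision that still includes the role, as an added example that is not part of the original article or of any product it mentions. The attribute names, rules, users and resources are constructed assumptions; the rules also cover the open access to non-sensitive resources and the BYOD scenario described in the earlier trends.

```python
# Added illustration: attribute names, rules and sample data are constructed assumptions.

def request(subject, resource):
    """Flatten subject and resource attributes into one attribute set."""
    attrs = {f"sub.{k}": v for k, v in subject.items()}
    attrs.update({f"res.{k}": v for k, v in resource.items()})
    return attrs

def rbac_decide(a):
    """Pure RBAC: the only question is whether the user holds the role."""
    return a["res.required_role"] in a["sub.roles"]

# Ordered ABAC policy: (rule name, effect, condition). The role is one attribute among several.
POLICY = [
    ("open-resource", "permit", lambda a: a["res.sensitivity"] == "open"),
    ("unmanaged-device", "deny",
     lambda a: a["res.sensitivity"] == "restricted" and not a["sub.device_managed"]),
    ("cross-department", "deny",
     lambda a: a["res.sensitivity"] == "restricted"
     and a["sub.department"] != a["res.department"]),
    ("role-match", "permit", lambda a: a["res.required_role"] in a["sub.roles"]),
]

def abac_decide(a):
    """First applicable rule wins; if no rule applies the request is denied."""
    for name, effect, condition in POLICY:
        if condition(a):
            return effect == "permit", name
    return False, "default-deny"

# Constructed sample subjects and resources.
ALICE_BYOD = {"roles": {"finance-analyst"}, "department": "finance", "device_managed": False}
ALICE_CORP = {**ALICE_BYOD, "device_managed": True}
BOB = {"roles": {"engineer"}, "department": "engineering", "device_managed": True}
LEDGER = {"sensitivity": "restricted", "department": "finance", "required_role": "finance-analyst"}
MENU = {"sensitivity": "open", "department": "facilities", "required_role": "staff"}
WIKI = {"sensitivity": "internal", "department": "engineering", "required_role": "engineer"}

if __name__ == "__main__":
    for who, subject, what, resource in [
        ("alice/byod", ALICE_BYOD, "ledger", LEDGER), ("alice/corp", ALICE_CORP, "ledger", LEDGER),
        ("bob", BOB, "ledger", LEDGER), ("bob", BOB, "menu", MENU),
        ("alice/corp", ALICE_CORP, "wiki", WIKI),
    ]:
        a = request(subject, resource)
        print(who, what, "RBAC:", rbac_decide(a), "ABAC:", abac_decide(a))
```

The role alone satisfies the RBAC check for the ledger from any device, while the attribute policy denies the same request from an unenrolled BYOD device and records which rule made the decision.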
5. Managing identity includes the Internet of Things
From the ISSA paper on the Gartner predictions:
The Internet of Things (IoT) links people, places, things, systems, and information sources into activity streams, deriving value for those interactions and relationships by using the context of combined “identities” (people, devices, and other “objects”), their attributes, and uses.
The internet is everywhere. No longer content with serving linked documents in a browser window, the internet has become a rich platform for doing almost anything, and it has been showing up more and more in every kind of machine, contraption, device and app mankind can come up with. For people and objects to interact properly, everything needs to have an identity: smart phones, smart lamps, smart watches, and other ‘smart’ gear, not to mention individual components of larger systems like those involved in building automation. Do an internet search on how to control your thermostat with your watch and you will quickly see that anything and everything is being networked nowadays. Managing all of these connected identities is known as the Identity of Things (IDoT). Keeping so many disparate devices running properly in an enterprise environment requires a single platform that can interface with and control them all from a central location, in other words, an IAM solution that is ready for it.
As the requirements, definitions and scope of IAM continue to expand and evolve, companies that provide IAM solutions will need to update their services and tools accordingly in order to handle all that data in a simple and user-friendly manner. Many of KuppingerCole’s fundamentals and Gartner’s vision for what IAM will look like in 2020 are already being covered now by IDM365. By always focusing on the user and giving control to the business’s decision makers through hybrid ABAC/RBAC, we make sure users have the right access based both on who they are and what they need to do. Through automation and an interface that speaks to non-techies, IDM365 is a future-friendly tool for identity and access management that is ahead of the curve.
Identity and Access Management 2020, by Ray Wagner
Seven Fundamentals for Future Identity and Access Management, by Martin Kuppinger