The Gartner Identity & Access Management Summit recently took place in London, where I had the chance to speak with RSA Security identity governance and lifecycle director Steve Mowll.
As well as emerging technologies in the industry, Mowll spoke about the future, the implications of GDPR, and strategies that businesses can use to overcome the challenges to security that are emerging as a result of the rapid adoption of cloud computing.
Current trends in the industry
Blockchain was a major topic of discussion at the Summit and Mowll says it has a lot of potential to solve problems like identity proofing and dynamic access management.
“However, after two years of talk in the identity industry, it has yet to be adopted into any ‘live’ mainstream use, apart from its original use in cryptocurrency,” says Mowll.
“With the improvements in mobile tech, biometrics are becoming a much more popular and convenient option for authentication, and many companies and vendors have adopted it as a way to move away from the password. By allowing the private biometric data to reside on the user’s own device, mobile biometric authentication often removes the burden of having to manage and secure this personally-identifiable data, allaying privacy concerns.”
Mowll says analytics is also playing a huge role within authentication and identity governance and administration processes, helping to improve the decision-making process for organisations.
“These analytics are also starting to combine data from other IT Security technologies such as user activity information from the SIEM, and third party and application risk data from the GRC platform. This will help businesses to better understand what they need to do to reduce risk not just in terms of identity, but for the organisation as a whole,” says Mowll.
“These increased analytical capabilities will also allow Identity processes to become more convenient for end users. Currently, the pain of identity management within enterprise organisations continues to be felt – whether it’s new users not having the access they need when they start a new job, or risk professionals having to review thousands of accesses with no real context. Identity & Risk Analytics will soon reduce, and in some cases completely remove, these pains, and let the business get on with their day job.”
Centralised technologies for the future
Mowll believes that centralised services, which collect identity data points to understand identity risk in a broader context, will transform the identity management industry in the future by sharing data across the whole IT security ecosystem with governance, risk and compliance.
“Using insights – from threat detection to user behaviour analytics and privileged access management – these technologies can reduce the friction within business processes (such as access request and approval, recertification and authentication), while also providing a greatly enhanced understanding of identity risk to these security functions,” says Mowll.
Mowll says that knowing who has access to what, and determining whether that access is appropriate, has been a requirement of many regulations and standards throughout the years.
“GDPR will increase the scope of applications needing identity governance to include applications holding personal data,” says Mowll.
“Data access governance will also become more important as companies look to understand where personal data exists in their unstructured data environments and determine who has access to it. For these reasons GDPR will continue to increase the value of identity & access management as part of an organisation’s IT security practices.”
Tips for overcoming challenges
Mowll says businesses can overcome the challenges presented by third party cloud apps by demanding standard interfaces throughout identity and access management practices.
“While authentication standards such as SAML are common across cloud platforms, corresponding standards for access management are not,” says Mowll.
“Many identity professionals talk about simple cloud identity management, but the reality is that many cloud services do not support it. This means while you can get your users onto the service, the way you manage their access is different with every vendor.”