Cloud, device proliferation, bad guys forcing evolutions in identity

Identity and access management is on the cusp of changes that will help define its overall role in enterprise security, adapt it to meet new access requirements, and combine it with security tools to form protection that extends to devices, cloud services and customer identification.

This evolution was outlined Tuesday during the opening keynote at the Gartner Identity and Access Management Summit in Las Vegas.

"The undercurrent today, is that bad guys are getting in," said Gregg Kreizman, research vice president at Gartner. "Identity can't do all the security, but it can reduce the attack surface."

He cited a Gartner survey that showed 63% of their clients said they would be replacing one or more [identity] technologies in the next two years. 'The No. 1 reason was that the technology environment has changed and the incumbent solution does not meet our requirements," said Kreizman.

He said the good news is that investment in identity and access management (IAM) remains strong in the enterprise, with average spending in 2016 from $1.6 million to $3.4 million depending on the size of the organization. In the survey, 53% of respondents said they expected a budget increase for 2017.

Kreizman said change needs to happen within internal relationships, namely IAM leaders, system admins, and application developers who will have to work closely together, set expectations with C-level executives, and bring IAM interests to the table sooner.

"IAM is a continuous thing, it is not one and done," said Kreizman.

He also said that while Identity as a Service is growing, it won't be the predominant model by 2020. In addition, access management will evolve given that apps are spread across the network, the cloud, and offered as micro services addressable via APIs.

Kreizman said Gartner is preaching a bimodal model that couples "keeping the lights on" with support for growing digital business that brings agile and adaptive development along with an "experimental mode." He said identity architects and managers believe that Identity of Things will eventually be part of this program.

Other areas of change include Identity Governance and Administration (IGA), where complexity is growing with the explosion of devices, external network access by suppliers and contractors, customer identity, and hosted and cloud services.

"Suddenly you have this relationship model that is complicated and legacy ID systems are weak in this area," said Lori Robinson, research vice president in Gartner's Identity and Privacy Strategy team. "People are taking a more innovative and service oriented approach. They are not looking at IGA as something monolithic." She said changes may well foster modern, agile IGA systems.

Robinson also told the 1,500 attendees that analytics will play a bigger role going forward by supporting deeper analysis of access events, better detection controls, expanded privileged access management, and producing behavioral data for use in IAM policy.

She noted that consumer IAM capabilities would bring enterprises the ability to connect with customers, collect identity data, integrate with external systems, and manage consent and privacy.

Gartner Research Director Jonathan Care noted a convergence happening among identity proofing, authentication techniques and online fraud protection.

"They are looking like three facets of a single problem," he said. "We need to proof somebody, we need to authenticate that person, and we need to ensure, throughout the lifecycle from enrollment to retention, that we are not subjecting ourselves to unnecessary levels of fraud. We need to reduce our reliance on static data."