Digital business, hackers driving next wave of identity innovation

Evolving tools and challenges fostering close coupling of identity, access management with business goals

Identity and access management needs a shot of innovation at a time when enterprises are both expanding their digital business strategies and fighting off an ever-growing sophistication among hackers.

"The time is right to make a proactive and lasting change on how you approach IAM," said Felix Gaehtgens, a Gartner research director during the opening keynote Monday at the 10th annual Gartner IAM Summit in Las Vegas. "IAM should help lead the way to digital business."

The goal is to mold a modified approach to identity and access management (IAM) and install it as a fundamental part of enterprise architecture. Gaehtgens said the new attitude requires adding innovation into IAM that turns it into a skill that supports evolving enterprise processes backed by identity and access controls.

This innovation must dovetail with the growing use of digital business, which pushes security constructs into a boundary-less environment beyond the traditional walls of the enterprise network.

In this environment, enterprises are seeing an uptick in business process automation via developments like the Internet of Things explosion, mobile, and growing "shadow" IT. All of this puts into the spotlight the authentication, privileges and security controls wrapped up in IAM. To prepare for the future, IAM services must be made available as building blocks, and their use must be evangelized to developers.

Gartner research vice president Ant Allan, who specializes in user authentication, advocated for a fundamental re-consideration of the goals of information security and IAM.

"We need to accept some level of risk to achieve business success," Allan said. In doing that, the enterprise must develop the ability to bounce back from adversity.

Enterprises must realize that it's no longer true that a secure infrastructure equates to a secure business, he said. There are now too many variables that exist outside the enterprise.

Allan also said enterprises need to shift from defenders to facilitators who strike a balance between protecting the organization while still ensuring management's desired business outcomes. Also needed is a shift to risk-based thinking in place of "check-box" compliance with federal and other regulations. Another must is moving the focus from preventing attacks to a "detect and respond" strategy. "We will never have perfect protection," he said.

In addition, the enterprise has to shift from a technology focus to a people focus, providing freedom to use tools that most benefit the business. And finally, Allan said, attempts to control data needs to be replaced with the understanding of data flows so enterprises can calculate the risk involved with resources accessed internally and externally.

Brian Iverson, research director in IT leader systems, security and risk at Gartner, wrapped up the evolving enterprise landscape around IAM.

He said the norm today is not defined by servicing internal (enterprise) and external constituencies (customers, prospects, partners, contractors and suppliers). But that norm must evolve to service both constituencies equally as the exploding availability of apps drives complexity and forces IAM to scale.

"There won't be a single set of processes, but there will need to be an overarching program," said Iverson. "You must position IAM as an innovative program," he told the audience of nearly 1,400. "This is an extraordinary time to be in IAM."