When it comes to security, identity is the new perimeter.
It’s a concept we spend a lot of time talking through within the KNOW community. The tools companies use to determine that the right people are accessing their systems have changed dramatically over the past several years. These changes are largely driven by a change in workforce composition, the prevalence of bring-your-own-device policies, and migrations to cloud-based enterprise architecture. There’s a lot to keep track of, and it’s no longer enough to simply pour resources into walling off internal digital assets.
In the run-up to KNOW 2020, we’re taking it back to basics. Join us as we look at the fundamental components of identity and access management (IAM), the dynamics that have shaped the market we know today, and the emerging challenges we’ll be debating at this year’s show.
Julie Andrews says that the beginning is a very good place to start, and who are we to argue? IAM refers to the whole set of processes and technologies that ensures that the right people can access the right business assets at the right time for the right purposes.
It’s a deceptively simple definition, but IAM involves a complex web of both positive and negative assurances. Effective IAM protocols mean that the right people can always get the correct digital resources to carry out their necessary job functions, and that the wrong people can never get access to information they shouldn’t.
Broadly, a holistic IAM strategy encompasses several functions to accomplish that goal:
- Data Classification - Understanding where and how sensitive company resources are stored so that access can be governed accordingly.
- Directory Management - Maintaining a roster of digital identities - of individual users, groups, devices, and organizations - that have access to a company’s digital resources.
- Identity Management - The ability to modify attributes of digital identities in the directory to make sure they’re dynamically correct over time.
- Authorization and Provisioning - Assigning appropriate access privileges to digital identities with particular roles or attributes.
- Access Management - Making sure authorized, correctly provisioned digital identities are able to securely gain access (via multi-factor authentication, single-sign-on structures, and/or identity federation, for example) to the actual services and resources they need to do their jobs.
- Monitoring, Auditing, and Reporting - Ensuring that a company knows how resources are used and by whom, can detect and respond to unauthorized access, and can update policies and directories as needed.
IDaaS and the Market Today
So how has the approach to this set of IAM use cases evolved, especially as enterprises shift their assets to the cloud? Here’s a quick timeline:
Pre-digital - Before enterprises shifted online, IAM was a purely physical process governing who had the ability to access, view, and handle information in hard copy. Physical perimeter security was the focus. Think: restricted areas, guards, badges, or limitations on copying or transporting printed material.
Post-digital, pre-cloud - As digital processes came to dominate enterprise business processes, IAM evolved into a set of processes assigning digital rights to particular users of an organization’s internal network and servers. Here the focus shifted to digital perimeter security: keeping the bad guys out. Solutions centered around passwords, firewalls, VPNs, and other cybersecurity tools to protect internal data centers.
Cloud era - Enterprise data and asset storage and processing are increasingly decentralized. The prevalence of cloud-based servers and third-party applications means that IAM is no longer just about perimeter security. Instead, it must center around reliably creating and provisioning identities. In this shifting information security context, a tech-agnostic framework for IAM is necessary to help keep companies and their employees focused on an effective overall strategy.
The result is Identity-as-a-Service (IDaaS): identity and access management functionality that relies on cloud-based technologies for speed and reliability. It’s a booming business: the IDaaS market is projected to top $27 billion by 2027, growing at a CAGR of 26%.
IDaaS at KNOW
In short, IDaaS is going to feature prominently in KNOW programming for years to come. This year in particular, there are a few questions that we can’t wait to ask our speakers about:
- In any given week, the average company has 181 distinct third-party vendors accessing its digital resources. Those third parties can be a critical vulnerability - just ask Target. How can companies effectively gauge the risk of those relationships and mitigate ongoing threats?
- Two-thirds of employees use a personal device in the workplace, and 87% of businesses depend on employees leveraging business-related apps from their smartphones. The way companies do business has changed in a profound way, putting employees at the front lines of enterprise security. How can organizations effectively design user experiences to keep business assets safe when the lines between home and office are blurred?
- GDPR has ushered in a new era for sensitive data storage. How can companies effectively monitor their systems to keep tabs on digital assets and steer clear of compliance violations?
Last year, experts from Duo, IBM, Ping, Okta, and more weighed in on how to tackle questions like these, and we’re looking forward to hearing their take on where we’re heading next.