Identity's Third Wave - Security
The Gartner Hype Cycle, while a bit of an oversimplification, is a great tool for understanding the evolution of a product or solution space. Gartner describes the hype cycle by placing "visibility" on the "y" axis and "time" on the "x" axis. Visibility of the solution space is greatest early on, during the "Peak of Inflated Expectations".
The identity space’s inflated expectations and unfulfilled promises revolved around enterprise-wide fine-grained provisioning. Many of us truly believed that we could automate application access to thousands of servers with little or no need for manual intervention. We embarked on intensive role engineering exercises only to find that businesses were too dynamic and complex to really deliver on that promise.
Less would have been more, and that is what the value proposition became when two new vendors reduced it to simply being able to answer, “Who has access to what?” I don't know whether I should be more grateful to them for simplifying things or to Senator Sarbanes and Representative Oxley for being the knights in shining armor who mandated this capability for SOX-sensitive applications. Regardless, our goal became to aggregate identities, report on them, and allow them to be reviewed and certified. And sure, we automate provisioning, but now with more realistic expectations.
Are we in the Hype Cycle’s “Plateau of Productivity”? Gartner thinks so and I do, too. Let me illustrate by stating that Identropy currently has 17 active Identity Governance and Administration (IGA) projects and all are on task and under budget. That’s a lot of productivity, but are we in a plateau of low visibility? How could we be, when identity has a new, more valuable and much better-funded business driver: information security?
Identity becoming a “Cyber” or “InfoSec” solution is the new wave that is going to drive our solutions into a broader market, but are we going to once again enter the dreaded “Trough of Disillusionment”? I don’t think so. The solutions that address identity security are nothing new and not overly complicated to deploy. What gets in the way of execution are organizational challenges that revolve around people, policies, and procedures. The technology is not complex, and IGA program managers and service providers have been overcoming the organizational challenges for quite some time. So what is it going to take to put identity at the center of security?
Forrester posed this question to two hundred IAM decision makers and identified "Four Elements of IAM Maturity". They found that companies that suffered fewer breaches have a well-developed identity assurance capability, limit lateral movement, grant least-privilege access and carefully monitor privileged users.
This is basically what the vendors in the Privileged Identity Management space have been doing for quite some time. The challenge remains that IGA is 70% about people and processes and only 30% about technology. In other words, these tools should be integrated into the policies, procedures, and technology that comprise an organization’s IGA Program.
When security infrastructure is integrated into an IGA platform, the identity platform contextualizes the information gathered by the security tools. In other words, events are linked to identities, which usually span multiple accounts or events. When accounts or events in the environment become suspect, the security tools feed this information to the IGA platform, which can remediate the issue and mitigate the risk of a breach. The IGA platform can force a password reset, step up the user’s authentication, or even disable the suspect accounts. This integration deepens and broadens the value of IGA platforms.
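The correlation described above, sketched as an added example (not code from the original post or from any IGA product): it links events from separate accounts to one identity and picks a remediation from the summed risk. The account names, signal names, risk scores and policy thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: account -> owning identity, as an IGA platform aggregates it.
ACCOUNT_OWNER = {
    "jdoe": "id-1001",            # directory account
    "john.doe@corp": "id-1001",   # SaaS account
    "svc-jdoe-adm": "id-1001",    # privileged account
    "asmith": "id-1002",
}

# Constructed events as a security tool might report them: (account, signal, risk).
EVENTS = [
    ("jdoe", "impossible_travel", 30),
    ("john.doe@corp", "repeated_mfa_prompts", 30),
    ("svc-jdoe-adm", "off_hours_admin_login", 35),
    ("asmith", "failed_logins", 20),
    ("ghost01", "failed_logins", 40),  # no owner on record: orphaned account
]

# Assumed policy (hypothetical thresholds), highest first: (minimum score, action).
POLICY = [
    (90, "disable_accounts"),
    (60, "step_up_authentication"),
    (30, "force_password_reset"),
]

def action_for(score):
    """Return the strongest action whose threshold the score reaches."""
    for threshold, action in POLICY:
        if score >= threshold:
            return action
    return "none"

def per_account(events):
    """Baseline without identity context: each account is scored in isolation."""
    score = defaultdict(int)
    for account, _signal, risk in events:
        score[account] += risk
    return {account: action_for(total) for account, total in score.items()}

def remediate(events, owners):
    """Sum risk per identity; returns {identity: (score, action, accounts)}."""
    score, accounts = defaultdict(int), defaultdict(set)
    for account, _signal, risk in events:
        # Accounts with no owner are kept visible instead of being dropped.
        identity = owners.get(account, f"orphan:{account}")
        score[identity] += risk
        accounts[identity].add(account)
    return {i: (score[i], action_for(score[i]), sorted(accounts[i])) for i in score}
```

Scored per account, none of the three accounts owned by `id-1001` rises above a password reset; summed per identity, the same events cross the disable threshold.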
The value of placing identity at the center of a security or cyber program is not insignificant. Forrester says that the most mature IAM companies are saving 40% on IAM costs and are half as vulnerable to breaches.
Why wait to integrate your security tools into your IGA platform? You probably have much of this infrastructure in-house already, but Forrester believes that it is worth considering moving to an integrated, unified platform for functions such as Multi-Factor Authentication, Single Sign-On and Privileged Identity Management. There could be significant savings in vendor consolidation, and these savings could fund the integration and policy analysis process.
The third, security-driven wave of identity offers a huge value proposition while potentially funding itself through vendor consolidation. Perhaps it is time, now that IGA has become much less of a challenge, to consider how we can leverage it to solve the deficiencies of perimeter-based security.
* Gartner IAM Hype Cycle Image shared from a publicly available website.