Yesterday I wrote about Ping Identity and the event they host, the Cloud Identity Summit. Today I’ll continue my coverage by sharing some of what I learned about the present and future of identity management in the enterprise.
The year of cloud identity
Right now there’s a general feeling of accomplishment in the identity space, as many of the standards for enterprise identity in the cloud are complete (or nearly complete) and spreading rapidly. This was the central message of a keynote session from Alex Simons, who leads Azure Active Directory at Microsoft. But it wasn’t just him saying this or just a marketing thing—this is a widely shared feeling that I heard from many people, both at the Cloud Identity Summit and in other conversations over the last few months.
As Alex pointed out, thanks to standards including OAuth 2.0/OpenID Connect, SAML 2.0, FIDO Alliance, OData, JSON, SCIM 2.0, and Token Binding, huge numbers of enterprise users can or will soon have seamless, password-free experiences with cloud and on-premises apps (depending on policies and support, of course).
We’ll have to dig into the specifics another time, but the result is this: For companies where identity has always meant Active Directory, now is a good time to extend identity to cloud apps, because the technology and support for it are ready.
I know there are complications, and I’m not naïve enough to think this is going to happen overnight. (One of the complications involves mobile app SSO, but I’ll cover that in a future article.) However, I think the case is as clear-cut as any. Cloud app usage is expanding tremendously; better identity management has serious implications for security; and there are user experience benefits, as well.
As if the first part of this article wasn’t nebulous enough, now let’s look at the future.
Today, the state of the art in identity management is conditional or contextual access. We see this all the time in various identity products, and one example comes up with mobility—access decisions can consider whether a device is managed or unmanaged, and if it’s compliant with policies.
Like many events this year, at the Cloud Identity Summit there was a lot of talk about machine learning. For identity and access management, it has two main applications. First, with the number of decisions to be made, manually created policies don’t scale. Just think about the increasing numbers of apps, partners, customers, devices, IoT things, and APIs that all need to be protected. Machine learning can help create and apply policies for these. Second, as we’ve covered before, machine learning can also be used to look for anomalous user behavior, indicating compromised accounts or insider threats.
What’s evolving next is continuous authentication, implemented using machine learning and a variety of factors including behavior patterns and biometrics.
A lot of people seem to be on board with this, assuming the appropriate privacy controls are in place. But one reservation I heard was “What happens if they’re measuring my behavior, but I do just one thing wrong and get locked out?” Several sessions at the event pointed out that this is where human oversight comes in. We still need to tune algorithms to avoid false positives, provide ways for users to utilize other factors to prove their identity, and make sure the overall experience is a net gain over complex passwords and old-style hardware MFA tokens.
Another part of the continuous authentication concept is that if a user starts behaving badly or is compromised, then access can be revoked and app sessions ended immediately, instead of waiting for a token to expire. Today this can be done if the identity system is integrated directly into the app, but there aren’t really any standards to do this across multiple apps, yet. (This sounds like a topic to look for at future conferences.)
The last anecdote from the show that I’ll mention is about biometrics. There’s a lot of skepticism—you can’t easily change your voice, fingerprint, or iris, so what happens if these systems get compromised? There was a whole panel session dedicated to this topic, but here are some of the short answers: First, a good biometric system will use a mathematical function to store your information as a template, discarding the original image or record—a one-way process. (Many systems are also proprietary, limiting the potential for template re-use.) And like anything, biometrics are not foolproof—they must be correctly implemented with best practices, and they’re only one of multiple factors.