Over the last year or so, we’ve been hearing a lot about how identity and access management products are—for lack of a better term—getting “smarter.” For some examples, look at these articles about VMware Identity Manager, Okta, MobileIron Access, Centrify, Azure AD, or UnifyID.
While Active Directory worked fine for our on-premises applications, in the mobile and cloud era, federation, single sign-on, and more advanced identity and access management systems are rapidly becoming vital.
Today I want to look at the innovations that are making identity and access management products smarter, and what this trend means to us.
How IDaaS is getting smarter
When we think of access policies, we likely think of rules based on the user, group, app, maybe time of day, whether the app is being accessed on our network or remotely, and so on. We might lock people out of accounts if they make too many failed password attempts. We can also do audits of who has access to which apps, so we can update access as needed. All this is pretty straightforward.
But look at the ways that identity and access management platforms (or IDaaS) are getting smarter. There are way more variables that can go into access policies now:
IDaaS can get more precise location data from mobile agent apps. Agents can also check whether a device is jailbroken or rooted or look at other local attributes, with the caveat that a client-side jailbreak check is only as trustworthy as the device running it; a compromised device can lie about its own state, so these signals are a risk input, not proof.
Integrations with EMM platforms (whether through identity standards, APIs, or the fact that they’re built together as one product) can add variables like whether or not a device is managed, and whether or not the device is in compliance. (Device compliance can be based on almost any EMM policy you can imagine, like passcode settings, jailbreaking/rooting, what apps are installed, or if the OS is up to date.)
Besides EMM, there are all sorts of other options for getting data to serve as access policy variables, such as integrations with cloud access security brokers, DLP platforms, or services like ThreatMetrix.
The next level is applying machine learning or artificial intelligence. It could be used for specific things like identifying impossible travel scenarios (two sign-ins whose locations could not be reached in the time between them, which is really just a rule over geolocation and timestamps), or it could be more general and look for any anomalous user behavior patterns, possibly indicating stolen credentials, malware, or an insider threat.
More authentication options
Most of the access policies and variables I’ve outlined so far have to do with authorization, but there are plenty of advances in authentication, too. There are all sorts of products that use biometric and behavioral factors, and these can be used to do continuous authentication.
One example is UnifyID, a recently launched startup from Moka5 founder John Whaley. It uses over 100 attributes—many derived from sensors on users’ phones and computers—to identify and authenticate users. UnifyID is in a consumer-oriented beta right now, but identity standards should make it fairly straightforward for them to create an enterprise product that can easily integrate with other IDaaS platforms.
Also remember that most IDaaS products can take care of multi-factor authentication in a variety of ways. We’re all familiar with SMS codes or emails with one-time password links (keeping in mind that SMS codes can be intercepted or phished, so they are the weakest of these options), but there’s also been a wave of mobile authenticator apps (you get a push notification and just tap a single button), and many of them support Apple Watch and Android Wear devices.
The result: Better UX and security
All these new variables can be used to create access policies that are often described by IDaaS vendors as adaptive, conditional, or contextual.
With these capabilities, IDaaS platforms can be a lot smarter about when to take different types of actions, such as allowing or blocking access, asking for re-authentication, stepping up authentication with another factor, or notifying an administrator.
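To make the policy logic above concrete, here is an added example (not code from the article or from any IDaaS vendor) of a toy adaptive access engine. It combines the context variables from the earlier list, including an impossible-travel check computed from the previous sign-in's location and timestamp, and returns one of the actions just described: allow, step up, or block, optionally flagging an administrator. The field names, the 900 km/h speed threshold, the sensitivity tiers, and the sample sign-ins are all assumptions made for illustration.

```python
# Added example, not code from the article or from any IDaaS vendor.
# A toy adaptive access engine: turns context signals (network location,
# device management/compliance, jailbreak state, impossible travel since the
# previous sign-in) into one action. Thresholds and field names are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly airliner speed
GEO_SLOP_KM = 50.0                # assumption: tolerance for geo-IP imprecision


@dataclass
class SignIn:
    user: str
    when: datetime                # timezone-aware
    lat: float
    lon: float
    on_corporate_network: bool
    device_managed: bool
    device_compliant: bool
    jailbroken: bool


@dataclass
class Decision:
    action: str                   # "allow", "step_up" or "block"
    reasons: List[str] = field(default_factory=list)
    notify_admin: bool = False


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(prev: Optional[SignIn], cur: SignIn) -> bool:
    """True if reaching cur from prev would require an implausible speed."""
    if prev is None:
        return False
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:                # same instant or clock skew: any real distance is suspect
        return dist > GEO_SLOP_KM
    return dist / hours > MAX_PLAUSIBLE_SPEED_KMH


def evaluate(prev: Optional[SignIn], cur: SignIn, app_sensitivity: str) -> Decision:
    """Hard blocks first, then conditions that earn a step-up, then allow."""
    if cur.jailbroken:
        return Decision("block", ["jailbroken or rooted device"], notify_admin=True)
    if impossible_travel(prev, cur):
        return Decision("block", ["impossible travel since last sign-in"], notify_admin=True)
    if app_sensitivity == "high" and not cur.device_managed:
        return Decision("block", ["unmanaged device for high-sensitivity app"])
    reasons = []
    if not cur.device_compliant:
        reasons.append("device out of EMM compliance")
    if not cur.on_corporate_network:
        reasons.append("access from outside the corporate network")
    if app_sensitivity == "high":
        reasons.append("high-sensitivity app")
    return Decision("step_up", reasons) if reasons else Decision("allow")


# Constructed sample sign-ins (not real telemetry).
T0 = datetime(2017, 3, 1, 9, 0, tzinfo=timezone.utc)
SEATTLE = (47.6062, -122.3321)
LONDON = (51.5074, -0.1278)
ALICE_OFFICE = SignIn("alice", T0, *SEATTLE, on_corporate_network=True,
                      device_managed=True, device_compliant=True, jailbroken=False)
ALICE_LONDON_1H = SignIn("alice", T0 + timedelta(hours=1), *LONDON, on_corporate_network=False,
                         device_managed=True, device_compliant=True, jailbroken=False)
ALICE_LONDON_12H = SignIn("alice", T0 + timedelta(hours=12), *LONDON, on_corporate_network=False,
                          device_managed=True, device_compliant=True, jailbroken=False)
BOB_HOME = SignIn("bob", T0, *SEATTLE, on_corporate_network=False,
                  device_managed=True, device_compliant=False, jailbroken=False)
CAROL_ROOTED = SignIn("carol", T0, *SEATTLE, on_corporate_network=True,
                      device_managed=True, device_compliant=True, jailbroken=True)


def run_samples() -> dict:
    """Evaluate the constructed scenarios; returns {scenario: action}."""
    return {
        "alice_office": evaluate(None, ALICE_OFFICE, "medium").action,
        "alice_impossible_travel": evaluate(ALICE_OFFICE, ALICE_LONDON_1H, "medium").action,
        "alice_london_12h": evaluate(ALICE_OFFICE, ALICE_LONDON_12H, "medium").action,
        "bob_noncompliant_offnet": evaluate(None, BOB_HOME, "medium").action,
        "carol_rooted": evaluate(None, CAROL_ROOTED, "low").action,
    }


if __name__ == "__main__":
    for scenario, action in run_samples().items():
        print(f"{scenario}: {action}")
```

The ordering in evaluate is the design point: signals that indicate a compromised device or stolen credentials block outright and page an administrator, while weaker signals (off-network, out of compliance) only raise the bar to a second factor, so the user experience degrades in proportion to the risk rather than failing closed on every anomaly.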
The result is reduced reliance on usernames and passwords, and a much better user experience.
Another result is better security. According to the 2016 Verizon Data Breach Investigations Report, 63 percent of confirmed data breaches involved weak, default, or stolen passwords. Smarter identity management can substantially reduce that exposure by making a stolen password alone insufficient.
All this sounds a bit futuristic—who would have thought that artificial intelligence would have a role in EUC management so soon? So is this realistic today? Yes, it’s pretty much all ready to go.
All of the policy option and integration examples I gave come from various IDaaS products on the market. IDaaS products can sync to your existing AD, and can federate with your cloud apps via standards like SAML. (There are now hundreds of enterprise SaaS ISVs that support SAML.) Some IDaaS platforms can control access to on-premises apps, too. And SSO in mobile apps is getting better, thanks to EMM-distributed certificates and various improvements from Google and Apple.
It’s becoming clear that this is where EUC is going. Whether you do identity as part of a big suite like VMware Workspace ONE or Microsoft EMS, or you use independent IDaaS offerings like Okta, Centrify, or Ping, “smart” identity and access management is very likely to be a part of your world in the coming years.