Sie sind auf Seite 1von 8

eGuide IDG Enterprise is COMPUTERWORLD


Identity management—or identity and ber of devices taking their place in the
access management (IAM)—addresses “Internet of Things” (IoT) will have a
the need to ensure appropriate access corresponding effect on how compa-
to resources across increasingly het- nies employ their identity management
erogeneous technology environments structures. This eGuide introduces the
while satisfying compliance needs. But concept of the “Internet of Identities”
IAM must change right along with its and explores how it will affect IAM in
environment, and the increasing num- the very near future.

opinion analysis opinion opinion

The Internet of Identities Enterprises must Identity management Digital hijacking:

is coming and will bring address Internet of to-do list aligns with My identity is gone
massive IAM changes Identities challenges cybersecurity
Who owns IAM at your organization? Make security a priority in your Identity, security, and governance in
On the horizon: identity-based
If the answer is “everyone and no IAM planning. the wake of the Equifax breach.
computing and identity-based
networking. one,” you’re right—and it’s time to
take mindful action.

2 4 6 8
eGuide IDG Enterprise is COMPUTERWORLD

The Internet of Identities is coming and will

bring massive IAM changes
New demands for scale, security and machine learning will support massive
proliferation of internet-connected devices.
BY JON OLTSIK | My colleague Mark Bowker has a concept • Privacy and security requirements. Devices need to have As organizations
called the Internet of Identities. How does this differ from hardened configurations, unique identities, multi-factor au-
the Internet of Things? The Internet of Things is about, well, thentication capabilities, and secure communications from
add thousands or
things—devices, controllers, actuators, and the like. But these device to device. This will require new types of policy en- millions of new devices
things will perform tasks, collect data, and connect to other gines and enforcement controls that are tightly integrated
devices. In other words, each device will have an identity with with existing networking, cloud, and IAM infrastructure.
to their internal and
multiple attributes, and each of these attributes must be un- • Continuous intelligent monitoring. To maintain availability, cloud-based networks,
derstood to enable good things to occur and block bad things high performance, and security, the internet of identities
from happening. Thus: the Internet of Identities. will require continuous monitoring. Given the emerging
identity and access
Now, as organizations add thousands or millions of new devices scale here, it’s safe to say that human beings won’t be able management technol-
to their internal and cloud-based networks, identity and access man- to keep up with activities, so keeping the Internet of Iden-
agement (IAM) technology will go through a massive transformation. tity trains running on time will depend upon an infusion of
ogy will go through a
An organization’s IAM infrastructure will have to accommodate: artificial intelligence and machine learning algorithms that massive transformation.
can separate normal from anomalous behavior and then
• Massive scale. New IAM technologies will have to support mil- translate all of this into actionable intelligence for carbon-
lions of devices (and users), each with its own list of attributes. based life forms.
So, think of an N-by-N matrix of identity attributes. Further-
more, these users and devices may be transient—appearing With all due respect to Microsoft, I don’t think you will be able to
and disappearing as part of some type of business or opera- manage and secure the Internet of Identities with Active Directory—
tions process. Asset auditing alone will be a massive endeavor. a technology that was originally designed to compete with Banyan

2 of 8
eGuide IDG Enterprise is COMPUTERWORLD

Vines and Novell, way back in the day. Think of AD, and multiply • Security takes a bigger IAM role. According to ESG re- eBook
it by some exponential factor. As the Internet of Identities takes search, 66 percent of organizations claim that their security
shape, Mark and I expect some pretty big changes. For example: group is significantly or somewhat more involved with IAM
What’s Trending
policies, procedures, and technologies today than it was in Authentication
• Organizations will centralize IAM management and procure- two years ago. This is just the beginning, however. As the
The landscape of user authentication
ment. IAM grew organically in the past and tended to be man- Internet of Identities takes hold, CISOs will be intimately
is changing rapidly—and radically. A
aged by a loosely-coupled cabal of application developers, involved in crafting and enforcing identity policies. Look for
vanishing perimeter and the continuing
IT operations and security folks. As the internet of identities a much bigger focus on data privacy as well.
explosion of cloud-based applications
evolves, organizations will realize that they won’t be able to
and mobile devices are blurring old
use their existing IAM patchwork deployment to address Inter- The IT industry has been talking about identity-based comput- boundaries around organizations and
net of Identity scale or enable new business processes. At that ing and identity-based networking for years, but it was always networks. To keep up with the pace of
point, many organizations will make a next-generation identity more of a vision than reality. As the Internet of Identities evolves, change, lines of business are bypassing
infrastructure a high priority. Firms will also create positions this vision will come true—leading to a period of confusion, in- IT to deploy the applications they need
for chief identity officers, experienced individuals with the novation, and transformation. to meet their business objectives—and
right business and technical chops to transform their identity When will this happen? We are driving toward the on-ramp to- in the process creating more islands
infrastructure and champion a new IAM strategy. day, but the traffic on the highway is moving a lot faster than we of identity in a growing sea of shadow
• Identity runs to the cloud. The need for massive scale, think. In other words, the Internet of Identities and all that comes IT. And all of this is happening amid

perpetual connectivity, and processing power to monitor the with it are coming soon. increasingly rigorous data protection
regulation. This eBook explains how to
whole enchilada will drive large organizations to embrace
address today’s most popular authen-
cloud-based IAM services.
tication questions and ensure your
organization is prepared for the future
of authentication.

download now

3 of 8
eGuide IDG Enterprise is COMPUTERWORLD

Enterprises must address

Internet of Identities challenges
BY JOHN OLTSIK | No one owns identity at many organizations tive Directory came in through Windows servers, VPNs and The “Internet of
and identity skills are lacking. In lieu of a solution, these issues VLANs came via Cisco, authentication technologies like RSA
could lead to IoT roadblocks and security vulnerabilities. SecureID were procured and managed by security teams, and
Identities” is a trend
As November ends, everyone and their brother/sister will be so on. As a result, everyone has a piece of IAM, but no one that’s coming on
writing about their IT and security predictions for 2018. Here’s a owns it across the enterprise. ESG research indicates that IT
fast, but research
no-brainer from me—we’ll see massive proliferation of Internet of infrastructure operations (49 percent) bear the majority of
Things (IoT) devices on the network next year. Some of these will IAM responsibility, but security (31 percent), app management indicates that many
be general-purpose devices, such as IP cameras, smart thermo- (10 percent), app development (5 percent), and mobile app
organizations are
stats, smart electric meters, and the like, but many others will be management (4 percent) teams are leaning in on IAM activi-
industry-specific sensors, actuators, and data collectors. ties. Yup, when it comes to IAM, many organizations could be not prepared for
Managing the deployment, operations, and security of all considered a jack-of-all-trades and a master of none. the onslaught.
these devices will be quite challenging. Someone must figure out • IAM is a prisoner of the cybersecurity skills shortage. Secu-
network access controls, connectivity, segmentation, baseline rity teams will be responsible for Internet of Identities policy
behavior, network performance implications, and so on. enforcement, controls, and end-to-end monitoring, but this
This is where identity comes into play. Each device should oversight may be impacted by the global cybersecurity skills
have its own identity and attributes that govern connectivity, shortage. The research reveals that 27 percent of respondents
policy, and trust. My sagacious colleague, Mark Bowker, calls this do not feel they have a sufficient level of IAM knowledge, and
trend the Internet of Identities. It’s a trend that’s coming fast, but 31 percent of respondents do not feel that they have enough
ESG research indicates that many organizations are not prepared individuals with IAM responsibilities on the information secu-
for the onslaught, because: rity team. Security teams will run around like turkeys with their
heads cut off as IoT devices multiply in the coming years.
• No one owns identity and access management (IAM). IAM
grew organically over the past 20 years as organizations What will happen if organizations don’t address these issues?
deployed applications, infrastructure, and security tools. Ac- Internet of Identities applications will be deployed haphazardly,

4 of 8
eGuide IDG Enterprise is COMPUTERWORLD

network traffic patterns will go awry, productivity and up- 2. Appoint an IAM committee and owner. white paper
time will suffer, and security teams will have to scramble to Application developers, IT operations, and security personnel do
catch up. need to work collectively on IAM, but someone must steer the
6 Steps to
ship. CIOs, CISOs, and business managers must find a senior Identity
Three strategies to address IoT device person who has the right business process, IT, and security
IAM challenges chops, and who can be accountable for driving an IAM/Internet Assurance
So, what’s needed? Mark recommends enterprise organizations of Identities strategy that promotes business enablement, opera- Now that so many applications have
do the following: tional efficiency, and security efficacy. moved to the cloud, and users continue
to embrace mobility, your organization
1. Assess their enterprise IAM tactics and strategies. 3. Adopt an identity-centric approach to business policies. must work toward fully embracing the
Organizations must find the disconnects, scalability issues, As organizations approach new business initiatives, they should new opportunities this boundaryless
process overlap, and ownership structure—and then work make IT and security decisions based upon the individuals involved, world presents. At the same time, you

on a three-year project to integrate and interoperate the the devices they’ll use, the locations they work from, and the applica- must manage the risk that comes with
such openness. It’s time to shift tradi-
whole enchilada. tions and data they need to get their jobs done. It’s all about connect-
tional thinking away from authentication
ing the right people to the right tools and blocking everyone else.
as a static one-time event and move
towards a more modern authentication
strategy that doesn’t require a trade-off
between security and convenience. This
white paper provides guidance on the
six key elements to identity assurance
and how to increase security while opti-
infographic mizing the end user’s experience.

Is Your Authentication Strategy on Track? download now

Time and again, traditional authentication solutions have proven inadequate in protecting organizations from
external and insider threats. It’s no wonder: those authentication methods were built for a different time—when only
privileged users had remote access to systems via mobile devices, and the cloud was but a shadow on the horizon.
This infographic outlines the eight common authentication pitfalls and how you can make sure your authentication
strategy is on the right track.

download now

5 of 8
eGuide IDG Enterprise is COMPUTERWORLD

Identity management to-do list

aligns with cybersecurity
Large organizations want to monitor user activities, move to multi-factor
authentication, and get security more involved with IAM decisions.
BY JON OLTSIK, NETWORK WORLD | My colleague Mark • 26 percent say they will replace user name/password au- Identity and access
Bowker just completed some comprehensive research on thentication with multi-factor authentication (MFA) wherever
identity and access management (IAM) challenges, plans, possible. While monitoring users can be seen as threat
management tech-
and strategies at enterprise organizations. As a cybersecu- detection, MFA is clearly part of a threat prevention and a nology decisions are
rity professional, I welcome this data. Identity management sound risk management strategy. MFA proliferation may also
should be a major component of an enterprise risk manage- be related to GDPR or other compliance mandates.
often treated tacti-
ment strategy, yet IAM technology decisions are often treated • 23 percent say they will increase the participation of the cally or left to ap-
tactically or left to application developers or IT operations security group in IAM decisions. This supports the move to-
plication developers
staff who don’t always prioritize security in their planning. ward threat prevention and detection described above. That’s
not surprising, since user accounts are often compromised or IT operations staff
Security becomes a priority in IAM strategies
using phishing attacks, social engineering, or keyloggers.
The ESG data suggest a change in the IAM weather—large or- who don’t always
• 20 percent say they will hire more IAM specialists in the
ganizations seem to be prioritizing security as part of their IAM
cybersecurity department. Good idea—if you can find them. prioritize security in
strategies. ESG asked 273 cybersecurity and IT professionals to
The global cybersecurity skills shortage may make it difficult their planning.
identify the initiatives that will be part of their IAM strategies over
to make this happen.
the next 24 months. The data reveals:

• 29 percent say they will monitor user activities more compre- I was talking to a CISO a few years ago about the prolifera-
hensively. In other words, they will be on the lookout for account tion of cloud and mobile computing. In describing his security
compromises and insider attacks. This may also be linked with response to these two trends, he said: “When I lose control of
user and entity behavior analytics (UEBA) deployment. devices and servers, I need to make sure to establish as much

6 of 8
eGuide IDG Enterprise is COMPUTERWORLD

control as I can in two areas—identity management and data The ESG data demonstrates that some organizations are fol- newsletter
security.” So henceforth, my CISO friend plans to treat identity lowing this sagacious advice. It’s a good start. Mark and I will be
management (and data security) as new security perimeters. tracking how this trend progresses.
Newsletter: The
Power of Identity
This special report from RSA featuring
Gartner describes how digital transfor-
mation is changing the roles of identity
and access management (IAM) leaders
and how you can move from risk into
opportunity. Download this report for a
clear, actionable picture of how you and
your IAM team can adapt to accelerate
digital transformation.

download now

white paper

IDC Perspective: The Death of 2FA and the

Birth of Modern Authentication
Two-factor and multi-factor authentication are significant improvements over the use of passwords for authentica-
tion. However, the definition of multi-factor authentication was born in a different day and is based upon antiquated
technology and approaches. As technology and the world around it changes, our definition of and expectations for
authentication also need to change. IDC recommends looking beyond standard MFA and considering a modern
approach to authentication.
download now

7 of 8
eGuide IDG Enterprise is COMPUTERWORLD

Digital hijacking: My identity is gone

Wonder why your identity got stolen? Post-Equifax, this article highlights
a modern security strategy for the credit bureaus.
BY TOM KELLERMANN | September 8, 2017, will be remembered society, it is imperative that we de-commoditize the Social It’s time we awak-
as a day many Americans truly awakened to cybercrime. No longer Security number, which was never intended to be an authentica-
can we depend on the security of “our” digital identities. In March tion measure. Cyber-criminals have been profiteering with
ened to the hostility
2017, the ApacheStruts2 vulnerability was discovered and Equifax American identities for too long. Advances in technology can help of cyberspace and the
became vulnerable to a cyber-intrusion of historic proportions. create a more secure digital-to-physical identity translation. Access
importance of security
It’s important to note that data exfiltration began in May—and to data files should require real-time adaptive authentication
yet a patch was available. On September 8, 2017, the breach was checks using strong credentials with multiple factors, such as: versus efficiency.
publicly announced (90 days post-mortem), and the company was
punished by Wall Street when its stock plummeted 31 percent. • Human identity (including PII, credit, social profiles, biometrics)
As we grapple with the impact this breach has on the finan- • Environmental context (device, location, network, behaviors)
cial sector and upon our personal lives, we must accept the • Relationships (employment, background checks, certifications)
reality that there is a governance issue here that contributed to
Equifax’s lack of preparedness. For starters, the company’s CISO If deployed properly, these adaptive authentication checks
was reporting to its CIO. It’s time we awakened to the hostility could stop external and internal hackers before data is accessed.
of cyberspace and the importance of security versus efficiency. Once user attributes have been verified, they are typically bound
The CISO must be elevated to a true C-level position that reports to an authentication credential for user login. These user at-
directly to the CEO and has an enhanced security budget outside tributes need to be rechecked periodically using trusted data
of IT. From a tactical perspective, Equifax should have patched the sources. This combination of services will strengthen access con-
system in a timely manner and deployed application white-listing. trols and make it extremely difficult for hackers to steal identities
Once realization of the breach had occurred, they should have put and create synthetic identities for accessing online services.
together a hunt team to augment incident response and attack- September 8, 2017, was a day to remember—a day to remember
path mapping. that we must take back the security of our digital identities and
Now we wait for the inevitable identity theft to occur. As a challenge the corporations we trust to invest more in cybersecurity.

8 of 8