As November ends, everyone and their brother/sister will be writing about their IT and security predictions for 2018. Here’s a no-brainer from me: We’ll see massive proliferation of IoT devices on the network next year. Some of these will be general purpose like IP cameras, smart thermostats, smart electric meters, etc., but many others will be industry-specific sensors, actuators, and data collectors.
Managing the deployment, operations, and security of all these devices will be quite challenging. Someone must figure out network access controls, connectivity, segmentation, baseline behavior, network performance implications, etc.
This is where identity comes into play. Each device should have its own identity and attributes that govern connectivity, policy, and trust. My sagacious colleague, Mark Bowker, calls this trend the Internet of Identities (IoI). With Mark’s help, I introduced the concept of IoI in this blog, and further elaborated on the massive changes the Internet of Identities will bring in this one.
So, IoI is coming fast, but ESG research indicates that many organizations are not prepared for the onslaught because:
- No one owns identity and access management (IAM). IAM grew organically over the past 20 years as organizations deployed applications, infrastructure, and security tools. Active Directory came in through Windows servers, VPNs and VLANs came via Cisco, authentication technologies like RSA SecurID were procured and managed by security teams, etc. As a result, everyone has a piece of IAM but no one owns it across the enterprise. ESG research indicates that IT infrastructure operations (49%) bear the majority of IAM responsibility, but security (31%), app management (10%), app development (5%), and mobile app management (4%) teams are leaning in on IAM activities. Yup, when it comes to IAM, many organizations could be considered a jack-of-all-trades and a master-of-none.
- IAM is a prisoner of the cybersecurity skills shortage. Security teams will be responsible for IoI policy enforcement, controls, and end-to-end monitoring but this oversight may be impacted by the global cybersecurity skills shortage. The research reveals that 27% of respondents do not feel they have a sufficient level of IAM knowledge and 31% of respondents do not feel that they have enough individuals on the information security team with IAM responsibilities. Security teams will run around like turkeys with their heads cut off as IoT devices multiply in the coming years.
What will happen if organizations don’t address these issues? IoI applications will be deployed haphazardly, network traffic patterns will go awry, productivity and uptime will suffer, and security teams will have to scramble to catch up.
So, what’s needed? Mark is recommending that enterprise organizations:
- Assess their enterprise IAM tactics and strategies. Organizations must find the disconnects, scalability issues, process overlap, and ownership structure and then work on a 3-year project to integrate and interoperate the whole enchilada.
- Appoint an IAM committee and owner. Application developers, IT operations, and security personnel do need to work collectively on IAM but someone must steer the ship. CIOs, CISOs, and business managers must find a senior person with the right business process, IT, and security chops who can be accountable for driving an IAM/IoI strategy that promotes business enablement, operational efficiency, and security efficacy.
- Adopt an identity-centric approach to business policies. As organizations approach new business initiatives, they should make IT and security decisions based upon the individuals involved, the devices they’ll use, the locations they work from, and the applications and data they need to get their jobs done. It’s all about connecting the right people to the right tools and blocking everyone else.