Thinking about Identity Management for the RSA Security Conference

With February behind us, the cybersecurity industry is about to experience a push toward the annual RSA Security Conference in San Francisco. I expect around 50,000 people to attend this year. It ought to be crowded, loud, and extremely passionate.

Now normally, identity and access management (IAM) is sort of a niche player at RSA. Oh sure, there are plenty of biometrics, smart card, and security token vendors present, but IAM discussions are muted by a cacophony of noise around things like next-generation endpoint security, behavioral analytics, and CASB. 

I can see why this was the case ten years ago but watering down IAM makes no sense today. Why? Allow me to relay the rationale from a CISO friend of mine. He often describes the fact that IT is becoming more and more distributed, with mobile devices on one side and public cloud services on the other. In other words, IT and security teams own and control less and less of the underlying IT infrastructure these days. 

Now, when his organization was losing control of its IT infrastructure, this CISO decided it was worthwhile to bolster control in other areas. So, in an IT world of mobility and public cloud computing, my CISO buddy firmly believes that there are now two primary security perimeters: data security and identity. 

Thus, the impetus to ramp up our IAM (and data security) discussions at RSA.

My colleague Mark Bowker owns IAM coverage at ESG and he’ll be joining me at RSA this year. Given this emphasis on identity as a security perimeter, Mark and I plan to comb the halls of the Moscone Center, focusing our RSA attention on IAM initiatives like:

  • Password elimination. While we welcome technical advances like artificial intelligence into cybersecurity, it’s worth remembering that we still log onto networks using the same method used for accessing time-sharing IBM 360 mainframes back in the 1960s. Since we all walk around with unique cell phones (and phone numbers) and these devices are instrumented with biometrics, isn’t it time to make passwords history? Mark believes this is the case, so he and I will be looking to speak with organizations with ongoing projects to (finally) eliminate passwords once and for all.
  • Software-defined perimeter use cases. As I’ve said before, few organizations have an SDP budget, but just about every organization has an SDP requirement. This is especially true with mobility and cloud where organizations want to provide secure/trusted access to users and devices directly to cloud-based applications and services. Typical SDP use cases include providing secure application access to business partners, eliminating VPNs, and single sign-on for heterogeneous hybrid cloud environments. We’ll be chatting about this with enterprise organizations as well as SDP vendors like Cyxtera, Google, ScaleFT, Vidder, and Zscaler.
  • Establishing a single source of truth. One of the biggest issues organizations face is that identity data resides everywhere: in authentication systems, VPNs, applications, social networks, etc. Now, this isn’t a new problem; we’ve tried to solve it for years with directories, meta-directories, and federated directories but nothing has worked. Once again, we haven’t made much progress. Heck, Active Directory is around 20 years old! Mark believes a new wave of cloud-scale directories and identity standards may finally address these issues to create a federated source of identity truth. We’ll be looking to RSA meetings to see which organizations and vendors are proceeding toward this vision.
  • Moving toward security “ownership” of identity. Everyone (security, IT operations, developers, etc.) has a little piece of identity management but no one owns identity management and that creates problems with security and operations. With identity as a new security perimeter, it’s time to build an identity abstraction layer for authentication, authorization, and auditing (AAA). Security teams should lead this effort. Several vendors like Amazon, Citrix, Google, Microsoft, and VMware have their sights on a cloud-based model but this type of identity service must also interoperate with the legacy identity mess and even offer a sensible migration path. Mark and I will be looking for leadership here.

It is also worth noting that identity management initiatives are tightly coupled with an increased enterprise focus on data privacy. Security teams play an essential role here as organizations seek to operationalize privacy policies. Hmm, seems like a good time to discuss identity management at the very least. 

More soon on our plans for RSA, only 6 weeks to go!
