eGuide IDG Enterprise is COMPUTERWORLD

presents

Identity
Management
Identity management—or identity and
access management (IAM)—addresses
the need to ensure appropriate access
to resources across increasingly het-
erogeneous technology environments
while satisfying compliance needs. But
IAM must change right along with its
environment, and the increasing num-
ber of devices taking their place in the
“Internet of Things” (IoT) will have a
corresponding effect on how compa-
nies employ their identity management
structures. This eGuide introduces the
concept of the “Internet of Identities”
and explores how it will affect IAM in
the very near future.

opinion analysis opinion opinion

The Internet of Identities Enterprises must Identity management Digital hijacking:

is coming and will bring address Internet of to-do list aligns with My identity is gone
massive IAM changes Identities challenges cybersecurity
Who owns IAM at your organization? Make security a priority in your Identity, security, and governance in
On the horizon: identity-based
If the answer is “everyone and no IAM planning. the wake of the Equifax breach.
computing and identity-based
networking. one,” you’re right—and it’s time to
take mindful action.

2 4 6 8
eGuide IDG Enterprise is
The Internet of Identities is coming and will
bring massive IAM changes
New demands for scale, security and machine learning will support massive
proliferation of internet-connected devices.
BY JON OLTSIK | My colleague Mark Bowker has a concept
called the Internet of Identities. How does this differ from
the Internet of Things? The Internet of Things is about, well,
things—devices, controllers, actuators, and the like. But these
things will perform tasks, collect data, and connect to other
devices. In other words, each device will have an identity with
multiple attributes, and each of these attributes must be un-
derstood to enable good things to occur and block bad things
from happening. Thus: the Internet of Identities.
Now, as organizations add thousands or millions of new devices
to their internal and cloud-based networks, identity and access man-
agement (IAM) technology will go through a massive transformation.
An organization’s IAM infrastructure will have to accommodate:
• Massive scale. New IAM technologies will have to support mil-
lions of devices (and users), each with its own list of attributes.
So, think of an N-by-N matrix of identity attributes. Further-
more, these users and devices may be transient—appearing
and disappearing as part of some type of business or opera-
tions process. Asset auditing alone will be a massive endeavor.
2 of 8
COMPUTERWORLD
• Privacy and security requirements. Devices need to have As organizations
hardened configurations, unique identities, multi-factor au-
thentication capabilities, and secure communications from
add thousands or
device to device. This will require new types of policy en- millions of new devices
gines and enforcement controls that are tightly integrated
with existing networking, cloud, and IAM infrastructure.
to their internal and
• Continuous intelligent monitoring. To maintain availability, cloud-based networks,
high performance, and security, the internet of identities
will require continuous monitoring. Given the emerging
identity and access
scale here, it’s safe to say that human beings won’t be able management technol-
to keep up with activities, so keeping the Internet of Iden-
tity trains running on time will depend upon an infusion of
ogy will go through a
artificial intelligence and machine learning algorithms that massive transformation.
can separate normal from anomalous behavior and then
translate all of this into actionable intelligence for carbon-
based life forms.
With all due respect to Microsoft, I don’t think you will be able to
manage and secure the Internet of Identities with Active Directory—
a technology that was originally designed to compete with Banyan
eGuide IDG Enterprise is
Vines and Novell, way back in the day. Think of AD, and multiply
it by some exponential factor. As the Internet of Identities takes
shape, Mark and I expect some pretty big changes. For example:
• Organizations will centralize IAM management and procure-
ment. IAM grew organically in the past and tended to be man-
aged by a loosely-coupled cabal of application developers,
IT operations and security folks. As the internet of identities
evolves, organizations will realize that they won’t be able to
use their existing IAM patchwork deployment to address Inter-
net of Identity scale or enable new business processes. At that
point, many organizations will make a next-generation identity
infrastructure a high priority. Firms will also create positions
for chief identity officers, experienced individuals with the
right business and technical chops to transform their identity
infrastructure and champion a new IAM strategy.
• Identity runs to the cloud. The need for massive scale,
perpetual connectivity, and processing power to monitor the
whole enchilada will drive large organizations to embrace
cloud-based IAM services.
3 of 8
COMPUTERWORLD
Download
• Security takes a bigger IAM role. According to ESG re-
search, 66 percent of organizations claim that their security
group is significantly or somewhat more involved with IAM
policies, procedures, and technologies today than it was
two years ago. This is just the beginning, however. As the
Internet of Identities takes hold, CISOs will be intimately
involved in crafting and enforcing identity policies. Look for
a much bigger focus on data privacy as well.
The IT industry has been talking about identity-based comput-
ing and identity-based networking for years, but it was always
more of a vision than reality. As the Internet of Identities evolves,
this vision will come true—leading to a period of confusion, in-
novation, and transformation.
When will this happen? We are driving toward the on-ramp to-
day, but the traffic on the highway is moving a lot faster than we
think. In other words, the Internet of Identities and all that comes
with it are coming soon.
eBook
What’s Trending
in Authentication
The landscape of user authentication
is changing rapidly—and radically. A
vanishing perimeter and the continuing
explosion of cloud-based applications
and mobile devices are blurring old
boundaries around organizations and
networks. To keep up with the pace of
change, lines of business are bypassing
IT to deploy the applications they need
to meet their business objectives—and
in the process creating more islands
of identity in a growing sea of shadow
IT. And all of this is happening amid
increasingly rigorous data protection
regulation. This eBook explains how to
address today’s most popular authen-
tication questions and ensure your
organization is prepared for the future
of authentication.
download now
eGuide IDG Enterprise is
Enterprises must address
Internet of Identities challenges
BY JOHN OLTSIK | No one owns identity at many organizations
and identity skills are lacking. In lieu of a solution, these issues
could lead to IoT roadblocks and security vulnerabilities.
As November ends, everyone and their brother/sister will be
writing about their IT and security predictions for 2018. Here’s a
no-brainer from me—we’ll see massive proliferation of Internet of
Things (IoT) devices on the network next year. Some of these will
be general-purpose devices, such as IP cameras, smart thermo-
stats, smart electric meters, and the like, but many others will be
industry-specific sensors, actuators, and data collectors.
Managing the deployment, operations, and security of all
these devices will be quite challenging. Someone must figure out
network access controls, connectivity, segmentation, baseline
behavior, network performance implications, and so on.
This is where identity comes into play. Each device should
have its own identity and attributes that govern connectivity,
policy, and trust. My sagacious colleague, Mark Bowker, calls this
trend the Internet of Identities. It’s a trend that’s coming fast, but
ESG research indicates that many organizations are not prepared
for the onslaught, because:
• No one owns identity and access management (IAM). IAM
grew organically over the past 20 years as organizations
deployed applications, infrastructure, and security tools. Ac-
4 of 8
COMPUTERWORLD
tive Directory came in through Windows servers, VPNs and The “Internet of
VLANs came via Cisco, authentication technologies like RSA
SecureID were procured and managed by security teams, and
Identities” is a trend
so on. As a result, everyone has a piece of IAM, but no one that’s coming on
owns it across the enterprise. ESG research indicates that IT
fast, but research
infrastructure operations (49 percent) bear the majority of
IAM responsibility, but security (31 percent), app management indicates that many
(10 percent), app development (5 percent), and mobile app
organizations are
management (4 percent) teams are leaning in on IAM activi-
ties. Yup, when it comes to IAM, many organizations could be not prepared for
considered a jack-of-all-trades and a master of none. the onslaught.
• IAM is a prisoner of the cybersecurity skills shortage. Secu-
rity teams will be responsible for Internet of Identities policy
enforcement, controls, and end-to-end monitoring, but this
oversight may be impacted by the global cybersecurity skills
shortage. The research reveals that 27 percent of respondents
do not feel they have a sufficient level of IAM knowledge, and
31 percent of respondents do not feel that they have enough
individuals with IAM responsibilities on the information secu-
rity team. Security teams will run around like turkeys with their
heads cut off as IoT devices multiply in the coming years.
What will happen if organizations don’t address these issues?
Internet of Identities applications will be deployed haphazardly,
eGuide IDG Enterprise is COMPUTERWORLD

Download
network traffic patterns will go awry, productivity and up- 2. Appoint an IAM committee and owner. white paper
time will suffer, and security teams will have to scramble to Application developers, IT operations, and security personnel do
catch up. need to work collectively on IAM, but someone must steer the
6 Steps to
ship. CIOs, CISOs, and business managers must find a senior Identity
Three strategies to address IoT device person who has the right business process, IT, and security
IAM challenges chops, and who can be accountable for driving an IAM/Internet Assurance
So, what’s needed? Mark recommends enterprise organizations of Identities strategy that promotes business enablement, opera- Now that so many applications have
do the following: tional efficiency, and security efficacy. moved to the cloud, and users continue
to embrace mobility, your organization
1. Assess their enterprise IAM tactics and strategies. 3. Adopt an identity-centric approach to business policies. must work toward fully embracing the
Organizations must find the disconnects, scalability issues, As organizations approach new business initiatives, they should new opportunities this boundaryless
process overlap, and ownership structure—and then work make IT and security decisions based upon the individuals involved, world presents. At the same time, you

on a three-year project to integrate and interoperate the the devices they’ll use, the locations they work from, and the applica- must manage the risk that comes with
such openness. It’s time to shift tradi-
whole enchilada. tions and data they need to get their jobs done. It’s all about connect-
tional thinking away from authentication
ing the right people to the right tools and blocking everyone else.
as a static one-time event and move
towards a more modern authentication
strategy that doesn’t require a trade-off
between security and convenience. This
white paper provides guidance on the
six key elements to identity assurance
and how to increase security while opti-
infographic mizing the end user’s experience.

Is Your Authentication Strategy on Track? download now

Time and again, traditional authentication solutions have proven inadequate in protecting organizations from
external and insider threats. It’s no wonder: those authentication methods were built for a different time—when only
privileged users had remote access to systems via mobile devices, and the cloud was but a shadow on the horizon.
This infographic outlines the eight common authentication pitfalls and how you can make sure your authentication
strategy is on the right track.

download now

5 of 8
eGuide IDG Enterprise is
Identity management to-do list
aligns with cybersecurity
Large organizations want to monitor user activities, move to multi-factor
authentication, and get security more involved with IAM decisions.
BY JON OLTSIK, NETWORK WORLD | My colleague Mark
Bowker just completed some comprehensive research on
identity and access management (IAM) challenges, plans,
and strategies at enterprise organizations. As a cybersecu-
rity professional, I welcome this data. Identity management
should be a major component of an enterprise risk manage-
ment strategy, yet IAM technology decisions are often treated
tactically or left to application developers or IT operations
staff who don’t always prioritize security in their planning.
Security becomes a priority in IAM strategies
The ESG data suggest a change in the IAM weather—large or-
ganizations seem to be prioritizing security as part of their IAM
strategies. ESG asked 273 cybersecurity and IT professionals to
identify the initiatives that will be part of their IAM strategies over
the next 24 months. The data reveals:
• 29 percent say they will monitor user activities more compre-
hensively. In other words, they will be on the lookout for account
compromises and insider attacks. This may also be linked with
user and entity behavior analytics (UEBA) deployment.
6 of 8
COMPUTERWORLD
• 26 percent say they will replace user name/password au- Identity and access
thentication with multi-factor authentication (MFA) wherever
possible. While monitoring users can be seen as threat
management tech-
detection, MFA is clearly part of a threat prevention and a nology decisions are
sound risk management strategy. MFA proliferation may also
be related to GDPR or other compliance mandates.
often treated tacti-
• 23 percent say they will increase the participation of the cally or left to ap-
security group in IAM decisions. This supports the move to-
plication developers
ward threat prevention and detection described above. That’s
not surprising, since user accounts are often compromised or IT operations staff
using phishing attacks, social engineering, or keyloggers.
who don’t always
• 20 percent say they will hire more IAM specialists in the
cybersecurity department. Good idea—if you can find them. prioritize security in
The global cybersecurity skills shortage may make it difficult their planning.
to make this happen.
I was talking to a CISO a few years ago about the prolifera-
tion of cloud and mobile computing. In describing his security
response to these two trends, he said: “When I lose control of
devices and servers, I need to make sure to establish as much
eGuide IDG Enterprise is COMPUTERWORLD

Download
control as I can in two areas—identity management and data The ESG data demonstrates that some organizations are fol- newsletter
security.” So henceforth, my CISO friend plans to treat identity lowing this sagacious advice. It’s a good start. Mark and I will be
management (and data security) as new security perimeters. tracking how this trend progresses.
Gartner
Newsletter: The
Transformative
Power of Identity
This special report from RSA featuring
Gartner describes how digital transfor-
mation is changing the roles of identity
and access management (IAM) leaders
and how you can move from risk into
opportunity. Download this report for a
clear, actionable picture of how you and
your IAM team can adapt to accelerate
digital transformation.

download now

white paper

IDC Perspective: The Death of 2FA and the

Birth of Modern Authentication
Two-factor and multi-factor authentication are significant improvements over the use of passwords for authentica-
tion. However, the definition of multi-factor authentication was born in a different day and is based upon antiquated
technology and approaches. As technology and the world around it changes, our definition of and expectations for
authentication also need to change. IDC recommends looking beyond standard MFA and considering a modern
approach to authentication.
download now

7 of 8
eGuide IDG Enterprise is
Digital hijacking: My identity is gone
Wonder why your identity got stolen? Post-Equifax, this article highlights
a modern security strategy for the credit bureaus.
BY TOM KELLERMANN | September 8, 2017, will be remembered
as a day many Americans truly awakened to cybercrime. No longer
can we depend on the security of “our” digital identities. In March
2017, the ApacheStruts2 vulnerability was discovered and Equifax
became vulnerable to a cyber-intrusion of historic proportions.
It’s important to note that data exfiltration began in May—and
yet a patch was available. On September 8, 2017, the breach was
publicly announced (90 days post-mortem), and the company was
punished by Wall Street when its stock plummeted 31 percent.
As we grapple with the impact this breach has on the finan-
cial sector and upon our personal lives, we must accept the
reality that there is a governance issue here that contributed to
Equifax’s lack of preparedness. For starters, the company’s CISO
was reporting to its CIO. It’s time we awakened to the hostility
of cyberspace and the importance of security versus efficiency.
The CISO must be elevated to a true C-level position that reports
directly to the CEO and has an enhanced security budget outside
of IT. From a tactical perspective, Equifax should have patched the
system in a timely manner and deployed application white-listing.
Once realization of the breach had occurred, they should have put
together a hunt team to augment incident response and attack-
path mapping.
Now we wait for the inevitable identity theft to occur. As a
8 of 8
COMPUTERWORLD
society, it is imperative that we de-commoditize the Social It’s time we awak-
Security number, which was never intended to be an authentica-
tion measure. Cyber-criminals have been profiteering with
ened to the hostility
American identities for too long. Advances in technology can help of cyberspace and the
create a more secure digital-to-physical identity translation. Access
importance of security
to data files should require real-time adaptive authentication
checks using strong credentials with multiple factors, such as: versus efficiency.
• Human identity (including PII, credit, social profiles, biometrics)
• Environmental context (device, location, network, behaviors)
• Relationships (employment, background checks, certifications)
If deployed properly, these adaptive authentication checks
could stop external and internal hackers before data is accessed.
Once user attributes have been verified, they are typically bound
to an authentication credential for user login. These user at-
tributes need to be rechecked periodically using trusted data
sources. This combination of services will strengthen access con-
trols and make it extremely difficult for hackers to steal identities
and create synthetic identities for accessing online services.
September 8, 2017, was a day to remember—a day to remember
that we must take back the security of our digital identities and
challenge the corporations we trust to invest more in cybersecurity.