IAM Trends - 2017

Nulli keeps current and helps our peers in the industry do the same  by attending several conferences dedicated to identity and security. One that I recently attended and spoke at on matters related to Identity  and Access Management (IAM) was the Cloud Identity Summit (CIS)1. Trends I followed and spoke about during the CIS included:

Machine Learning: The theme of the CIS this year  was intelligent identity and focused on the rapid growth of Machine  Learning (ML) as applied to Identity and Access Management. Nulli  recognizes this massive increase in managing identities with our trademark positioning line of : Everyone. Every thing. Everywhere™. The  volume of access decisions required to be vetted by access management  software calls for a new paradigm.

IAM systems must be able to generalize and make decisions for even  unforeseen authorization conditions. The current approach of relying on  exhaustive rules tables or manual intervention is not sustainable.  Google, Microsoft or IBM, all presenting at CIS this year, now leverage  the mountain of data at their disposal to train custom ML algorithms to  provide access decisions in real-time with some impressive results.

IRM: Nulli recognized the need for a paradigm shift  that could address the increased demand for flexible and manageable  access policies. Nulli is deploying solutions based on contextual  identity relationship management (IRM) as sustained in graph databases  like Neo4j. IRM principles make rapid deployment and ease of maintenance for  relationship based policy decision points (PDP) as well as policy  enforcement points (PEP) possible within IAM strategic plans.

The European Union General Data Protection Regulation: (GDPR)  has been a hot topic this year, and has a huge impact on all IAM  businesses worldwide. Given the importance of the EU market, software  vendors can not ignore it. GDPR comes into effect May 25th 2018. These  new regulations introduce key changes to existing laws, including in brief:

  • Increased privacy for end users and privacy by design.
  • Increased penalties for non-compliance.
  • More stringent rules around consent.
  • Requests for consent must now be legible and simple and tracked.
  • Right to access: subjects can request access to their stored data at any time.
  • Right to be forgotten: subjects can request complete deletion of their user data at anytime.  

The biggest change though is probably the increased territorial scope  of the regulation. GPDR applies to any IT system handling European  personal data, regardless of where the processing actually happens. US  companies running code in US data centers will therefore have to comply  as long as they process European personal data. It is easy to see why  the Googles of this world are scrambling.

IoT: “Things” are a hot topic, with their numbers  increasing exponentially. Nulli continues to promote the development of  contextual identities to define or augment access policies for  authorization decisions. IAM platforms now provide some level of IoT  support but need to better manage authorization decisions.

Constrained Devices: Devices are generally unable  to securely access the internet due to limitations in compute power or  connectivity security. There is a rise of new Edge Compute Server  offerings that secure constrained devices by employing specialized chips  like Trustonics and ARM that provide native/embedded safe zones as well  as new communication standards like COAP  and use of “old timer” standard MQTT. Nulli is working with clients to  leverage a consolidated edge computing platform for secure  communications and identity relationship management.

IRM and Graphs: Several sessions, including my own,  were dedicated to Identity Relationship Management (IRM) and Graph  data. Nulli is leading the move to embrace graphs, like Neo4j for  securing IAM in real-world projects. Graphs are perfectly suited for the  complex authorization requirements we see nowadays, especially with  IoT. Look for information on this subject in a coming post on the Nulli  graph-based authorization data model.

Open Standards: OpenID Connect, OAuth, UMA and SCIM have wider adoption and have become mature. OAuth in particular keeps being extended  to fulfill an ever-increasing number of use-cases; see for example the  new Device Flow, Token Introspection, PKCE (“pixie”), etc… UMA 2.0 was  also announced, with various enhancements to the flows it supports (see  Justin Richer’s account here for details).

MFA and the rise of FIDO: Multi-Factor devices using the FIDO standard are on the rise, being promoted by Google and Facebook supporting Yubikeys  as a 2nd factor, among others. Second factor crypto-keys are still  currently deemed the safest way to ensure a second factor for  authentication. Numerous vendors provide a wide range of FIDO-capable  solutions, ranging from keys (USB, NFC or bluetooth) to even heartbeat  authenticators like Nymi.  Now that One Time Passwords (OTPs) are becoming easier to phish,  organizations need to be looking at new tools like these to keep on top  of security threats they face.

Professional recognition: Spearheaded by Ian Glazer, the new IDPro  organization “helps define, support, and improve the digital identity  profession globally”. IAM professionals now have somewhere to turn for  help. Expect a certification program soon – Nulli is interested to hear  more about customer requests for this level of certification and what it  would mean for a services organization to have certified IAM  professionals.

In summary, things are changing quickly and it is important to keep  up. There is a lot on our IAM plate at Nulli as we continue to update  our expertise to deliver leading specialized knowledge for our customers  and peers.

Cloud Identity Summit was created by Ping Identity  sometime in 2010, CIS has attracted more and more professionals from all  horizons every year, and grew to over 1500 attendees this year. The  Summit culminated with the announcement of its transformation in 2018  into a full-fledged conference (not just a mere summit anymore): the first Identiverse.