
RSA Security director dissects identity & access management industry

13 Mar 2018

The Gartner Identity & Access Management Summit recently took place in London where I had the chance to speak with RSA Security identity governance and lifecycle director Steve Mowll.

As well as emerging technologies in the industry, Mowll spoke about the future, the implications of GDPR, and strategies that businesses can use to overcome the challenges to security that are emerging as a result of the rapid adoption of cloud computing.

Current trends in the industry

Blockchain was a major topic of discussion at the Summit and Mowll says it has a lot of potential to solve problems like identity proofing and dynamic access management.

“However, after two years of talk in the identity industry, it has yet to be adopted into any ‘live’ mainstream use, apart from its original use in cryptocurrency,” says Mowll.

“With the improvements in mobile tech, biometrics are becoming a much more popular and convenient option for authentication, and many companies and vendors have adopted it as a way to move away from the password. By allowing the private biometric data to reside on the user’s own device, mobile biometric authentication often removes the burden of having to manage and secure this personally-identifiable data, allaying privacy concerns.”

Mowll says analytics is also playing a huge role within authentication and identity governance and administration processes, helping to improve the decision-making process for organisations.

“These analytics are also starting to combine data from other IT Security technologies such as user activity information from the SIEM, and third party and application risk data from the GRC platform. This will help businesses to better understand what they need to do to reduce risk not just in terms of identity, but for the organisation as a whole,” says Mowll.

“These increased analytical capabilities will also allow Identity processes to become more convenient for end users. Currently, the pain of identity management within enterprise organisations continues to be felt – whether it’s new users not having the access they need when they start a new job, or risk professionals having to review thousands of accesses with no real context. Identity & Risk Analytics will soon reduce, and in some cases completely remove, these pains, and let the business get on with their day job.”

Centralised technologies for the future

Mowll believes centralised services that collect identity data points to understand identity risk in a broader context will transform the identity management industry in the future by sharing data across the whole IT security ecosystem with governance, risk and compliance.

“Using insights – from threat detection to user behaviour analytics and privileged access management – these technologies can reduce the friction within business processes (such as access request and approval, recertification and authentication), while also providing a greatly enhanced understanding of identity risk to these security functions,” says Mowll.

GDPR

Mowll says that knowing who has access to what, and determining whether that access is appropriate, has been a requirement of many regulations and standards throughout the years.

“GDPR will increase the scope of applications needing identity governance to include applications holding personal data,” says Mowll.

“Data access governance will also become more important as companies look to understand where personal data exists in their unstructured data environments and determine who has access to it. For these reasons GDPR will continue to increase the value of identity & access management as part of an organisation’s IT security practices.”

Tips for overcoming challenges

Mowll says businesses can overcome the challenges presented by third party cloud apps by demanding standard interfaces throughout identity and access management practices.

“While authentication standards such as SAML are common across cloud platforms, corresponding standards for access management are not,” says Mowll.

“Many identity professionals talk about simple cloud identity management, but the reality is that many cloud services do not support it. This means while you can get your users onto the service, the way you manage their access is different with every vendor.”
