Identity and access management is still a booming market – but are we doing it right?
According to research firm MarketsandMarkets, the global market for IAM was $7.2 billion last year. By 2020, it will reach $12.78 billion, it said. That represents a 12.2 per cent compound annual growth rate.
Identity management has evolved significantly in the last couple of decades. When it started, it consisted mainly of shunting lists of usernames and passwords between isolated systems. Then directories came along, and enabled organizations to share them across different applications. Those directories began documenting privileges, so that different members could have access to different sets of applications. They also started adding authentication data via digital certificates.
Since then, the product category has become a lot more complex, layering additional functions such as access governance, which provides compliance reporting on who is accessing what, and helps companies to ‘mine’ data about which roles their employees have. Privileged account management helps companies to keep a close eye on how accounts with lots of access are being used.
A broken model
But some experts are unhappy about how identity management has evolved. Paul Simmonds, CEO of the Global Identity Foundation (GIF), is a former CISO at Astra Zeneca, and was also a core member of the Jericho Forum, a project within the Open Group that explored how security needed to evolve as corporate boundaries shifted.
Simmonds thinks that identity is still broken in 2016. Organizations still use identity management systems that authenticate users entirely or not at all, he warned.
“What’s missing is a global framework to allow good risk-based decisions that match my risk-appetite for this particular transaction,” he said.
So, maybe a company is happy for a customer to access some functions related to their account if they’re logging in with an unknown device in a part of the world where they aren’t normally travelling, but would give them more access if they were logging in from their home, using fingerprint authentication on a mobile device the company knew. That would help companies to manage their operational risk.
“The best people at this, the banks doing e-banking, bolt on enough stuff to keep their losses below four per cent,” he said. “But this is proprietary.”
Simmonds speaks in detail about GIF’s own approach to ID management, which he calls Identity 3.0, here:
Simmonds sees proprietary ID management as a core problem. Companies are still using ID management frameworks that handle everything from issuing to authenticating an ID. The company using an ID (such as your employer) issues and controls all of the data that it uses to identify you. Simmonds warns that this makes it difficult to use your single identity across multiple organizations.
Instead, he recommends splitting identity management into identity, entitlement, and access management. Authoritative sources can issue and attest to certain attributes (a government might confirm a person’s date and place of birth and eye colour, say). Entities such as people who want to be identified can pass those attributes to other entities (such as companies) that want to identify them. Entitlement systems provide privilege rules based on the attributes provided and the level of risk allowed.
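The split described above, as an added illustration that is not part of the article or of GIF’s own work: an authoritative source attests attributes, the relying party verifies the attestation before trusting any of them, and an entitlement rule combines the verified attributes with a risk score built from the login context (known device, usual location, authentication method, as in the e-banking scenario earlier). Issuer keys, weights and rules are constructed for this example, and HMAC stands in for the issuer’s signature.

```python
import hmac, hashlib, json

# Constructed issuer keys: a real deployment would check the authoritative
# source's signature with its public key; HMAC stands in for that here.
ISSUER_KEYS = {"gov-registry": b"constructed-issuer-secret"}

def attest(issuer, subject, attributes):
    """Authoritative source attests a set of attributes about a subject."""
    payload = json.dumps({"iss": issuer, "sub": subject, "attrs": attributes},
                         sort_keys=True).encode()
    tag = hmac.new(ISSUER_KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

def verify(assertion):
    """Relying party: return the attributes, or None if issuer/tag fail."""
    claims = json.loads(assertion["payload"])
    key = ISSUER_KEYS.get(claims.get("iss"))
    if key is None:
        return None                 # issuer is not one we trust
    expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["tag"]):
        return None                 # attributes were altered in transit
    return claims["attrs"]

def risk_score(context):
    """Constructed weights: unknown device, unusual place, weaker auth."""
    score = 0 if context["device_known"] else 25
    score += 0 if context["location_usual"] else 20
    score += {"fingerprint": 0, "password": 15}.get(context["auth_method"], 40)
    return score

# Entitlement rules, most privileged first: (max risk tolerated,
# attributes that must be attested, access level granted).
RULES = [
    (10, {"account_holder"}, "full"),
    (60, {"account_holder"}, "limited"),   # e.g. view balance only
]

def entitle(assertion, context):
    """Combine verified attributes with the risk score to pick an access level."""
    attrs = verify(assertion)
    if attrs is None:
        return "deny"               # unverifiable attributes grant nothing
    held = {name for name, value in attrs.items() if value}
    score = risk_score(context)
    for max_risk, required, level in RULES:
        if score <= max_risk and required <= held:
            return level
    return "deny"
```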
This would make it easier to create global systems for identity, moving us away from our current password-based hell, in which we manage multiple insecure login credentials for individual sites. It also paves the way for identity management in the Internet of Things, where other entities need to identify themselves to each other. The day is soon coming when devices, organisations, code and agents all need to prove who – or what – they are to each other.
Are we there yet? Not by a long shot. It would require some governmental involvement to get it moving. The U.K. and U.S. governments are trying to establish ID systems, with their Gov.UK Verify and the National Strategy for Trusted Identities in Cyberspace, respectively.
In Canada, the Digital ID & Authentication Council of Canada continues to work with the Canadian government on establishing a Canadian digital identity framework, although there haven’t been any updates to its website in over six months.
The question is, will these initiatives learn from the past, or make the same mistakes?