
Cloud Computing Chaos Drives Identity Management Changes

Author: Jon Oltsik

I was recently reminded of something a CISO said to me a few years ago. This security executive mentioned that his organization was struggling to maintain tight security controls in an era of cloud computing and mobility. As a result, his organization had increased its focus in two areas: identity management and data security. He stated, “with the rise of cloud and mobility, identity and data security are the new security perimeters.”

I mentioned this conversation to my colleague Mark Bowker, who covers identity management at ESG. Mark responded that the CISO's conclusions are clearly characterized in some recent ESG research data. For example, 61% of respondents believe IAM is more difficult today than it was 2 years ago. Why are things more difficult? Survey respondents pointed to cloud computing and mobility as two primary drivers but also mentioned increasing cyber-threats and the lack of a comprehensive IAM strategy.

Unfortunately, IAM problems may be getting worse as a function of cloud computing innovation.

Organizations continue to increase their use of cloud computing, and the technology itself continues to follow a pace of rapid innovation. Most large firms now employ heterogeneous hybrid clouds including multiple public and private cloud services and technologies. Furthermore, many firms have a mix of virtual servers, bare-metal servers, containers, and applications based upon micro-services.

So much is happening so quickly that it’s driving cloud computing chaos – massive and constant change. This flies in the face of the old cybersecurity adage that change is the enemy of security. This chaotic situation is especially pronounced with identity management, which tends to be a patchwork infrastructure that is touched by many but that no one really owns. In other words, cloud computing expansion is stressing an already brittle IAM system.

As cloud and mobile computing expose cracks in IAM, Mark is focused on a few key areas including:

  • Single sign-on (SSO): Cloud computing and mobility are driving a tsunami of new applications and associated application authentication and access controls. For the most part, this really means more user names and passwords to provision, memorize, and monitor – a nightmare for users, IT operations, and security teams. Mark is carefully watching what large organizations are doing in this area including deploying new SSO technologies and working with identity-as-a-service providers like Centrify, Okta, Ping, and RSA Security. I’m collaborating with Mark to assess the impact that software-defined perimeter (SDP) technologies will have here as well.
  • Multi-factor authentication (MFA). ESG research indicates that 65% of organizations use some form of multi-factor authentication but only for a small percentage of their applications. Cloud and mobile computing are creating an urgency to greatly increase MFA proliferation and usage within enterprise organizations. Mark is watching MFA, especially how mobile-based biometric technologies like thumbprint readers and facial recognition could be game-changers.
  • IAM centralization. When you talk about IT technology silos, identity management takes the cake as it is made up of a morass of application controls, network controls, administration tools, etc. Cloud and mobile have further exacerbated this mess as it’s not unusual for organizations to have redundant IAM technologies to manage identity in these areas. Mark believes a great IAM reckoning is coming where organizations FINALLY replace siloed technologies with centralized identity services from vendors like Google, IBM, Microsoft, Oracle, etc.
  • IAM skills. Given the global IT skills shortage, it’s not surprising that 27% of organizations lack the right IAM skills while 31% of organizations claim they don’t have enough IAM specialists. Mark believes this skills shortage will drive IAM automation, consolidation, integration, and machine learning.

As my CISO friend said, identity and data are the new security perimeters. It’s time that organizations realize this and fortify themselves in both areas.


Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s cybersecurity service.