Mark McClain on the Big Trends in Identity
In a recent conversation with SailPoint CEO and co-founder Mark McClain, we discussed some of the challenges identity teams face when it comes to the new frontiers in identity. In this conversation, we dig a little deeper for trends that Mark sees brewing under the surface.
Here we tackled blockchain and access management, trends in authentication, Zero Trust, artificial intelligence (AI), and emergent risks of IoT.
Our conversation follows.
What impact do you see regarding blockchain and identity management? What areas will it have the largest impact?
I think we’re seeing that at the edges, at least when it comes to our part of the environment, which is identity governance. Darran Rolls spoke about this in his talk at Navigate this year. And I agree with his view that blockchain is more likely to gain momentum in the area of authentication. The idea of using a shared digital ledger as a way to authenticate seems like a likely outcome when it comes to the commercial deployment of blockchain technology that is viable.
Still, I don’t see blockchain gaining traction in identity governance anytime soon. I think there will be a need to govern blockchain-oriented applications and blockchain-oriented technologies. And the most likely blockchain applications now will be new ways to manage financial data.
One of the trends we’ve noticed is the heavy focus on strong authentication recently. It’s like the old information security analogy about the hard network exterior and the soft gooshy interior.
The gumball. Yes. I think that the industry’s big term right now—one that Google popularized—is Zero Trust. That’s the view that there really isn’t an effective perimeter defense anymore. Everybody is always considered an outsider and, therefore, must always be strongly authenticated for everything. That’s loosely the Zero Trust concept. Everybody’s non-trusted, so you have to strongly authenticate for everything. Our primary push back regarding Zero Trust is that it technically requires a lot of rewiring of a lot of legacy applications. I don’t know how quickly enterprises are going to do what is needed to be done across their environments.
There’s a reason that the vast majority of applications are secured by a password. If you look at the bulk of applications inside enterprises today, they’re absolutely not Zero Trust. They’re behind a firewall and, therefore, people assume they’re safe and they don’t require strong authentication. I think we are a long way away from that being a fundamental shift in the IT landscape.
What I think people are doing today is starting to apply multi-factor authentication to their most critical systems and data. This is why I think Zero Trust is coming. The percentage of password-only secured websites is coming down as more people use multi-factor authentication. It’s just going to take longer within the enterprise than many expect.
Where do you see the state of AI in the security industry right now?
IT teams are constantly trying to do more with less, and there’s this thought that by bringing in these technologies it will make the enterprise more efficient. But there’s always a learning curve that has to be worked through. When it comes to AI, in the short run, the learning curve might make enterprises less efficient. But that will be temporary.
Eventually, enterprises will figure it out. They will figure out where and how to effectively apply AI. Still, I think in the short run, AI and machine learning are not increasing efficiency a lot. I think there’s a hill there that we’ll get over in the next few years, as people get more comfortable with a lot of those technologies. Over time, however, it’s going to prove very powerful.
Do you think software vendors will get better at making AI more accessible to enterprises? Currently there’s too much of an expectation for application developers to be data scientists.
I think that’s right. And I think AI will come faster from within the vendor community than it will from within organizations. This is because vendors are going to look for ways to leverage AI capabilities, and it will bring benefits across all of their clients. And there’s certainly a lot of pressure on software vendors to figure out how to leverage AI technologies, for sure.
Without a doubt, using AI technologies is going to get easier for enterprises in the upcoming years.
There’s a lot of conversation around IoT being an attack vector. Do you see IoT being a risk for enterprise data breaches any time soon?
What adversaries attack is always changing. It was once the network layer, then they targeted operating systems. Soon it moved up to applications and then out to web applications. These relatively new devices are certainly an extension of the enterprise attack surface.
That’s why I do think that IoT is a threat vector. I don’t know that I would predict with high confidence that you will see a well-known breach that’s attributed to bots next year, but I think it’s a matter of time. I do think we will see breach activity related to bots sometime in the near to mid-term; I just think it’s another attack surface that will be exploited somehow, someway.
The bad guys are too good at what they do, and they’ll find a way to get to enterprises through vulnerable IoT.