Navigate ’16 was a fantastic gathering last week. There was a lot of excitement around identity, and I met many terrific attendees and learned quite a bit during the show. One of the things that surprised me is how drastically the identity management landscape has changed over the years. I’ve been writing about information security, and a big part of that has included writing about identity management, for nearly 20 years now. The challenges today are much greater, as is the importance of identity management, than at any other time.
It used to be that identities were managed primarily for access to the network, applications and other resources on a local area network, with only very large companies, such as those that operated wide area networks, concerned much beyond that. And back then, most users accessed a couple dozen applications, or fewer. Firewalls and VPNs ruled the day. Even when Web apps and Web sites leaped onto the scene in the great e-commerce run-up leading into 2000, there were far fewer resources that needed to be provisioned then than there are today – even as single sign-on and the extended enterprise grabbed attention and began to grow exponentially.
With that context in mind, here are some of the lessons I learned during my week at Navigate:
Identity management must be seamless to manage
The rate of cloud adoption by larger enterprises is stunning. It’s not just that the rate of adoption is high – the rate itself is accelerating. Most of the large customers I spoke with at Navigate had significant plans to decommission their on-premises systems and move to cloud, with virtually all new deployments and services being eyed for cloud-first implementations.
The research firm IDC predicts that by 2019 enterprises will be spending more than $140 billion on cloud services. Much of that will be spent within shadow IT, or cloud purchases made outside of the purview of IT.
This presents a huge challenge, as well as an opportunity, to enterprises. The challenge is getting these shadow IT accounts under IT’s governance when it makes sense for such access to cloud services to be managed. This could include those instances when regulated or sensitive intellectual property is being handled.
The opportunity? By identifying the cloud services users are choosing and accessing on their own, IT leadership gets a direct peek into the pain points employees are trying to solve. That makes shadow IT use the perfect time to step in, provide guidance and alternatives, and show the ways IT can provide value to business users.
Your users must want to actually use your toolsets
Convenience and improving the end-user experience have always been a big part of identity management, whether through single sign-on or swifter provisioning of users to enterprise data and assets.
This has never been more important than now. Younger business leaders are accustomed to doing things on mobile, and have little patience for apps that force them to a desktop or to use an antiquated user interface. These young business leaders want to manage things on mobile devices, and identity management is no different. Enterprise IT needs to provide them ways to work the way they like and want to work. And when business users are enabled to work the way they want, they’re less likely to procrastinate and more likely to do what needs to get done. That will help to indirectly improve identity governance.
Also, with the rapid growth of all of the disparate SaaS applications and cloud services, single sign-on is more important now than it’s ever been as a way to slash end-user access frustration and eliminate friction to access the apps and resources users need.
Unstructured data is a big, growing challenge
While it’s certainly not easy to accomplish and maintain, we do know a lot about what it takes to solve many of the challenges surrounding identity and application access. What is proving to be more of a challenge for many enterprises to understand, based on many of the users I spoke with at the show, is getting a firm grip on all of their unstructured data. Unstructured data is the data that rests in files, file shares, Microsoft SharePoint, and cloud storage services.
According to SailPoint President and Co-Founder Kevin Cunningham’s keynote, it is estimated that 80 percent of an organization’s data is in unstructured format. “A lot of this data needs to be locked up inside databases or secured by applications but it’s no longer under that protection. It’s been pulled out. Why? Because people like to share lots of stuff and it’s easy to do,” Cunningham said. “Our surveys show that one in four employees regularly uploads sensitive information into cloud storage applications like Office365 and Dropbox. This data is largely un-managed. Often they don’t know who owns it, how it got there, or who’s even accessing it,” Cunningham said.
That’s just not an acceptable status quo.
A breach isn’t failure; failing to rapidly identify and respond to one is
We all know that identity plays a crucial role in defending enterprises from attack. It does so in ways ranging from username/password combinations to multifactor authentication, protecting privileged accounts, monitoring user access and more. But as I learned during SailPoint CTO and CISO Darran Rolls’ presentation, too many enterprises likely overlook the detective control a mature IAM program can provide.
Monitoring for anomalies such as privileged account abuse, unusual logons by location or time of day, or even logons from unusual parts of the network are just a few of the possible ways identity can be used to spot attacks. More enterprises should take better advantage of these capabilities. It’s fundamental that we think of IAM processes as being on the front line of attack detection and prevention.
Cloud sprawl is a major enterprise pain point
During SailPoint VP of Product Management Paul Trulove’s presentation, and from conversations throughout the show, it became clear that cloud is growing much more rapidly than I had fully realized. Another change is that enterprise workers are pulling their organizations into the cloud faster than anyone had predicted, as we noted above. And according to Gartner, even the weakest areas of SaaS growth are growing at nearly 20 percent a year.
Gartner also forecasts that by 2017, 50 percent of enterprises will be using hybrid cloud. Using identity to help manage access to public, private, and cloud-based applications and platforms is top-of-mind for most of the participants I spoke with.
Identity as a honeypot
I’d not previously thought of identity as a potential offensive security tool. In Rolls’ presentation I learned about the concept of “IAM Sensors.” As Rolls explained, an IAM Sensor can detect attacks through two practical methods. “The first is something we call account honeypots. These are like the kinds of general server honeypots that many in security have heard about, but these are account honeypots. They’re really fake accounts with login alerts,” he explained. This could include attributes such as deliberately weak passwords.
Should anyone log in to these account honeypots, alerts will be sent to the appropriate teams. The second technique is what Rolls called “file and folder tripwires.” Should anyone access or move these decoy files and folders, alerts will also be sent.
These sound like great ideas to me: something that can identify likely attackers without causing too many false positives.
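To make the IAM-as-sensor idea concrete, here is an added example (not code from the post, from SailPoint, or from Rolls’ presentation) that runs the detections described in the two sections above over constructed log lines: logins to honeypot accounts, access to tripwire files, and the off-hours and new-location logon anomalies mentioned earlier. The account names, file paths, business hours and per-user location baseline are all assumptions made for the example.

```python
import json
from datetime import datetime

# Decoy identities and decoy files; the names are assumptions for this example.
HONEYPOT_ACCOUNTS = {"svc-backup-old", "admin-legacy"}
TRIPWIRE_PATHS = {"//fileshare/finance/payroll_draft.xlsx"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time, assumed

# Constructed baseline of where each real user normally logs on from.
USER_BASELINE = {"jdoe": {"austin"}, "asmith": {"austin", "london"}}

# Constructed sample authentication and file-access events, one JSON record per line.
SAMPLE_LOG = """\
{"ts": "2016-06-14T09:02:11", "event": "logon", "result": "success", "user": "jdoe", "src": "10.1.4.22", "geo": "austin"}
{"ts": "2016-06-14T02:13:40", "event": "logon", "result": "success", "user": "jdoe", "src": "203.0.113.9", "geo": "kyiv"}
{"ts": "2016-06-14T02:14:05", "event": "logon", "result": "failure", "user": "admin-legacy", "src": "203.0.113.9", "geo": "kyiv"}
{"ts": "2016-06-14T10:30:00", "event": "file_access", "user": "asmith", "path": "//fileshare/finance/q2_summary.docx"}
{"ts": "2016-06-14T02:15:12", "event": "file_access", "user": "jdoe", "path": "//fileshare/finance/payroll_draft.xlsx"}
"""


def detect(log_text, baseline=USER_BASELINE):
    """Return a list of (alert_type, user, detail) tuples for the given log text."""
    alerts = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        user = ev["user"]
        hour = datetime.fromisoformat(ev["ts"]).hour
        if ev["event"] == "logon":
            # Honeypot accounts have no legitimate user, so any attempt, even a failed one, fires.
            if user in HONEYPOT_ACCOUNTS:
                alerts.append(("honeypot_logon", user, ev["src"]))
                continue
            if ev["result"] != "success":
                continue  # behavioural checks below only apply to real, successful logons
            if hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_logon", user, ev["ts"]))
            if user in baseline and ev["geo"] not in baseline[user]:
                alerts.append(("new_location_logon", user, ev["geo"]))
        elif ev["event"] == "file_access" and ev["path"] in TRIPWIRE_PATHS:
            # Decoy files are never touched by normal work, so any access fires.
            alerts.append(("tripwire_access", user, ev["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The honeypot and tripwire rules need no baseline at all, which is why they produce so few false positives; the off-hours and new-location rules depend on how good the per-user baseline is.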
During the show I also collected a lot of great user stories and conducted a number of interesting interviews that we’ll be sharing here on the blog. Please keep an eye out for them!