Recently, I had the pleasure of attending SailPoint’s Navigate ’16 identity management conference. I’ve always been interested in the identity management aspect of security. Many of the first wave of identity management vendors launched around 1999, when I started covering information security as a full-time focus. These vendors dealt with all of the identity challenges that we deal with today—provisioning employees and partners to the resources they need efficiently and effectively, keeping systems secured by making certain people can only access the right data and resources, improving user experience through efforts such as single sign-on, managing privileged accounts, and all the other associated challenges.
While much of identity management is the same, it’s also quite different in how the challenges have evolved. Today there are more systems with identities to manage. As the number of devices increases, that will grow exponentially over the years ahead. Plus, with agile development methods and approaches to IT management such as DevOps, technology development is moving much more quickly. Finally, IT has much less centralized control now over users than it did 16 years ago.
Here’s how the rapid expansion of cloud and devices is creating a greater need for identity governance.
Identity Management and Cloud Growth
I thought managing identities was as complex as it was going to get when corporate LANs erupted into intranets and the web. At the time, re-tooling and scaling directories made for LANs/WANs to the web and web-based services was a challenge. But today, the burst of cloud-based systems, both private and public cloud and software as a service (SaaS), coupled with the many existing on-premises and web-based systems, has made identity management efforts more complex than ever.
According to the most recent Bitglass Cloud Adoption Report, 48 percent of enterprises now use a cloud-based productivity suite, up from 28 percent in 2014. In EMEA, 59 percent are adopting cloud suites, as are 61 percent in APAC, compared to 48 percent in North America.
There’s no doubt cloud-based services have increased the number and nature of how identities are created, managed, deleted and governed. And the security of these data and resources likely comes down to how well identities are managed.
The Long Shadow Within IT
As I mentioned above, there is a lot less (like it or not) centralized control in enterprise technology today. More users are bringing their own devices, as we know, and more business managers and users are procuring their own cloud services, from storage and infrastructure to cloud platforms and SaaS applications.
According to a CIO.com article published last year, “CIOs vastly underestimate extent of shadow IT,” analysis by Cisco Systems found the typical enterprise has up to 22 times more cloud services running than it believes. The CIOs surveyed estimated their enterprises were running about 51 cloud services. Reality? There were 730 cloud services running.
I’ve always argued that Shadow IT should be embraced, not fought. It is a way to see what users need and the services they want to use, and it’s a way to engage with users. That’s not to say IT needs to—or should—let Shadow IT be a free-for-all. It shouldn’t. IT needs to manage the types of devices users can select, the services they can use and the data that can be used in those services, not to mention the regulatory and policy compliance checks. None of that goes away.
But identity and access is a great way for CIOs and IT to help users safely embrace Shadow IT.
The Challenge of Managing Device Identity
It’s not just human identities and applications and services. There are more and more IoT devices whose “identity” and set of privileges must be managed as part of enterprise systems management, data, privacy, security and availability. Gartner expects there to be 21 billion connected Internet of Things (IoT) devices by 2020.
Again, identity is central to managing access and the privileges IoT devices have, as well as auditing use and activity.
Gartner agrees: “IAM leaders must reconsider how traditional approaches to cybersecurity and IAM work in a world where devices and services are so abundant, in so many different forms and positioned at so many different points within the IT ecosystem,” said Earl Perkins, research vice president at Gartner.
Based on conversations at the show, it’s also top of mind with most CIOs.
The Scale of Cloud Services Challenges Identity
The dramatic growth of apps and cloud services is taking its toll. Years ago, securing apps meant throwing up some firewalls, setting up a virtual private network and providing access control to applications and networked resources. But with the explosion of apps, cloud services, devices and data, such approaches are antiquated. We didn’t know it then, but that was about as simple as security was going to get.
All of this requires incredibly well-scaled identity management efforts. In addition to the traditional seasonal or event-driven surges in identity management issues, companies could see surges from devices or users accessing systems at all times and from anywhere. Scaling with this requires identity management and directories eventually to be in the cloud. While most enterprises are hybrid now—unless they formed in the past 10 years—there is plenty of legacy, on-premises and cloud needing management.
However, in a decade, there will be many more large enterprises fully in the cloud, and identity management technology will follow.