WASHINGTON, D.C. — Identity access management is at a crossroads.
Organizations want to modernize legacy identity infrastructure by implementing a more flexible, mobile-ready identity management system without disrupting security.
At identity and security conference Identiverse, the gap between legacy systems and contemporary identity access management systems was apparent among guests and during the main keynote, given by Andre Durand, CEO and founder at Ping Identity in Denver. Ping Identity was a conference sponsor.
In this Q&A, Durand talks about common challenges associated with identity access management, what artificial intelligence can bring to identity management and how managing identity within a workforce has changed as end users become more mobile.
What are some of the challenges IT admins experience when they implement an identity access management framework?
Andre Durand: Large enterprises are very distributed and the identity management landscape is fairly complicated. There’s a lot of customization and fragmentation in identity systems. Identity systems are mission-critical. They can never go down, but they must be modernized, and that’s a challenge a lot of organizations face.
The first step is modernization of legacy infrastructure. There was a certain amount of consolidation and cleanup over the last 20 years — and it’s foundational. Once you have that, the second step is to layer on intelligence. A lot of organizations are in the middle of the cleanup process, modernizing legacy systems and putting in a foundation for [multifactor authentication].
It seems like identity management and security management are merging.
Durand: Identity hasn’t been absorbed by security, but it’s becoming more important inside the security conversation. We anticipate spending to shift away from traditional security tech toward identity-based technology like [multifactor authentication].
Is this idea of hybrid IT, where infrastructure is both in the cloud and on premises, the way organizations will manage identity moving forward?
Durand: I don’t know if it’s preferred, but it’s required. I showed in the keynote that 22% of an enterprise’s workload is in the cloud. That means 78% of it is still on premises. By default, if you want identity to be the single pane across all applications and not have two identity systems, you need to be hybrid. Hybrid IT is the reality, and you need an identity management system to talk to all the applications no matter where they reside.
What role does AI play in identity access management?
Durand: Identity management is about connecting the dots — connecting users through a device to an application or resource. Invisibly, there’s an identity management system under the covers that checks if you have access to this application.
What it’s not doing today is looking at the full context of the access to an application or resource. It’s not looking at all the various signals related to user behavior to ask, “Have we seen this before?” and to see if it looks risky. We have that with credit card transactions.
The number of signals available to us is significantly larger than the number of signals we’re taking advantage of today. We’re going to use all of these signals, collect them over time and build out algorithms to sense anomalies. Right now, we build out the rules and the reaction is binary — if and then.
Policies aren’t going away, but there will be a blending of those with machine learning to gain better security and catch those anomalies.
How has mobility affected identity management in the enterprise?
Durand: Organizations want to make sure employees can access the things they’re supposed to be able to access. If they’re on their phone off the network, it’s best practice to have strong authentication to the company when they want to gain access. Something as simple as a Box account — an employee may use Dropbox as a consumer, but the company uses Box. But companies don’t want corporate material dragged into Dropbox. How do companies know employees are moving things to Box, and how do companies know what employees can access? That’s all identity management.
How do the gig economy and a generation of employees who move from job to job affect identity management?
Durand: Identity management, in the perfect world, would be automated. If you work at a company, HR would put you into Workday, for example. That HR system would automatically provision your identity into the company’s identity provider. Your identity automagically pops up where it needs to be.
Someone will look at your roles and membership to see what you can access. From a user experience point of view, you join and your identity goes where it should go and you get your single sign-on [SSO] portal.
SSO allows you into those apps. When you leave, companies can deprovision you and that removes you from those applications. When it’s working properly, it should just be one click for HR.
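The joiner/leaver flow Durand describes, with the HR system as the source of truth and the identity provider kept in step with it, comes down to a reconciliation: compare the HR feed with the accounts the identity provider actually holds and emit the provisioning and deprovisioning actions that close the gap. The example below is added here and is not Ping Identity's code; the HR records, account list and group names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    """One row of the HR feed (the authoritative record for a person)."""
    employee_id: str
    email: str
    status: str            # "active" or "terminated"
    roles: frozenset       # entitlements HR says this person should hold


@dataclass(frozen=True)
class IdpAccount:
    """One account as the identity provider currently sees it."""
    email: str
    enabled: bool
    groups: frozenset      # groups that drive SSO app access


def reconcile(hr, idp):
    """Return (action, email, groups) tuples that make the IdP match HR.

    Active HR records without an account get 'provision'; terminated
    records that still have an enabled account get 'deprovision'; role
    drift gets 'add_groups'/'remove_groups'; enabled accounts with no HR
    record at all are flagged as 'orphan' for a human to review.
    """
    hr_by_email = {r.email: r for r in hr}
    idp_by_email = {a.email: a for a in idp}
    actions = []
    for email, rec in hr_by_email.items():
        acct = idp_by_email.get(email)
        if rec.status == "active":
            if acct is None:
                actions.append(("provision", email, sorted(rec.roles)))
            elif not acct.enabled:
                actions.append(("enable", email, sorted(rec.roles)))
            else:
                extra, missing = acct.groups - rec.roles, rec.roles - acct.groups
                if extra:
                    actions.append(("remove_groups", email, sorted(extra)))
                if missing:
                    actions.append(("add_groups", email, sorted(missing)))
        elif acct is not None and acct.enabled:
            actions.append(("deprovision", email, []))
    for email, acct in idp_by_email.items():
        if email not in hr_by_email and acct.enabled:
            actions.append(("orphan", email, sorted(acct.groups)))
    return actions


# Constructed sample data: one leaver still enabled, one joiner not yet
# provisioned, one account with no HR backing, one missing a group.
HR_FEED = [
    HrRecord("1001", "alice@example.com", "active", frozenset({"finance", "box"})),
    HrRecord("1002", "bob@example.com", "terminated", frozenset()),
    HrRecord("1003", "carol@example.com", "active", frozenset({"engineering"})),
]
IDP_ACCOUNTS = [
    IdpAccount("alice@example.com", True, frozenset({"finance"})),
    IdpAccount("bob@example.com", True, frozenset({"box"})),
    IdpAccount("mallory@example.com", True, frozenset({"admins"})),
]
```

Running `reconcile(HR_FEED, IDP_ACCOUNTS)` on the sample yields the deprovision for the leaver, the provision for the joiner, the missing group for alice, and the orphaned account; in a real deployment the actions would be fed to the IdP's provisioning API and the orphan list to a review queue.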