Most organizations struggle to implement a consolidated identity management system that is easy for end users to navigate. However, soon, identity management tools will improve an outdated market.
Although identity and access management (IAM) products have been around for some time, many are ill-equipped to handle an influx of device diversity, user access methods and application variety. Further, many organizations implement little or no upgrades to already installed systems. Fortunately, methodologies are on the horizon -- although it will take several years for them to fully play out.
The current identity management market
Currently, most companies use username and password credentials determine corporate access, but these methods are often susceptible to phishing and other attacks. A number of companies, particularly in high-security industries, such as finance, government and healthcare, use additional multifactor authentication tools, such as RSA SecurID, which significantly enhance the level of security and limits credential theft. However, most end users find these tools cumbersome, and they often push back on their use.
identity management tools that use biometrics for fingerprint, facial or voice recognition are now on the market, but security for these methods is questionable for high-security environments. Biometric systems need to store comparison data, which can be hacked.
Some advanced biometrics systems, like on the iPhone X, add security to otherwise rudimentary capabilities. Adding security measures, such as facial recognition, is a good step, but there needs to be much more.
Components such as keystroke analysis, voice and speech recognition, location, and time of day should determine whether end users can access corporate systems. And the more of these components IT pros can use simultaneously -- preferably without affecting the end user -- the better.
A breed of identity management tools
Over the next two to three years, I expect to see many organizations implement a level of identity management that relies less on user actions and more on known things, places and experiences. Today, there are multiple systems, such as SailPoint, that use artificial intelligence to deterministically support identity management.
The ability to have the equivalent of SecurID built directly into the end user's device at the chip level on newer generation PCs and smartphones adds a deterministic component to verify that an end user is on a registered device that can't be replicated for nefarious purposes. The ability to see an end user's location -- for example, calendar or social media integration can tell you if the user should be in New York and not in Chicago -- adds another component to whether that end user is actually the end user.
Identity management tools that can access profile and policy information prepopulated by IT -- often through connection with corporate directory information -- can ensure that the apps an end user is trying to access are truly available to him, and that he is using them for the right purpose. And, finally, the ability to monitor network traffic and determine if the packets that the end user sends are uncompromised provides yet another identity point that the enterprise AI system can analyze.
All of this interaction is complex, but it is the only way to realistically implement identity management tools when a plethora of new device access points will be coming in the next few years. For example, the integration of autonomous vehicles, smart things and kiosks into identity management will make mobile and BYOD look like a walk in the park.
How to implement new identity management tools
IT administrators should start thinking beyond usernames and passwords. They should take advantage of enhanced biometrics and other security features that are built into modern devices and operating systems -- not just to log in to the device itself, but to log in to enterprise apps. Each tool may be imperfect by itself, but IT should combine several methods to make modern identity management far safer than the traditional reliance on usernames and passwords.
The future of authentication means leaving passwords in the past
Next, IT should implement a system that includes an AI-based access and control mechanism that makes intelligent decisions about who, what and where. Many options exist as a service, and IT should evaluate those tools for their capabilities to enhance corporate security. And, if an organization has a current IAM vendor, they should look at which enhanced offering that vendor is making available. IT should also switch to a cloud-based service if the organization is currently using an on-premises tool.
Finally, IT should look for products that are acceptable to end users. If IT deploys a system that end users dislike, it can waste money and be ineffective.