Nulli Update on IAM Trends
Nulli keeps current and helps our peers in the industry do the same by attending several conferences dedicated to identity and security. One that I recently attended and spoke at on matters related to Identity and Access Management (IAM) was the Cloud Identity Summit (CIS)1. Trends I followed and spoke about during the CIS included:
- Machine Learning: The theme of the CIS this year was intelligent identity and focused on the rapid growth of Machine Learning (ML) as applied to Identity and Access Management. Nulli recognizes this massive increase in managing identities with our trademark positioning line: Everyone. Every thing. Everywhere™. The volume of access decisions that access management software must vet calls for a new paradigm.
- IAM systems must be able to generalize and make decisions even for unforeseen authorization conditions. The current approach of relying on exhaustive rules tables or manual intervention is not sustainable. Google, Microsoft and IBM, all presenting at CIS this year, now leverage the mountain of data at their disposal to train custom ML algorithms that provide access decisions in real time, with some impressive results.
- IRM: Nulli recognized the need for a paradigm shift that could address the increased demand for flexible and manageable access policies. Nulli is deploying solutions based on contextual identity relationship management (IRM), implemented on graph databases like Neo4j.
- IRM principles make rapid deployment and easy maintenance of relationship-based policy decision points (PDPs) and policy enforcement points (PEPs) possible within IAM strategic plans.
- The European Union General Data Protection Regulation (GDPR): GDPR has been a hot topic this year and has a huge impact on all IAM businesses worldwide. Given the importance of the EU market, software vendors cannot ignore it. GDPR comes into effect May 25th, 2018. These new regulations introduce key changes to existing laws, including, in brief:
- Increased privacy for end users and privacy by design.
- Increased penalties for non-compliance.
- More stringent rules around consent. Requests for consent must now be legible, simple and tracked.
- Right to access: subjects can request access to their stored data at any time.
- Right to be forgotten: subjects can request complete deletion of their user data at any time.
The biggest change, though, is probably the increased territorial scope of the regulation. GDPR applies to any IT system handling European personal data, regardless of where the processing actually happens. US companies running code in US data centers will therefore have to comply as long as they process European personal data. It is easy to see why the Googles of this world are scrambling.
- IoT: “Things” are a hot topic, with their numbers increasing exponentially. Nulli continues to promote the development of contextual identities to define or augment access policies for authorization decisions. IAM platforms now provide some level of IoT support but need to better manage authorization decisions.
- Constrained Devices: Constrained devices are generally unable to access the internet securely because of limited compute power or insecure connectivity. There is a rise of new Edge Compute Server offerings that secure constrained devices by employing specialized chips like Trustonic and ARM that provide native/embedded safe zones, as well as new communication standards like CoAP and the "old timer" standard MQTT. Nulli is working with clients to leverage a consolidated edge computing platform for secure communications and identity relationship management.
- IRM and Graphs: Several sessions, including my own, were dedicated to Identity Relationship Management (IRM) and graph data. Nulli is leading the move to embrace graphs, like Neo4j, for securing IAM in real-world projects. Graphs are perfectly suited to the complex authorization requirements we see nowadays, especially with IoT. Look for information on this subject in an upcoming post on the Nulli graph-based authorization data model.
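To illustrate the relationship-based PDP/PEP idea from the IRM items above, here is a small added example (not Nulli's data model and not code from the post): a default-deny decision point that walks a hypothetical identity graph held in memory, standing in for what a graph database such as Neo4j would store. All node names, relationship types and policy paths are constructed for the example.

```python
from collections import defaultdict

# Constructed sample identity graph as (subject, relationship, object) triples:
# a person belongs to a team, the team administers a site, and an IoT device
# is located at that site. In production these edges would live in Neo4j.
EDGES = [
    ("alice", "MEMBER_OF", "facilities-team"),
    ("facilities-team", "ADMINISTERS", "building-7"),
    ("thermostat-42", "LOCATED_IN", "building-7"),
    ("bob", "MEMBER_OF", "finance-team"),
    ("finance-team", "ADMINISTERS", "ledger-db"),
    ("sensor-9", "LOCATED_IN", "warehouse-2"),
]

# Hypothetical policy: an action is permitted only when a relationship path of
# the given shape connects the subject to the resource. A leading "^" means the
# edge is walked in reverse (device LOCATED_IN site, walked from site to device).
POLICY = {
    "control": [["MEMBER_OF", "ADMINISTERS", "^LOCATED_IN"]],
    "read": [["MEMBER_OF", "ADMINISTERS"]],
}

_forward = defaultdict(set)
_reverse = defaultdict(set)
for s, rel, o in EDGES:
    _forward[(s, rel)].add(o)
    _reverse[(o, rel)].add(s)


def _step(nodes, rel):
    """Expand a frontier of nodes along one relationship type (possibly reversed)."""
    if rel.startswith("^"):
        return set().union(*(_reverse[(n, rel[1:])] for n in nodes))
    return set().union(*(_forward[(n, rel)] for n in nodes))


def decide(subject, action, resource):
    """PDP: default deny; permit only if some policy path reaches the resource."""
    for path in POLICY.get(action, []):
        frontier = {subject}
        for rel in path:
            frontier = _step(frontier, rel)
            if not frontier:
                break
        if resource in frontier:
            return True
    return False


def enforce(subject, action, resource, handler):
    """PEP: gate a resource operation on the PDP decision; raise on deny."""
    if not decide(subject, action, resource):
        raise PermissionError(f"{subject} may not {action} {resource}")
    return handler(resource)
```

Adding a device or moving a team to a new site is one edge change; no rules table has to be rewritten, which is the maintenance benefit the IRM items describe.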
- Open Standards: OpenID Connect, OAuth, UMA and SCIM have wider adoption and have become mature. OAuth in particular keeps being extended to fulfill an ever-increasing number of use cases; see for example the new Device Flow, Token Introspection, PKCE ("pixie") and so on. UMA 2.0 was also announced, with various enhancements to the flows it supports (see Justin Richer's account here for details).
- MFA and the rise of FIDO: Multi-factor devices using the FIDO standard are on the rise, promoted by Google and Facebook supporting Yubikeys as a second factor, among others. Second-factor cryptographic keys are currently deemed the safest way to provide a second authentication factor. Numerous vendors provide a wide range of FIDO-capable solutions, ranging from keys (USB, NFC or Bluetooth) to heartbeat authenticators like Nymi. Now that One Time Passwords (OTPs) are becoming easier to phish, organizations need to look at new tools like these to keep on top of the security threats they face.
- Professional recognition: Spearheaded by Ian Glazer, the new IDPro organization “helps define, support, and improve the digital identity profession globally”. IAM professionals now have somewhere to turn for help. Expect a certification program soon – Nulli is interested to hear more about customer requests for this level of certification and what it would mean for a services organization to have certified IAM professionals.
In summary, things are changing quickly and it is important to keep up. There is a lot on our IAM plate at Nulli as we continue to update our expertise to deliver leading specialized knowledge for our customers and peers.
1 Cloud Identity Summit was created by Ping Identity sometime in 2010. CIS has attracted more and more professionals from all horizons every year, and grew to over 1,500 attendees this year. The Summit culminated with the announcement of its transformation in 2018 into a full-fledged conference (no longer a mere summit): the first Identiverse.