I was recently reminded of something a CISO said to me a few years ago. This security executive mentioned that his organization was struggling to maintain tight security controls in an era of cloud computing and mobility. As a result, his organization had increased its focus in two areas: identity management and data security. He stated, “With the rise of cloud and mobility, identity and data security are the new security perimeters.”
I mentioned this conversation to my colleague Mark Bowker, who covers identity management at ESG. Mark responded that the CISO’s conclusions are clearly characterized in some recent ESG research data. For example, 61 percent of respondents believe IAM is more difficult today than it was two years ago. Why are things more difficult? Survey respondents pointed to cloud computing and mobility as two primary drivers but also mentioned increasing cyber threats and the lack of a comprehensive identity and access management (IAM) strategy.
Unfortunately, IAM problems may be getting worse as a function of cloud computing innovation.
Organizations continue to increase their use of cloud computing, and the technology continues to follow a pace of rapid innovation. Most large firms now employ heterogeneous hybrid clouds, including multiple public and private cloud services and technologies. Furthermore, many firms have a mix of virtual servers, bare metal servers, containers, and applications based upon microservices.
So much is happening so quickly that it’s driving cloud computing chaos — massive and constant change. This flies in the face of the old cybersecurity adage that change is the enemy of security. This chaotic situation is especially pronounced with identity management, which tends to be a patchwork infrastructure that is touched by many but that no one really owns. In other words, cloud computing expansion is stressing an already-brittle IAM system.
4 IAM issues affected by cloud and mobile computing
As cloud and mobile computing expose cracks in IAM, Bowker is focused on a few key areas, including:
- Single sign-on (SSO). Cloud computing and mobility are driving a tsunami of new applications and associated application authentication and access controls. For the most part, this really means more user names and passwords to provision, memorize, and monitor — a nightmare for users, IT operations, and security teams. Bowker is carefully watching what large organizations are doing in this area, including deploying new SSO technologies and working with identity-as-a-service providers such as Centrify, Okta, Ping, and RSA Security. I’m collaborating with Bowker to assess the impact that software-defined perimeter (SDP) technologies will have here, as well.
- Multi-factor authentication (MFA). ESG research indicates that 65 percent of organizations use some form of MFA but only for a small percentage of their applications. Cloud and mobile computing are creating an urgency to greatly increase MFA proliferation and usage within enterprise organizations. Bowker is watching MFA, especially how mobile-based biometric technologies such as thumbprint readers and facial recognition could be a game changer.
- IAM centralization. When you talk about IT technology silos, identity management takes the cake because it is made up of a morass of application controls, network controls, administration tools, etc. Cloud and mobile have further exacerbated this mess, as it’s not unusual for organizations to have redundant IAM technologies to manage identity in these areas. Bowker says a great IAM reckoning is coming where organizations FINALLY replace siloed technologies with centralized identity services from vendors such as Google, IBM, Microsoft, and Oracle.
- IAM skills. Given the global IT skills shortage, it’s not surprising that 27 percent of organizations lack the right IAM skills, while 31 percent of organizations claim they don’t have enough IAM specialists. Bowker says this skills shortage will drive IAM automation, consolidation, integration, and machine learning.
As my CISO friend said, identity and data are the new security perimeters. It’s time that organizations realize this and fortify themselves in both areas.