Thinking about identity management for the RSA Security Conference

With February behind us, the cybersecurity industry is about to experience a push toward the annual RSA Security Conference — being held April 16-20 in San Francisco. I expect around 50,000 people to attend this year; it ought to be crowded, loud, and extremely passionate.

Now, normally, identity and access management (IAM) is sort of a niche player at RSA.  Oh, sure, there are plenty of biometrics, smart card, and security token vendors present, but IAM discussions are muted by a cacophony of noise around things like next-generation endpoint security, behavioral analytics, and cloud access security brokers (CASB). 

I can see why this was the case 10 years ago, but watering down IAM makes no sense today. Why? Allow me to relay the rationale from a CISO friend of mine. He often describes the fact that IT is becoming more and more distributed — with mobile devices on one side and public cloud services on the other. In other words, IT and security teams own and control less and less of the underlying IT infrastructure these days. 

Now, when his organization was losing control of its IT infrastructure, this CISO decided it was worthwhile to bolster control in other areas. So, in an IT world of mobility and public cloud computing, my CISO buddy firmly believes that there are now two primary security perimeters: data security and identity. 

Thus, the impetus to ramp up our IAM (and data security) discussions at RSA.

IAM initiatives to watch for at RSA

My colleague Mark Bowker owns IAM coverage at ESG, and he’ll be joining me at RSA this year. Given this emphasis on identity as a security perimeter, Mark and I plan to comb the halls of the Moscone Center, focusing our RSA attention on IAM initiatives like:

• Password elimination. While we welcome technical advances such as artificial intelligence into cybersecurity, it’s worth remembering that we still log onto networks using the same method used for accessing timesharing IBM 360 mainframes back in the 1960s. Since we all walk around with unique cell phones (and phone numbers) and these devices are instrumented with biometrics, isn’t it time to make passwords history? Mark believes this is the case, so he and I will be looking to speak with organizations that have ongoing projects to (finally) eliminate passwords once and for all.
• Software-defined perimeter (SDP) use cases. As I’ve said before, few organizations have an SDP budget, but just about every organization has an SDP requirement. This is especially true with mobility and cloud where organizations want to provide secure/trusted access to users and devices directly to cloud-based applications and services. Typical SDP use cases include providing secure application access to business partners, eliminating VPNs, and single sign-on form heterogenous hybrid cloud environments. We’ll be chatting about this with enterprise organizations, as well as SDP vendors such as Cyxtera, Google, ScaleFT, Vidder, and Zscaler. 
• Establishing a single source of truth. One of the biggest issues organizations face is that identity data resides everywhere — in authentication systems, VPNs, applications, social networks, etc. Now, this isn’t a new problem; we’ve tried to solve it for years with directories, meta-directories, and federated directories, but nothing has worked. Once again, we haven’t made much progress. Heck, Active Directory has been around 20 years! Mark believes a new wave of cloud-scale directories and identity standards may finally address these issues to create a federated source of identity truth. We’ll be looking to RSA meetings to see which organizations and vendors are proceeding toward this vision.   
• Moving toward security “ownership” of identity. Everyone (security, IT operations, developers, etc.) has a little piece of identity management, but no one owns identity management, and that creates problems with security and operations. With identity as a new security perimeter, it’s time to build an identity abstraction layer for authentication, authorization, and auditing (AAA). Security teams should lead this effort. Several vendors, such as Amazon, Citrix, Google, Microsoft, and VMware, have their sights on a cloud-based model, but this type of identity service must also interoperate with the legacy identity mess — and even offer a sensible migration path. Mark and I will be looking for leadership here.

It is also worth noting that identity management initiatives are tightly coupled with an increased enterprise focus on data privacy. Security teams play an essential role here as organizations seek to operationalize privacy policies. Hmm, seems like a good time to discuss identity management at the very least. 

More soon on our plans for RSA — only six weeks to go!