Managing and securing identities is the new tech trajectory

The paradigm of information management and security is fundamentally changing. The old model of focusing on guarding the perimeter to keep bad actors out isn’t enough. To address the wide range of how and where employees, customers and other stakeholders are accessing information, the new center of security is identity. In other words, can your system identify and authenticate a user, know what information the user should receive, and provide the right access? And, can it do so whether the identity is a human or a machine?

Reaching an inflection point

Turits established that we’re in a period of high innovation and rapid proliferation of different types of identity technology and approaches. Currently, the information industry is oscillating between centralization and distribution, consolidation and fragmentation. He asked the panelists how their firms address the current reality.

Durand explained that the world is moving from perimeter or network security to identity security, and his firm is focused on real-time authorization and authentication and making the identity control plane more intelligent about context and risks of variables.

“It used to be that we’d put everything we’d want to protect in a place on company-issued devices and erect layers of defense to keep the unknown outside,” he said. “That world of inside and outside has been blown up by cloud computing, mobile, SaaS, BYOD (bring-your-own-device), and WFH (work-from-home) and then escalated by COVID. We now need a new paradigm for security in a distributed environment.”

Saha added that considering identity as the perimeter allows companies to distinguish what kind of identity they’re dealing with – employee, contractor, customer, or machine identity, what kind of sensitive information it has or needs access to, and what level of security needs to be in place for that identity. Saha’s company, Saviynt, manages the overall workflow associated with human and machine identities, ensuring that at any point in time, the identity is given “just-in-time access and just-enough-access.”

He says this approach allows companies to stay ahead of emerging security threats, noting that many recent breaches have begun with low-risk or low-profile identities being compromised and then being used to get access to elevated privileges on the system.

Looking at consumer-focused applications, Loonkar said, “Identity has reached an inflection point because of broad protocol support for biometrics on end-user devices reaching critical mass.” Transmit Security focuses on customer-facing applications with the goal of eliminating logins and passwords, which are both vulnerable to fraud and create frustrating user experiences. The goal is to identify a customer and offer a simple unlock experience across all their applications, and eventually have the ability for application owners to delete the passwords that customers use.

Hudson says that with the explosion of cloud-based applications that “know no place,” identity has taken over as the fundamental issue for security providers. Venafi manages and protects machine identities for over 3,500 companies all over the world. “Security is identity. If you don’t identify something, you can’t allow or deny access,” Hudson said. He also warns that bad actors are increasingly using machine identity.

What zero trust is – and how it’s applied

Turits turned to the issue of the “zero trust” model of security, and how it applies in practice. Zero trust is a model based on maintaining strict access controls that don’t trust any user, device, application or location by default, even those already inside the network perimeter. The zero trust approach operates under the philosophy of “Never trust, always verify.”

Durand says the old model of defined, guarded perimeters was “big trust,” and now companies are trying to shrink that trust, so it’s provisioned just in time and just enough. It means looking at things like how continuous authentication affects risk. “Zero trust is an embodiment of an identity control plane that reduces the blast radius of things going wrong,” he said.

Saha advocates for a balanced approach that improves the end-user experience when it comes to security and identity tools. “Security is usually presented in a nonintuitive manner to the user.” He says the question is how to reduce the end-user burden while still tightening controls and doing access review.

“Zero trust for the enterprise segment is clearly protecting employees. On the consumer side, as it relates to identity, it goes back to very basic problems that are entirely solvable,” said Loonkar. “Username and password for just about everybody has been stolen, and device ID doesn’t work that well. Eliminating username and password is entirely possible, and it’s the first thing we should focus on.”

Convergence – or further fragmenting?

Turits asked the panelists to consider whether the “swim lanes” between identity governance, access management, and privileged access management were less defined. Is the industry headed towards more integration, including with endpoint and hyperscale providers, or specialization and distinct categories? The answer more generally was – it depends on the type and scale of the company and the identities it’s dealing with.

“In a large enterprise, being broad and shallow is not an option,” said Durand. “When you’re dealing with multigenerational, hybrid IT infrastructure, there’s a requirement that anything they do be deep. It requires centrally and strongly authenticated users.”

Saha said there was a move towards synergy between ancillary products, embracing the convergence when it comes to identity governance and administration, privileged access management, managing sensitive access in large ERP platforms, and third-party access. “There is no black and white. Identity is contextual, sensitive access is more of a sliding scale.”

Hudson believes the day of the generalist is over with the increased complexity of the ever-changing nature of attacks. “More specialization is required to find out the adversaries that attack in a certain way.” He also notes that the human identity and machine identity have immense differences in scale, speed, and stakes. “If we fail our customers, you don’t fly, you don’t buy, you don’t bank, you don’t get healthcare.”

Loonkar said customer identity and employee identity are separate, and that customer identity is entering a boom stage of password-less authentication. “If one is able to build the largest company serving customer-facing applications, that’s a strategic asset that has almost infinite runway.”

The Future of Identity Security

Identity security is in a period of warp-speed innovation and application. Controls will adopt even more artificial intelligence and machine learning to create autonomous engines that make decisions about identities and access. The old methods of logins and passwords will likely become obsolete as biometrics in devices are leveraged. Cybercriminals will evolve their methods, and identity security will need to continue to stay ahead. Hudson predicts that in five years the identity security industry will be three times bigger and more diverse. Saha summed up the discussion, “Identity will be the fabric of IT itself.”

KBCM’s Technology group offers the industry insights and expert analysis to help business stakeholders understand the rapidly evolving landscape of identity governance, access management, and privileged access management. To learn more about investment and capital markets activity in the security software industry, reach out to a KeyBanc Capital Markets investment banker.