Last updated: 16 May 2016
Telling a friend that you’re going to an identity and access management (IAM) conference may do little to elicit their excitement. But explaining to them that some systems today already use their social feeds, news feeds and big data to assess whether their login to a favorite retail site is legitimate may do better to pique their interest–and even more so if that cloud-based assessment factors in the chic smartwatch they’re already wearing.
As promised in Part 1, here are a few more takeaways from the Gartner IAM EMEA summit in London:
- Simplify authentication for your mobile enterprise by preferring STSs. Gartner Analyst Trent Henry quoted another analyst (Mary Ruddy) as describing an STS, or security token service, aka identity provider service, as a “big gumball machine” in the sky, where you insert a token and get a gumball, and each time you insert a token you can get a different gumball. This is a great metaphor to my mind: in the identity provider model, the STS (the gumball machine in the sky) yields an authentication token (gumball) for each cloud application you access, so that mobile workers don’t have to waste time entering multiple usernames and passwords. Also, leverage behavior-based analytics in your authentication (see “context, context and more context” in Part 1), and ideally enable both browser-based and mobile app access, using a common, RESTful approach for both.
- Trust, but verify vs. restrict and prove. Analyst Tom Scholtz explained that enterprises with a culture of high trust will tolerate and even embrace a move from a ‘least privilege’ access model to a ‘most privilege’ one. To reduce the number of roles IT has to define and support (in IGA or authentication solutions, for example) and at the same time increase productivity and UX, users should be educated, given as much trust as possible, and only restricted when absolutely necessary—moving from a model of prevention to one of monitoring and rapid response in the event that a rule is violated. In the same way that Dutch shared space roads have proven to reduce accidents and fatalities, as they compel drivers and pedestrians to be much more alert, Scholtz argues that maximum-privilege models are more efficient, but need to be supported with education on maintaining good cybersecurity hygiene. On the other hand, in consumer-centric scenarios, the trend seems to be “restrict and prove,” where ever-evolving account takeover methods require increasingly sophisticated authentication mechanisms.
- Regarding data-in-the-cloud privacy issues, “Don’t ask if it’s legal. Ask how can I make it legal?” explicates Gartner Analyst Carsten Casper. Case in point: Data in the cloud may be stored in the US, but if it is protected using local key management, and those encryption keys are exclusively managed by employees in the EU, then you can still meet local data privacy requirements. In any event, there are four paths to compliance: (a) Political, meaning being sensitive to cyber espionage concerns in different countries; (b) Physical, meaning hosting your data in a local data center; (c) Legal, meaning achieving compliance via a contractual agreement with relevant parties; and (d) Logical, meaning achieving compliance via encryption with remote or local key management, together with access controls that restrict access to remote or local data stewards only.
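To make the “gumball machine” in the first takeaway concrete, here is an added example of the STS pattern. It is not code from the post, from Gartner or from any vendor: a client logs in once to the token service and receives a session token (the coin), then exchanges that coin, once per application, for a short-lived token bound to that application’s audience (the gumball). Each application shares its own verification key with the STS, so a token minted for one application is rejected by another, both on signature and on the `aud` claim. The user store, application names and keys are constructed fixtures; the HMAC-over-JSON token format is a simplified stand-in for a real assertion format such as SAML or JWT.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed fixtures for this example: one user and two relying applications.
# Each application shares its own verification key with the STS and never sees
# the other application's key.
_SALT = b"example-salt"
USER_DB = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
AUDIENCE_KEYS = {
    "crm.example": secrets.token_bytes(32),
    "hr.example": secrets.token_bytes(32),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    """The 'gumball machine': one primary login, then one token per application."""

    def __init__(self, audience_keys, ttl_seconds=300):
        self._audience_keys = audience_keys
        self._ttl = ttl_seconds
        self._sessions = {}  # session id -> username (in-memory for the example)

    def login(self, username, password):
        """Primary authentication. Returns the session token (the 'coin')."""
        stored = USER_DB.get(username)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
        # Constant-time compare; an unknown user still does the full hash to
        # keep timing uniform.
        if stored is None or not hmac.compare_digest(stored, candidate):
            raise PermissionError("invalid credentials")
        session_id = secrets.token_urlsafe(24)
        self._sessions[session_id] = username
        return session_id

    def exchange(self, session_id, audience, now=None):
        """Exchange the session token for an audience-bound token (the 'gumball')."""
        subject = self._sessions.get(session_id)
        if subject is None:
            raise PermissionError("unknown or revoked session")
        key = self._audience_keys.get(audience)
        if key is None:
            raise ValueError(f"unknown audience {audience!r}")
        now = int(time.time()) if now is None else now
        claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + self._ttl}
        payload = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
        tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        return f"{payload}.{_b64url(tag)}"


def verify_token(token, app_key, expected_audience, now=None):
    """Relying-application side: accept only tokens minted for this application."""
    try:
        payload, tag = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    expected = hmac.new(app_key, payload.encode("ascii"), hashlib.sha256).digest()
    # Check the signature before trusting any claim in the payload.
    if not hmac.compare_digest(expected, _b64url_decode(tag)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("aud") != expected_audience:
        raise ValueError("token was issued for a different application")
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    sts = TokenService(AUDIENCE_KEYS)
    coin = sts.login("alice", "correct horse")
    crm_token = sts.exchange(coin, "crm.example")
    print(verify_token(crm_token, AUDIENCE_KEYS["crm.example"], "crm.example"))
```

The `now` parameter exists only so the expiry logic can be exercised deterministically; in a deployment the token service and the applications would use the real clock, and the per-audience shared keys would be replaced by the STS signing with an asymmetric key whose public half each application fetches.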
Hope you found these takeaways inspiring and/or useful. Be sure to check out Part 1 for three other equally important IAM takeaways from the event.