More threats, less visibility, and a cloud that’s growing faster than security teams can keep up: the urgency around getting identity and access management (IAM) right has never been higher. That’s why the Gartner Identity & Access Management Summit came at such an important time.
If there was one message at the Summit, it was that cloud identity risk is growing faster and becoming more of a threat for every sector, and we have to act now to protect ourselves and our data.
Here are five must-dos on the heels of the conference:
#1. Prioritize security over convenience
Security starts with identity. It’s always been the first line of defense and organizations’ foremost cybersecurity asset.
And with more resources moving beyond corporate networks and into the cloud, identity will only become more important to security leaders. With security now a board-level topic that permeates every aspect of an organization, organizations will look to invest in security to support their current and go-forward needs.
While they may be inclined to use a good-enough point solution, that’s short-sighted at best—and a major security liability at worst. Gartner sees IAM consisting of three key functions: access management, identity governance, and privileged access management (PAM). Each of these three categories is evolving rapidly as more and more workloads move to the cloud. That change is leading Gartner to advise organizations to prioritize integrated IAM platforms that work across all three functions.
Doing so will allow businesses to support their current and go-forward needs, adapt to emerging security risks, and lay the foundation for zero-trust architecture. The key to making the right choice is to evaluate your specific use cases and plan accordingly. Organizations should prioritize security over convenience as they look to strengthen their long-term security posture.
#2. Kick passwords to the curb…
Having an integrated IAM platform helps address immediate business needs. It also helps organizations make progress against longer-term goals, including two of the most important topics at Gartner IAM: passwordless and zero trust.
Even before the rapid growth of cloud services (and the resulting rise in risk), passwords had proven themselves completely insufficient for cybersecurity. This year, Verizon found that 82% of breaches involved the human element, which includes the use of stolen credentials. But that’s just this year: the same report found that passwords were one of the leading causes of all data breaches every year for the last 15 years.
Passwords must go. Gartner expects that more than half of the workforce will be passwordless in the next three years, up from just 10% today. They also expect that FIDO2 will dominate the market as the go-to standard for passwordless authentication.
There’s good reason for Gartner to be bullish about the rapid growth of passwordless authentication, which is safer and less expensive than passwords. Moreover, with new FIDO2 standards and more passwordless authentication methods, it’s simpler than ever to find something that makes authentication easier for users. Organizations just need to keep the right passwordless capabilities in mind when searching for vendors and look for instances where they can use FIDO protocols.
#3. …and welcome in zero trust
Even if you accept that passwords are too risky, it can be difficult to think of what to use in their place.
Gartner urges organizations to move to zero trust, a new cybersecurity paradigm that asks security teams to never trust and always verify every user, request, resource, and device on your network.
Moving to zero trust also changes any lingering dependency on passwords. Remember, zero trust asks users to always verify, not to always authenticate. If you’re always verifying access, then you reduce the instances when users must authenticate.
When users do need to authenticate, then they should use passwordless options like QR codes, FIDO, or biometrics. For even smarter and safer authentication, organizations should embrace risk-based authentication and continuous adaptive trust (CAT), which use machine learning to baseline and react to user behavior in real time. Gartner predicts that CAT approaches can reduce account take-over by nearly a third. That’s a massive improvement.
#4. Going with cloud-based IAM? Make sure it’s resilient
Security services now account for nearly 25% of all security spending, and identity is no exception.
Whether you call it SaaS IAM, cloud-based IAM, or identity as a service (IDaaS), there are several good reasons to go with identity in the cloud: managed identity platforms can reduce costs and complement your security team.
If you’re going with identity as a service, then you need to make sure it’s resilient: authentication platforms need to be able to handle diverse access requests across diverse user types and complex IT estates. In other words, your IAM platform needs to work however and wherever your users do.
Sometimes, that means ensuring that your users can authenticate even if they’re offline. If your employees can’t connect to the internet, then they still need some way to authenticate to continue working. Remember, security is just as much about letting the right users in as it is about keeping the wrong users out.
To find the right balance, look for a vendor that can provide an offline failover mode that allows users to authenticate even in the absence of an internet connection. Doing so can ensure that your users can work securely and productively, while also ensuring that threat actors don’t abuse multi-factor authentication fail-open protocols.
#5. Control who has access to what
The highest-attended breakout session focused on identity governance. And it wasn’t just attendees who were interested in governance: a majority of some of Gartner’s highest-rated vendors are offering or expanding into either identity governance and administration (IGA) or PAM.
Why all the sudden interest in governance? It’s another result of the growing number of cloud identities and security teams’ need to address cloud risks. As more resources and users move from on-premises to hybrid or cloud deployments, security teams are losing visibility into who has access to what, why they need access, and what they can do with it.
While many organizations understand why IGA is important, they don’t necessarily know how to scope an IGA solution. We believe there are six essential components to finding a governance solution that can deliver the right level of access efficiently—and manage it effectively.
Final thought: keep identity constant
The many changes transforming technology and cybersecurity all underscore the few constants that endure from one shift to the next. The Gartner IAM Summit demonstrated just how important identity is—and how essential it will continue to be.
We’ve detailed some of the ways that identity will continue to act as the bedrock for all cybersecurity in a new report, Lessons from the Future of Cybersecurity. The report bears out many of the main themes we heard at the Gartner IAM Summit and imagines the ways that identity will continue to shape cybersecurity.
Download the new RSA report, Lessons from the Future of Cybersecurity.