twobee - Fotolia
Published: 29 May 2018
As identity and access management tools become more automated, IT pros have slightly easier jobs -- but they can't be completely hands-off just yet.
Mobile technology has spurred much of the innovation in the identity and access management (IAM) industry over the last couple of years, encouraging vendors to improve usability on mobile devices. Now, technologies such as artificial intelligence, machine learning, microservices and cloud computing are making their way into identity and access management tools -- all with the goal of making them more seamless, accessible and automated for both end users and IT.
"It's much more annoying to enter a password, particularly a long password, on a mobile device," said Mary Ruddy, a research vice president at Gartner.
Run in the cloud
One trend already taking hold is the emergence of identity management as a service, which runs identity and access management tools in the cloud, where a service provider manages the back end.
"We're seeing a lot of movement to the cloud because it's very scalable," Ruddy said.
ThoughtWorks, a software company based in Chicago, switched from an on-premises open source product to Okta's cloud-based offering in 2013 to manage its employees' identities and access. Since then, there hasn't been much to manage on a day-to-day basis from an IAM perspective, said Phil Ibarrola, TechOps head of technology at the company.
"We'll have the odd user that forgets their password, or their multifactor [authentication] gets messed up in some way, and we have to reset those types of things," Ibarrola said. "But those are few and far between."
Ibarrola doesn't mind sacrificing granular control over identity management for a more hands-off role, he added.
"When we first made that transition to cloud, there was a lot of angst around giving up control of … certain things in our infrastructure," Ibarrola said. "But I think we've been on this journey long enough to realize that that's part of transferring that risk and putting your trust in a service provider."
Still, not all identity and access management tools need to move to the cloud. There will be valid reasons for keeping some identity data on-premises, for example among banking and healthcare companies that require it for regulatory reasons.
Produactivity, a software company in Guatemala City that offers an app for employers to track employees' mobile use, runs Auth0 identity and access management software in the cloud to protect customer data. Produactivity CTO Mercedes Wyss doesn't spend much time managing the software in the cloud but can still maintain a level of control over data -- which includes its customers' employees' personal and geolocation information -- by storing it in her company's own database rather than Auth0's cloud, she said.
IAM vendors smarten up
As security threats become more complex, vendors must make their identity and access management tools smarter and more sophisticated. Through advanced analytics that incorporate machine learning, identity and access management tools can look at user behavior to make predictions and better detect anomalies. This trend is still emerging, and organizations are in the early adopter stage, Ruddy said.
Sean GroomesIT technical support analyst, The Bernard Group
Microsoft offers Azure Active Directory (AD) Identity Protection, which uses machine learning to detect suspicious user behavior. IT pros don't need to know how to implement machine learning techniques to benefit from Identity Protection. Plus, they can send Microsoft any false positives that the system detects to improve the algorithms going forward.
Other products, such as Oracle Adaptive Access Manager and RSA Adaptive Authentication, enable IT to modify the machine learning models themselves -- a capability that typically appeals to larger organizations that already experience specific cyberattacks. Experienced IT pros can tweak machine learning models to reduce false positives and gain a more granular level of control.
Identity and access management tools can also use analytics to more precisely determine when they actually need multifactor authentication (MFA) and cut down on its usage to improve the user experience. For example, an IAM system can evaluate attributes such as user location, device fingerprint and IP address and automatically grant access if the combination is low risk. An insurance company that deployed this functionality reduced its employees' usage of MFA and passwords by 90%, Ruddy said.
Mobility simultaneously complicates and simplifies multifactor authentication. IT can use mobile devices as a verification platform in multifactor authentication, either via SMS or by using the device itself as a token. Or passwordless technologies can help IT avoid multiple authentications altogether.
The Produactivity mobile app enables managers to track activity of their employees on mobile devices, and it doesn't require the manager to enter a password when accessing the app. Once Auth0 recognizes that the user is on an employer-owned phone, it prompts them to receive an email with a link that will complete the login process for them, and they won't have to log in again in the future.
The Bernard Group, a communications provider in Chanhassen, Minn., uses ManageEngine's ADManager Plus to handle MFA for end users' access to email and cloud-based applications.
"What we're going for in our environment is empowering our end users to be able to make decisions for themselves," said Sean Groomes, an IT technical support analyst at the firm. "If end users need to update their password or phone number, we want to make sure that they can do that securely."
Another way to make identity management services smarter is to modularize them, or break the system down into smaller components. Some IAM vendors, such as ForgeRock, offer identity management microservices -- which designate each component with a targeted function. ForgeRock is currently developing four identity microservices -- token exchange, token validation, authentication and authorization. The token validation microservice will validate ForgeRock-issued authentication tokens, for example, and so on.
Because these components do not need to run an embedded operating system, a microservices architecture can offer more flexibility to IAM. Microservices can run in a self-contained, stateless mode, enabling developers to use IAM services in their apps -- no matter which platform they use. The modules can also communicate with each other more via APIs, enabling IAM systems to become more intelligent.
"It used to be that one module might have some information about the system's behavior and another module information about another [behavior], and they weren't really communicating that information and leveraging it to automate more of the decision-making," Ruddy said.
Identity and access management tools must also become more developer-friendly as vendors release modularized platforms. The process of hooking up one identity module to another, for example, requires more integration work by developers -- especially if those two modules are from different vendors, Ruddy said. Because of that, vendors must offer integration capabilities using the most modern development languages.
"That might seem like a contradiction, because normally as you make things more mature, you're making them so that they're already automated and the software already does what you need," Ruddy said.
As microservices and serverless architecture -- a model in which a cloud provider dynamically distributes resources -- adoption grows, so will the adoption of cloud-based identity and access management tools that appeal to developers, Wyss said. Organizations can authenticate users of serverless applications on Amazon Cognito, for instance, a federated identity management platform that enables developers to focus on writing code instead of managing authentication.
"Using platform as a service means that we can … produce things faster," Wyss said.