Identiverse 2019: Top 5 takeaways from the annual identity and access management industry confab
July 17 2019
by Garrett Bekker
We recently attended the 10th annual Identiverse conference (formerly known as Cloud Identity Summit), where several thousand vendors, end users and experts converged to discuss all matters related to identity and access management (IAM). Topics included zero trust, password-less authentication, new identity standards like FIDO2 and WebAuthn, customer IAM, the increasing role of analytics in IAM, identity proofing/verification, and the impact of the security skills shortage on the IAM industry.
The 451 Take
Given the notable hype at other conferences like RSA, it's no surprise that it was hard to take more than a few steps before encountering zero trust in some shape or form. The early consensus on zero trust – if any – is that we are still very early in the game, and most companies are still wrestling with what zero trust means and how they might get started without completely disrupting their existing infrastructure. There was a nearly equal amount of attention around the ratification of the new FIDO2 standard, and its potential to finally move us closer to a password-less future. Like zero trust, however, FIDO2 is in its infancy, and while many device and browser vendors are on board, the next phase will be to get websites and cloud app suppliers on board. Despite all of the buzz, the elephant in the room is that enterprise adoption of multifactor authentication (MFA) remains relatively low compared with other security technologies – 51%, according to 451 Research's most recent survey data, with consumer adoption much lower, according to several recent studies.
Throughout the history of IT, authentication has relied heavily on 'shared secrets' – passwords, onetime password tokens, etc. – but there is a growing realization that shared secrets are the root of many of our current problems, particularly with respect to stolen credentials. The ultimate aim of the password-less movement is to move away from a centralized repository of passwords and secrets, which can serve as a prime target for hackers. There can be multiple ways to achieve password-less authentication, and one of the more newsworthy items at this year's conference was the recent acceptance of FIDO2 as an official standard by the World Wide Web Consortium (W3C).
FIDO2 and its subcomponent, WebAuthn, provide a way to log in to websites and web apps by eliminating centralized secret repositories and storing client credentials (biometrics, passwords, etc.) locally on devices so they are no longer a target for attackers or subject to man-in-the-middle or other common attacks like phishing. Server-side credentials or keys are unique for each site, again removing the need for central storage. FIDO2 and WebAuthn allow for a variety of authenticators, including fingerprint readers, smartphone cameras, and hardware keys like YubiKey or Google's Titan that can be used without a password or PIN.
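The per-site key model described above, as an added, simplified illustration rather than code from the FIDO Alliance, the W3C or any vendor: the authenticator keeps one private key per relying party on the device, the site stores only the matching public key, and the browser stamps the real origin into what gets signed. The type names, rpId and origin values are assumptions, and real WebAuthn adds CBOR encoding, attestation and signature counters that are omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Simplified model of the per-site key scheme the text describes: the authenticator
// keeps one private key per relying party (rpId) on the device; the relying party
// stores only public keys. Real WebAuthn's CBOR, attestation and counters are omitted.

type clientData struct{ Challenge, Origin string } // assembled by the browser, not the user
type Authenticator struct{ keys map[string]ed25519.PrivateKey } // keyed by rpId
type RelyingParty struct {
	ID, Origin string // assumed values, e.g. "login.example.com", "https://login.example.com"
	users      map[string]ed25519.PublicKey
}

// Register creates a site-scoped key pair; only the public half leaves the device.
func (a *Authenticator) Register(rp *RelyingParty, user string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // errors only on a broken RNG
	a.keys[rp.ID], rp.users[user] = priv, pub
}

// payload is what gets signed: sha256(rpId) || sha256(clientDataJSON).
func payload(rpID string, cd []byte) []byte {
	rh, ch := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	return append(rh[:], ch[:]...)
}

// Sign mimics navigator.credentials.get: the browser supplies the origin it is
// really on, and the credential is selected by rpId, so a look-alike site gets nothing.
func (a *Authenticator) Sign(rpID, origin, challenge string) (cd, sig []byte, ok bool) {
	priv, found := a.keys[rpID]
	if !found {
		return nil, nil, false
	}
	cd, _ = json.Marshal(clientData{challenge, origin})
	return cd, ed25519.Sign(priv, payload(rpID, cd)), true
}

// Verify checks the challenge, the origin and the signature against the stored public key.
func (rp *RelyingParty) Verify(user, challenge string, cd, sig []byte) bool {
	var c clientData
	pub, ok := rp.users[user]
	return ok && json.Unmarshal(cd, &c) == nil && c.Challenge == challenge &&
		c.Origin == rp.Origin && ed25519.Verify(pub, payload(rp.ID, cd), sig)
}
```

Because the browser derives the rpId from its own origin and records that origin in the signed client data, a look-alike site finds no credential to use, and an assertion relayed from one is rejected by the genuine site's origin check; a replayed challenge fails the same way.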
FIDO2 now has broad support from browser providers and devices, including Chrome, Firefox, Microsoft Edge, Android and Windows 10, with Safari and Apple devices reportedly expected soon. There are also some notable FIDO2 deployments, including heavyweights like Twitter, Microsoft and Google. However, to obtain more mass appeal, FIDO2 will need to be adopted by major website and cloud application vendors – thus far Dropbox, Facebook, GitHub, Salesforce, Stripe and Twitter are on board.
We have explored the zero-trust phenomenon in recent reports on Banyan, Pulse Secure, Luminate and Meta Networks (recently acquired by Proofpoint), as well as our report, Beyond the Perimeter: From 'Zero Trust' to 'Unified Access Control', in late 2018. Since the publication of that report, zero trust has gained momentum, at least in terms of awareness and vendor marketing efforts. That said, there is still a substantial amount of disagreement and confusion about exactly what the term zero trust means (only one hand went up during an audience poll of who knows what zero trust means), what the most critical components of a zero-trust architecture are, and most importantly, how enterprises should consider starting their zero-trust journey. Indeed, recent survey data indicates that only 12% of enterprises have thus far implemented zero trust – however defined – which suggests that we are still in the very early stages of zero-trust adoption.
There is agreement, however, regarding several areas:
Thanks to mobile devices, private and public clouds, SaaS apps, and more, the perimeter is becoming less relevant as a primary strategy for securing enterprise resources, and as a result, identity is becoming the new – cue various marketing catch phrases – 'perimeter/control plane/oxygen,' etc.
Zero trust is not a product, but more accurately a methodology or way of thinking about security in which nothing is trusted, breaches are assumed, and every resource should be treated as if it's on the open internet.
Most firms don't have the resources of a Google or Netflix, and for many it will be hard to scrap what they have built up over the past 10 years or more and start over, and thus 'quick wins' around greater use of MFA or saving money on password resets will be critical initially.
Many enterprises remain siloed internally – network security teams may view zero trust from a different perspective than IAM or systems teams, for example. From that perspective, greater adoption may hinge as much on cultural (or political) barriers as it does on technological hurdles.
In past reports, we have forecast the continued inroads of analytics, artificial intelligence (AI) and machine learning (ML) into a growing array of security products, and this is becoming more common within the IAM segment as well. One of the earliest applications of AI and ML was authentication, particularly in adaptive or risk-based approaches. If Identiverse is any guide, we anticipate that AI and ML will be woven more broadly across the entire IAM stack in years to come, taking advantage of an expanding range of sensors and signals that generate additional telemetry that can be used to inform more granular and accurate access-control decisions.
Much has been said and written about the chronic skills shortage facing the overall security industry. Our research has shown that nearly half (46%) of all organizations face 'significant difficulty' in hiring skilled security staff, and 80% report either 'moderate' or 'significant' difficulty in retaining them.
[Figure: Difficulty in hiring and retaining skilled security staff. Source: Information Security, Organizational Dynamics, 2018]
However, the skills shortage seems to be particularly acute in the IAM industry, and many jobs simply go unfilled. Part of the problem is the considerable amount of time it takes to become reasonably proficient – five to 10 years, on average, according to one study presented at the conference, which also found that most IAM professionals have spent more than 10 years in the field. One reason for the steep learning curve is that the IAM sector has lagged others in providing training, materials and a common body of knowledge. Further, few universities offer accredited courses in IAM. In response, a new industry group, IDPro, has recently been formed with the intent of both developing a common body of knowledge around IAM and facilitating its distribution via training and other materials.
Despite all of the congratulatory praise for the passage of FIDO2 and the promise of password-less approaches to authentication, it's clear that there is still a long way to go as an industry in terms of adoption of stronger authentication approaches. While many IAM specialists like to point out that 81% of breaches involve a stolen credential, the elephant in the room is that MFA adoption is still relatively low compared with other security tools like firewalls, IPS, endpoint security, and security information and event management. Survey data puts enterprise MFA adoption at 51%, whereas firewalls top the list at 95%, and that figure makes no claims about enterprise-wide adoption. On the consumer side, usage data is even more discouraging, according to several studies, including one that suggests that only 10% of Gmail users have adopted 2FA/MFA.
One of the main reasons – and a frequent theme at Identiverse – is that user experience has historically taken a back seat to technical features, hence the interest in newer approaches like password-less, biometrics and risk-based authentication. In addition, the industry as a whole has done a relatively poor job of educating consumers and developers on best practices for adopting 2FA/MFA. Studies also have shown that users generally don't fully appreciate – or care about – the risks of weaker forms of authentication.