Ask any security professional their top three concerns, and identity is likely a response -- if not the top worry. Digital transformation and the evolution of identity in the workplace -- spurred by decentralization, cloud adoption and remote work -- have exposed the fact that identity and access management has outgrown traditional security protections and poses major risks. Adaptable and agile security architectures with a spotlight on identity are a necessity to keep employees and their organizations safe.
IAM is positioned as the first and last line of protection against credential-based attacks. Thus, many digital identity trends -- such as identity as a service and cloud infrastructure entitlement management (CIEM) -- are essentially about security as well. This is also the case in reverse -- security trends, including zero trust and cloud access security brokers (CASBs), are fundamentally about IAM.
The rate of cloud IAM and security innovation has produced a rapidly changing market for buyers. To parse through vendor hype and discern the value of these technologies, Carla Roncato, analyst at Enterprise Strategy Group, a division of TechTarget, shared her insights. Roncato researches identity management, access management, data security and privacy and works on open identity standards with the OpenID Foundation.
Here, Roncato explains why identity is the crux of cloud security and privacy and lends her identity-centric perspective to examine emerging cloud IAM trends.
Editor's note: This transcript has been edited for length and clarity.
You're an evangelist for open identity standards at the OpenID Foundation and have described yourself as an 'identerati' in a blog post. Beyond having a neat title, what do those roles entail?
Carla Roncato: Identerati people want a more harmonious use of open standards. What you need to know about identity is that it has to work for everyone. Interoperability is so important to identity work that there is less market competition about who has a better protocol. Like privacy, identity evangelists work together toward a greater good on a societal and cultural scale, rather than for an individual company. It is our responsibility to infuse privacy into identity protocols [and] design implementations and reference architecture. With privacy by design, users don't have to make a choice about privacy because it's already baked in.
The use of open standards has not been completely successful in traditional security, but it's getting better. The digital identity community has proven capable of creating democratic consortiums to serve multiple geographies and industries without being bureaucratic. We want to improve something that benefits everyone for the use and access to digital services. We reach out to developers to make sure they adopt these standard protocols correctly and compliant with the security needed for the identity system.
Privacy crusaders are quite visible on issues such as consumer technology and legislation. It's interesting to see that there's a rich identity version of that behind the scenes.
Roncato: They're closely related. Identity is the instantiation of the intent of privacy law. In many cases, identity is the first step in instantiating laws about the collection of personal information to perform a transaction. Identity evangelists try to create a more mutually beneficial arrangement between two parties in a transaction. For example, we explore the balance between a consumer and a service provider that asks to collect their information for marketing reasons. Nobody loses in a privacy-enabled scenario.
Privacy-enabled transactions sound great, but is identity anywhere close to achieving that?
Roncato: Yes, it is achievable if we bake it into everything we do. Over time, it should become the norm. It is challenging because many for-profit companies consider customers and their data as part of the profits. So, companies may feel privacy measures hurt their money and business model because that data is so valuable.
Unlike many security professionals on this issue, you sound optimistic. Why is that?
Roncato: Identity is quite different from security: It's not about chasing the bad actor; it's about promoting the right behavior. Even though I'm aware of the bad actors, I'm here to make it great for the rest of us, which is why I can stay optimistic.
Also, I've seen what's been accomplished and how it has exceeded expectations. It didn't take as long for large financial institutions, healthcare companies and universities to adopt these identity standards and principles. At first, these organizations didn't completely understand them but were receptive, and now, it's paying off. Standards can reduce complexity by coalescing the most commonly desired actions in an authentication experience across all types of services and industries. Today, people buy standards-based identity products and services because they are the de facto and they serve a public good. I liken them to car airbags -- now that we have airbags available, we won't drive a car without them.
Many organizations have to maneuver a contention between security and usability. Where does identity fit into that dynamic?
Roncato: You can see how it plays out when you open Yelp on your mobile device, for example. You can use your Facebook account to sign in and avoid creating a unique Yelp account -- it becomes cumbersome to remember logins for every application. So, identity is less about security than it is about ease of use and making access easier for the user, not for the bad guys.
How has the growth of cloud adoption affected digital identity trends?
Roncato: Identity touches all parts of the technology stack, including infrastructure, data and application layers, as well as the user. The cloud has not created more complexity for identity insomuch as it has delivered on the promise of high availability, distributed identity. We can't have citizen access to services at the scale of billions without the cloud. For example, say India had a universal identity program and wanted all its citizens to be able to register to vote or register for healthcare. Supporting 1 billion people would be expensive and difficult to scale and create problems since the database would require high availability and reliability. Addressing all of these concerns would be impossible without cloud.
To see how cloud has democratized distributed identity, look at the abundant use of WhatsApp or TikTok. Without a distributed identity system, these applications may not have been used on the same global level. Otherwise, there would be local-, regional- or country-level access to consider; service interruptions; problems with replication and synchronization; and other issues. Cloud has expanded the possibilities of large-scale experiences.
What challenges has the cloud introduced to IAM?
Roncato: The cloud has introduced challenges around privileges and entitlements. It uncovered the risks of giving too many people too many privileges to too many things. It was relatively easier before the cloud because the issue of sprawling privileges was more limited to your own environment, as opposed to the wider world. Much of the security focus has turned to privilege creep and how to reduce it.
The amount of market consolidation and innovation can contribute to customer confusion about whether to invest in CASB, CIEM or other cloud IAM products. What do buyers need to know about these digital identity security trends?
Roncato: CASB is important for cloud identity and security because of its access control component. There are many standards and protocols used for authentication, authorization and permissions. Confirming whether those policies are adhered to is done through policy decision points and policy enforcement points, which is where CASB comes in. A CASB takes information about the authentication session, which is a user token, and information about the authorization session, which is an access token. It understands policies and acts as a decision point. It knows what the entity, person or service is permitted to do and makes sure the policy is enforced in such a way that a user would never notice during sign-in.
CIEM is a brand-new category in Gartner's 'Hype Cycle for Identity and Access Management Technologies' report. This entitlement product addresses problems that arose from the widespread uptake of cloud as a development platform. When cloud adoption started, especially with developers in AWS, no one had decided on the level of access the developer should have in the first place. AWS provided developers the ability to sign in but did not provide a way for companies to know which developers had access to which parts of the development environment. Millions of developers have been building applications in the cloud since then, but most companies still don't know the level of access that dev or DevOps teams have. CIEM is used to determine who's allowed to access compute and storage or start virtual machines in development where something isn't built yet or it's in continuous delivery.
This CIEM example illustrates the way innovation works. Innovation happened when people reflected on the risks of privilege creep and realized, 'I should have known which developer was doing what, with what and for how long.'
That reminds me of how nation-state actors used a backdoor for access in the SolarWinds supply chain attack.
Roncato: Exactly. The SolarWinds attack was the most brilliant -- and horrible -- example of a delivery of a payload that I've seen in a while. Attackers used a backdoor to access the development environment and deliver a signed piece of malware. It bypassed security because it was trusted by the development process. Because it had assured delivery, it went out as an update to 18,000 customers. It was a devastating integrity compromise, meaning the entire system was affected, including the development environment, delivery system and clients.
Speaking of trust, what does the zero-trust model mean to identity experts?
Roncato: The philosophy of zero trust is aligned with the philosophy of privacy. The zero-trust model assumes everyone is untrustworthy and requires them to be verified and given access based on the principle of least privilege.
But trust is not a bad word. Conceptually, trust is similar to how we define 'reasonable doubt' in law. There will always be some element of trust in infrastructure, including the internet, in order to build anything. Thus, there is no such thing as absolute security.