Identity as a service has long been viewed as a major growth market, yet a number of obstacles are holding back...
At the Cloud Identity Summit 2016 this summer, Ping Identity CEO Andre Durand talked about the potential for identity as a service to help address security issues as enterprises rely more heavily on cloud services and mobile devices. IDaaS as a market is still relatively small; Gartner earlier this year reported that IDaaS implementations represent just 10% of all IAM implementations in the enterprise. But Gartner also predicted that IDaaS deployments will increase to 40% by 2019.
In an interview with SearchCloudSecurity, Durand discussed how the IDaaS market has evolved and why several technological and business issues are holding back adoption. He also talked about enterprise data breach fatigue, how social media giants like Facebook and Twitter have influenced the IDaaS market and why enterprises are becoming more focused on identity and access management today. Here are excerpts from the conversation with Durand:
You've talked a lot about identity as a service recently. Is that going to be the standard in the future, and if so, how will it be used and deployed?
Andre Durand: There's two ways to look at it. Identity as a service is actually somewhat misnamed. It's really identity infrastructure as the service today, not identity as the service. Logging in with Facebook is actually identity as a service because you are logging in with a Facebook identity. That's identity as a service. Somebody else's identity is being used wherever you want to use it. IDaaS as the way it is portrayed today in the business or enterprise market, all we've done, really, is offer software as a service. But the identity is not a service. Enterprises are still going to put their identities into the software as a service. So it depends on where in the pyramid you're servicing. Is it consumers? Is it SMB? Is it enterprises? Consumers are already at identity as a service. SMB is more at the identity software, or identity software infrastructure as a service. And the enterprise, depending on the use cases of the identity, at the top of the pyramid, will be the one that [has] the most legacy systems to accommodate and integrate, and [enterprises] have the most to lose. So for all those reasons, the top of the pyramid will probably move slower.
Does that mean that we are going to see companies like Facebook, Twitter and other companies that say, 'You can use your login'? Are they going to be competing in the identity as a service space?
Durand: Absolutely. And that was the original business I thought I was getting in. Fourteen years ago I thought I was building a consumer identity service. That's why it was called PingID originally. And I realized that I can't build an identity service if my identity can't talk to anything. We had to build software to connect identity before you could build an identity service to go anywhere. It's kind of like this: We didn't have the internet until we had routers. We had to route packets first, then put up a web server. Here we had to install identity infrastructure that was federated, and then we can run an identity service. It's a 15 to 20 year round trip.
Does this mean we're going to have more players in this market? Are you going to see more identity infrastructure as a service providers and more companies doing consumer IDaaS?
Durand: Yes. I think it bifurcates between enterprise identity and consumer personal identity. I think that personal identity is already at identity as a service. It's close to it. And I think IDaaS in the enterprise is going to be, as I said, software first, and then identity later because the liability shift for the enterprise is very different. The consumer is just signing up for a service. For an enterprise to actually take somebody else's identity and use it in their context, there has to be a relationship of liability if the service provider did it wrong. What if the identity provider that's offering up Andre's identity as a service in the enterprise does it wrong, and it's not me? The company's liable for what that did. There's got to be an agreement on liability there. That's a complicated, sticky wicket, which is why the enterprise identity as a service is not going to be quick.
So, for example, Blizzard Entertainment recently formed a partnership with Facebook where gamers can use their Facebook logins to sign up for or sign into Blizzard games like World of Warcraft. But if someone's Facebook account gets compromised and the login is used to get into Blizzard games and start making unauthorized purchases, who is liable?
Durand: You're on the topic. Who's liable? Because in theory, the identity provider is liable. But the question is are they really liable or are they indemnified? That's the issue. For a game, it's one thing. For a business with real money, it's another thing. We're going to have to solve the business problem of liability shift in order for identity as a service to be reasonable in the enterprise. And that's not a trivial deal.
There seems to be an increased focus on identity and access management lately. Do you feel there's been a change in the collective consciousness of, not just the enterprises, but the users and the security teams that they need to start getting identity right?
Durand: I think they recognize that their environments are changing, and they're seeing that the traditional ways in which they provided security [are] also changing. They recognized those ways have become a little less relevant. And that happens. And as we've said for the last four or five years, the big drivers of that change are cloud and mobile. Cloud and mobile are just changing the topology of things that we want to protect.
What about on the threat side? Is that moving the needle?
Durand: No doubt. Every company that I talk to is terrified that their systems are not in a position to detect, prevent or protect, or see a breach. We talk about network breaches all the time. But 78% of the breaches are really identity breaches. So we talk about network protection, but we experience identity breaches. And that's the disconnect.
Are enterprises concerned about specific types of threat actors, such as nation-state hackers or APT groups, or are they more concerned about the effect of a preventable breach on their brand?
Durand: I guess I can't speak for the mindset of the individuals because I'm not one of them. But at least from what I hear and observe in the conversations, there is a genuine fear of damaged reputation, and what a breach of confidence and confidentiality of personal information would mean to their brand reputation. And that's a board room concern because now you are talking about the public's perception of good will and the value of a brand. And there's nothing like destroying the value of a brand that's so hard-earned in such a short period of time because of a breach.
Do you think if the Target breach happened today, would the reaction be different because of how it happened? Specifically, that it involved compromised identity of a third-party vendor for Target? Because that element seems to have been overshadowed, and I'm not sure the general public is aware of that detail.
Durand: I think that's right. They don't know why or how or what. It's hard to say. Are we as a society being desensitized to a breach a day, and then all of a sudden it's just not as big a deal? You're really just saying, 'Well, everyone gets breached, and sooner or later it was just going to be their turn.' It's hard not to say that humans don't recalibrate to normal. There's actually a well-known biological state called homeostasis, and it's that humans adjust to the current conditions and they only notice change. If the current conditions are a breach a day, what they would notice is when the breaches stopped, not because there's a breach a day. It does seem like there is less news associated with yet another breach today than there was a year and a half ago to two years ago. Now there are even terms like, 'It's not if you've been breached, it's only whether you know.' They're not even saying, 'It's a matter of time.' They're really saying, 'You've been breached. You just don't know it.' There are those [who] know they've been breached and those [who] don't know they've been breached, and no one in the middle. I think that's all just recognition of a changing threat landscape.
Editor's note: Stay tuned for part two of SearchCloudSecurity's interview with Ping Identity CEO Andre Durand.