Post on 08-Feb-2017
What to Expect in 2017 - Predictions for Identity and Security
Copyright SecureAuth Corporation 2016
Today’s Speakers
ANDRAS CSER, VP and Principal Analyst, Forrester Research
STEPHEN COX, Chief Security Architect, SecureAuth
Webinar Housekeeping
+ All attendee audio lines are muted
+ Submit questions via Q&A panel at any time
+ Questions will be answered during Q&A at the end of the presentation
+ Slides and recording will be sent later this week
+ Contact us at webinars@secureauth.com
© 2016 Forrester Research, Inc. Reproduction Prohibited
We work with business and technology leaders to develop customer-obsessed strategies that drive growth.
Top Trends Shaping IAM in 2017
Andras Cser, VP Principal Analyst
January 18, 2017
Assess the impact of cyberattacks
› You don’t want to be on CNN headline news
› Security has shifted from a Director/VP/CISO/CIO IT problem to a CEO problem
› Data protection is a key concern
› Mobile and IoT present new challenges
› BYOD/user owned devices are here to stay
Shift identity to the center of your threat detection ecosystem
› Perimeter is long gone (Can you give a laptop with VPN to every contractor and employee???)
› Identity has emerged as the new perimeter
› Holistic approaches for joiner, mover, leaver, attestation and self service processes
› Unified treatment of Application, Data, Endpoint, and Network access controls
Agenda
› IAM is essential for business
› General IAM future requirements
› B2E IAM requirements
› B2B IAM requirements
› B2C IAM requirements
› IAM for IoT
› Forrester’s predictions
Digital transformation drives IAM
IAM is essential for today’s business and digital transformation
› Digital customer experience vs Security strength
› IAM must support profile and preference management
› IAM must protect privacy
› IAM must aid in helping protect sensitive data
› Mobile/any device support
› IAM must support BI
General IAM future requirements
› Consumer-like user interface everywhere
› API security and availability of IAM services as an API
› Behavioral profiling built in
› Multimodal and multi-target IAM (SaaS and on-prem IAM policy servers to support cloud and on-prem workloads)
› IAM becoming lightweight (microservices)
› Privacy and security must be built in
Get a grip on cloud apps and cloud platforms
› Cloud migration: It’s no longer a question of ‘if’ but more like ‘how’ and ‘when’
› What data do you have?
› How sensitive is your data?
› Where is your data?
› How do you detect anomalies in accessing data?
  › Users
  › Devices
  › Apps
B2E IAM requirements
› Encapsulate data with identity to protect it
› Context, relationship and activity based provisioning, access management
› Federation built in between on-prem and cloud user stores
› Adaptive authorization to reduce recertification burden
› Recertification, role management and governance are the ultimate preemptive strike against data breaches
B2B (Business to partners) IAM requirements
› Native organization and relationship management is a must
› IDaaS will gain adoption for access and IMG
› PIM as a service to support IT administration outsourcers and IaaS providers
› Custom and dynamic trust networks
B2C IAM requirements
› Organization and relationship management
› Profile management plus self services, not just security
› MFA as a service, move to push notification from SMS messages
› Continuous authentication based on behavioral biometrics
› Wearables for MFA
IAM for IoT requirements
› Massive scale
› Devices are the new kid on the block
  • Lifecycle, authentication, biometrics, API
› IAM systems have to handle people, apps, systems and devices
› Manage consent in IoT environments explicitly – this is to protect data and privacy
› Authorization v2.0
Assess scale
› Today’s environments are 10x-100x bigger than what we had even 4-5 years ago
› 11 billion mobile devices
› 50-100 billion IoT connected devices (Forrester est.) – hard to patch, easy to attack
› Using IoT devices to perpetrate DDoS attacks has already been demonstrated in the Dyn DNS breach
Forrester’s predictions
› IAM suites becoming much more loosely coupled than today
› IDaaS will do provisioning, governance and attestation, not just SSO
› B2C will spawn a new class of customer management services
› Fraud management and IAM / access control integration is key
› Behavioral profiling is to expand to certification and access request management
Move from Signatures and Rules to Behavioral Profiles
forrester.com
Thank you
Andras Cser, +1-617-613-6365, acser@forrester.com
SecureAuth 2017 Predictions
Stephen Cox, Chief Security Architect
Consolidation Amongst Security Vendors
+ Too many security products
  – Too many alerts, too much to digest
  – Not enough budget
+ Products need to address multiple challenges
  – Provide actionable alerts, not just data
  – Help protect, detect and respond
+ Example: Analytics as a Feature
  – Behavior analytics: product or feature?
  – UEBA may disappear as a standalone market segment
Identity Becomes a Pillar of Security
+ Everest sized mountain of data cultivated from breach analysis
  – Screaming for wider adoption of risk based authentication techniques
+ Stolen credentials are too easy to get
  – Obtained on dark web, used to quietly log in to an organization
+ Solving the visibility problem
  – Identity currently a blind spot for many organizations
  – Adaptive Authentication helps protect, detect and respond against breaches
the password has become a “kind of a nightmare”
Prof. Fernando J. Corbato
The End of the Password
+ Passwords are a completely broken technology
+ Not just buzz - it is happening, and fast!
+ We have the technology to do this today
Fallout from the Yahoo Breach
+ What it means to the end of the password
+ The impacts in the security community
+ Large credential databases a gold mine to aggressive threat actor groups
Another (Re)Emerging Threat - DDoS
+ DDoS is back!
  – Poorly protected IoT devices are to blame
  – The Rise of Thingbots - David Hobbs (Radware)
+ Doesn’t mean fewer attacks leveraging stolen credentials
  – DDoS a tactic, not a goal
+ Still relates to identity!
  – The “default password” issue
  – Poorly protected web properties
It’s Time To Go Passwordless
+ Can achieve MFA without a password
  – Something you have, something you are
  – Analyze risk - identity is a pillar of security
+ Leverage the push-to-accept approach
+ Increase security without impacting user experience!
  – Good for verticals with difficult and demanding stakeholders
Q & A
Visit www.secureauth.com
The intellectual content within this document is the property of SecureAuth and must not be shared without prior consent.