2017 Predictions: Identity and Security

What to Expect in 2017 - Predictions for Identity and Security

Transcript of 2017 Predictions: Identity and Security

Page 1: 2017 Predictions: Identity and Security

What to Expect in 2017 - Predictions for Identity and Security

Page 2: 2017 Predictions: Identity and Security

Copyright SecureAuth Corporation 2016

Today’s Speakers

ANDRAS CSER, VP and Principal Analyst, Forrester Research

STEPHEN COX, Chief Security Architect, SecureAuth

Page 3: 2017 Predictions: Identity and Security


Webinar Housekeeping

+ All attendee audio lines are muted
+ Submit questions via Q&A panel at any time
+ Questions will be answered during Q&A at the end of the presentation
+ Slides and recording will be sent later this week
+ Contact us at [email protected]

Page 4: 2017 Predictions: Identity and Security


Page 5: 2017 Predictions: Identity and Security

© 2016 Forrester Research, Inc. Reproduction Prohibited

We work with business and technology leaders to develop customer-obsessed strategies that drive growth.

Page 6: 2017 Predictions: Identity and Security


Top Trends Shaping IAM in 2017

Andras Cser, VP Principal Analyst

January 18, 2017

Page 7: 2017 Predictions: Identity and Security


Assess the impact of cyberattacks

› You don’t want to be on CNN headline news
› Security has shifted from a Director/VP/CISO/CIO IT problem to a CEO problem
› Data protection is a key concern
› Mobile and IoT present new challenges
› BYOD/user owned devices are here to stay

Page 8: 2017 Predictions: Identity and Security


Shift identity to the center of your threat detection ecosystem

› Perimeter is long gone (Can you give a laptop with VPN to every contractor and employee???)
› Identity has emerged as the new perimeter
› Holistic approaches for joiner, mover, leaver, attestation and self service processes
› Unified treatment of Application, Data, Endpoint, and Network access controls

Page 9: 2017 Predictions: Identity and Security


Agenda

› IAM is essential for business
› General IAM future requirements
› B2E IAM requirements
› B2B IAM requirements
› B2C IAM requirements
› IAM for IoT
› Forrester’s predictions

Page 10: 2017 Predictions: Identity and Security


Digital transformation drives IAM

Page 11: 2017 Predictions: Identity and Security


IAM is essential for today’s business and digital transformation

› Digital customer experience vs Security strength
› IAM must support profile and preference management
› IAM must protect privacy
› IAM must aid in helping protect sensitive data
› Mobile/any device support
› IAM must support BI

Page 12: 2017 Predictions: Identity and Security


General IAM future requirements

› Consumer-like user interface everywhere
› API security and availability of IAM services as an API
› Behavioral profiling built in
› Multimodal and multi target IAM (SaaS and on-prem IAM policy servers to support cloud and on-prem workloads)
› IAM becoming lightweight (microservices)
› Privacy and security must be built in

Page 13: 2017 Predictions: Identity and Security


Get a grip on cloud apps and cloud platforms

› Cloud migration: It’s no longer a question of ‘if’ but more like ‘how’ and ‘when’
› What data do you have?
› How sensitive is your data?
› Where is your data?
› How do you detect anomalies in accessing data
  › Users
  › Devices
  › Apps

Page 14: 2017 Predictions: Identity and Security


B2E IAM requirements

› Encapsulate data with identity to protect it
› Context, relationship and activity based provisioning, access management
› Federation built in between on-prem and cloud user stores
› Adaptive authorization to reduce recertification burden
› Recertification, role management and governance are the ultimate preemptive strike against data breaches

Page 15: 2017 Predictions: Identity and Security


B2B (Business to partners) IAM requirements

› Native organization and relationship management is a must
› IDaaS will gain adoption for access and IMG
› PIM as a service to support IT administration outsourcers and IaaS providers
› Custom and dynamic trust networks

Page 16: 2017 Predictions: Identity and Security


B2C IAM requirements

› Organization and relationship management
› Profile management plus self services, not just security
› MFA as a service, move to push notification from SMS messages
› Continuous authentication based on behavioral biometrics
› Wearables for MFA

Page 17: 2017 Predictions: Identity and Security


IAM for IoT requirements

› Massive scale
› Devices are the new kid on the block
  • Lifecycle, authentication, biometrics, API
› IAM systems have to handle people, apps, systems and devices
› Manage consent in IoT environments explicitly – this is to protect data and privacy
› Authorization v2.0

Page 18: 2017 Predictions: Identity and Security


Assess scale

› Today’s environments are 10x-100x bigger than what we had even 4-5 years ago
› 11 billion mobile devices
› 50-100 billion IoT connected devices (Forrester est.) – hard to patch, easy to attack
› Using IoT devices to perpetrate DDoS attacks has already been demonstrated in the Dyn DNS breach

Page 19: 2017 Predictions: Identity and Security


Forrester’s predictions

› IAM suites becoming much more loosely coupled than today
› IDaaS will do provisioning, governance and attestation, not just SSO
› B2C will spawn a new class of customer management services
› Fraud management and IAM / access control integration is key
› Behavioral profiling is to expand to certification and access request management

Page 20: 2017 Predictions: Identity and Security


Move from Signatures and Rules to Behavioral Profiles

Page 21: 2017 Predictions: Identity and Security


forrester.com

Thank you

Andras [email protected]

Page 22: 2017 Predictions: Identity and Security

SecureAuth 2017 Predictions Stephen Cox, Chief Security Architect 

Page 23: 2017 Predictions: Identity and Security


Consolidation Amongst Security Vendors

+ Too many security products
  – Too many alerts, too much to digest
  – Not enough budget
+ Products need to address multiple challenges
  – Provide actionable alerts, not just data
  – Help protect, detect and respond
+ Example: Analytics as a Feature
  – Behavior analytics: product or feature?
  – UEBA may disappear as a standalone market segment

Page 24: 2017 Predictions: Identity and Security


Identity Becomes a Pillar of Security

+ Everest sized mountain of data cultivated from breach analysis
  – Screaming for wider adoption of risk based authentication techniques
+ Stolen credentials are too easy to get
  – Obtained on dark web, used to quietly log in to an organization
+ Solving the visibility problem
  – Identity currently a blind spot for many organizations
  – Adaptive Authentication helps protect, detect and respond against breaches

Page 25: 2017 Predictions: Identity and Security


the password has become a “kind of a nightmare”

Prof. Fernando J. Corbato

Page 26: 2017 Predictions: Identity and Security


The End of the Password

+ Passwords are a completely broken technology
+ Not just buzz - it is happening, and fast!
+ We have the technology to do this today

Page 27: 2017 Predictions: Identity and Security


Fallout from the Yahoo Breach

+ What it means to the end of the password
+ The impacts in the security community
+ Large credential databases a gold mine to aggressive threat actor groups

Page 28: 2017 Predictions: Identity and Security


Another (Re)Emerging Threat - DDoS

+ DDoS is back!
  – Poorly protected IoT devices are to blame
  – The Rise of Thingbots - David Hobbs (Radware)
+ Doesn’t mean fewer attacks leveraging stolen credentials
  – DDoS a tactic, not a goal
+ Still relates to identity!
  – The “default password” issue
  – Poorly protected web properties

Page 29: 2017 Predictions: Identity and Security


It’s Time To Go Passwordless

+ Can achieve MFA without a password
  – Something you have, something you are
  – Analyze risk - identity is a pillar of security
+ Leverage the push-to-accept approach
+ Increase security without impacting user experience!
  – Good for verticals with difficult and demanding stakeholders

Page 30: 2017 Predictions: Identity and Security

Q & A

Page 31: 2017 Predictions: Identity and Security

Visit www.secureauth.com 

The intellectual content within this document is the property of SecureAuth and must not be shared without prior consent.