Identity & Access Management

Adaptive Access Control

0-2 years

Adaptive Access Control moves beyond access control based on a static context such as geolocation or a static risk score and leverages machine-learning and behavioral analytics to determine access based on a real-time assessment of risk.

Use cases

This technology can assess risk based on different factors of the accessing individual or device and allow or restrict access based on those factors. An example use case: on a Wi-Fi network operating in a public space, users could be assessed for vulnerabilities in their software, devices or other factors, then allowed or denied access to the network or resources based on that assessment. This access control could restrict access to sensitive information when users are out of compliance with certain security policies.
Organizations implementing this type of technology could use it to protect the data of travelling employees by allowing or restricting access to data depending on the geolocation of the device. Additionally, it could prevent access to sensitive information on a stolen device that has been moved out of an authorized area.
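As an added illustration of the decision logic this section describes (example code written for this page, not taken from any product): a request context combines static signals (device compliance, geolocation, a lost-device flag) with a real-time behavioral anomaly score, and the result is allow, step-up or deny. The signal names, weights and thresholds are assumed values chosen for the demonstration.

```python
"""Adaptive access decision: static context plus a real-time behavioral score.

Added example for this page; the signal names, weights and thresholds below
are assumptions chosen for illustration, not values from any product.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # grant only after a stronger authentication factor
    DENY = "deny"


@dataclass
class AccessContext:
    user: str
    device_id: str
    device_compliant: bool      # endpoint passed patch / EDR posture checks
    device_reported_lost: bool  # asset register flag for lost or stolen devices
    country: str                # geolocation resolved from the connecting address
    home_countries: Set[str]    # countries where this user normally works
    behavior_anomaly: float     # 0.0 normal .. 1.0 highly anomalous (from analytics)
    resource_sensitivity: str   # "public" | "internal" | "sensitive"


@dataclass
class RiskAssessment:
    score: int
    reasons: List[str] = field(default_factory=list)


def assess_risk(ctx: AccessContext) -> RiskAssessment:
    """Fold every signal into one additive score with a human-readable trail."""
    score, reasons = 0, []
    if ctx.device_reported_lost:
        score += 100
        reasons.append("device reported lost or stolen")
    if not ctx.device_compliant:
        score += 40
        reasons.append("device out of compliance with security policy")
    if ctx.country not in ctx.home_countries:
        score += 30
        reasons.append(f"access from unexpected country {ctx.country}")
    behavior_points = int(ctx.behavior_anomaly * 50)
    if behavior_points:
        score += behavior_points
        reasons.append(f"behavioral anomaly score {ctx.behavior_anomaly:.2f}")
    return RiskAssessment(score, reasons)


# (step-up threshold, deny threshold): sensitive data tolerates less risk.
THRESHOLDS = {
    "public": (60, 100),
    "internal": (40, 80),
    "sensitive": (20, 50),
}


def decide(ctx: AccessContext) -> Tuple[Decision, RiskAssessment]:
    """Map the risk score onto an allow / step-up / deny decision."""
    risk = assess_risk(ctx)
    step_up_at, deny_at = THRESHOLDS[ctx.resource_sensitivity]
    if risk.score >= deny_at:
        return Decision.DENY, risk
    if risk.score >= step_up_at:
        return Decision.STEP_UP, risk
    return Decision.ALLOW, risk


def _ctx(**overrides) -> AccessContext:
    """Constructed baseline request: compliant laptop, home country, calm behavior."""
    base = dict(user="alice", device_id="laptop-01", device_compliant=True,
                device_reported_lost=False, country="US", home_countries={"US"},
                behavior_anomaly=0.0, resource_sensitivity="sensitive")
    base.update(overrides)
    return AccessContext(**base)


def demo_scenarios() -> dict:
    """The situations from the text, each evaluated against sensitive data."""
    return {
        "normal_access": decide(_ctx())[0],
        # travelling employee: known device, unexpected country, slight drift
        "travelling_employee": decide(_ctx(country="FR", behavior_anomaly=0.1))[0],
        # stolen device moved out of the authorized area, operator behaves oddly
        "stolen_device": decide(_ctx(device_reported_lost=True, country="BR",
                                     behavior_anomaly=0.8))[0],
        # public Wi-Fi user whose software failed the vulnerability check
        "noncompliant_on_public_wifi": decide(_ctx(device_compliant=False))[0],
    }


if __name__ == "__main__":
    for name, outcome in demo_scenarios().items():
        print(f"{name:28s} -> {outcome.value}")
```

The same travelling-employee context drops to ALLOW for a "public" resource, which is the point of tying thresholds to resource sensitivity rather than to the user alone.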

Benefits

Reduced risk of unauthorized exposure of sensitive information to vulnerable applications or compromised/stolen/lost devices.

Verticals

All verticals

Challenges

Could be cost-prohibitive for organizations, or complicated to integrate with existing systems.

Customer Identity and Access Management

Customer Identity and Access Management (CIAM) is a method of authentication used by companies to capture and manage customer profile data while providing access to specific applications and services.

This method usually combines different factors that already exist in a company, such as single sign-on, multi-factor authentication, or access management.

Use cases

  • Unified profiles: by having a single profile for a user, access can be granted centrally, regardless of how the user accesses a specific service.
  • Regulatory compliance: more and more companies need to adhere to privacy and regulatory frameworks. Using CIAM can reduce the overhead and provide them with a centralized view of all the user information.

Benefits

Having a tailored experience based on the customer profile can help drive customer success and extend the capabilities of the offered services. It also allows customers to manage their data securely and gives them access to self-service, which greatly reduces the operational overhead.

Verticals

Healthcare, banking, retail as well as in other verticals where customer profiling brings benefits.

Challenges

Customers use many channels and methods for accessing a business's services, which sometimes makes it a challenge to centralize the information under one profile. Another potential risk is the sensitivity of the processed data, which can make it a high-priority target for threat actors.

Data Access Governance

0-2 years

Data Access governance (DAG) is a set of processes and tools that seek to reduce the risks associated with unnecessary access to sensitive data, wherever it may be located. As traditional Identity and Access Governance based on roles and entitlements is more mature in most organizations, the attention for many customers is turning to data. A DAG tool will discover the sensitive data where it resides, in structured or unstructured formats, and determine who has access to it. Increasingly, DAG tools are being integrated with Identity Governance and Administration (IGA) tools to provide a common tool for reviewing access.

Use cases

Data access governance can be utilized to consolidate data access management into a single pane, providing more visibility into access assessment and management. Organizations with different platforms, locations, on-prem and cloud services can reduce their management tasks.

Benefits

This technology can reduce risk of unauthorized data access by validating and enforcing permissions across various mediums.

Verticals

Any vertical with distributed data on different platforms, locations, on-prem and cloud services.

Challenges

Developing an inventory of all assets to be cataloged and implementing a complete solution can be a large up-front investment of time and technology. Not all types of systems, especially legacy applications and datastores, will have the capability to be managed by these types of systems without the services or resources needed to implement them.

Enterprise Digital Rights Management

0-2 years

Enterprise Digital Rights Management (EDRM) is a systematic approach to copyright protection for digital content. EDRM is a combination of identity and access management and encryption. EDRM protects content with the help of encryption by applying protection policies that specify permissions for different users and user groups to view, edit, download, print, save or forward specified content or types of content.

Use cases

  • Protection of video-on-demand content.
  • Protection of live-streaming content.
  • Ensuring the controlled distribution of application licenses.
  • Secure exchange of product information (at the design phase or during M&A processes).

Benefits

In the near future, EDRM solutions will likely leverage blockchain and AI-based approaches, which could prove more effective than the existing ones. With outsourcing and vendor dependencies for services, interoperability between multiple solutions will likely prove to be the most effective approach in the future.

Verticals

With online streaming platforms gaining popularity in recent years, Enterprise Digital Rights Management is becoming important to publishers of electronic media to keep their platforms profitable by making sure that there are no gaps in the protection policy.
Beyond media content distributors, any industry embracing digital transformation is keen to adopt EDRM to avoid the illegitimate use of its intellectual property.

Challenges

  • Scalability.
  • Conversion of usage policies into access rules.
  • Interoperability across multiple solutions.
  • Impact on user experience.

ID Analytics

0-2 years

ID Analytics is the introduction of machine learning and behavioral analytics into IAM processes. ID analytics builds on adaptive identity by utilizing machine learning to determine more specific risks based on trends and data patterns. The analytics will not only look at what a user has access to but how they are using the access to determine real-time risk and use this information in IAM processes such as access governance to deliver business value and improve end-user experience.

Use cases

  • Identify behavior that has not previously been seen in the wild.
  • Identify an anomaly, report to an analyst, and apply security control to data access depending on the assessed risk.
  • In high security organizations, this can provide visibility into zero-day threats and can provide active intelligence to analysts.

Benefits

  • It can provide insight into potential threats and identify anomalies in behaviors.
  • Based on these analytics, active security controls can be implemented providing faster response to potential threats.
  • Enhance access-rights security reviews, as well as recertifications and reconciliation of rights, over complex infrastructures with thousands of applications, users and objects.

Verticals

Public sector, defense, technology, telecommunications

Challenges

  • Cost
  • Scalability
  • Potential slow-down of access when risk is assessed on every access request

SaaS IAM

0-2 years

Besides its functionalities, IDaaS brings the IAM capabilities deployed as a SaaS. It helps ensure that users are who they claim to be and gives them the right access. IDaaS covers features like Single Sign-On, Multi-Factor Authentication, PKI, biometrics, and self-service user account management (password recovery).

Use cases

  • Enhanced user authentication (with capabilities to support MFA, SSO, biometrics, PKI);
  • Consolidated authentication sessions and centralized logging for increased risk mitigation.

Benefits

  • Protection against theft and unauthorized use of identity credentials, securing identities by enforcing stronger policies about credentials and log-in sessions;
  • Being a cloud-based solution, it will help your organization increase savings.

Verticals

Banking; Finance; Automotive; Manufacturing; Government; Education; Information Technology; Transportation; Healthcare

Challenges

SaaS product versions do not yet have feature parity with on-prem versions.

Trusted Third-Party Access

0-2 years

Trusted third-party access refers to the processes and assessment procedures applied to an organization's trusted third parties (e.g. business partners and suppliers) before granting them least-privilege access to internal applications and data, on-premises or in the cloud. The validation of the third party often involves an independent audit of its systems and of how the third party manages the roles and access privileges of its own employees.

Use cases

Trusted third-party access can meet the challenge of validating and enforcing security controls at third-party organizations. These processes and assessment procedures consolidate requirements for security control implementation.

Benefits

This type of certification, and the interfacing between security systems to validate controls, can reduce the time required to audit third parties for data access and can reduce the risk of data exposure at the third-party level by consolidating and communicating requirements.

Verticals

Healthcare, manufacturing, resources and services, telecommunications, and any others that transmit sensitive data to, or allow access to it by, third parties as part of their regular operations.

Challenges

The main challenge to adoption of this concept for validation of third parties is agreement among parties in various verticals on appropriate controls, from both a security perspective and the financial impact of implementation. Additionally, the vast number of current requirements is difficult to consolidate into a single system and may require different levels of effort for various verticals.

Unified Identity Security

0-2 years

There is a growing trend of consolidation among technology vendors, offering multiple services from the same vendor. This includes core functions such as IGA, SSO, and PAM, as well as other functions such as CIEM or trusted third-party access.

Use cases

  • IGA
  • SSO
  • PAM
  • CIEM
  • Third party access

Benefits

The ability to obtain more technologies from a single vendor, providing better integration and a more seamless user experience.

Verticals

All verticals are affected by this and could benefit. Buying all components from a single vendor is particularly appealing to small businesses due to simpler integration, reduced cost, and fewer vendors to deal with, at the expense of some functionality.

Challenges

Many customers already have technology in place and favor a best of breed approach, but this is changing.

Zero Password Authentication

0-2 years

Passwordless authentication is a type of identity verification of a user or process that does not require logging on to the system with a password, eliminating the associated usability and security issues. This form of authentication usually presents users with the option of logging in via a referral hyperlink, biometric recognition, or a special token delivered via text message or email. It can also build on other factors such as biometrics, single sign-on, and risk. It comes as an extension to the IAM framework and is not meant to replace or eliminate the use of the user/password combination, but to make authentication more seamless and transparent.

Use cases

  • Enhanced user experience: by using multiple biometric signatures, a user can have a quick and seamless authentication experience;
  • Behavioral biometrics: a user/password combination does not provide a real-world identity for the user. This can be addressed by using behavioral biometrics in conjunction with a user ID.
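The "referral hyperlink" and "special token delivered via text message or email" option above is usually built as a one-time login link. The following is an added example written for this page, not a product's implementation; it assumes the server keeps only a hash of the token, expires it after a short TTL, consumes it on first use, and binds it to the browser that requested it through a cookie so that a link opened elsewhere is refused.

```python
"""One-time e-mail or SMS login link for passwordless sign-in.

Added example for this page, not a product's implementation. Assumed design:
only a hash of the mailed token is kept server-side, the link expires after a
short TTL, it is consumed on first use, and it is bound to the browser that
requested it through a cookie, so a link opened elsewhere is refused.
"""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class MagicLinkService:
    def __init__(self, base_url: str, ttl_seconds: int = 600,
                 clock: Callable[[], float] = time.time):
        self.base_url = base_url
        self.ttl = ttl_seconds
        self.clock = clock
        # token digest -> (user_id, cookie digest, expires_at); a leaked table
        # yields no usable links because only digests are stored
        self._pending: Dict[str, Tuple[str, str, float]] = {}

    def issue(self, user_id: str) -> Tuple[str, str]:
        """Return (login_url, session_cookie): mail the URL, set the cookie on the requester."""
        token = secrets.token_urlsafe(32)   # 256 bits of entropy; the only copy goes out by mail
        cookie = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (user_id, _digest(cookie), self.clock() + self.ttl)
        return f"{self.base_url}/login/verify?token={token}", cookie

    def redeem(self, login_url: str, presented_cookie: Optional[str]) -> Optional[str]:
        """Return the authenticated user_id, or None for an unknown, used, expired or
        cross-browser link. The entry is popped on first lookup, so each link works once;
        a failed attempt also burns it and the user simply requests a fresh link."""
        token = parse_qs(urlparse(login_url).query).get("token", [""])[0]
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None
        user_id, cookie_digest, expires_at = entry
        if self.clock() > expires_at:
            return None
        if presented_cookie is None or not secrets.compare_digest(
                _digest(presented_cookie), cookie_digest):
            return None
        return user_id

    def purge_expired(self) -> int:
        """Housekeeping for links that were never clicked; returns how many were dropped."""
        now = self.clock()
        stale = [k for k, (_, _, expires_at) in self._pending.items() if now > expires_at]
        for k in stale:
            del self._pending[k]
        return len(stale)


def demo() -> Dict[str, Optional[str]]:
    """Constructed walk-through with a controllable clock."""
    now = [1_700_000_000.0]
    svc = MagicLinkService("https://login.example.test", ttl_seconds=600, clock=lambda: now[0])
    url, cookie = svc.issue("alice")
    first = svc.redeem(url, cookie)
    second = svc.redeem(url, cookie)                    # same link again: already consumed
    url2, _ = svc.issue("bob")
    elsewhere = svc.redeem(url2, "some-other-browser")  # right link, wrong browser
    url3, cookie3 = svc.issue("carol")
    now[0] += 601                                       # the TTL lapses before the click
    late = svc.redeem(url3, cookie3)
    return {"first": first, "second": second, "elsewhere": elsewhere, "late": late}
```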

Benefits

By using Zero Password authentication, the user authentication experience is enhanced and made easier which in turn gives better security. At the same time, there is a reduction in the total cost of ownership as user/password interactions decrease in number.

Verticals

Targeted verticals are those that rely heavily on standard user authentication, such as healthcare, banking, or the public sector.

Challenges

Zero Password technology involves having additional weighted factors in the decision process for granting authentication. These weights can sometimes be misread or poorly trained. At the same time, biometrics tend to drift slightly over time, which requires an adaptive biometric system that takes this into account.

Adaptive ID & Access Governance

2-5 years

Adaptive Identity and Access Governance provides automatic enforcement, fine-tuning and management of identity and access policies. Instead of defining a fixed set of policies and rules to manage identity and access provisioning, a dynamic policy management process is put in place which constantly refines the policies based on continuous risk assessment of the contextual data relating to user management, access patterns and provisioning requests. The refinement of dynamic policies will produce better identity and access certification campaigns through automation and demonstrate compliance on demand.

Use cases

Organizations with compliance requirements, including auditing and incident response requirements, can implement adaptive ID and access governance to manage the processes around granting and revoking access. Organizations with shifting compliance requirements, such as those with employees that move departments or locations frequently, can grant and deny access to resources without needing additional services to do so.

Benefits

With transient staff populations, organizations can manage large scale identity pools that have shifting responsibilities and roles. By utilizing machine learning and behavioral analysis, organizations can reduce staff time to manage different access requirements and focus on anomalous behavior.

Verticals

Public sector, defense, finance, healthcare

Challenges

  • A lack of the necessary implementation skills and a need for augmented support.
  • Organizations with these types of requirements may not have the required financial support to implement these types of controls or the security program maturity to have visibility over automated security controls.

API Access Control

2-5 years

An Application Programming Interface (API) is a set of protocols specifying how software components should interact and provide the required application function. API Access Control is a security measure to protect sensitive services and resources by establishing the trusted identities of API consumers and granting the correct level of access. Centralized API management solutions exist which provide the API access management function using a claims- or token-based approach.

Use cases

Organizations can provide microservices utilizing APIs that are secure and have access controls built-in. Devices and applications can have identities and provide an authorized interaction between these microservices and eliminate the use of tokens and other information passed over the request that could be used in various types of attacks.

Benefits

With secure APIs, each request carries an identity that built-in identity and access management evaluates to determine whether access is authorized, so exposure is limited. True identity and access management of API authorization can reduce the risk of man-in-the-middle attacks, hijacking of API keys, and replay attacks. By issuing identities to applications, devices and individuals, a more zero-trust-centric approach can be provided.
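To make the claims- or token-based approach from this section concrete, here is an added example (written for this page, not any vendor's code) of an API consumer presenting a signed bearer token and the API establishing identity before checking scope. Assumptions: HS256-signed JWTs with a secret shared by issuer and API, and single-use `jti` claims so that a token captured in transit cannot simply be replayed.

```python
"""Claims-based API access control with signed bearer tokens.

Added example for this page, not any vendor's code. Assumptions: HS256-signed
JWTs with a secret shared by issuer and API, and single-use 'jti' claims so a
token captured in transit cannot simply be replayed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Tuple


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_token(claims: dict, key: bytes) -> str:
    """Issuer side: sign the claim set (HS256) into a compact JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_segment(header)}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


class ApiGateway:
    """Consumer side: establish the caller's identity, then enforce its scope."""

    def __init__(self, key: bytes, audience: str,
                 clock: Callable[[], float] = time.time):
        self.key = key
        self.audience = audience
        self.clock = clock
        self._seen_jti = set()   # in-memory for the demo; share it across nodes in production

    def _verify(self, token: str) -> Dict:
        try:
            h, p, s = token.split(".")
        except ValueError:
            raise ValueError("malformed token")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            raise ValueError("unexpected algorithm")   # pin the algorithm, never trust 'alg'
        expected = hmac.new(self.key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise ValueError("bad signature")          # tampered payload or foreign issuer
        claims = json.loads(_b64url_decode(p))
        now = self.clock()
        if claims.get("exp", 0) <= now:
            raise ValueError("token expired")
        if claims.get("aud") != self.audience:
            raise ValueError("token issued for another audience")
        jti = claims.get("jti")
        if not jti or jti in self._seen_jti:
            raise ValueError("replayed or missing jti")
        self._seen_jti.add(jti)
        return claims

    def authorize(self, token: str, required_scope: str) -> Tuple[bool, str]:
        """Return (allowed, reason): identity first, then a least-privilege scope check."""
        try:
            claims = self._verify(token)
        except ValueError as err:
            return False, str(err)
        if required_scope not in claims.get("scope", "").split():
            return False, f"subject {claims.get('sub')} lacks scope {required_scope}"
        return True, f"subject {claims.get('sub')} granted {required_scope}"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed exchange: a good call, a replay, a scope violation, a forged payload."""
    key = b"demo-shared-secret-not-for-real-use"
    now = 1_700_000_000
    gateway = ApiGateway(key, audience="orders-api", clock=lambda: now)
    claims = {"iss": "idp.example", "sub": "device-4711", "aud": "orders-api",
              "iat": now, "exp": now + 300, "jti": "req-0001", "scope": "orders:read"}
    token = mint_token(claims, key)
    head, _, sig = token.split(".")
    forged = f"{head}.{_segment(dict(claims, scope='orders:write'))}.{sig}"
    return {
        "first_use": gateway.authorize(token, "orders:read"),
        "replay": gateway.authorize(token, "orders:read"),
        "wrong_scope": gateway.authorize(mint_token(dict(claims, jti="req-0002"), key),
                                        "orders:write"),
        "forged_scope": gateway.authorize(forged, "orders:write"),
    }
```

The forged-payload case fails on the signature check before any claim is read, which is why the signature is verified before `exp`, `aud` or `scope` are consulted.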

Verticals

Any organization utilizing APIs to interact with applications.

Challenges

Organizations may not use standardized APIs, and this could be a limitation to integration into these systems. Without a common protocol it could be difficult to implement true identity and access management for the API, rather than mere session management.

Dynamic Provisioning

2-5 years

Dynamic provisioning is an automated approach to granting a user access to IT resources and data based on a risk assessment of the access request. A behavior analytics platform with machine learning capabilities is used to constantly monitor user behavior and dynamically assess and adapt the risk score, enabling a real-time response to access requests and anomalies. Dynamic provisioning will eliminate the need for manual approvals, password authentication and re-certification.

Use cases

Identity and access management for large organizations can implement dynamic provisioning to perform functions that would normally require human interaction. This technology would allow people within a large organization to perform various identity management tasks on their own, with approvals granted through behavioral analysis.

Benefits

  • Reduced time necessary for management functions such as password resets, access to certain resources and more.
  • By not requiring human interaction for granting and denying access to resources, it can provide a more secure environment that validates the need for access and identifies unauthorized access attempts.

Verticals

Verticals with many third parties and partner organizations, including healthcare, education, and utilities.

Challenges

Efficiency and accuracy are the key challenges to adoption. Systems that use machine learning must learn behaviors to apply risk and these tasks can take additional time and financial support.

IAMaaS (Full Service IDaaS)

2-5 years

Besides its functionalities, IDaaS brings the IAM capabilities deployed as a SaaS. It helps ensure that users are who they claim to be and gives them the right access. IDaaS covers features like Single Sign-On, Multi-Factor Authentication, PKI, biometrics such as facial recognition and fingerprint, and self-service user account management (password recovery). The full-service offerings will include Identity Governance and Administration, Single Sign-On/Multi-Factor Authentication, and Privileged Access Security capabilities, and will at least have feature parity with the on-prem versions of each. The general trend is towards consolidation of functions into an integrated service offered in an “as a service” model.

Use cases

  • Enhanced Authentication in the process of user authentication (with capabilities to support MFA, SSO, biometric, PKI)
  • Build a behavioral profile of your users' authentication sessions for better risk mitigation.

Benefits

  • Protection against theft and unauthorized use of identity credentials, securing identities by enforcing stronger policies about credentials and log-in sessions.
  • Being a cloud-based solution, it will help your organization increase savings.

Verticals

Banking; Finance; Automotive; Manufacturing; Government; Education; Information Technology; Transportation; Healthcare.

Challenges

Customers may already have a technology that is different from the one the service provider has pre-integrated into the IAMaaS platform.

IDoT (IAM for IoT)

2-5 years

Identity and Access Management for the Internet of Things (IoT) refers to the management of the identity and access of highly connected digital or smart devices. The cybersecurity challenges around IDoT include credential abuse, the risks of using default passwords, data loss through eavesdropping, and consent management for sensitive data. IDoT will need a flexible identity lifecycle approach and a secure enrolment process for devices. Effective security controls such as encryption, authentication and authorization also need to be set up to safeguard access to personally identifiable information (PII).
Mapping the data produced by an IoT device relies on its identity. As there are many IoT devices generating sensor data, from data monitoring the health conditions of hospital patients to financial data being routed from and to IoT assets, the authentication technique should ensure reliable and secure communication between objects in an IoT environment. With PKI offering such identities, the IoT ecosystem can be based on authentication and establish secure communication between devices, services and users.

Use cases

  • Device/edge/server authentication for end-to-end security roles/rights management;
  • Secure communication, for example by enabling TLS handshakes;
  • Network/application access control;
  • Data protection through encryption;
  • Data integrity through digital signatures, code signing, etc.

Benefits

  • PKI or KMS make it possible to choose whether or not a device should get a digital ID that will be trusted by the rest of the network/users/applications.
  • They also guarantee that it will be possible to revoke an identity once it has been given to an object, because the object is compromised, misbehaving or obsolete.
  • They ensure trust continuity between the device production environment and the final user environment.
  • They guarantee interoperability between different stakeholders. In cooperative intelligent transport systems (C-ITS), only digital certificates compliant with the security standards, generated by a compliant PKI, can be trusted and used by the whole ecosystem. In this specific use case, they even guarantee the privacy of the users through the pseudonymization of the digital certificates used by the end-entities.

Verticals

All Verticals

Challenges

  • The administrative tasks related to certificate management, with certificates needing to be updated and maintained.
  • Secure identities and authentication have to be considered during the whole lifecycle of the IoT device, starting with manufacturing. Devices with insecure chipsets and IDs without authentication are not an exception.
  • Costs and lack of maturity. IoT security is still often considered a non-essential cost compared to the strong market pressure for new usages and additional data at low prices. This is a challenge, as digital IDs require security infrastructure and management during the whole life of the devices.
  • Limited computation power and energy: secure cryptographic algorithms require computation power, and IoT devices such as simple sensors may not have it. Managing cryptography may also cause higher power consumption, a critical aspect for IoT devices that must last several years on one battery.
  • Lack of standardization and communication protocols: the high number of communication protocols (proprietary, industry-specific, etc.) directly affects the efficiency of IoT deployments and, indirectly, the possibility of creating simple digital ID management systems.
  • The increase of compute capabilities outside of the cloud will bring increased complexity to the “edge”: this complexity is by nature less controlled and more exposed to security threats.
  • Secret protection: digital IDs are based on secrets that must be protected in an appropriate way. Private keys of digital certificates or symmetric keys should ideally be stored in secure elements. If this is not possible, trusted zones of processors may be used, even if they are less secure. If the secrets are not secured at all, the whole trust environment may be affected, and a security analysis must determine the related risk.

Continuous Authentication & Authorization

5+ years

Continuous Authentication and Authorization is the use of biometrics and behavior analytics to provide continuous verification of the actor behind a requested action and is a key tenet of Zero Trust. This can be achieved via techniques such as facial recognition or monitoring the normal cadence of interaction with an input device such as a mouse or keyboard to confirm that the actor performing the action is the same actor that was initially granted the access. The objective is to prevent one user from signing in then letting another user sit at their computer and impersonate them.
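The keyboard-cadence technique described above, as an added example written for this page (not a product's implementation): a baseline of inter-keystroke intervals is captured while the user is known to be legitimate, each subsequent window is compared against it, and a window that drifts too far triggers re-authentication while a matching window refines the baseline, which is the adaptive behaviour the Zero Password section says biometrics need. The intervals, thresholds and sample data are constructed assumptions.

```python
"""Continuous authentication from typing cadence.

Added example for this page, not a product's implementation. Assumptions: the
endpoint agent reports intervals between key presses in milliseconds; the
baseline is sampled while the user is known to be legitimate (e.g. right after
sign-in) and adapts slowly so natural drift does not trigger re-authentication.
"""
import statistics
from collections import deque
from typing import Deque, Iterable, Tuple

MIN_WINDOW = 5          # fewer intervals than this is not enough evidence either way
DRIFT_SIGMAS = 3.0      # how far the window's mean may move from the baseline mean
OUTLIER_FRACTION = 0.5  # share of single intervals tolerated outside the 3-sigma band


class CadenceMonitor:
    def __init__(self, enrolment_intervals_ms: Iterable[float], history: int = 200):
        self._baseline: Deque[float] = deque(enrolment_intervals_ms, maxlen=history)
        if len(self._baseline) < MIN_WINDOW:
            raise ValueError("enrolment sample too small")

    def baseline_stats(self) -> Tuple[float, float]:
        mean = statistics.mean(self._baseline)
        sd = statistics.pstdev(self._baseline)
        return mean, max(sd, 1.0)   # floor the spread so a very regular typist is not over-sensitive

    def score(self, window_ms: Iterable[float]) -> Tuple[float, float]:
        """Return (drift of the window mean in sigmas, fraction of outlying intervals)."""
        window = list(window_ms)
        mean, sd = self.baseline_stats()
        drift = abs(statistics.mean(window) - mean) / sd
        lo, hi = mean - DRIFT_SIGMAS * sd, mean + DRIFT_SIGMAS * sd
        outliers = sum(1 for x in window if x < lo or x > hi) / len(window)
        return drift, outliers

    def check(self, window_ms: Iterable[float]) -> str:
        """'continue' (same actor; baseline updated), 'reauthenticate' or 'insufficient'."""
        window = list(window_ms)
        if len(window) < MIN_WINDOW:
            return "insufficient"
        drift, outliers = self.score(window)
        if drift > DRIFT_SIGMAS or outliers > OUTLIER_FRACTION:
            return "reauthenticate"    # the session's risk changed: step up before continuing
        self._baseline.extend(window)  # adaptive biometric: legitimate windows refine the profile
        return "continue"


# Constructed samples: intervals for the enrolled user and for someone else at the keyboard.
ENROLMENT_MS = [110, 130, 120, 115, 125, 118, 122, 112, 128, 120]
SAME_USER_MS = [118, 124, 121, 116, 127, 119]
OTHER_PERSON_MS = [240, 255, 248, 262, 251, 244]


def demo() -> dict:
    """One session: the enrolled user keeps typing, then someone else takes over."""
    monitor = CadenceMonitor(ENROLMENT_MS)
    return {
        "same_user": monitor.check(SAME_USER_MS),
        "too_short": monitor.check(SAME_USER_MS[:3]),
        "other_person": monitor.check(OTHER_PERSON_MS),
    }


if __name__ == "__main__":
    for event, verdict in demo().items():
        print(f"{event:13s} -> {verdict}")
```

A real deployment would feed the "reauthenticate" verdict into the access policy as a raised risk rather than acting on it alone, so that a single noisy window does not lock out a legitimate user.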

Use cases

Access to applications or other resources.

Benefits

Transforming authentication and authorization into a continuous activity as opposed to a discrete event. If the risk associated with access changes, additional controls can be applied, such as requesting a reauthentication or stepping up to require a stronger form of authentication.

Verticals

All Verticals

Challenges

  • Where application access is direct between the user and the application, the application would need to support this feature.
  • Continuous verification will require biometric authentication such as facial recognition or the analysis of the cadence of interaction with the keyboard. These technologies are not widely deployed by default and feasible solutions are just starting to enter the marketplace.
  • Concerns regarding privacy are causing some to resist this concept. While the technology is not too far away, concerns regarding privacy and fears about “Big Brother” watching every move will indeed slow down the adoption.

Distributed Ledger for IAM & Self-Sovereign Identity

5+ years

Also known as Decentralized Identity, Self-Sovereign Identity is the use of blockchain technology to give the owner of an identity responsibility and control over the use of their identity information.
This new approach implies superseding the traditional central authority with a distributed ledger which gives overall control of data access to the end user. In other words, in applying the decentralized identity approach, where there is no central authority in play, the end user takes strategic control at the center of the board, selecting what and with whom they share their data at all times.
Some key concepts of a Decentralized Identity are:

  • Decentralized identifiers (DIDs) are a new type of identifier to provide verifiable, decentralized digital identity. These new identifiers are designed to enable the controller of a DID to prove control over it and to be implemented independently of any centralized registry, identity provider, or certificate authority.
  • Verifiable Credentials provide a standard way to express credentials on the Web in a way that is cryptographically secure, respecting privacy, and machine-verifiable. It also allows the credential owner to generate zero-knowledge proof of the credential, providing them with a privacy preserving mechanism for sharing data.
  • Decentralized Key Management System (DKMS): cryptography is one of the pillars on which blockchain technology is based, hence it is imperative to have a standard which defines cryptographic key management for decentralized environments where a central authority is not available.

Use cases

  • Verify education level by confirming that the owner of an identity attended a university and whether or not a diploma was received.
  • Allow an identity owner to control what data can be shared with a healthcare marketplace.

Benefits

Moves the control of identity data to the owner of the identity rather than a third party.

Verticals

Social Services, Healthcare, Education

Challenges

  • The compute and resource requirements, which create scalability challenges
  • Determining who owns and pays for the infrastructure and issues the IDs.

Generative Identity

5+ years

An entity is not defined by its identity; rather, identity is a notion assigned to an entity. Third parties recognize (identify) an entity based on its observable properties (attributes), interactions (relations) and behavior (physics), which allows its role within the observable universe to be established. Eventually, after iterations based on the above, a certain degree of trust is established between the parties. The Generative Identity concept approaches the identity domain from the opposite perspective, aiming to build an entity's identity in a given environment starting from a zero-trust context. For commercial use, the concept has direct benefits in identity tokenization (blockchain), mitigates the limitations of onboarding contexts and enhances the capability of online contracting of services (banking services, signing contracts, operation guarantee provisioning).

Use cases

Given the redundancy and distribution of identity data storage, generative identity offers new possibilities for identity recovery and for transaction proofing (contracting services, tokenization).

  • For identity recovery (due to imminent actions, disaster or other non-imputable reasons), based on a given set of historical transactions, an entity's identity can be restored from collective memory, which is always globally available. Generative Identity eliminates the disadvantages of blockchain because interactions are associative and not included in the identity concept itself.
  • In terms of interaction management, Generative Identity is a strong candidate to stipulate and restrict access to protected resources (assets) by smart contracting between any given configuration of identities (groups, individuals, multi-layered organizations), as an interaction is not limited by the number or topology of participants. Such an approach opens the gates for automation of many judicial verifications and proofs. This means that contracts can be signed globally with the same level of trust and the same financial cost, opening new commercial possibilities and market niches.
  • Given the technological evolutions in IoT, Generative Identity can ensure consistent interactions and transparency in the IoT ecosystem.

Benefits

  • Reduced transactional cost by cutting out bureaucracy.
  • Technology standardization enforces global and local policies with regard to human rights, including the rights to privacy and transparency.
  • Restorative – all transactions (interactions) are stored in a global network and are always available.
  • Regenerative – identities and security context can co-exist in a loosely coupled way across different technological and social layers, so that innovation can spring up independently at any layer.

Verticals

Financial services, Healthcare, Public sector, Security, Media & Telecommunication

Challenges

To push Generative Identity, a global infrastructure needs to be available and standardized. A generative identity is universal, hence mechanisms for global identity proofing require legislative adaptation and global standardization in terms of ethics and physics.

Prescriptive IAM

5+ years

Prescriptive IAM is an IAM solution that includes machine learning and behavioral analytics to provide real-time risk assessments and anomaly detection. The solution is also able to automate the triggering of actions based on the results of the analytics. These actions can include making policy and configuration changes, provisioning access changes that the analytics determined were necessary, or interfacing with an orchestration engine to automate external tasks.

Use cases

  • Access request and fulfillment
  • Identity and access governance
  • Dynamic birthright provisioning

Benefits

  • Reduction of the level of effort required to manage and maintain the IAM solution on an ongoing basis.
  • Improved end-user experience due to a reduction in the time to gain access to resources, as well as a simpler process for requesting access.
  • Reduction in risk, because the policy and configuration are adjusted and kept current based on risk.

Verticals

All verticals

Challenges

Customers will need to trust the decision-making by the machine learning to realize the full benefits of a prescriptive solution.

UMA (User-Managed Access)

5+ years

User-Managed Access is a profile of OAuth 2, an industry-standard protocol for authorization. It enables a person to manage access to their personal digital resources. Helped by a user interface, the owners of personal resources can control, allow, deny and delegate access based on the requesting parties.

Use cases

  • IoT – Intelligent Refrigerated Shipping Containers
  • Giving K-12 Students Control of Their Data
  • Users Managing Delegated Access to Online Government Services
  • Patient-Mediated and -Directed Health Data Sharing
  • State Health Information Exchange
  • Secure sharing of Higher Education Achievement Reports
  • Management and Sharing of Personal Accessibility Needs and Preferences
  • Any use case where privacy concerns exist regarding access to personal data, e.g. GDPR

Benefits

UMA gives your customers and employees a convenient way to determine who and what gets access to personal data, for how long, and under what circumstances.

Verticals

All verticals

Challenges

The main challenge is that best practices are missing.