Event Recording

Panel | What does the future hold for Identity and Access Management?

Log in and watch the full video!

Digital identities of customers, devices and services are at the core of the digital enterprise today. However, traditional IAM is riddled with complexity and siloes. Building a modern Identity and Access Management requires seamless integration and secure access of everyone and everything. This panel explores what the future holds for IAM and provides a blueprint to ensure a modern, secure and flexible identity foundation that breaks down legacy identity siloes.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
For those, we haven't had the chance to watch your session before maybe we really started with a quick introduction, Leonardo, feel free for the first introduction.
Yeah. Thank you. Thank you, Christopher. Yes, indeed. Leonardo Morales is my name employee from Simmonds in Germany presenting just one minutes ago. The IM how important is it's key all on the zero trust strategy, and we will have a further look on what IMS will bring for the future.
Perfect. Paul, a few words about you.
Hi. Yeah. I'm Paul Fisher lead Analyst with Kuppinger. I spoke at the start with a general run through, on some of the options for using a manage service provider for access management and that's seed to kick off a discussion about the value of AI in am. So that was interesting.
Yeah. So let's start, maybe not within AI discussion, maybe that's something you can do in your open table round. I will join then two, because it's a fantastic topic. What is real AI and whatnot? Let's start about the first one. How much longer will password still be a focus for identity and access management? Will there always be a place for them in some environments? And I'm happy to ask this question to Leonardo because we had this from the audience.
Okay. Okay. I think it's a matter of time and also we're moving forward case by case. I see, I do see that password will be replaced for end user use cases in a very short time. We can think of in, in, in the course of the next three or five years for user scenarios, we can count on multifactor. Bio is getting rid of password this for the end user use cases, but we also do see and have the enterprise where machines machines communicate or will have non trust legacy devices and not attending those protocols and not, not able, not able to manage a multifactor, our modern authentication. We will continue dealing with passwords in that sense and thinking also on, on, on the zero trust capabilities that Pam solutions can bring in into that. I think this, this will remain quite some time. We will continue working on modern authentication also for OT and for OT and legacy systems and manufacturers. It will, it will exist coexist for, for a certain time.
Absolutely. Especially for operational technology. That's a big thing, even how you handle it, whether it's an identity as well, responsibilities and all that stuff. But this is an interesting topic, but we'll break our panel for today. Paul, your thoughts about the future of passwords in identity and access management?
Well, passwords have been with us for a long, long time, and people have been talking about the end of passwords for a long time as well. But I think Leonardo is, is correct to say that it depends on the application. So I think we are moving towards certain parts of identity access management, where we'll, we'll be able to get rid of passwords. But I think in more general areas, for example, where we in talk about end users or customers, consumers, it's very hard to wean them off passwords. There, there is some kind of high between people think that a username and a password is, is a secure way of logging into something.
The, the problem is I think that, yeah, even the alternatives pass was yet are not perfect. You know, so we talk about biometrics or facial recognition or pass fingerprinting, et cetera, but don't quite often add an extra friction to the authentication process rather than reduce it. And they don't always work either. So I think from a, from a, a user perspective from, from the end point or say that the, the human user sitting in front of an application may well still use the process of a username and a password, but we may well be able to then behind scenes actually not use a physical password to give access, we can then move, convert it somehow to a certificate or some kind of encryption, or even some variation of a blockchain, or yeah. What do we, a non fungible object, you know, there is research going around those areas that would, I think, have more potentially getting rid of passwords completely and, and throughout the whole authentication process. But I, I, I do think that we'll still be using passwords in 10 years, for example, and probably longer, but I think we are finally seeing progress in privileged access management is an area that I spend a lot of time looking at that we are gradually moving towards the end, perhaps of password vaulting and password rotation and into something a bit more sophisticated and ephemeral and just in time.
Absolutely. And I, I mean, even as a, or as a normal customer, you see usually multiple ways of password, less, whether it's sending you an email with an authentication link and you don't have to enter credentials. That's the easy example, but it depends a little bit on, on the ity here, because if your mail mail account is breached, the password is exposed somewhere and someone gets accessed and he can access everything just by clicking on those links and requesting access. So risk management is again, very interesting topic and the, the NFT or using NFTs for authentication, I'm really looking forward. What will happen in that area, whether you can use your 50 $500,000 or assume ape for accessing something because you are the owner, that's also very future stuff, but it could be that we use something like that. Next question would be how far can conventional privileged access management support the continued drive towards just in time access to dynamic resources and the new cm products coming to the market. Maybe we start with Leonardo,
Yeah. Is absolutely mass in our zero trust strategy. We, we account on identity verification, identity proving. We are convinced that we can manage the access of an identity and how trustful an identity is providing, granting them access. But we see, especially for, for the administrative operations, for OT, we need in accounting, very strong on, on time solutions, especially when we deal with shared accounts that no one's own is, is not subjected linked to the one single identity. And when there is not only about that, who has access to what is about who has done, what, who has modified things who got recorded by changing things in behind the scenes. And this is the, the, the most important part for me, not only that the time is managing the credentials for the access is also getting the control of what has been done on, on, on the operational side activities, recording video recording. And this, this will remain. This is for us, is so, so important to maintain, especially for shared accounts, which, which we use for functional services for, for functions, identities, and services,
Paul, your thoughts about,
Yeah, I kind of touched on it in my earlier answer. Suddenly. I think the Pam vendors are realizing that in the dynamic environments that we're talking about, and we talk about dream cetera, dynamic resource attachment, access management, that the traditional password vault, the password rotation, the checking in and checking out of passwords is not agile or fast enough for the type of work that's now typically being done in the cloud, particularly among developers, DevOps, those sort of people. And it would seem that we are moving towards a, just in time paradigm or just in time culture of giving people privilege access for a limited time and exactly when they wanted and, and then switched off. And we can also this, which is kind of like contradict what just in time is, but some you can actually now have just in time on a regular basis.
So if you need access every afternoon at 2:00 PM to a certain resource, then that can be set up. So, which brings in the convenience side of it. But I definitely think that time is kind of splitting into two camps now, which, and, and many vendors have their feet in both camps. So they are, are serving the just in time market and the ephemeral access, et cetera. But they're also keeping password vaults password rotation simply because many customers actually prefer that they, they actually like having passwords in a vault and they feel it's easier to manage. It's, you know, it's, it's encrypted, it's secure. So I think we might see, so Pam for perhaps less dynamic environment. So the more traditional parts of Pam where an admin will, you know, do updates on endpoint, et cetera. And then we'll see for just in time merging a little bit overlapping with cm.
And then that becomes part of dynamic resource access management area. That there's definitely quite a lot happening in the pan market with different vendors, new entrants, new people, sort of serving, you know, specific markets rather than trying to be hand for everything. Some vendors are not bothering it, for example, endpoint privilege management, because they don't want to have agents and they don't want to then have their customers have to support those agents, et cetera. So it's, it's kind of a market which is covering all the bases, but at the same time separating, you need to slightly specialized areas.
Absolutely. Our next question, we already discussed a little bit when talking about NFTs and password, less email communication, but maybe it's worse to dive a little bit deeper and what can companies do to improve the authentication experience for customers? So it improves security, but also convince for, for them maybe louder again.
Yeah. I see, personally, as I went with situation, I see it allows a user to get rid of, of passwords and long passwords. And the complexity of passwords has, has increased also for, for different accesses. And we, with counting on one side on the one hand side was seeing the side on multifactor authentication, but is quite convenient for the user. And it is, is it has it it's complexity because of the strategy for the identity enabling of multifactor application enabled application security level. So to take the, the right decision based on the trusted identity. And, but this will, it's required for people who is, is, is not, is not going with the times of, of modern authentication and for companies where have to roll out all the mobile devices where people can use via keys or mobile phones or authentication apps to get authenticated that generate costs, especially for us in our manufacturers, we accelerate the access to our environments and to people to get, to improve their skills and get more knowledge from the, from the 365 universe. And that forced us to bring in more devices, modern authentication spend is, is an investment for, for the company itself. But on, on the one hand side, the user would get some benefits from that, with, with part of that utilization move and accelerate the business continuity. This is, is a mix, but it's the right way,
Paul, but yeah,
Well, Christopher, I guess you, you, you are talking about customers as in all of us consumers,
Yeah. So I, I think let's talk about McDonald's again, once upon a time you went into a McDonald's restaurant and you had to stand in a queue impatiently waiting to make your order, and then you had to wait again for it to be made. And then you got annoyed because people pushed in front of you, et cetera. And then recently, or a few years ago, McDonald's introduced those kiosks so that you order your own meal and you pay there. And then, and it kind of is, is suddenly it's a stress for experience. And I think I was at a conference just a few weeks ago, and we were talking all about the customer experience and we need to somehow replicate the real world experience of, of buying stuff or logging or going to a, a bank site or something else at the moment requires username password.
We need to make it as seamless and friction free as possible because that's easier said than done, which is why we still have, you know, username and passwords for various sites and why we all have different accounts for lots of different organizations online. And I think, again, I can this idea that there is some interesting work being done with, you know, digital identity in that we as individuals, you know, build up a certain footprint of what we do online and what we buy and what we visit and stuff. And the concept is that we can, that becomes a unique identity. The problem with that is I think that it's not in the control of the consumer. It's almost, to be honest to me, it's like another way of using what should be private as a way of authenticating, but there could be some mileage in creating some kind of digital identity that is controlled by the user that they perhaps decide what digital information is gonna be attached to.
That kind of, I don't know, like a snowflake, maybe that's the best way to describe it, sort of thing that it would end up being. And that's where you come into the idea of an NFT. So you would have your own unique non fungible identity, which you can then use from one site to the other, which would then get away, would do away with passwords and usernames altogether. Of course, it's early, early days, this, this identity could potentially still be stolen. So if, if your unique identity was, was stolen and they would access to everything even worse than losing just one username password for one site. So there has to be ways of encrypting that and making it completely non fungible and also cannot be altered or moved without the owner knowing. So that's bit of future gazing, but I, I think the breakthrough will probably come in consumer space of improving identity and access management, which then may then go into the commercial world.
Yeah, perfect. Already. We almost achieved the end of this panel discussion, but it's time for the actually
Christopher, just before we go.
No, I have one more question.
Oh, you do? Oh, I
Thought you had, but then you, can, you joke whatever it is. Oh, last question, please take care of the time. I think one, one to two minutes is, okay, what will identity and access management look like in 10 years from now? Will we have secure identity, decentralized and federated across private and public network? And is that the future we want Leonardo,
I do strong believe that we will, we will have decentralized entities used for the in and use our consumers. And as, as far as we see that, how accelerate it world, that one big cut of, of it represents 100 year human being is, is, is moving so fast that I, for the end user consumers in the commercial markets, I think that is, that will come in the future and finally ends up with the kind of decentralized identity. And for enterprise is something that will, will take some would take longer.
I, I think, yeah, I think we'll get there, but I think we have to ensure that the consumer, the individual has agency over whatever we come up with. So it's not organizations or big companies that are controlling identity, but is it the individual? And that can be true of commercial organizations as much as the consumer interfacing with, with enterprises. So, yeah, I think we'll, I think we'll still some real progress on, on that the next 10 years.
Absolutely. And you wanted to state something,
But no, I just, I wanted to ask Leonardo what the car was in on the picture behind him. Is it,
This is Nissan.
It's a
Nissan's hundred 50, right? That was, was I expected
370, ah,
70. Next
One. That is exactly in Sanford and the race track.
Cool. One in Holland. Okay. Thank you very much, Leonardo. Thank you very much, Paul. You're welcome. Great panel. Great input. Thank you very much and have a good day.
Thank you.
Thank you.

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Erfolgreiche IAM-Projekte: Von Best Practices Lernen

Häufig beginnt die Suche nach einer Identity-Lösung mit einem ganz konkreten Schmerzpunkt im Unternehmen. Ein nicht bestandener Compliance-Audit wegen überhöhter Zugriffsberechtigungen, technische Probleme, wegen komplexer Systeme frustrierte User und eine…

Event Recording

The Role of Managed Security Service Providers (MSSPs) In Your Future IAM Application Landscape

Trying to “do identity” as a conventional IAM or Security workload with in-house resources and vendor platform deployments may not satisfy identity and access today’s requirements for IaaS, PaaS, databases and other cloud infrastructures. There are now a growing number of…

Event Recording

The IAM Fabric and How It Integrates With Your Cybersecurity Program

Architecture, operating model and governance are key viewpoints for every business as a whole and its subdomains as well. Depending of size of the organization, information security may be managed as single domain or divided into multiple subdomains. Viewpoints and domains are still static…

Event Recording

Identity Management and its key role in the Zero Trust strategy

Since any resource access is subjected to a “Zero Trust enabled” step-by-step process, where  policy engines define and enforce the appropriated access level, apart from device, network, identity systems and resources, we need also a “ZT enabled” identity…

Event Recording

Expert Chat: Interview with Neeme Vool

KuppingerCole CISO Christopher Schuetze engages in a fun discussion with Swedbank's Neeme Vool on what the future holds for Identity and Access Management.

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00