Rakesh Tripathi: Future of Identity Management

I will try to focus for first 15 to 17 minutes of the time, just to go through and, and cover some of the future trend. So please go onto the next slide.

So yeah, this is the agenda I would like to cover today is starting from the evaluation of identity access management. Then we'll cover, of course the identity access management trend, and, and then we'll conclude on it. So next slide please. So the current trend is obviously is start with that, that how we have reached up to that stage. So I would cover into the next slide and, and take you through that.

Why entine access management has been a crown trail of cyber security, and there has been a reason based on the, the feedback we getting from, from the organizations and based on some research recently been done by foresters and the pulse security. So if you see the top challenge is still, even after many years in the, the space of identity access management journey is still 62%. Over-privileged employee access is a problem for organization. And even when we look for the, what is the top priority, do you state for identity access management?

71% of organization is still considering identity and access management as, as their top priority. Following of course, the data leakage prevention, which is from the data prevention and privacy point of view is a very critical for everyone, but you see that identity and access management is still topping the chart, which is a, a, a reason we, we need to understand that how the technology is going to support to solve some of these challenges and problem. I will take you through as few other facts as well, just, just to give things in the context.

So even at this stage 83% organization, they do not have a mature identity access management platform and, and many of the attacks and, and the breaches we are seeing, they are still related to some basic security hygiene practice related to, to the weak credential. And, and that's been the main reason for the compromises. So I thought like it's just to, to, to, before we begin the journey and looking into the evaluation of identity and access management, these are the trend I just wanted to highlight.

So please, next slide. So this is the evolution of identity and access management, just to see that how identity and access management has been evolved over the years. So what I try to do here, just to paint a two dimensional picture, just to see that how technology and the, the user base evolve as user base evolve, the technology is also coming up with the new concept of identity and access management, but how it has changed over the period. And then accordingly we'll see that the, how the trend bud lies in future.

So we started pretty much in 1970s or so when the, the computer was introduced and Unix and, and, and those platform came along, but at the time it was more perimeter based sort of a environment.

And, and the devices were more like standalone devices, and they are typically based on the access control list, the, when it comes for right indexes management point of view, there was not much to do because the exposure of, of technology and, and, and perimeter was very, very less so a normal access management practice was good enough, but as we moved along and when the, the internet became a bloom in the 1990s, then the true identity access management concept metalized.

And then we started seeing the, a lot more technology coming to support this, this as a concept at the time, if you look, the user base was also changing. So it was not only limited to the employees, but just to provide a secure and sustainable it service a lot more service provider was coming along to support this. And then that the concept concept of federated identity is, is become more important later on as we go in, in, in the journey then by the 2006 or so, even the SSO concept become quite popular just to have a better user experience to support identity and access management.

And, and at this time, one part is, is getting very, very important here. And I would, I would like to bring your attention here is that as we reaching towards the 2010, and obviously the introduction of this cloud become one key focus where the Perter, what started getting demise. So the Perter which we used to have, and the concept of identity access management, making sure that, that we secure it from, from, from the inside out was slowly Deming.

And, and, and, and, and the technology was evolving not, and not around the typical sort of client server based model you have, but it was more evolving towards the microservice based platform.

So this has been another sort of a, I would say tipping point where the identity access management slightly start moving from centralized to decentralized way, because, because of the, the, the, the, the huge adoption of the cloud platform in 2014 and 15, when the cloud started getting matured a little bit, then we have seen a trend going into that area where the, the disruption of central identity started to begin.

And then at the time it was more important to how we can stabilize this by bringing other technology, like, bring your own identity or the C and, and also the how to cover this challenge of demise of the complete parameter or the complete demise of the parameter and leveraging all these API services or so, so this is just to, and, and, and, and this time, even the user base is not only limited to, to the employee partners and also the consumer, but the new introduction of the lot of the device is also going to access your environment.

And that also can become a sort of a security problem, which it is not managed properly. So introduction of bots, introduction of the internet of the things become a challenge. So there's the last part I just want to focus here is that's where the future probably going to lies in the next few slide. I'm going to probably talk more about that area, but I just wanted to show that, and then to interconnect that, how this evolve over the time.

So, so the next, the big shift we are seeing is, is the, is the, is the decentralization of the identity where we need to start looking more around the digital laser waste technology, more likely blockchain, or having like self Sonia identity. So these concept we would see in near future would have a lot more focus and our, our identity and access management trend would be also coming along to support, support this, this new way of, of managing your identity access management.

I was on early presentation and I, I, and few of the, the colleague presenter, who, who also raised a very good point when I was just listening to them. And, and it was very interesting that, that, that what is the future is going towards the, the, the, the government's involvement for making this decentralized identity as, as a trust source, where rather than organization need to manage these identity by them as they used to do. But as a user base is, is expanding how the government can, can, can also probably start supporting.

So this is the another area probably it would evolve in future where using the technology, like self identity, having the blockchain and having a, a trusted infrastructure, which is vouched by the government where the onboarding of the users and consumer is not going to be a responsibility of, of individual organization rather than they would be leveraging more from, from, from the, these trusted body. And then the, the overall journey for customer management and also including the user management would be a lot simpler when we reach up to that point. So next slide, please.

So I would like to just dive into briefly into some of these trends. I had picked up for our discussion today, or for presentation. So in the next one, please, I've got a couple of slides here. So these five area, I will probably briefly touch base with the constraint of the time we have, but I think it would be PR pretty much building on what I have said in this evaluation slide earlier.

So, so the flavor of, of the time in identity access management, there are a lot worse where we are hearing, but they are quite related. And I thought like, maybe we touch base very briefly. So we got like these five items, which we, we need to really watch in next few year that how they actually evolve and shape the identity management future. So let's go into the next slide and then we'll pick up one by one. So zero press is, is the area, which is we, we are hearing a lot.

And, and I think this is something, unfortunately, the trust is incorrectly implemented in digital world. It was actually never mean to be so, so, so, so making sure that we follow the principle of not trusting anything, but verify everything is, is, is the concept. It need to be built up. And all of our technology component process and identity and access management practices need to be adjusted accordingly. So we can support this, this model.

We, we have seen based on the recent survey that even even the geo trust as a concept brought in by a Forester researcher, his name is John kinder back in 2010, but it, it, it is, is still not up to the met UT level where we should be in last 10 years, time, only 29% organization currently have adopted this as a model, or they have got some project underway. So there is a, is still a huge gap where many organization haven't even thought about, or haven't got any project to, to, to control this, this particular area or, or problem statement.

So this is something we need to watch in near future that how this would evolve to support identity and access management paradigm. Next slide please. So this is just to build up onto the, the zero trust. So the principle of zero trust is, is start from, from, from nothing. So trust nothing but verify everything. And that's the core principle, but it is also supported by four other principle. So we can say that it's it's, you have to always identify making sure that we have a single source of identity. We make sure that we always reauthenticate.

We use technology like multifactor authentication. So that cover the, the identification part up to a level where the trust cannot be misused moving to the always control is always going to be the principle of least privilege, no matter whether it's a low risk item, but make sure that this get applied always analyze is, is, is just to ensure that all the identities are based on the, the context you established by correlation and leveraging the technology like C or so.

So your identity source is not based on just the static parameters, rather than it's based on the dynamic contextual information to support your identity use cases. And of course, we have to always secure it with the keeping the protection of the data life cycle throughout. So this is the zero trust is, is, is an area we need to need to wait and, and watch that how it, it change in near future time and how the, the existing technology can be benefit from this trust zero test as a model and how they would adopt into the practice. Next slide please.

So the behavior biometrics is the next topic is, again, as we have seen that this the market or behavior biometrics is, is the, is expected to go 462 billion pound by two, 2027 with the annual growth rate of 25%, which is used. And even we see that biometrics has been a, a technology which has supported identity access management deployment and, and with the use of mobile phones and the tech and adoption of this technology and the ease biostatic biometric has been a, a very big hit.

And, and we are seeing that many organization is, is adopting this as a, as a main mechanism to achieve a strong authentication, but there are some fundamental problem with the, with the, with the static or traditional biometric identity or physical biometric identity, is that if it is lost or stolen, then the trust of use that is also lost because you can't really replicate you, you can't really, you can't really change your, your, your biometric identity. You can change your behavior, but you can't change your biometric identity. And that's where the behavior biometrics comes in play.

It is based on not just the physical aspect of it, but also it utilize the, the other attributes based on the user's behavior, using things like that, how do they use keyboard, how they use the mouse, how they hold phone or devices, they, they is going to be used to define their biometric authentication.

And, and that's, I think going to be another key area for adoption of, of that identity and access management technology, and also to cover some of the, the future challenges or concern where the password has been a really problem for, for a long time, and every organization want to move away from the password. So this is the technology would probably enable password list, itus management implementation. Another good thing about behavior biometric is, is not going to rely only on, on, on, on the starting information. It would be keep on checking and updating.

It's a, it's a risk profile to ensure that it cannot be misused. And obviously the, the, it would leveraging the, the attributes based authentication rather than relying on some static information which can get obsolete or once it's is, is lost.

Then we, we do not have much control. Next slide please. So I know I haven't got much time. This is a busy slide, so I will probably run through very quickly, but I think I just want to cover that the, the essence of, of this, this pew technology, which I picked up for for today is, is, is, is discussed here.

So, so again, this internet of thing and blockchain is, is due to the cloud adoption. As we've seen, there is a huge flux in the number of device and, and the identities now organization need to worry about earlier. We were talking about in a traditional identity access management, like thousands of identity, but with the introduction of, of IOT.

Now, we, we are talking about millions that the whole interface is changing now because our applications and, and, and systems are also in the cloud for any customer to connect to, to these, these, these application is the interface is, is very minimal. Like they can just go online and they just connect directly to the, to the system. And suddenly they are also connected to your organization. And any concern in this, in, in, in, in any of this IOT device would ultimately be, become a problem for the organization.

So this is another area that how efficiently we can manage this, this, the, this, the flux of internet of things, devices, and, and how we can leverage some other technology, like say any digital waste technology, like blockchain to solve some of these problems. So just BEC, because we are talking about millions and millions of heterogeneous devices here, so how we can manage the uniqueness and then use this to support your identity, access management concept and, and, and model next slide, please.

And this, again, this identity access management and artificial intelligence is, is, is a very important for, for the, for organization to enable some proactive decision making with the help of available technology like artificial intelligence and machine learning to support and access management use cases. It, so any variance in the behavior can be identified using the AI based technology and, and, and, and adjusting your, your identity access management control just in time basis, rather than in atypical fashion, as we have been doing.

And very quickly, I just want to give a very important fact here, like say based on the, a quick report from IBM, they said that it's typically takes 314 days for any malicious attack for, from, from reach to containment. And that's the like very long time.

And, and the reason is that it is not humanly possible to respond to this incident without having AI. So this is an area probably is, is, is going to support many of the use cases where we would be leveraging the other security event, sources, get performing a correlation, and then providing this analyzed and contextualized identity information back to identity management system to, to, to, to, to make right decision and, and, and identify any anomalies. Next slide, please. And this is the last topic, which I think was very well covered in the previous, I would say discussion.

So I would not take much of the time, and I'm already pretty much I think, near the time. So again, just very quickly, I think it is the, one of the best thing probably has been done in, in recent past covering the, the area which has been overlooked. And the consumer based identity is, is something need a sort of a support where in my personal experience, we had a program where we had a lot more challenge to, to, to, to, to implement certain sort of controls required by regulation like PSD two or, or GDPR.

But if we would have had a system like cm, then, then it could have been a lot easier because our, for, especially for the customer, they, there have been a lot more silos. When we go for like say, do we have a, a, a consolidated place where we can at least understand who are our customer? And then accordingly technology can be implemented as expected by regulators, like say PST two, where the strong customer authentication needed to be implemented. And we didn't have this, this, this level of user, the consumer database or, or user base, which we would have rely on.

So adopting something like this and having this technology in hand would going to be a big support to, to deliver some of this initiative in future. So next slide, please.

So next, please. So I would probably conclude here. So it's just in, in a nutshell is identity access management will continue to evolve in a scope, or it's a scale. It's just a lot of positive innovation happening around identity access management. But the good thing is the, the technology and is also evolving and identity access management vendors are keeping very well with the introduction of this blockchain, bring your own identity.

So I am, and, and I hope this, this all will bring these thing together to solve the challenges and, and be able to provide better user and.