The CSO’s 4 Key Takeaways from Gartner IAM 2017

This was my first year attending the Gartner Identity & Access Management Summit and I found it to be a worthwhile investment of my time.  I’ve been saying for a couple of years now that an effective security program is inherently dependent on identity, the identity of people, the devices they use, and the context around how, when, and where they use those devices. This holds for both an internal view of security (protecting an enterprise), as well as the external view (protecting your customer-facing systems and services). I  was pleased to find this perspective repeated throughout the presentations and the vendors present at Gartner IAM (even if it’s just because it mean’s I’m not completely nuts).  

As I reviewed the notes I took in the various sessions I attended, there were a few key themes that resonated for me concerning the current and near-future state for identity-based security programs like the one my team is building at ForgeRock. This blog post is a brief introduction to those main themes, which I’ll explore in more detail with future posts in this series. These themes are:

  • There is no security in a modern enterprise without a strong identity story. Identity is the final line of defense for all applications and services, with the security of any application or service ultimately coming down to ensuring properly authenticated users can perform authorized activities, and everything else is blocked. In addition, run-time data about how identities are used is at the heart of malicious activity detection and fraud prevention mechanisms.
  • If the only option you provide for authentication is a username/password then you are not only taking on significant risk due to the likelihood of identity compromise, but customers will start to move to competitors who offer more secure authentication options with less friction.
  • Advanced analytics concepts like machine learning, neural networks, and deep learning are beginning to make as big an impact on security as they have other parts of the business, and we’re just getting started. You need to incorporate analytics into your security program, and understand how your identity vendors will enable (or hinder) the use of identity-related data as part of your cyber defense program.
  • Thanks to incidents like the Mirai botnet and the more sophisticated IoT attacks that have followed, security is a top discussion for IoT solution vendors, and IoT security is even more dependent on identity than other system, because you need to connect the identity of the devices with the identity of authorized users as well as those who manage the IoT solution. The security design for any IoT solution must have a well-developed identity story at its center.

As I expand on these themes in the future, I’ll provide some details on how the ForgeRock identity platform is being used by customers to provide actionable solutions in each area.

Steve White is VP, Chief Security Officer at ForgeRock.