The New World of Microservices and Other Trends in Identity & Access Management
DevSecOps and the delivery of microservices, securing endpoints for the Internet of Things (IoT), and adoption of smart identity and access management (IAM) are three key challenges businesses will face in 2018 as they strive to improve program management, speed technology delivery, and scale to meet growth and regulatory requirements. The following sections examine these three information-technology challenges, and offer real-life recommendations to help organizations meet new business demands and expectations of an evolving digital ecosystem.
How DevOps Should Respond to Development of Microservices
Implementing DevOps and deploying applications in a microservices architecture has a major impact on the IAM landscape. Microservices is the concept of breaking down the application into small, dedicated pieces to accomplish rapid deployments in an agile way with minimal downtime. Simply put, traditional application architecture is neat and contained, while microservices architecture is modular and non-traditional.
The benefits of DevOps and microservices applications lie in deployment speed and agility, modularity and independence of specific processes, and scalability. The challenge is how we, as IAM and security professionals, tackle identifying, authenticating, and securing each of these components as machine identities.
There is a balance between security and speed when it comes to processing requests and transactions between microservices. To validate the source of a request, the entire authentication chain must be preserved throughout the process. This is costly and slow, so the difficult question to answer becomes: what exact information do applications need to know to verify valid requests?
Privileged access management (PAM) tools are becoming increasingly effective and necessary when it comes to identifying these service accounts and keeping them secure, but there sometimes remains a gap in integrating these microservices with the principles of identity governance and administration. The integration of security into DevOps was a discussion topic at last fall’s Gartner Identity & Access Management Summit, and the Sila subject matter experts in attendance came away from the event with these suggestions.
- The first step in bridging the microservices/identity governance and administration gap is to define strict boundaries of each component in the architecture. In doing so, we create a separation of public versus private APIs.
- The identity governance and administration need within microservices lies within the private APIs that are making the calls between services. Each private API needs to do the following: (1) know who is calling it and who it’s calling; (2) manage domain-specific identity data and enforce domain-specific policies; and (3) replicate user attributes retrieved from identity services to each of the microservices that need them.
Applying IAM principles to these private APIs and treating each process or service as an identity gives you granular access control and authentication across the entire architecture.
How to Help Secure the IoT Landscape
Identity of Things refers to all machines and services that connect to and interact with the external environment. In 2015, there were 4.9 billion IoT endpoints, and Gartner predicts that number will rise to 20.4 billion by 2020. Due to the massive scale of the IoT landscape, security professionals need to be aware of processes, technologies, and services available to secure endpoints from intrusion or misuse.
Risk is compounded as IoT devices become ubiquitous in our homes, offices, and on our streets from things like smart home appliances, internet-connected medical devices to smart parking meters and street lights. Each of these devices, based on their capabilities, introduce different levels of risk to consumers that look a lot like traditional IT risk but with some key differences. For example:
- Scale—There are millions of devices across multiple networks with tons of data
- Diversity—There are many different types of devices and providers, leading to different APIs and limited standardization
- Function: There are devices of varying function (single-purpose simple devices to complex intelligent systems), state (embedded, physical), and context
Gartner recommended that organizations working to develop and secure the IoT landscape undertake the following:
- Assist in the selection of IoT vendors and service partners by aligning them with security patterns. This condenses the security landscape of your IoT infrastructure by minimizing scale and diversity.
- Use existing mobile security standards and guidelines to drive your policy on IoT devices wherever possible.
- Become familiar with regulatory environments where your customers operate and begin to anticipate where policy may shift.
Smart IAM and Data Privacy
Smart IAM is not a new trend, but the foundation is in place for more widespread adoption of smart IAM as organizations’ security and identity governance and administration practices mature. This concept refers to applying artificial intelligence and machine learning principles to identity and access management by utilizing the massive amounts of data collected ranging from identity attributes like location and title, to specific entitlement data and access usage.
Gartner predicts that “by 2018, analytics, machine learning, and policies will automate more than 50 percent of manual access certification and approval processes.” However, all this data being collected could see a downtick based on pressures applied by consumers and regulatory agencies.
For example, the European Union’s General Data Protection Regulation (GDPR) gives consumers control over their data and limits how organizations can use that data. For example, one of the specific articles of the regulation refers to automated individual decision-making based on concerns of profiling.
Gartner suggested the following keys to maneuvering these regulations as they become more widespread:
- Understand what personal data your organization is storing, and why you’re storing it, as well as conduct privacy assessments.
- Understand the data subject’s rights so you can respond to requests, organize data by purpose, and enforce tight control around deletion of data after retention.