The Death of Passwords and Three Other Trends at the Gartner IAM Summit

If passwords aren’t dead yet then they’re certainly on their deathbed, as a third wave of authentication solutions like analytics and biometrics becomes ascendant. That was one of four key trends in evidence at the recent Gartner Identity & Access Management (IAM) Summit 2016, which emphasized the alignment of security, risk, privacy and IAM to help businesses succeed in the digital landscape. The following examines the key trends that dominated speaking sessions and conversation on the exhibit floor.

The Third Wave of Authentication is Coming

The demise of passwords was a key theme at Gartner 2016 in December. By 2019, the use of passwords and tokens for authentication will drop to 55 percent due to the introduction of what Gartner calls “recognition technologies”. Gartner describes passwords and tokens as the first and second waves in the authentication space. These include one-time-password tokens, smartphones as tokens, and the use of short message service (SMS) as a second factor for authentication. Organizations that rely only on second-wave authentication methods should consider moving to the third wave of authentication.

Per Gartner, analytics and biometrics will dominate the third wave. It will mix mobile, PC, analytics, and continuous authentication to offer better user experience and resilience than legacy methods. Analytics will help to distinguish a person from a machine, a legitimate person from an attacker, and will also be able to distinguish one legitimate person from another. Authentication will also move into the BYOI (bring your own identity) space. The goal is to move toward a trusted identity capabilities model using identity corroboration combined with dynamic risk assessment.

Gartner recommends the following: go directly to third-wave authentication and skip the second wave if not already there; take a comprehensive view of authentication that is not constrained by legacy thinking; use trusted identity capability models; and identify tools that deliver those capabilities.

Security is Critical to Cloud Adoption

As organizations continue to expand their footprint in the cloud, cybersecurity remains top of mind for many CISOs as they attempt to protect their internal users and external customers from ever-evolving security threats. As such, they need a strategic plan to transform their current security model to respond to threats and changing business demands regardless of whether their digital presence is via cloud infrastructure (Infrastructure as a Service) or through web-based portals for consumer outreach.

  • Create a security organization structure focused on communication, education and agility that reflects the organization’s mission and allow for dynamic risk assessment and agile incident response.
  • Prioritize data security governance by identifying risk-appropriate controls based on risk classification and continuous auditing and monitoring
  • Develop an adaptive security architecture that focuses on continuous response rather than simply incident response.

Gartner spelled out the key components of a successful cybersecurity program. They are:

Understanding User Behavior Requires Security Analytics

​​​​​​​Another trend at the Gartner IAM conference was the use of security and user behavior analytics to leverage data and provide insight into threats and vulnerabilities. User behavior analytics focuses on how access is being used—a question that typical IAM programs fall short of answering—so gaining this perspective necessitates connecting disparate data sources such as application logs, identity information and network activity.

The material benefit of analytics is realized when it provides depth and context to access management decisions, and helps to answer these questions. Is the access requested consistent with peer usage? Is the access being used anomalous behavior and thus suspicious? What is the risk of granting the requested access to this user?

It quickly becomes apparent that analytics engines can eventually perform traditional IAM functions such as complex workflow paths, role-based access control (RBAC) and attribute based access control (ABAC) based decisions, and even data classification. They are all are possible when analytics is used to evaluate and mitigate the risk that comes with granting and controlling access.

Consumer IAM is Key in Driving Digital Transformation

​​​​​​​In addition to concentrating on the usual enterprise IAM content, Gartner emphasized the role of consumer IAM in digital transformation. This digital consumer experience focuses on connecting with the user through a registration and authentication process that collects data such as user profile and user preference. Businesses can use the data to focus on retaining customers through engagement and loyalty, customer identity analytics and marketing integration.

Gartner sessions also focused on driving business results and improving customer experience using customer journey analytics. Customer journey analytics is the process of tracking and evaluating how an end user employs available channels to interact with an enterprise to identify the end user and optimize the end user’s experience with the enterprise. The results are increased customer satisfaction, lower cost to serve and increased customer retention.