The New Ecosystem of Identity Access Managementv1.0

1. Summary

The saying goes, “Identity is the new security perimeter.” This changes the traditional way we think about granting users access to “granting subscribers access.” This subtle nuance is powerful. In traditional network and system design, users are granted firewall or VPN access at the perimeter where they are granted access to different resources depending on their role in the organization. In this legacy model, operations and security were bifurcated and unwieldy when new services, new employees, or contractor classes were added. It was even further complicated when a user had multiple roles or a zero trust model needed to be provisioned. Amidst this turmoil, three new requirements emerged:

1. Federated identity enabling users access across multiple identity management systems and SaaS/PaaS services.
2. A flexible identity that could evolve with their role or changing job requirements.
3. A secure identity that would provide strong authentication to include One Time Passwords (OTP) and Multi-Factor Authentication (MFA).

In this new paradigm, users (or “subscribers”) are provisioned by an identity service using biometrics or one time passwords and then the user and their device become a coherent unit. This unit is then checked by the resource requested and access decisions are granted or denied. Consider the consumer use case of Apple TV or Roku where users install the device and can download all the applications they want to be provided they are a provisioned subscriber. This is the inverse of provisioning users at the edge of the network. When coupled with an identity provisioning resource, the user is granted access. This coupling of user id and devices identity, along with the decoupling of reliance on the resource itself to make the identity decision, is what enables the subscriber model and the Identity Provider (IdP) space to be so effective. Prior to this, systems were provisioned with certificates that were coupled with a user’s identity to form an unsustainable, authorization mechanism. The problem with certificates was that they needed care and upgrading. Certificates are typically issued for months and need to be renewed. If a user authenticated infrequently or removed a directory containing a certificate, they failed. That friction was a large part of why we never saw large scale certificate authorization adoption.

But what happens when something is provisioned to a user that does more than verifying them? When that device can send messages, take pictures, and do banking? Now the business of managing identity becomes much more fluid, and it is not just on smartphones but many Smart TV’s, smart home devices, and even home routers are now part of the new identity ecosystem and authentication is about to become much easier.

The identity and access management market has been robust for years and has undergone several transformations from being proprietary to more open, but the integration points to resources such as Unix systems, legacy applications, and personal devices (BYOD) continue to present challenges.

Another powerful driver in this space is that One Time Passwords (OTP) have become a must and all of the IdP vendors we spoke to offer Multi-Factor Passwords (MFA) and OTP.  Simple username/password combinations are susceptible to replay attacks and have been the root cause of just about every major breach (including Experian, Target, and OPM). The JPMC breach in 2014, affecting 76 million households and 7 million small businesses, was a result of a server not having OTP or Multi-Factor Authentication running, even though the bank had it deployed to other servers. As modern enterprises realize that phishing attacks that result in credential reuse are behind almost every breach, the need to authenticate with a second factor has become table stakes. This, in turn, has driven the adoption of IdP’s.

In this report, we look at identity providers, review the scope of their offerings, discuss the pros and cons, and methods in which they are deployed.