This year’s Gartner IAM Conference was full of thoughtful keynotes and a reflection of things to come for IT professionals in 2017. Over 1500 professionals concerned with keeping customer and proprietary data more secure attended the conference last week, which took place in Las Vegas, Nevada, one of the riskier cities in the United States (if you like blackjack, that is).
Richard Holland of Eli Lilly had an opportunity to share how they’ve used various capabilities in their IAM ecosystem to drive the development of new medicines. He shared the impact of implementing ABAC in his talk, “Bringing IAM and ABAC from Strategy to Production, with the Business, in Medicines Development” and gave context to how ABAC works within the IAM ecosystem. He was one of many great speakers in the summit’s expert lineup.
What’s Next in IAM?
There were many interesting conversations happening last week. Below are three crucial topics we heard discussed at length across the conference floor, that we believe are the most pressing for IAM and IT executives in 2017.
1. Customer Identity and Access Management (CIAM)
When companies think about customer data, generally executive minds turn to customer relationship management (CRM) tools like Salesforce.com or Microsoft Dynamic. However, as more businesses seek to engage customers across digital platforms, as well as invite customers to use digital profiles to engage with their companies (for example, using a social media account to log in or sign up for multiple services), IT executives are seeing an extraordinary increase in the amount of sensitive data stored on their servers.
Not only does this data have immense potential when it comes to strategy and operations, it also poses a huge liability in the event of cyber attacks. Customer Identity and Access Management is blending the informed customer engagement of CRM with the data and security protocols of IAM to help companies transition into digital maturity.
2. Contextual Security
When you think about Identity and Access Management, one of the first things that comes to mind is the role of the user in question. However, as technology has evolved, security and IT professionals have been able to expand the details surrounding individuals, such as IP address and time of day (or night), to refine access to data and applications. These details are “contextual” and are a key part of the general transition from role based access management (RBAC) to attribute based access management (ABAC).
Contextual Security allows companies to grant or deny access to data based on things like geolocation, which could prevent someone from accessing intellectual property on a home computer. As the internet of things continues to present itself as a big investment opportunity, contextual security will equally grow as an answer to questions of security and ABAC is part of this!
3. Role Explosion: Transitioning from RBAC to ABAC
It used to be that a company could manage application security by limiting access based on the role of a user. An important thing to note about Gartner IAM attendees is they generally land on the conservative side of implementing brand new technologies. Typically, they are more concerned with carefully managing pressing legacy issues like role permissions that result in conflict of interest and unscalable IT needs, than they are in applying new IAM techniques to future initiatives.
However, the transition from Role Based Access Control to Attribute Based Access Control is a natural one. We cover the history of RBAC and how its functionality dovetails with ABAC in this white paper. In short, the user role is the natural starting point for IAM, but it is no longer sufficient for the complex needs of today’s digital organization. With hundreds or thousands of applications in use at modern companies, trying to manage data access with a single role requires an unmanageable amount of resource allocation – and over time has spun out of control. By adopting ABAC, these resources could be freed up to facilitate revenue generating activities instead of reacting to data confusion or vulnerability, while facilitating secure user access control across the enterprise.
You don’t have to decide between implementing ABAC at the beginning of digital transformation initiatives or at the end. You will, however, realize more benefits by using ABAC from the outset, as it can be applied top-down to manage IAM for all your apps from a centralized location. Based on what we saw at Gartner’s recent conference, though, it’s clear that the complexity of IAM will continue to increase, which will result in the value of early-stage ABAC implementation to increase exponentially.
This year’s conference was illuminating and there is still much to share. In the meantime, don’t miss our Beginner’s Guide to Digital Transformation.