What is the future of identity? Where is this cornerstone of cybersecurity going in 2021 and beyond? What new roles will enterprises create and rely on to keep their data and employees safe?
These are pressing questions, perhaps the most pressing questions an IT decision-maker could ask. To get some answers, we turned to an authority in the field: Amit Saha, CEO of Saviynt. Here’s our conversation, edited slightly for clarity.
What is the Future of Identity? An Interview with Amit Saha of Saviynt
Solutions Review: Let’s start with this one: What is the future of identity?
Amit Saha: I think the future of identity involves the convergence of identity-centric technologies like identity governance and privileged access management, making it available from a singular platform.
There’s a couple of reasons for that. First, it simplifies the deployment and adoption process, which reduces both integration and implementation costs. After all, time-to-value in cybersecurity is critical. Also, it implements identity management solutions organically rather than trying to force integration.
Ultimately, it makes more features available at once, and you can turn capabilities on or off in your enterprise identity cloud. The convergence of identity governance and privileged access management enables compliance in business workflows and cybersecurity.
For example, you can place an employee on a leave of absence, and then with the converged technology, monitor their permissions. Who is using those permissions, and how, and where? Are they abusing them?
Additionally, identity platforms will become more closely aligned to business processes and evolve to keep pace with emerging priorities. That means simplifying time-consuming, manual processes so that organizations can complete workflows more efficiently with AI and machine learning — as well as supporting complex merger, acquisition, and divestiture strategies that will increase post-COVID.
SR: So you see a greater emphasis on compliance in the future of cybersecurity?
AS: Yes. Most recent breaches begin not due to hackers’ efforts but due to the faulty implementation of cybersecurity. There is always some degree of human or design error, especially with so many workloads on the cloud.
Hackers can and do easily compromise the credentials, which exploit all of the gaps that appear where enterprises fail to follow compliance policies.
SR: So let’s talk about the shift to the cloud. How is it already changing cybersecurity, and what’s the next stage?
AS: First thing, identity is part of the business process. It’s part of the fabric of enterprise operations, of both cybersecurity and IT infrastructure as a whole. Identity is already part of the cloud, yet it is integral to the cloud’s future.
Part of that involves a process already ongoing: the breaking down of siloed applications and identity information centralization. But it goes further. How are cloud policies informed by identity and identity lifecycles? And how should organizations integrate the cost of identity and the cost of the cloud?
Another question for the future of the cloud and identity management is how enterprises monitor behaviors across cloud platforms and connected devices. How will identity be delivered in real-time? How will identity security data be uploaded, analyzed, and corrected?
SR: You mentioned connected devices. So this also involves the Internet of Things (IoT)?
AS: Absolutely. IoT is already increasingly coming under the identity umbrella when it was once seen as siloed devices. But enterprises are now extending their concept of identity to include the relationship between users and all devices. It requires updating the understanding and monitoring of nonhuman identities, which can — and do — mimic human behaviors and act as humans on the network.
SR: Let’s shift gears a little bit to talk about a new job title appearing in many businesses: The Chief Identity Officer. What does this mean, really? How does this role operate in a way the Chief Information Security Officer (CISO) doesn’t?
AS: I think it is very analogous to the Chief Digital Officer (CDO).
The CISO focuses on security risk and monitoring. But identity is more than just security and risk. It’s a part of the business and cloud transformation, a vital component of all processes.
The Chief Identity Officer’s role becomes apparent in tasks such as launching a new portal, and the balancing act of providing a frictionless experience for customers, while also monitoring that portal for security issues. It requires an understanding of how identity and the portal are consumed and used, the nuances of identity.
So while the CISO looks to more traditional security tools like firewalls, the Chief Identity Officer looks at the digital transformation of businesses and how identity informs it.
SR: It sounds like you’re talking about customer identity and access management (CIAM).
AS: Consumer identity requires bringing in behavioral analysis; the question lingers of how you might bring in behavioral analysis so you can monitor how users log in, from where, and what actions they do. It’s about using behavioral analysis to note malicious problems as they appear.
What will become ever more critical is the sharing of recognized malicious behaviors across platforms and tools, such as Microsoft Azure or Okta.
Before we move on, I want to talk briefly about business enterprise transformation.
SR: Please do.
AS: Under digital transformation, enterprises usually tend to open up. But given the situation with COVID-19, the transformation now focuses on moving employees to separate entities within the business as remote work continues. Identity plays a critical role here as well. It enables you to understand each temporary entity you set up for employees completely.
SR: Can you touch more on COVID, remote work, and identity?
AS: It applies to third parties like contractors as well. Security folks are collaborating with them on the same platforms as with employees, so an extra layer of assurance is necessary for their security. As long as on-premises is not available, that will remain vital, and identity plays a role there too.
Further, enterprises are already embracing remote work, so much so that it will be a mainstay, a part of the workforce even after a vaccine becomes viable. So businesses must deal with that new balance and ramp up or ramp down security depending on where a user logs in. They must also deal with the costs of operation, which will remain a consistent challenge.
SR: Finally, what is the most sinister or least appreciated threat in the threat landscape right now?
AS: Ransomware is starting to rear its ugly head. The ability to completely paralyze day-to-day operations and damage profitability is an increasingly worrying trend. Of course, remote work lends itself to greater vulnerability to both phishing attacks and ransomware attacks.
Of course, the other problem is that there isn’t an effective solution for getting rid of ransomware once it penetrates the network. Almost all enterprises end up paying off the ransomware, which just incentivizes more attacks.
This is where just-enough-access, zero trust, and innovations in cybersecurity training will come together.