Ping Identity has released an interview between CEO Andre Durand and three identity and access management practitioners from two very large companies and one non-profit focused on identity and access management. Durand put questions to George Fletcher, chief architect of Consumer Identity Services at AOL, Inc.; Anthony Randall, a Security Architect at Monsanto; and Michael Barrett, President of the FIDO Alliance, a non-profit dedicated to moving towards a password-less security architecture. The release has been timed to build excitement and interest in the Cloud Identity Summit, which will take place in Monterey, California, from July 19 to July 22. All three of the people Durand interviewed have events at this summit.
Here’s a quick summary about the upcoming event:
Now in its fifth year, Cloud Identity Summit is the world’s premier identity conference. The annual event converges the brightest minds across the identity and security industry. With tracks from industry thought leaders, CIOs and practitioners, Cloud Identity Summit serves as a multi-year roadmap to deploy solutions that are here today but built for the future.
I have also placed the interview below for your IAM reading pleasure. My take on the responses is a focus on moving away from passwords and towards a multi-factor form of authentication that still allows for a good user experience. Another takeaway would be that finding a solution for the security challenges posed by our ever more interconnected world is becoming more and more urgent, as the Internet of Things connects more and more of the gadgets we use without us even knowing about it, even though those same gadgets are intimately involved in our lives.
Durand: How do you define “next-generation identity management?”
Fletcher: In next-generation identity management, recognition will be more critical than credential validation. Instead of asking, “Did they answer their password correctly?” we need to take more factors into consideration to ensure the person or device has permission to do or access what it’s requesting. As the Internet of Things becomes standard, recognizing the entity — whether it’s a person or device — will be critical to avoid trouble when determining who has access to my thermostat, for example.
Randall: Next-generation identity management is about convergence. It’s about shifting focus from back-office systems and processes to front-of-house delivery. People require online, on-demand, personalized and self-controlled interactions with their service providers. We need to deliver front-of-house information systems that represent and allow people, their devices and relationships to interact simply.
Barrett: In the past we’ve gone through several phases when it comes to identity management, from Identity Access Management (IAM) to federated, to more consumer-facing with OpenID. Now we’re moving into a maturation phase where all of these factors are coming together and strong authentication is the lynchpin. The addition of strong authentication standards will make a big difference as we define identity management for the next generation.
Durand: What are the major identity management challenges facing enterprises today?
Randall: User experience is a major challenge; expectations are access anywhere, any time, any place. There is a wide range of users, from digital natives to the elderly, and we need to simplify the interaction. Additionally, as we move more to cloud-delivered solutions we need to ensure we have the right mechanisms to maintain user privacy and user/enterprise data.
Durand: How does security need to change now that innovations in the cloud, mobile and Internet of Things pervade our everyday lives at work and at home?
Barrett: In many ways we hadn’t figured out security and identity in the unconnected world of the late 1990s/2000s, so it’s no surprise that in our hyper-connected world many companies are still struggling with the basics. With the Internet of Things, we need to have a good security model for how two things should be talking to each other and how they can be remotely controlled. Otherwise we have issues with someone being able to turn off your fridge remotely and hack your light bulbs – concerns that need to be addressed but haven’t been completely solved as technologies continue to evolve.
Durand: Do you think we can ever really do away with the password?
Randall: Passwords and PINs are likely forever. However, I think we can make big inroads into replacements such as biometrics, recognition-based authentication and certificates. Biometrics are showing promise; they provide stronger authenticators than the password and are gaining adoption, even more so in some verticals, such as healthcare and banking. Advancements in big data have helped improve the very notion of recognition-based authentication, with data sets helping to verify who you are and what you want to do. Finally, as more enterprises deploy mobile devices, certificates are making a resurgence providing certificate-based authentication.
Fletcher: The industry is already moving in this direction and deploying a number of options. The standard way in which users interact with passwords today will definitely change. I can see the concept of passwords, “something I know,” being used in some verification flows but not as the main mechanism for authentication. Of course how long it takes to get there is dependent on making the new forms of authentication easier for the user than using passwords.
Barrett: This question is very close to home in regards to the work we’re doing at FIDO Alliance. Passwords are going to slowly die, but it’s going to be a long transition. We’re at the beginning stages of a multi-year journey where people will start to use better alternatives, such as biometrics. Over time passwords will become less prevalent, and I expect the majority of people to use other methods for day-to-day authentication.
For the MarketWatch press release of this interview, click here.