2019 was Integral Partners sixth year attending the annual Gartner Identity and Access Management Summit in Las Vegas, and as always it was interesting to compare Gartner’s perspective on identity with what we see “in the wild” while working directly with clients and vendors.
Gartner IAM is THE place to keep a thumb on the pulse of product roadmaps, market trends, and business drivers. Extensive Gartner analyst interviews with customers and vendors result in a valuable resource of data and the ability to identify key market movement and high value initiatives. While Gartner analysts interview hundreds of enterprise IAM customers, they lack experience in the hands on, day to day effort required to deliver the vendor solutions they review and promote. Gartner analysts can be removed from the on-the-ground experience of IAM deployment and operations. Their high level approach often overlooks foundational challenges of understanding operational and organizational complexity.
As we have seen over the years, the disconnect between recommending and delivering often results in promoting ‘what should work’ versus ‘what actually does work’ . For example, do you have the non IT organizational support for mandatory business process change to ensure you pass your compliance audit or your periodic user attestation? Is the specific IdaaS functionality needed actually available in the current release or will you need to reset your deployment plan until the functionality is released in the next few quarters? Is the privileged functionality currently available in your existing IGA solution suitable for your needs or is a specialized PAM investment required? Answering these questions requires more than just data and trends; it demands first-hand experience and an understanding of business context.
Here are our 2019 Gartner IAM Summit takeaways, in a nutshell:
- Though identity is more important than ever, organizations are still struggling with the fundamentals and how to communicate IAM’s business value outside of IT.
- Gartner has established any IGA solution not available in the cloud eliminates a vendor from Magic Quadrant consideration.
- Zero Trust is a principle and not a methodology so Gartner has created CARTA (Continuous Adaptive Risk and Trust Assessment) as a response to today’s “anytime, anywhere, anyone, anything” access challenges.
- Machine learning, artificial intelligence, and automation will mean more apps are connected with more speed from more locations producing more access and identity information. Analyzing this information to inform security decisions will be more important than ever.
- Passwordless authentication, multi-factor authentication (MFA), biometrics and decentralized identity are continuing to mature while adding additional security.
- User experience counts: customer identity and access management (CIAM) is driving solutions to become more seamless and frictionless, both for consumers and employees.
Let’s take a deeper dive into these trends to flush out what they might mean for you.
A Focus on Fundamentals
The Summit’s opening keynote was about business communication—how to talk about IAM in a way that illustrates its relevance, and how to represent the interests of various stakeholders in a language that business leaders value. We thought this was an interesting example of how many organizations are still mastering the “fundamentals” of IAM, including how to successfully represent its benefits to the business. Effective IAM programs require internal supporters who avoid jargon, explain technical acronyms as concrete needs, and articulate IAM strategy in the context of critical business drivers.
Cloud Is Here
As organizations move to the cloud, failure to adopt a cloud strategy is proving to be a competitive disadvantage. Gartner’s Magic Quadrant for Identity Governance and Administration now requires vendors to have a viable cloud IGA offering, and has even dropped former leaders that do not provide a cloud option. But is the cloud really ready for identity? IGA in the cloud requires customers to make a choice between configuring or customizing: either configure your processes around a multi-tenant cloud app, or purchase on-premises technology that’s adaptable to your own processes. Which option you choose will depend on business process complexity, your appetite for change, and the economy of scale that makes sense for your business.
First there was “trust but verify,” then came Forrester’s “Zero Trust” framework, and now Gartner has introduced CARTA: Continuous Adaptive Risk and Trust Assessment. CARTA addresses HOW organizations can verify and enforce identity based on time, place, and context. Rather than requesting a single authentication point or password, CARTA takes an “intelligent gatekeeping” approach, asking users to continually confirm their identity through cross-referenced data points and granting access based on least privilege. This shift to adaptive access means that roles won’t matter as much and investing in role definition will yield less ROI, and it aligns with how identity has become so embedded with security and risk.
Machine Learning and Artificial Intelligence
In 2020 we’ll continue to see the expansion and adoption of machine learning, artificial intelligence, and analytics in IAM. SailPoint will be productizing its AI offering for scalable consumption and Saviynt is beginning to generate sufficient user datasets to yield intelligence on recertification actions. It’s true that most companies are still so focused on building their identity management foundations, they’re not yet in a position to get value out of identity intelligence. But by the end of the year, the proliferation of collective intelligence tools will provide a wealth of information that can impact decision making and provide relevant value.
IAM is trending away from passwords as antiquated and insecure, and focusing more on adaptive access. Gartner dedicated an entire track to MFA and decentralized identity because it’s exploding in use. Where SSO depends on a single point of authentication, MFA, biometric authentication, and decentralized identity management seek to mitigate the risk of identity fraud by verifying user credentials across multiple, distributed, or unique data points.
As IAM solutions have evolved from back office administration to front end engagement for user self service, the importance of consistent design and simplified user interface has increased dramatically. Several trends are driving this: the proliferation of workflow and help desk applications such as ServiceNow, which are causing users to demand a more streamlined, integrated experience; and the focus shift to Customer Identity and Access Management (CIAM), which applies IAM policies to customer data with commensurate B2C expectations around user-friendliness. IGA vendors are responding with better-designed and more intuitive apps that can educate and guide users, improve self-sufficiency, and increase compliant usage.
Over the past 15 years, identity has evolved from an IT-centric administration and compliance tool to a critical foundation of the modern digital enterprise, impacting a rapidly expanding definition of users. Beyond managing “heartbeats,” today’s IAM means governing and managing applications, processes, bots, devices, contractors, and third parties to help the business meet its goals, plan thoughtfully for the future, manage change, and engage users and stakeholders. The good news is that in 2020, identity is considered a “must-have investment” essential to secure, expand, automate, and enhance a company’s business outcomes—irrespective of industry.
Identity is not a one-size-fits-all process, and even mature companies still struggle with IAM as a program of ongoing integration. The hard part of identity isn’t evaluating or deploying a solution—it’s understanding the strategic value of technology within the context of how your organization operates. This requires experience and perspective, so you can apply the necessary resources for measured success, and it demands communication and discipline to promote continuous improvement.
A major benefit of Gartner’s IAM summit comes from the practical perspective of identity practitioners at the event who are from companies facing similar challenges and objectives as yours. With each Summit, we hear validation that Integral Partners knows and understands the business challenges, market trends, and regulatory drivers that affect IAM strategy for today and in the future. We look forward to seeing you at Gartner 2020.