In his closing keynote, Gartner Vice President Homan Farahmand summarized the outlook for identity and access management by saying, “Runtime Authorization is key to enable identity-first security.” There was no better key learning for me from this conference. Given its prominence in many presentations and discussions, it’s evident that Runtime Authorization will become the new standard for the identity strategy of companies with leading security practices.
The Gartner IAM Summit usually brings together a unique mix of practitioners, decision makers, vendors and experts. This year was no different, but compared with the past few years I’ve attended, the event felt more intimate and focused on key trends and actionable program insights.
Here are our 5 top takeaways from the Summit:
Identity Has a Seat at the Security Table
Put another way, the era of identity-centric security is here. As businesses continue their digital transformations and become increasingly cloud-based and adopt zero-trust architectures, security teams face a growing threat landscape. Advanced teams are rapidly turning to solutions that secure access through identities rather than through firewalls and IP restrictions. As one expert said, “Whether companies realize it or not, every business is an identity business.”
More Standardization Is Required
While some standards like OCSF, CAEP and OPA were recognized, sessions led by Gartner often included a call for vendors and customers to agree on more standards of practice and terminology to make the Cybersecurity Mesh Architecture a reality. Without standardization across the ecosystem, zero-trust architectures cannot consistently deliver desired outcomes. Given the complexity of identity management initiatives, it is impossible for customers to have their entire program requirements met by only one vendor, or by a group of vendors that use each other’s APIs. With improved standardization, the entire identity ecosystem will be able to reach a new and improved level of maturity that will benefit customers and business outcomes.
Be Pragmatic About Zero-Trust
After years of immense fixation and overuse from vendors, it was great to hear John Watts, Vice President at Gartner, point out how flawed the understanding of zero-trust architectures has become. The line we loved from the presentation: “Zero Trust is actually Zero Implicit Trust. It is a security paradigm that replaces implicit trust with continuously assessed contextual trust.” So to adopt Zero Trust, companies should not buy a product merely because it claims to tackle this overused term; instead, teams should shift their security mindset to real-time, contextually based trust. To get there, they should define a strategy for this data-informed approach and then undertake initiatives to fulfill that vision.
API Access Control Takes Center Stage
Most communication with online services now happens over APIs. Gartner Director Erik Wahlström’s session on API Access Controls made evident how much needs to be done to secure APIs, since the current state of API security is pretty basic (47% of APIs use hard-coded passwords!). Compounding the problem, popular new tools like GraphQL do not have security built in, and cloud-native apps have inconsistently built features like token exchanges.
Runtime Authorization Is Critical to Identity-First Security
Throughout the conference, a theme emerged on the limitations of relying exclusively on existing group-based access controls, which focus on propagating entitlements to apps at admin time and having those apps make runtime decisions themselves. In his closing keynote on the Outlook of Identity Access Management, Gartner Vice President Homan Farahmand identified three key trends, including this observation that runtime authorization is the future of access management approaches. Runtime authorization makes the application a Policy Enforcement Point (PEP) that talks to an independent Policy Decision Point (PDP). At the moment of the request, the PDP pulls key business data from systems of record as context, evaluates complex policies against it, and returns an answer on access to the individual piece of data. This approach is continuous, consistent and informed by required context to provide just-in-time access as required.
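The PEP/PDP split described above, contrasted with an admin-time group check, as an added example that is not from the Summit or any vendor's product. Every name here (`pdp_decide`, `pep_read_case`, the sample records) is hypothetical, and the in-memory dictionaries stand in for real systems of record.

```python
from dataclasses import dataclass

# Constructed sample data standing in for systems of record (HR, case management).
HR_RECORDS = {"alice": {"department": "claims", "employed": True}}
CASE_ASSIGNMENTS = {"case-17": {"alice"}}
# Admin-time model: group entitlements copied into the app at provisioning.
PROVISIONED_GROUPS = {"alice": {"claims-readers"}}


def group_based_check(user: str, action: str) -> bool:
    """The app decides alone, from groups propagated at admin time."""
    return action == "read" and "claims-readers" in PROVISIONED_GROUPS.get(user, set())


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def pdp_decide(user: str, action: str, resource: str) -> Decision:
    """Policy Decision Point: reads context at the moment of the request."""
    hr = HR_RECORDS.get(user)
    if hr is None or not hr["employed"]:
        return Decision(False, "subject is not an active employee")
    if action != "read" or hr["department"] != "claims":
        return Decision(False, "policy does not cover this action or department")
    if user not in CASE_ASSIGNMENTS.get(resource, set()):
        return Decision(False, "subject is not assigned to this resource")
    return Decision(True, "active claims employee assigned to resource")


def pep_read_case(user: str, case_id: str) -> str:
    """Policy Enforcement Point: asks the PDP and enforces the answer."""
    decision = pdp_decide(user, "read", case_id)
    if not decision.allow:
        raise PermissionError(decision.reason)
    return f"contents of {case_id}"


def demo() -> dict:
    """Same user and groups; only the system-of-record data changes."""
    before = pep_read_case("alice", "case-17")
    HR_RECORDS["alice"]["employed"] = False  # offboarded in HR, groups not cleaned up
    after = pdp_decide("alice", "read", "case-17")
    return {"before": before,
            "group_based": group_based_check("alice", "read"),
            "runtime": after.allow}
```

After the HR record changes, the stale group membership still grants access while the runtime decision denies it, and the group check never distinguishes one case from another.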
As a provider committed to evolving the authorization ecosystem, the Gartner IAM Summit validated that the best security outcomes will be delivered when products interoperate well with each other through standardized approaches. It was great to hear so many Gartner analysts share our view of the future of identity management and validate the business need for runtime authorization!