As companies move their infrastructure to the cloud, modernizing identity management brings a number of unique challenges. At the forefront is the tension between keeping systems secure and still enabling access for the end users who need it.
With this in mind, we asked a panel of industry leaders to talk about challenges facing enterprise IT professionals today, including problems they’ve already encountered, how the latest technologies might influence product development, and how they are preparing for the future. Our panelists included George Fletcher, Identity Architect at Oath; John Bradley, Senior Architect at Yubico; and Grant Dasher, Software Engineer at Google.
Here, we’ve pulled highlights from our insightful conversation on the current state of identity and security. To hear all of their detailed responses, watch the full Oktane 17 video here.
Upcoming core challenges
As systems shift to the cloud, modernizing authentication that still lives in on-premises legacy systems brings added challenges. Each panelist spoke to what they suspect those core challenges are. Bradley discussed the move to federated identity standards like OpenID Connect and OAuth, which he found more companies were prioritizing. In his experience, as momentum for these technologies takes off, there is less need to serve “old-world” SAML authentication.
Fletcher followed up with the idea that security needs to change from looking only at threats from outside. There needs to be more oversight internally, with zero-trust checks on every transaction, much like we’re seeing with Google’s BeyondCorp. Dasher added to this point, emphasizing that VPN-centric models will no longer work in the future, especially with mobile devices. Enterprises can no longer rely on the network the user is currently connected to when evaluating their authorization policies. Instead, each user and each device needs to be identified and managed.
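To make the contrast concrete, here is an added example (not code from the panel, Okta, or Google’s BeyondCorp) that evaluates the same constructed requests under a network-centric policy and under a per-request, user-and-device policy. The corporate address range, the resource tiers, the device-posture fields and the sample requests are all illustrative assumptions.

```python
"""Added example: per-request access decisions that ignore network location.

The "perimeter" policy trusts anything arriving from the corporate address
range, which is the VPN-centric model the panel says will not hold up. The
"zero-trust" policy gives the source network no weight and instead checks
who the user is, how strongly they authenticated, and whether the device is
managed and patched. Field names, tiers and sample requests are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORP_NET = ip_network("10.0.0.0/8")  # assumed corporate / VPN address range

# Assumed minimum requirement per resource: 1 = low sensitivity,
# 3 = high sensitivity (source code, finance systems).
RESOURCE_TIER = {"wiki": 1, "source-control": 3, "payroll": 3}


@dataclass(frozen=True)
class Request:
    user: str
    src_ip: str
    resource: str
    mfa: bool             # did the session complete a second factor?
    device_managed: bool  # device enrolled in MDM / present in inventory
    device_patched: bool  # OS and browser at or above required versions


def perimeter_policy(req: Request) -> bool:
    """Network-centric model: being on the corporate network means trusted."""
    return ip_address(req.src_ip) in CORP_NET


def zero_trust_policy(req: Request) -> bool:
    """BeyondCorp-style model: every request is judged on user and device
    attributes; where the packet came from is not consulted at all."""
    tier = RESOURCE_TIER.get(req.resource)
    if tier is None:
        return False                      # unknown resource: default deny
    if not req.device_managed:
        return False                      # unmanaged devices get nothing
    if tier >= 2 and not req.mfa:
        return False                      # sensitive resources require MFA
    if tier >= 3 and not req.device_patched:
        return False                      # top tier also requires posture
    return True


# Constructed requests for the demo (not real traffic).
SAMPLE_REQUESTS = {
    # Intruder on the office LAN with a personal, unmanaged laptop.
    "attacker_on_lan": Request("mallory", "10.1.2.3", "source-control",
                               mfa=False, device_managed=False, device_patched=False),
    # Employee on coffee-shop WiFi, managed and patched device, MFA done.
    "employee_at_cafe": Request("alice", "203.0.113.7", "source-control",
                                mfa=True, device_managed=True, device_patched=True),
    # Employee on the LAN but on a laptop that missed its patch window.
    "employee_old_laptop": Request("bob", "10.4.5.6", "payroll",
                                   mfa=True, device_managed=True, device_patched=False),
    # Same employee reading the low-sensitivity wiki from home.
    "employee_wiki": Request("bob", "198.51.100.9", "wiki",
                             mfa=False, device_managed=True, device_patched=False),
}


def evaluate(requests=SAMPLE_REQUESTS) -> dict:
    """Return {name: (perimeter_decision, zero_trust_decision)}."""
    return {name: (perimeter_policy(r), zero_trust_policy(r))
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, (perim, zt) in evaluate().items():
        print(f"{name:22} perimeter={perim!s:5} zero_trust={zt}")
```

The two policies disagree on every sample: the perimeter model lets the intruder and the unpatched laptop in because they are on the right network, while locking out the employee at the café; the zero-trust model does the opposite, because it asks about the user, the factor used and the device rather than the address.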
How user account recovery flows need to change
A discussion of user account recovery flows prompted a strong reaction from every panelist: there is a lot of work to be done in this area. Bradley started with the observation that implicit federation via email is the currently accepted way to recover accounts. But what if your Facebook account is compromised because the Google email account it recovers through was compromised? Bradley suggests there needs to be better signaling between identity providers to solve this problem, instead of relying on token bindings.
Dasher added that identity providers are in a unique position to use the information they have already collected about a user to verify them. Google, for example, may hold photos and emails unique to the account owner. Similarly, Facebook has a friend graph it can use to validate a recovery.
Finally, Fletcher suggested that the “all-or-nothing” concept of access needs to move towards tiered access levels during account recovery. As you validate more of your identity, you are gradually granted more pieces of the original account. The final recovery step for an enterprise account could be a login from the physical office.
Leveraging the blockchain for authentication
All three panelists were wary about where blockchain technologies are headed and how they might be applied. On the surface, blockchains seem a perfect match for identity management: a distributed, immutable and accessible ledger of transactions looks like an ideal policy backbone. Blockchain is still mostly applied to digital currencies, and the panelists were unsure how it might solve authentication problems in the future; any such technology needs to be built in a way that is both sustainable and useful.
Fletcher took issue with how users today are still reliant on third parties to manage their wallets in this pseudo-private environment: someone else will always know who is participating in certain transactions. And while Dasher accepts the strong need in the digital community for decentralized identity, blockchain may not be the right technology to achieve it. At the very least, blockchain is a step forward but not a viable replacement for existing tools. For all three panelists, the current model of federated identity still has more mileage for today’s secure identity management, and companies can still take advantage of it.
How can enterprises prepare for the future?
As more services and data move, the cloud is reaching further down the enterprise stack; the great migration is not slowing down. Dasher is looking forward to a fundamental rebuilding of security foundations, which he says is a once-in-a-generation problem to solve. Existing technologies alone are not going to solve these problems at the scale of today’s data. Enterprises must keep moving to the cloud so they can quickly adopt viable solutions as they emerge. Moving forward, Bradley also suggests that companies must take identity-centric security models seriously, again focusing on what the user and the device are trying to do. They should also focus more on proof of possession to validate access rather than relying on bearer tokens (a bearer token grants access to whoever presents it, so a captured token can simply be replayed).
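The bearer-versus-proof-of-possession point is easiest to see with a small resource server that handles both kinds of token. The following is an added example written for this page, not code from the panelists, Okta or any vendor. It follows the shape of RFC 7800 (a `cnf` claim naming the confirmation key) and of DPoP (a per-request proof over method, URL, token hash, timestamp and nonce), but to stay standard-library-only it uses an HMAC key that the resource server has on file rather than an asymmetric key; the signing secret, key registry, URL and timings are all illustrative assumptions.

```python
"""Added example: a bearer token versus a proof-of-possession (PoP) token.

Bearer mode accepts the token alone, so anyone who captures it (a log line,
a proxy, malware on the host) can replay it. PoP mode also requires each
request to carry a fresh proof keyed with a secret only the real client
holds; the token's `cnf` claim names that key. Everything here is a demo
with assumed names; the deployed pattern normally uses asymmetric keys.
"""
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

AS_SECRET = b"authorization-server-signing-key"                 # assumed AS key
CLIENT_KEYS = {"client-key-1": b"held-only-by-the-real-client"}  # assumed registry
PROOF_MAX_AGE = 60          # seconds a proof stays valid (assumed)
_seen_jti = set()           # resource-server replay cache for proof nonces


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload: dict, key: bytes) -> str:
    """Compact 'body.mac' token: base64url(JSON) plus an HMAC-SHA256 tag."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def _verify(token: str, key: bytes) -> Optional[dict]:
    body, _, mac = token.rpartition(".")
    if not body:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), mac):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def issue_token(subject: str, cnf_kid: Optional[str] = None) -> str:
    """Authorization server issues a token; with cnf_kid it is PoP-bound."""
    claims = {"sub": subject, "scope": "payroll.read"}
    if cnf_kid:
        claims["cnf"] = {"kid": cnf_kid}     # confirmation key, RFC 7800 style
    return _sign(claims, AS_SECRET)


def make_proof(client_key: bytes, method: str, url: str, token: str, now: float) -> str:
    """Client side: bind method, URL, token hash, time and a nonce to the key."""
    claims = {"htm": method, "htu": url, "iat": int(now),
              "jti": secrets.token_hex(8),
              "ath": _b64(hashlib.sha256(token.encode()).digest())}
    return _sign(claims, client_key)


def resource_server(token: str, method: str, url: str,
                    proof: Optional[str], now: float) -> str:
    """Return the verdict for one request."""
    claims = _verify(token, AS_SECRET)
    if claims is None:
        return "invalid token"
    cnf = claims.get("cnf")
    if cnf is None:
        return "ok (bearer)"                 # token alone suffices: replayable
    key = CLIENT_KEYS.get(cnf.get("kid", ""))
    if key is None or proof is None:
        return "proof required"
    p = _verify(proof, key)
    if p is None:
        return "bad proof"                   # signed with the wrong key
    if p["htm"] != method or p["htu"] != url:
        return "proof does not match request"
    if p["ath"] != _b64(hashlib.sha256(token.encode()).digest()):
        return "proof bound to a different token"
    if abs(now - p["iat"]) > PROOF_MAX_AGE:
        return "proof expired"
    if p["jti"] in _seen_jti:
        return "proof replayed"
    _seen_jti.add(p["jti"])
    return "ok (pop)"


def replay_scenario() -> dict:
    """Attacker captures a token (and, for PoP, one whole request) and reuses it."""
    now, url, out = time.time(), "https://api.example.com/payroll", {}  # assumed URL
    bearer = issue_token("alice")
    out["bearer_legit"] = resource_server(bearer, "GET", url, None, now)
    out["bearer_stolen"] = resource_server(bearer, "GET", url, None, now + 3600)
    pop = issue_token("alice", cnf_kid="client-key-1")
    proof = make_proof(CLIENT_KEYS["client-key-1"], "GET", url, pop, now)
    out["pop_legit"] = resource_server(pop, "GET", url, proof, now)
    out["pop_replayed"] = resource_server(pop, "GET", url, proof, now + 1)
    forged = make_proof(b"attacker-guess", "POST", url, pop, now + 1)
    out["pop_forged"] = resource_server(pop, "POST", url, forged, now + 1)
    out["pop_no_proof"] = resource_server(pop, "GET", url, None, now + 1)
    return out


if __name__ == "__main__":
    for name, verdict in replay_scenario().items():
        print(f"{name:14} -> {verdict}")
```

The stolen bearer token is accepted an hour later exactly as the legitimate one was; the stolen PoP token is rejected whether the attacker replays the captured request verbatim (nonce already seen), forges a proof for a new request (wrong key), or sends the token alone (no proof). Capturing the token no longer captures the access.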
The panel closed with audience questions about the viability of embedding authentication devices into people themselves. Bradley’s initial response, “well, obviously you’ve never worked in a sawmill,” drew laughs from the audience. On a serious note, he raised significant privacy concerns about similar existing technology such as RFID, which can track you wherever you go even though the device cannot be physically lost. Another question was about the viability of AI to establish trust. The panel remarked that growth in computing power has enabled novel neural network architectures, and that existing continuous-learning and login-challenge systems are a good step forward. However, a substantial amount of computer science research and engineering must be resolved first. For example, when should AI be injected into the authorization flow to enable machine learning and build trust? More importantly, how can it be injected in a way that does not slow down the user while still capturing enough information to make decisions?
Even all of this covers only a narrow snapshot of our entire conversation. We’re both excited and optimistic about what’s coming in the identity management landscape. For more, watch the full video here, or get in touch with us to find out how Okta can help ensure you’re set up for the changes ahead.