CIO Perspectives with Mark Settle: The Future of Identity-Based Security Management

Work-Bench · Published in Work-Bench · Sep 29, 2021

“CIO Perspectives” is a white paper series by Mark Settle that explores the top-of-mind technical issues confronting today’s CIOs and IT leaders. Mark is a seven-time CIO, most recently at Okta, a three-time CIO 100 award winner, and a two-time book author. His most recent book is Truth from the Valley, A Practical Primer on IT Management for the Next Decade.

End user identity has become the primary security perimeter of every modern enterprise. Business-critical IT resources are accessed by employees and customers through an unpredictable and ever-changing mixture of corporate, public and private networks and devices. Identity authentication is the primary line of defense in this complex digital landscape. Stringent management of end user authorizations provides the second defensive barricade.

End user authorizations are defined in terms of the resources users can access, the actions they can take, and the entitlements they hold to selectively exercise approved actions within specific resources. Very few security vendors differentiate access permissions, action privileges and entity entitlements in a consistent fashion, creating unnecessary confusion about the specificity and effectiveness of the authorization controls provided by their solutions.

Conventional identity-based security safeguards have been provided by vendors specializing in Identity and Access Management (IAM), Identity and Governance Administration (IGA) and Privileged Access Management (PAM). Dominant vendors in each of these categories have been aggressively extending their capabilities into adjacent domains, leading to the emergence of multifunctional platforms providing a blend of IAM/IGA/PAM capabilities.

At the same time, venture capital firms have been investing billions of dollars in new identity-based safeguards that offer specialized capabilities in such areas as biometric authentication, identity verification, self-sovereign identity, device identity, digital rights profiling and authorization customization. These niche services provide enterprises with the ability to construct bespoke authentication and authorization procedures that are customized for their business operations and tailored to the needs and expectations of their customers.

This report defines authorization controls on end user behavior in precise terms to ensure that buyers of identity-based safeguards fully understand the capabilities and limitations of the tools they are purchasing. It also envisions two very different technical strategies for leveraging future innovations in identity-based security management.

📚 Download the full white paper here.

Work-Bench is an enterprise technology VC fund in NYC. We support early go-to-market enterprise startups with community, workspace, and corporate engagement.