Identity is core to the digital economy. It allows many to participate in modern society, from socializing and online banking to streaming music and purchasing goods. In fact, whatever you are doing right now most likely requires a login. Even better, the future of digital identity will unlock basic services and necessities, such as healthcare and education, which many in developed nations take for granted, for the 1.1 billion people who lack formal identification. For businesses, identity is critical for security in dictating which assets, whether people or “things,” have access to what.
While emerging technologies, like blockchain, are eye-catching, the reality of identity and access management for enterprises to support these experiences is challenging. The breadth of coverage quickly balloons when you consider the identity roster of employees, third parties, customers, IoT, and cloud infrastructure. Identifying, authenticating, and authorizing at the scale of millions can bring IT systems and administrators to their knees.
There’s a lot at stake. Consumers expect a customer experience that is easy and seamless, but building an optimal experience is a balancing act that includes tradeoffs to the extent of security you can provide. The employee experience is just as important. How can you be seen as an innovative company when you require three different log-in portals with separate credentials to file an expense report for $3? With privacy regulations (e.g. GDPR) that threaten hefty fines for non-compliance, as well as breaches stemming from insiders with excess privileges or cloud infrastructure with loose access policy configurations, security pros straddle the hard choice of “damned if you do, damned if you don’t.”
The difficulties in this ecosystem have us thinking about the areas where startups can make an impact to increase security, yet reduce the burden to consumers, employees, and administrators alike. However, we’re wary of piling on “security bandaids.” Despite the increase in security budgets (1, 2), security teams are trying to rationalize their security stack, without adding more technical debt. CISOs that we speak with aim to be smart with their investments and avoid an “expense in depth” strategy. Identity and access management is a prime example of an area that has gotten worse due to, as the CISO of a healthcare organization put it, accumulation of “sins of the past.”
When digging into the areas that are foundationally changing identity and access management, the areas that we are most excited about are:
Traditional identity verification and KYC solutions are increasingly losing their effectiveness due to the prevalence of compromised identities for sale in underground markets. Compounding this with the underserved population of younger generations and internationals that don’t have a robust credit history, enterprises are at risk of both increased fraud and holding up legitimate opportunities.
We are seeing a shift towards identification tools that are bringing in more contextual digital data for more informed risk decisions. Startups, like Socure*, are easing the customer account opening process by tapping into customers’ digital exhaust such as their social and web presence, so that businesses ranging from banks to eCommerce can increase consumer acceptance while improving fraud capture.
Another area we’re exploring is stopping bot traffic that leads to malicious activity like account takeover, content infringement, and DDoS. Startups, like Unbotify, Distil Networks, and WhiteOps, combat bots that impersonate human activity through behavioral biometric identification and randomized tests.
An important component is flexibility and ease of deployment. Companies, like Socure, can wipe out billions of dollars of fraud with a simple API call. As organizations continue to understand that their core competency is not in building massive fraud detection infrastructure for themselves, the more consumable solutions make all the more sense.
Risk-based, continuous authentication
We’ve all been bothered by reprompts for authentication. At the same time, authentication rules tend to be static rather than adapting to changing user conditions. Also, the more enterprises can limit the use of passwords, the better. We’ve been looking at different solutions that assess the level of risk from user context to determine whether re-authentication is needed and/or what the complexity of the challenge should be. Context can include factors such as role, device state, application risk, location, and time. The idea is to prompt high-risk users with step-up authentication, while lessening the asks for lower-risk activity. This ongoing process can continuously authenticate users’ sessions, so that they are only prompted when necessary to maintain a convenient user experience.
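A sketch of the risk-based, continuous decision described above, added here as an example and not taken from any product named in this article. The weights, thresholds, challenge labels and the sample session are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weights, thresholds and labels: assumptions for illustration only.
ROLE_RISK = {"employee": 0, "contractor": 10, "admin": 25}
APP_RISK = {"wiki": 0, "expenses": 10, "payroll": 30}
LEVELS = ["none", "one_time_code", "hardware_key"]  # increasing challenge strength

@dataclass(frozen=True)
class Context:
    role: str
    app: str
    device_healthy: bool  # device state, e.g. managed and patched
    country: str
    hour: int             # local hour of the request, 0-23

def risk_score(ctx, usual_countries):
    """Sum per-factor risk; unknown roles and apps get the highest weight."""
    score = ROLE_RISK.get(ctx.role, 25) + APP_RISK.get(ctx.app, 30)
    score += 0 if ctx.device_healthy else 25
    score += 0 if ctx.country in usual_countries else 25
    score += 10 if (ctx.hour < 6 or ctx.hour >= 22) else 0
    return score

def required_level(score):
    """Map a score to an index into LEVELS."""
    return 2 if score >= 70 else 1 if score >= 30 else 0

def evaluate_session(requests, usual_countries):
    """Re-score every request; prompt only when the needed challenge is
    stronger than what the session has already satisfied."""
    satisfied, last_env, prompts = 0, None, []
    for ctx in requests:
        env = (ctx.device_healthy, ctx.country)
        if last_env is not None and env != last_env:
            satisfied = 0  # device or location changed: earlier proof is void
        last_env = env
        needed = required_level(risk_score(ctx, usual_countries))
        prompts.append(LEVELS[needed] if needed > satisfied else None)
        satisfied = max(satisfied, needed)  # assumes the user passed the prompt
    return prompts

# Constructed session for one user whose usual country is "US".
SAMPLE_SESSION = [
    Context("employee", "wiki", True, "US", 10),
    Context("employee", "payroll", True, "US", 11),
    Context("employee", "payroll", True, "US", 11),
    Context("employee", "payroll", True, "FR", 11),
    Context("employee", "payroll", False, "FR", 23),
]

if __name__ == "__main__":
    print(evaluate_session(SAMPLE_SESSION, {"US"}))
```

The second payroll request produces no prompt because the session already holds the required proof; the change of country and then of device state each force a fresh challenge.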
Behavioral biometrics startups, such as BehavioSec and Biocatch, analyze the way users behave through keystrokes, mouse movements, specific handling of the phone, and other actions, to determine if a person is who they “act” like they are. Lately, applications of this technology have been more on the consumer application end, targeted towards financial services and insurance.
On the enterprise side, companies like TwoSense are exploring how behavioral biometrics can serve as a second factor of authentication that can reduce the number of authentication interruptions. I’ve heard some forward-thinking security leaders leverage open source solutions to accomplish some of these tasks, like Netflix’s Stethoscope, which probes device state that ends up feeding a broader trust risk engine.
Centralized access policy management
Another area of interest is enabling least-privilege access across users, devices, and machines. This not only lowers the risk of insider threats and accidents, but also provides for speed in identity governance across an enterprise’s technology environment. As policies are inherited and not checked against their usage or need, we are finding excess privileges abound. Adding to the complexity, policy can exist across SaaS applications, datacenter infrastructure, network devices, and endpoints.
Startups like Cloudknox, Orkus, PlainID, and Styra are tackling this head-on to provide a unified place to create and manage policy across applications and hybrid infrastructure. It’ll be interesting to see how this affects role-based access control (RBAC) and the delegation of privileges as these tools look to provide the right amount of privileges based on access and need. Along with the creation of smaller roles, how can enforcement be done at scale?
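To make the inherited-but-unused privilege problem concrete, here is an added example (not code from any vendor named here) that resolves role inheritance and subtracts the permissions each user actually exercised. The role graph, permission names and log format are constructed assumptions.

```python
# Constructed sample data: roles, permissions and log lines are illustrative.
ROLE_PARENTS = {"finance-admin": ["finance-user"], "finance-user": ["employee"]}
ROLE_PERMS = {
    "employee": {"wiki:read", "expenses:submit"},
    "finance-user": {"ledger:read", "expenses:approve"},
    "finance-admin": {"ledger:write", "payroll:run"},
}
USER_ROLES = {"alice": ["finance-admin"], "bob": ["finance-user"]}
ACCESS_LOG = """\
2024-05-01T09:12:00Z alice ledger:read allow
2024-05-01T09:15:00Z alice ledger:write allow
2024-05-02T14:01:00Z bob expenses:submit allow
2024-05-02T14:03:00Z bob payroll:run deny
2024-05-03T08:30:00Z alice wiki:read allow
"""

def effective_permissions(role, seen=None):
    """Permissions of a role plus everything inherited from its parents."""
    seen = set() if seen is None else seen
    if role in seen:  # guard against cycles in the role graph
        return set()
    seen.add(role)
    perms = set(ROLE_PERMS.get(role, ()))
    for parent in ROLE_PARENTS.get(role, ()):
        perms |= effective_permissions(parent, seen)
    return perms

def used_permissions(log_text):
    """Per-user set of permissions actually exercised (allowed requests only)."""
    used = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] == "allow":
            used.setdefault(parts[1], set()).add(parts[2])
    return used

def excess_privileges(user_roles, log_text):
    """Granted-but-unused permissions per user: candidates for removal."""
    used = used_permissions(log_text)
    report = {}
    for user, roles in user_roles.items():
        granted = set().union(*(effective_permissions(r) for r in roles))
        report[user] = sorted(granted - used.get(user, set()))
    return report

if __name__ == "__main__":
    for user, perms in excess_privileges(USER_ROLES, ACCESS_LOG).items():
        print(user, perms)
```

The result depends on the observation window: a log covering only a few days will flag permissions that are needed but rarely used, such as a monthly payroll run.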
Machine to machine identity
An emerging area that we’re tracking closely is workload identity and security. As microservice adoption increases in the enterprise, so does the need to address security implications for distributed systems. Services operating in heterogeneous environments must have authentication, communication, and access control with one another. Prabath Siriwardena’s write-up nicely sums up what happens in this high-velocity environment, as well as the identity standards used.
Authenticating and authorizing the machine to machine traffic in this new paradigm can be challenging, but we’re excited to see where it is headed. The open source project SPIFFE is tackling this by creating identity semantics for workloads and the company Scytale is helping organizations begin to use it. Other startups like BanyanOps and Cloudentity are utilizing a service mesh approach to providing identity for workloads.
What’s fascinating about startup development in IAM is how it will change the face of future architecture design when applications are run in untrusted locations. A guiding principle we’ve been following is zero trust, coined by former Forrester analyst John Kindervag and further popularized by Google through their implementation of BeyondCorp. Essentially, since the traditional corporate perimeter has disappeared, all traffic should be considered public and untrusted, and be treated as such. In the context of identity and access management, security leaders are aiming to get a handle on all identities, provision the right type of access, and sustain the best customer and employee experience.
We’re already seeing companies move to this approach. VPN-less access to corporate resources is an increasingly common trend and innovations in this area from companies, like ScaleFT and Duo Security, are showing promise. We’re excited to see how this changes traditional IAM technology domains, such as privileged access management, and how this can give more control to administrators and customers for granular control of resources and data.
If you’re building a company that is changing the identity experience, we want to hear from you. Please reach out via email at kelley[at]work-bench.com or on Twitter at @kelleymak.
*Work-Bench portfolio company