On briefings and inquiry workshops, there are often emerging themes that start to spring up repeatedly: perhaps every few months, perhaps under different projects, using different terms and stories, and perhaps from unexpected people or teams.
There has been one theme over the past 12 months or so that is difficult to ignore: not only how identity-based security has left-shifted in the thinking of information leaders to become a first-class citizen in the technology arsenal, but how identity is moving into a new territory. The territory of autonomy.
But before I start on that, I want to ground this point of view in where the majority of identity and access management services were often classified – that of automation. So I’m thinking of some basic examples such as:
- Automation of account creation in the B2E space
- Automation of access request rules for new employees
- Automation of access review for compliance reporting
- Automation of threat detection rules creation for adversarial activity hunting
- Automation of activity analytics in order to find abnormal behaviours
There are many other areas where we have witnessed the script-to-commercially-integrated maturity path.
Now, that basic maturity example could readily be applied to many other more generic workflows and business processes. A level of understanding, stabilisation and then commercial specialism takes place in order to improve productivity, reduce cost and deliver emerging use cases. However, identity has certainly taken on some different characteristics over the past 5 years.
We have seen the emergence of identity as a revenue generator (think consumer identity), identity as a security fabric (think authorization for zero trust, contextual security), identity as a business enabler (think gig-economy, B2B2X, partner identity) and identity for workforce empowerment (think distributed access, user-centric sharing, API-first access).
With the changing role of identity comes new responsibilities, stakeholders, measurements and metrics.
So where does the idea of autonomy start to emerge in this growing landscape of identity importance? The origins of commercial identity innovation were very focused on the workforce – mainly as there was a market (driven by the market correction tools of financial service regulation). The workforce environment was very much controlled and structured and underwent limited change in volume.
However, today identity is not only left-shifted in priority; the tentacles of identity are now reaching new environments. Environments which exist under different constraints – technical, political and societal.
Identity-related services have to operate under new conditions:

| Condition | What it means for identity services |
|---|---|
| Scale | Consumer identity projects reaching millions of users |
| Volume | Transaction numbers in their millions/second within microservice / API-first integrations |
| Resilient | Authentication at the edge – for first responders, military personnel or autonomous vehicles |
| Adaptive | Access control for a range of different asset types – from data to doors |
| Contextual | Ability to make runtime decisions based on the environment or the transaction – can we mimic the psychological human factor? |
| Physical | Ability to link the digital identity to the physical – for assets and other people |
| Integrity | Ability to confirm the origin of a message, interaction or set of events to an identity |
| Distributed | Ability to provide authenticity and security services in a non-centralised fashion – for device-to-device, service-to-service and identity-to-identity interactions |

When we start to see where identity is (and certainly could end up), there are different characteristics we need to consider. Autonomy – as defined in developmental psychology as “…the capacity to make an informed, un-coerced decision” (courtesy of Wikipedia) – starts to play a vital role in environments where the identity service needs to be distributed and resilient, or perhaps operating in the physical world and at high volume, yet with a dose of contextual analysis.
The ability to make powerful human-esque decisions regarding access control, trust and data sharing by design requires a good dose of autonomy. No call backs to a mother-ship (that would take too long). No hard-coded signatures and rules (that is not adaptive enough). No long windows before updates and repaves (the context is too volatile).
How can we get there? Well, autonomy is already starting to play vital roles in services such as extreme authentication (where machine learning techniques operate on edge technology) or distributed authorization enforcement (where sidecars and proxies have just enough information to make a relatively informed access decision).
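The sidecar pattern described above, as an added example (not from this article or from any product): a sidecar holds a signed, short-lived policy bundle and decides locally from runtime context, failing closed when the bundle has been tampered with or has gone stale. The HMAC key, the bundle format, the rule fields and the risk score are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). A real deployment would provision keys
# per sidecar or use asymmetric signatures so sidecars cannot mint bundles.
BUNDLE_KEY = b"constructed-demo-key"
MAX_BUNDLE_AGE = 300  # seconds a bundle is trusted without a refresh

# Constructed sample policy: responders may open doors when risk is low.
POLICY = {"rules": [{"id": "r1", "role": "responder", "action": "open",
                     "resource_prefix": "door/", "max_risk": 0.4}]}


def sign_bundle(policy, issued_at, key=BUNDLE_KEY):
    """Control-plane side: serialise the policy and attach an HMAC-SHA256 tag."""
    body = json.dumps({"iat": issued_at, "policy": policy}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def decide(bundle, request, now, key=BUNDLE_KEY):
    """Sidecar side: decide with no call-back; deny on any doubt."""
    expected = hmac.new(key, bundle["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["tag"]):
        return False, "bundle signature invalid"
    data = json.loads(bundle["body"])
    # Reject bundles from the future as well as ones past their window.
    if not 0 <= now - data["iat"] <= MAX_BUNDLE_AGE:
        return False, "bundle stale"
    for rule in data["policy"]["rules"]:
        if (rule["role"] == request["role"]
                and rule["action"] == request["action"]
                and request["resource"].startswith(rule["resource_prefix"])
                and request["risk"] <= rule["max_risk"]):  # runtime context
            return True, "allowed by rule " + rule["id"]
    return False, "no matching rule"


if __name__ == "__main__":
    bundle = sign_bundle(POLICY, issued_at=1000.0)
    req = {"role": "responder", "action": "open",
           "resource": "door/12", "risk": 0.2}
    print(decide(bundle, req, now=1060.0))                 # fresh, low risk
    print(decide(bundle, {**req, "risk": 0.7}, now=1060.0))  # risk too high
    print(decide(bundle, req, now=2000.0))                 # bundle expired
```

The trade-off sits in `MAX_BUNDLE_AGE`: a longer window keeps the sidecar working through connectivity loss, a shorter one limits how long a revoked rule keeps granting access.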
As both the use cases and commercial solutions continue to evolve over the next 36 months, we will start to see more services being able to operate in more extreme environments – making decisions with information that is presented to them at runtime – perhaps with a level of AI/ML magic (wow, nearly got to the end of this article without mentioning AI/ML) that allows adaptive and robust alterations in decision making, perhaps in the authentication or trust space.
In summary though, identity is moving into a new world. Use cases are evolving rapidly, the success metrics of identity are now being consumed by different stakeholders, and the days of pure automation and productivity being the only success criteria seem short-lived.
About The Author
Simon Moffatt is Founder & Analyst at The Cyber Hut. He is a published author with over 20 years’ experience within the cyber and identity and access management sectors. His most recent book, “Consumer Identity & Access Management: Design Fundamentals”, is available on Amazon. He is a CISSP, CCSP, CEH and CISA. His 2022 research diary focuses upon “Next Generation Authorization Technology” and “Identity for The Hybrid Cloud”.