Gartner IAM Summit 2019 – the highlights from our point of view

For professionals in the Identity & Access Management sector, there are only a handful of truly important conferences worldwide. The Gartner IAM Summit, with its more than 40 research-based sessions, presented by visionary speakers and experts, is one of them. This year again, I had the opportunity to be in London, immerse myself in the technology, and identify new trends during the two-day conference. Especially for us, as a vendor-independent system integrator in the field of Identity and Access Management (IAM), it is crucial to always stay a step ahead technologically, to obtain an objective market overview and assessments of current topics, and also to foster the exchange of information with analysts and vendors. The latter exchange is particularly effective at the London conference, with more than 600 participants and exclusive access to leading technology vendors. For me personally, the Gartner Summit also offers an ideal opportunity to reflect on my own views and to share ideas with specialist colleagues.

Market overview and trends

With regard to the market situation, I feel confirmed in my observation that, in the medium term, IAM solutions are not expected to consolidate into a few large software vendors. Rather, we will continue to benefit from a very fragmented market, with many providers offering technology-driven solutions and, in some cases, a great deal of potential. I liked an Israeli start-up that focuses on flexible authentication processes in mobile apps.

Hybrid Cloud and DevOps – the two key trends

From my point of view, the two most important trends shaping the further development of IAM strategies are Hybrid Cloud Computing and DevOps.

The hybrid cloud is the reality we will have to come to terms with over the next few years. In the near future, not everything will happen in the cloud, but no company will be able to remain competitive without making extensive use of cloud services. For us, when designing IAM solutions, this means offering our customers the best possible service: Neither the positioning of the application nor that of the user should play a significant role.

The second major trend topic is DevOps. Of the 2,000 largest companies in the world, one in four now base their software development on the principles of DevOps – and the trend is upwards. For IT security, this change presents both challenges and opportunities. DevOps promises a higher degree of agility and flexibility, greater dynamics, and faster responses to customers’ wishes, changes in the market, or regulatory requirements. However, to fully exploit the agility and responsiveness of the DevOps approach, IT security must not only play an integrated role in the entire app lifecycle, it must also become more flexible and adaptable overall. And this is exactly where the difficulty lies. Agility has never been a particular strength of IAM – for various reasons. IAM software must adapt to the accelerated pace of development, otherwise there will be a conflict between deployment speed and software security. If IAM doesn’t play along with DevOps, it inevitably becomes a stumbling block. And in the era of digitalization, new business models, and disruptive change, this is more than just a minor flaw. I am particularly excited to have received very good feedback from Gartner analysts on our Service Layers approach, which offers both DevOps and IAM from a single source.

Privileged account management, in particular, faces special challenges with the cloud and DevOps. There is still considerable room for improvement among the established providers, who are now confronted with completely different approaches to the topic of “credentials for privileged operations” in the face of competition. Gartner has good reason for calling CI/CD automation, a basis for DevOps, the highest level of PAM maturity.

The power of networking – maintaining existing partnerships, exchanging ideas with potential customers, and reexamining one's own viewpoints

In addition to an objective market assessment and trend observation, the IAM Summit always offers an ideal platform for high-class networking with leading vendors, colleagues, and analysts, given the multitude of IAM experts on site. For us as a system integrator – despite the good products our partners offer – project success always depends on having our recommendations and wishes for further development taken into account. And, of course, unfiltered feedback from the projects helps vendors improve their products. For us, the main demand was being able to guarantee a very high level of security for IAM solutions hosted in the cloud and to further improve the operability of IAM solutions in containers.

Exchanging experiences with users and analysts, as well as the strategic discussions about new ideas and solutions, occasionally make it necessary to reexamine personal views. Incorporating established best-practice processes and experiences is essential to efficient project implementation, but it’s also important to reflect from time to time and critically assess whether the premises you hold are still accurate.

At this point I would like to mention the presentation by Erik Wahlstrom, who presented his analysis of OAuth 2.0 and OpenID Connect – due to the outstanding success of these protocols at many companies. He nicely summarized practical experience, identified special challenges, and named innovations and further developments:

- The OAuth 2.0 framework continues to evolve. Work is progressing on a standard that raises OAuth to a much higher level of security, one that both authenticates clients securely and makes the misuse of access tokens much more difficult: OAuth Mutual TLS Client Authentication and Certificate-Bound Access Tokens (https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls).

- OAuth leaves a lot of freedom at the protocol level, but not every option should be used. Giving an app direct access to the password (OAuth Resource Owner Password Credentials Grant) is absolutely outdated, but there is already a very good guideline for native apps, e.g. on mobile devices (https://tools.ietf.org/html/rfc8252), and one is now also in progress for browser-based apps (https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-00). It’s important to keep in mind that the use of implicit flow is generally no longer recommended. Code flow is now the means of choice, also for public clients, additionally secured via PKCE.
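
To make the last point concrete, here is a minimal sketch of the PKCE check (RFC 7636, S256 method) that protects the code flow for public clients. It is an added example, not code from the presentation or from any product mentioned here; `ToyAuthorizationServer` and the helper names are hypothetical, and the server models only the PKCE bookkeeping.

```python
import base64, hashlib, hmac, re, secrets

# RFC 7636 section 4.1: 43-128 characters from the unreserved set
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))"""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def new_pkce_pair():
    """Client side: fresh random verifier (stays in the app) and its challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters
    return verifier, s256(verifier)

class ToyAuthorizationServer:
    """Hypothetical in-memory server; only the PKCE bookkeeping is modelled."""
    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str) -> str:
        if method != "S256":
            raise ValueError("only the S256 challenge method is accepted")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        challenge = self._pending.pop(code, None)  # a code is single use
        if challenge is None or not VERIFIER_RE.match(code_verifier or ""):
            return None
        if not hmac.compare_digest(s256(code_verifier), challenge):
            return None
        return secrets.token_urlsafe(24)  # stand-in for a real access token

def demo() -> dict:
    server = ToyAuthorizationServer()
    verifier, challenge = new_pkce_pair()
    code = server.authorize(challenge, "S256")
    leaked_code = server.authorize(challenge, "S256")  # second flow, code leaks
    foreign_verifier, _ = new_pkce_pair()  # the real verifier never left the app
    return {
        "legitimate_client": server.token(code, verifier) is not None,
        "leaked_code_other_verifier":
            server.token(leaked_code, foreign_verifier) is not None,
        "replayed_code": server.token(code, verifier) is not None,
    }
```

Only the first entry returned by `demo()` is `True`: an authorization code is useless without the verifier held by the client that started the flow, and a redeemed code cannot be replayed.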

All in all, the Gartner IAM Summit 2019 was such a success from our point of view that we will be participating as a sponsor next year.