I recently ran another of my highly scientific industry polls – via LinkedIn to get a feel for this years spending patterns as they pertain to some emerging identity and access management technology areas. I have been tracking four emerging areas over the past 8 months or so, including Passwordless Authentication (where The Cyber Hut released a 61 page buyer guide last year), Cloud Identity/Infrastructure Entitlements Management, Decoupled Authorization and Identity Threat Detection and Response.
All four areas have had significant venture capitalist funding over the past 36 months and the use cases and capabilities of each have started to stabilise to a point where buy side procurement and integration is becoming consistent and vendors are identifying their competitive go to market narratives.
So my poll was essentially asking, which of these areas would a buy-side practitioner look to invest in during 2022?
So the response was quite small (n=53) but as always, the comments and commentary are also the most interesting part of any poll. The overwhelming majority was seemingly passwordless authentication. It could be argued that this area is probably the most mature in some respects of the 4 sectors – have we not been trying to rid ourselves of passwords since about 1975?
The passwordless arena has certainly blossomed over the past year or two, with vendors such as Transmit Security, HYPR, Secret Double Octopus, 1Kosmos, Beyond Identity, Keyless.io, Magic.link and Stytch all receiving decent funding rounds. The battle grounds for passwordless seem to divide into the B2E and B2C worlds, with broad coverage (how many integrations and applications can be brought into the project) and broad user involvement (how many user and device types can be integrated) both important – not to mention the ability to deliver enrolment and lost device use cases in an entirely self-sufficient way – avoiding the dreaded help desk call.
Most passwordless vendors are seemingly leveraging asymmetric cryptographic and challenge response style flows (some standards based using the likes of WebAuthn, some proprietary) with the private key being securely stored either on device in a tamper resistant way, or off device in a distributed fashion. Local mobile biometry seems popular too to gain access to the private key. A focus on improved identity proofing, account recovery and app-less integrations are interesting competitive areas too.
Second in the poll list was Cloud Infrastructure/Identity Entitlements Management. CIEM (often pronounced “kimm”) is looking to solve the observability and management issues of having a multi-cloud and distributed application landscape. Many large enterprises will have a multitude of different application and service provider integrations that they need to handle and of course identity is somehow stuck in the middle trying to be the glue that defines identity attributes as well as providing a foundation for authorization via permissions and rules. It is interesting to see how CIEM actually evolves – and does the set of capabilities needed to manage this ecosystem start to fall into the next flavour of Identity Governance and Administration or a more hybrid approach to identity analytics?
Decoupled Authorization (or externalized authorization management) has been around for a while (see Axiomatics and PlainID) where the focus was upon having a dedicated policy decision point away from the authentication and session management services associated with the identity provider infrastructure. As authentication is becoming a “known” feature set, the need for continual security, adaptive access, zero trust identity post authentication, coupled with a more complex set of assets to protect (think APIs, microservices, data objects, privacy for PII, IoT) we’ve started to see authorization gaining a second wind. A wave of vendors have emerged such as Cloudentity, Scaled Access (recently acquired by OneWelcome) and Veza are all competing to take the post-login security budget – via the protection for a range of resources using fine grained access control.
Whist access and relationship management wasn’t added to the poll there is certainly a wave of vendors looking to handle the first step in that authorization challenge – via improved cloud-centric access request management, access review and access intelligence. See ConductorOne and Indent as some examples.
The final position in the poll, went to the area of Identity Threat Detection and Response. ITDR is certainly a more recent sector, but one with some deep origins. Threat detection has often been associated with endpoints and devices. The concepts around discovery of assets and then analysis via signatures and behaviour is a staple security model. Applying this concept to the mature identity landscape seems a pretty sound evolutionary step – how can organisations aim to manage a distributed identity landscape with remediation without dedicated tooling? Well I’m assuming they can’t. Here the ability to ingest identity data be it from identity providers, activity logs or the applications themselves, before applying checks, scans and rules provides a basic foundation to essentially identify misgoverned accounts, permissions and behaviours. Emerging vendors in this space include Oort, Permiso, Silverfort and Illusive.
About The Author
Simon Moffatt is Founder & Analyst at The Cyber Hut. He is a published author with over 20 years experience within the cyber and identity and access management sectors. His most recent book, “Consumer Identity & Access Management: Design Fundamentals”, is available on Amazon. He is a CISSP, CCSP, CEH and CISA. His 2022 research diary focuses upon “Next Generation Authorization Technology” and “Identity for The Hybrid Cloud”.
Up and Coming Events
The following The Cyber Hut events are coming up soon:
The Cyber Hut CISO Briefing: Consumer Identity and Access Management Market Review
2 Day Masterclass Training: Consumer Identity and Access Management (Remote)