Guest speaker Andras Cser, VP and Principal Analyst at Forrester Research, and Stephen Cox, Chief Security Architect at SecureAuth, discussed the emerging Identity and Access Management Trends for 2017. Learn how these trends will impact your organization and how you can develop an effective Adaptive Authentication Strategy to stay ahead of the trends and cyber attackers. Learn more on these emerging 2017 trends: * The evolution of the threat landscape & emerging threats * What adaptive authentication in 2017 will look like * Why it's time to go passwordless * Types of breaches to watch for in 2017

1. What to Expect in 2017 -
Predictions for Identity and
Security

2. 2Copyright SecureAuth Corporation 2016
Today’s Speakers
ANDRAS CSER
VP and Principal Analyst
Forrester Research
STEPHEN COX
Chief Security Architect
SecureAuth

3. 3Copyright SecureAuth Corporation 2016
+ All attendee audio lines are muted
+ Submit questions via Q&A panel at any time
+ Questions will be answered during Q&A at the end of the
presentation
+ Slides and recording will be sent later this week
+ Contact us at webinars@secureauth.com
Webinar Housekeeping

4. 4Copyright SecureAuth Corporation 2016

5. 5Copyright SecureAuth Corporation 2016
© 2016 Forrester Research, Inc. Reproduction Prohibited 5
We work with business and
technology leaders to develop
customer-obsessed strategies
that drive growth.

6. 6Copyright SecureAuth Corporation 2016
Top Trends Shaping IAM in 2017
Andras Cser, VP Principal Analyst
January 18, 2017

7. 7Copyright SecureAuth Corporation 2016
7© 2016 Forrester Research, Inc. Reproduction Prohibited
› You don’t want to be on CNN headline news
› Security has shifted from a Director/VP/CISO/CIO IT
problem to a CEO problem
› Data protection is a key concern
› Mobile and IoT present new challenges
› BYOD/user owned devices are here to stay
Assess the impact of cyberattacks

8. 8Copyright SecureAuth Corporation 2016
8© 2016 Forrester Research, Inc. Reproduction Prohibited
› Perimeter is long gone (Can you give a laptop with VPN
to every contractor and employee???)
› Identity has emerged as the new perimeter
› Holistic approaches for joiner, mover, leaver, attestation
and self service processes
› Unified treatment of Application, Data, Endpoint, and
Network access controls
Shift identity to the center of your threat
detection ecosystem

9. 9Copyright SecureAuth Corporation 2016
9© 2016 Forrester Research, Inc. Reproduction Prohibited
› IAM is essential for business
› General IAM future requirements
› B2E IAM requirements
› B2B IAM requirements
› B2C IAM requirements
› IAM for IoT
› Forrester’s predictions
Agenda

10. 10Copyright SecureAuth Corporation 2016
10
Digital
transformation
drives IAM

11. 11Copyright SecureAuth Corporation 2016
11© 2016 Forrester Research, Inc. Reproduction Prohibited
› Digital customer experience vs Security strength
› IAM must support profile and preference management
› IAM must protect privacy
› IAM must aid in helping protect sensitive data
› Mobile/any device support
› IAM must support BI
IAM is essential for today’s business and
digital transformation

12. 12Copyright SecureAuth Corporation 2016
12© 2016 Forrester Research, Inc. Reproduction Prohibited
› Consumer like user interface everywhere
› API security and availability of IAM services as an API
› Behavioral profiling built in
› Multimodal and multi target IAM (SaaS and on-prem IAM
policy servers to support cloud and on-prem workloads
› IAM becoming lightweight (microservices)
› Privacy and security must be built in
General IAM future requirements

13. 13Copyright SecureAuth Corporation 2016
13© 2016 Forrester Research, Inc. Reproduction Prohibited
› Cloud migration: It’s not longer a question of ‘if’ but more
like ‘how’ and ‘when’
› What data do you have?
› How sensitive is your data?
› Where is your data?
› How do you detect anomalies in accessing data
› Users
› Devices
› Apps
Get a grip on cloud apps and cloud platforms

14. 14Copyright SecureAuth Corporation 2016
14© 2016 Forrester Research, Inc. Reproduction Prohibited
› Encapsulate data with identity to protect it
› Context, relationship and activity based provisioning,
access management
› Federation built in between on-prem and cloud user
stores
› Adaptive authorization to reduce recertification burden
› Recertification, role management and governance are
the ultimate preemptive strike against data breaches
B2E IAM requirements

15. 15Copyright SecureAuth Corporation 2016
15© 2016 Forrester Research, Inc. Reproduction Prohibited
› Native organization and relationship management is a
must
› IDaaS will gain adoption for access and IMG
› PIM as a service to support IT administration
outsourcers and IaaS providers
› Custom and dynamic trust networks
B2B (Business to partners) IAM requirements

16. 16Copyright SecureAuth Corporation 2016
16© 2016 Forrester Research, Inc. Reproduction Prohibited
› Organization and relationship management
› Profile management plus self services, not just security
› MFA as a service, move to push notification from SMS
messages
› Continuous authentication based on behavioral
biometrics
› Wearables for MFA
B2C IAM requirements

17. 17Copyright SecureAuth Corporation 2016
17© 2016 Forrester Research, Inc. Reproduction Prohibited
› Massive scale
› Devices are the new kid on the block
• Lifecycle, authentication, biometrics, API
› IAM systems have to handle people, apps, systems and
devices
› Manage consent in IoT environments explicitly – this is
to protect data and privacy
› Authorization v2.0
IAM for IoT requirements

18. 18Copyright SecureAuth Corporation 2016
18© 2016 Forrester Research, Inc. Reproduction Prohibited
› Today’s environments are 10x-100x bigger than what we
had even 4-5 years ago
› 11 billion mobile devices
› 50-100 billion IoT connected devices (Forrester est.) –
hard to patch, easy to attack
› Using IoT devices to perpetrate DDoS attacks has
already been demonstrated in the Dyn DNS breach
Assess scale

19. 19Copyright SecureAuth Corporation 2016
19© 2016 Forrester Research, Inc. Reproduction Prohibited
› IAM suites becoming much more loosely coupled than today
› IDaaS will do provisioning, governance and attestation, not
just SSO
› B2C will spawn a new class of customer management
services
› Fraud management and IAM / access control integration is
key
› Behavioral profiling is to expand to certification and access
request management
Forrester’s predictions

20. 20Copyright SecureAuth Corporation 2016
© 2016 Forrester Research, Inc. Reproduction Prohibited
Move from
Signatures and
Rules to
Behavioral
Profiles

21. 21Copyright SecureAuth Corporation 2016
forrester.com
Thank you
Andras Cser
+1-617-613-6365
acser@forrester.com

22. SecureAuth 2017 Predictions
Stephen Cox, Chief Security Architect

23. 23Copyright SecureAuth Corporation 2016
Consolidation Amongst
Security Vendors
+ Too many security products
– Too many alerts, too much to digest
– Not enough budget
+ Products need to address multiple challenges
– Provide actionable alerts, not just data
– Help protect, detect and respond
+ Example: Analytics as a Feature
– Behavior analytics: product or feature?
– UEBA may disappear as a standalone
market segment

24. 24Copyright SecureAuth Corporation 2016
Identity Becomes a
Pillar of Security
+ Everest sized mountain of data cultivated from
breach analysis
– Screaming for wider adoption of risk
based authentication techniques
+ Stolen credentials are too easy to get
– Obtained on dark web, used to quietly log
in to an organization
+ Solving the visibility problem
– Identity currently a blind spot for many
organizations
– Adaptive Authentication helps protect,
detect and respond against breaches

25. 25Copyright SecureAuth Corporation 2016
the password has become a
"kind of a nightmare”
Prof. Fernando J. Corbato

26. 26Copyright SecureAuth Corporation 2016
dThe End of the Password
d
+ Passwords are a completely broken technology
+ Not just buzz - it is happening, and fast!
+ We have the technology to do this today

27. 27Copyright SecureAuth Corporation 2016
Fallout from the Yahoo Breach
+ What it means to the end of the password
+ The impacts in the security community
+ Large credential databases a gold mine to
aggressive threat actor groups

28. 28Copyright SecureAuth Corporation 2016
Another (Re)Emerging Threat - DDoS
+ DDoS is back!
– Poorly protected IoT devices are
to blame
– The Rise of Thingbots - David
Hobbs (Radware)
+ Doesn’t mean fewer attacks
leveraging stolen credentials
– DDoS a tactic, not a goal
+ Still relates to identity!
– The “default password” issue
– Poorly protected web properties

29. 29Copyright SecureAuth Corporation 2016
+ Can achieve MFA without a password
– Something you have, something you are
– Analyze risk - identity is a pillar of security
+ Leverage the push-to-accept approach
+ Increase security without impacting user
experience!
– Good for verticals with difficult and demanding
stakeholders
It’s Time To Go Passwordless

30. Q & A

31. Visit www.secureauth.com
The intellectual content within this document is the property of SecureAuth
and must not be shared without prior consent.