Identity and access management (IAM) provider ForgeRock recently held its annual IDLive conference in Austin, Texas. One of the most compelling sessions involved ForgeRock CTO Eve Maler, who discussed the future of IAM and how it’s now being heavily infused with artificial intelligence (AI) to make it more effective.
The future that Maler described is very much aligned with the company’s mission to “help people safely and simply access the connected world” and its vision of “never having to log in again.” While IAM has historically been a part of the IT plumbing to manage employee access within companies, it has emerged as a technology with a significant impact on all users — employees, consumers, citizens and others — in the new post-pandemic digital world that is evolving into Web3.
Digital transformation shifts IAM to digital identity
It’s well documented that the past two years have greatly accelerated digital transformation. We’re now in the experience era, in which businesses define themselves by their ease of use and low customer friction. In fact, one data point presented during CEO Fran Rosch’s keynote is that 90% of businesses now compete on the basis of customer experience. This is consistent with what we see at ZK Research, and we’ll add the data point that two-thirds of millennials admitted to dropping a brand in 2021 because of a single bad experience.
IAM has a direct impact on user experiences — from the time a customer first signs up for a new service to every subsequent time she accesses that company’s products and services. Often, the one bad experience that causes a consumer to drop a brand is the registration or login experience.
The first notable point from Maler’s presentation was an expanded vision of digital identity that replaces the traditional concept of identity in the context of IAM. The latter is an old-school construct for a more traditional workforce environment. Today, a digital identity isn’t just our given credential; it also encapsulates the devices we use, our patterns of behavior, our location and so on.
Our digital identities are used not only at the time of access, but throughout our digital interactions with a company. Traditional IAM solutions that focus only on authenticating users during login might not detect a user whose credentials were stolen and then used by a threat actor overseas. But a modern IAM platform detects anomalous behavior, even after a user has logged in, and can trigger an alert to block access.
That’s a basic example, but to realize its vision of simplicity, the ForgeRock platform must work across all systems. “It doesn’t matter if there is a heterogeneous environment — no gaps, no lack of scale or performance — it all just has to work,” Maler said. This is certainly a bold vision, and AI is the enabler to, as Maler put it, “make the right, intelligent decisions.”
AI is needed to analyze increasingly large amounts of data and find insights in it. “We are seeing an ocean of data and our customers are drowning in it and are unable to make the right decisions,” Maler said. “Most tools that make use of the data are inflexible and a bit dumb, which leads to coarse-grained decisions, resulting in poor experiences. This creates an opportunity for much more automation across the identity lifecycle.”
Artificial intelligence enables zero-trust identity
The addition of AI to digital identity will cause this market to shift again, and that shift will be to zero-trust identity (ZTI). Zero trust is obviously a big topic because companies are looking to use the technology to help with the transition to hybrid work.
Most zero trust is done in the network layer, but that causes problems because it’s easy for bad actors to hide from the network. When zero trust is used in identity, it follows the digital identity. Maler gave an example of ForgeRock’s recently released Autonomous Access product that uses AI/ML to process all the signals associated with a user’s digital identity to either give them seamless access, intervene with stepped-up authentication when unsure of the user’s identity, or block them when they are fraudulent.
During her presentation, Maler discussed four ways AI will enable zero-trust identity in the future:
- Dynamic protection of company resources. AI can be used to find even the smallest anomalies that can indicate credentials have been compromised.
- Ability to implement fine-grained policies. Coarse-grained policies are generally easy to implement with zero-trust solutions. AI analyzes data to understand the relationships between users, data and things. This can be used to create granular policies without impacting user experience.
- Elimination of personal data in access tokens. The tokens are used to permit or deny access and typically need a certain level of user information to operate. Because AI-based ZTI uses behavior info, all personal data can be eliminated, thereby ensuring user privacy.
- Continuous verification. Most zero-trust systems verify once and allow a worker to access resources. If the user is compromised after authenticating, that approach can give the attacker unfettered access to company information. AI is constantly watching all behavior, enabling verification to be continuous.
Security professionals need to understand that the technology environment has changed. The IT organization no longer has control over apps, where people work, the network, or other infrastructure. In the business-to-consumer world, this IT control is nonexistent. Security controls need to shift to digital identity, and the IAM industry must evolve away from legacy constructs, such as allow/deny access, to an AI-powered analytics system that is always on.