Analysts, customers and vendors met at National Harbor near Washington, DC to discuss trends and solutions.
The Gartner Security and Risk Management Summit kicked off on Monday, June 13, 2016, including Gartner analyst-led sessions, analyst roundtables, workshops, and exhibitor presentations and demonstrations. Gartner’s global research community of over 1,300 analysts engages in more than 300,000 one-to-one client interactions per year. One-on-one meetings with relevant analysts were available during the Summit. Keynotes, including one from General Colin Powell, delivered insight into governance and leadership, lessons learned and best practices, and emerging trends and standards.
Properly capturing and reflecting the various aspects of personal identity, ensuring security, enabling and extending trust, and maintaining personal and organizational privacy, all while not impeding commerce, was driving most conversations. As was the case at ISC West, the collision of physical and logical security also loomed large in conversations as personal devices, wearables and Internet-of-Things (IoT) provide platforms for convergence and to deliver insight into behavior via telemetry, identity and security analytics.
Innovative workshops like “Experiences from Implementing Mobile Identity” provided a unique forum for disparate customers to network (without the presence of vendors) to discover how similar problems were solved across market segments using innovative approaches. The main discussion topics included the convergence of Enterprise Mobility Management (EMM) and Identity and Access Management (IAM), BYOD, and biometrics.
“As EMM and IAM converge and the product platforms combine, the influence of the CISO over product selection and solution design is likely to diminish, even if they continue to help configure and manage the final solution,” explains workshop conductor Rob Smith, Research Director for Mobile and Client Platforms for Gartner. Regarding the increased adoption of biometrics, Rob commented, “We look forward to biometrics continuing to grow into more than a simple password replacement convenience. Liveness detection and revocable templates will be key.”
The consensus was that currently mobile identity and authentication is best achieved via digital certificates / PKI on mobile devices combining EMM and IAM (e.g. device fingerprinting as a part of the digital signature of the personal identity certificate). Separate hardware tokens or using secure elements inside the phone, or EMM vs IAM identity methods alone, were determined to be sub-optimal for most common applications.
Security and mobile identity management for IoT was also a hot topic in several presentations. Earl Perkins, Research Vice President at Gartner, explained why the IoT has really been with us since fleet management systems and key industrial interfaces (e.g. HVAC) were implemented many years ago. The difference now is that the connectedness and variety of systems have grown exponentially, combined with routine access from mobile devices. Earl demonstrated that what is coined “cyberphysical” will increasingly require existing security and IT personnel inside an organization to become physical security professionals.
We also were able to get down to the Solution Showcase exhibit floor where some companies were featuring mobile identity and biometric capabilities:
The FIDO Alliance and Google provided speaking opportunities and a booth for multiple FIDO member companies including Vasco, Yubico and Feitian. USB and Bluetooth implementations of FIDO U2F (2-factor authentication) were on display and case studies were highlighted. In parallel, FIDO announced more than 200 vendors now incorporate FIDO into their products and are certified, including leveraging Bluetooth technology.
Usher (by MicroStrategy), also FIDO certified, was showing off how strong PKI virtual badges and biometrics can be affordably deployed on mobile devices and used for both logical and physical access control including via Bluetooth and NFC. They explained how multiple Fortune 500 companies are already using the Usher Security platform for authentication, authorization enforcement, personalized user experiences, and security analytics.
Centrify demonstrated how biometrics are leveraged by IT professionals to access and check out privileged account passwords for one or more systems. Web Single Sign On was also demonstrated inside their mobile app where each web application is shown as a tile that directly launches the corresponding application.
ForgeRock revealed how Toyota is providing identity-centric, personalized user experiences within their automobiles leveraging their IoT platform. The vehicle’s seat position, mirror positions, media console settings and loaded apps, vehicle performance and ride, as well as other settings are automatically personalized when a registered person (identity) gets behind the wheel or enters the vehicle. Their goal is to enable this across vehicle manufacturers.