
Page 1: Accelerate Digital Transformation Projects with Solid Identity and … · 2019-10-10 · Better to wait on hold than compromise an important account or effectively tell the world

IDC ANALYST CONNECTION Sponsored by: SecureAuth

Accelerate Digital Transformation Projects with Solid Identity and Authentication Practices October 2019

Questions posed by: SecureAuth

Answers by: Jay Bretzmann, Program Director, Cybersecurity Products

How and why is identity central to digital business initiatives for both customer and enterprise environments?

Many digital transformation (DX) projects are about reducing operational costs by helping people help themselves. Around-the-clock service availability and automated processes deliver new conveniences to employees or customers who want to do ordinary tasks where human involvement isn't really necessary. Surveys and conventional wisdom confirm that mobile or tablet-based applications deliver better experiences than dialing into 800 numbers.

Other DX projects are about expanding opportunities to reach new markets and deliver superior customer experiences. Online stores are easier to visit, and augmented reality and virtual reality (AR/VR) technologies allow customers to more fully experience goods or services. Toss free shipping into this mix, and it's no surprise that customers increasingly see leaving the home or workplace to shop as unnecessary.

In these cases and many others, transformation is good for business as long as both parties can securely identify and authenticate themselves — and absolutely not otherwise. Convenience is a strong motivator but not at the risk of an identity compromise or the significant disclosure of private information. Depending upon the nature of the requested task, users will expect and embrace authentication challenges or grow uneasy with the session and simply disconnect. Better to wait on hold than compromise an important account or effectively tell the world about your beliefs, ailments, or affiliations.

Add one wrinkle here: there's a new category of users to accommodate, one that can deploy new code releases into the wild without any prior review. DevOps is a necessary approach for successful digital transitions; however, DevOps leverages multiple new, open source, downloadable tools that developers and security teams may not initially know how to secure. Security teams need to understand what developers are doing and the risks they might inject while serving employee and customer interests.

Vendors, partners, and customers all want to benefit from digital transformations, but only if they're reasonably sure that what they develop and share is safe. This IDC Analyst Connection discusses how best practices for identity and authentication can help drive digital transformation.

Page 2 #US45540019

What decisions must be made to balance user experience and security?

Friction is an unavoidable component of an identity program when it comes to the user experience. You can't just let everyone in, so the trick is for IT to pick its battles. When access risk is low, lighten up on the approach and wait for users to open accounts, initiate transactions, or perform other similar activities before elevating authentication challenges. Especially in the consumer space, visitor traffic is good; the more people who use the systems, the more opportunities to collect data, learn about preferences, and improve the experience.

In a corporate enterprise environment, C-suite management support for any changes to employee user experiences must be won, and management's wishes must be communicated to employees if any substantial change in operational behavior is to successfully occur. People naturally resist change, but not all data is created equally, and so not everyone needs to get a palm print or a retinal scan as part of the process. IT and security teams should meet with representatives of the affected constituencies and address pain points separately to gain support department by department. Authentication is not a one-size-fits-all technology.

Also, secure adequate funding to complete the project, and don't go it alone. There simply aren't enough identity professionals to go around (train or hire); professional services will make a big difference in accelerating deployment times and avoiding errors other firms have made. It's hard to define user groups and classify data — especially when elements of both move around frequently.

How can business and IT teams work together to achieve both experience and security goals?

Business owners, DevOps, and traditional IT operations people generally don't like security initiatives that slow down overall efforts to make an organization more agile or responsive, but DX projects multiply the corporate attack surface like no previous undertaking. Suddenly, customers, contractors, partners, and cybercriminals are knocking on the front door or looking for an open window. Problems generally develop when the right hand doesn't know what the left hand is doing and new technology is deployed in the dark.

Security, and identity projects in particular, should not be positioned as the department of "no." The devil in the details is defining and classifying roles and then identifying the associated systems and data that need protecting, more than selecting a specific authentication technology. Businesses own this step of the process and really need only an IT coach to succeed.


The struggle with identity is that we tend to approach today's DX initiatives with yesterday's view of identity. If we apply modern technology to modern problems, we can create win-wins. Look at adaptive authentication that can be easy and painless; these techniques are fundamentally more secure while dramatically improving user experiences. Identifying users by analyzing behaviors, locations, devices, and times of the day also paves the way for passwordless authentication in the future.
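An added illustration of the adaptive, risk-based approach described here and in the earlier answer on picking your battles (elevating challenges only when users open accounts or initiate transactions). This is example code, not SecureAuth's or IDC's; the signals, weights, thresholds, action tiers and the sample login history are all assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed login history for one user: (time, device id, country, lat, lon).
HISTORY = [
    (datetime(2019, 10, 7, 9, 5), "laptop-a1", "US", 42.28, -71.42),
    (datetime(2019, 10, 8, 8, 50), "laptop-a1", "US", 42.28, -71.42),
    (datetime(2019, 10, 9, 9, 12), "phone-b2", "US", 42.35, -71.06),
]
# Hypothetical sensitivity tiers: browsing is low risk; opening an account or
# initiating a transaction is where the challenge should be elevated.
ACTION_RISK = {"browse": 0, "view_profile": 1, "open_account": 3, "transfer_funds": 4}

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance for the geo-velocity check."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def risk_score(now, device, country, lat, lon, action, history=HISTORY):
    """Combine device, location, time-of-day and behaviour signals with task sensitivity."""
    score = ACTION_RISK[action]
    if device not in {h[1] for h in history}:
        score += 2                                  # device never seen for this user
    if country not in {h[2] for h in history}:
        score += 2                                  # country never seen for this user
    if min(abs(h[0].hour - now.hour) for h in history) > 3:
        score += 1                                  # outside the usual login window
    last = max(history, key=lambda h: h[0])
    hours = (now - last[0]).total_seconds() / 3600
    if hours > 0 and km_between(last[3], last[4], lat, lon) / hours > 900:
        score += 3                                  # faster than any airliner: impossible travel
    return score

def decide(score):
    """Pick the challenge level: low risk passes, medium gets MFA, high is refused."""
    return "allow" if score <= 1 else "step_up_mfa" if score <= 5 else "deny"

# Constructed requests: the known laptop browsing at 9:00, the same laptop moving
# money, and an unknown tablet abroad less than three hours after the last US login.
SAMPLE_REQUESTS = {
    "browse_known": (datetime(2019, 10, 10, 9, 0), "laptop-a1", "US", 42.28, -71.42, "browse"),
    "transfer_known": (datetime(2019, 10, 10, 9, 0), "laptop-a1", "US", 42.28, -71.42, "transfer_funds"),
    "open_account_abroad": (datetime(2019, 10, 9, 12, 0), "tablet-z9", "RO", 44.43, 26.10, "open_account"),
}

def evaluate(name):
    """Return (score, decision) for one of the constructed requests."""
    score = risk_score(*SAMPLE_REQUESTS[name])
    return score, decide(score)
```

The same user browsing from a known laptop passes silently, moving money on that laptop triggers a step-up challenge, and an unfamiliar device in a new country arriving faster than travel allows is refused outright.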

Will consumer identity and access management (CIAM) and identity and access management (IAM) initiatives converge at some point?

Yes. Wait, no; it's complicated. Fundamentally, CIAM and IAM initiatives are the same, yet they support very different use cases. Interactions with customers do not have the depth and breadth of access to data, applications, and network resources as interactions with enterprise workers, but they do have a need for scale. Legacy systems using "jump box" gateway architectures that can introduce network complexity, potential chokepoints, and single-target security risks will not help a retailer on Black Friday when prospective customers are flooding its website, for example.

Advances in technology will help align IAM and CIAM in the future, but consumers — as opposed to employees — have more choices. Corporations use IAM to reduce the risk and cost associated with onboarding and offboarding new employees, partners, and suppliers; they use CIAM to help drive revenue growth by leveraging identity data to acquire and retain customers. With a lower pain threshold for suffering authentication challenges and low switching costs, customers will take their business elsewhere when challenges needlessly mount or delays ensue. Conversely, automated consent controls allow customers to streamline an "opt in" capability, adding multifactor automation when privacy concerns increase.

CIAM log-ins are also shorter-lived, more narrowly focused, and more progressive in the use of technology, and they may need to leverage social media account credentials; IAM log-ins are pretty much the opposite and will navigate increasingly toward privileged use with session monitoring and zero-trust capabilities.

How does one measure and report on return on investment (ROI) or success for identity initiatives?

A bane of the IT or security team's existence is the need for password resets. Everyone knows people aren't good at remembering more than a few, including the cybercriminals who rejoice in launching credential stuffing attacks. IDC has heard multiple stories about how 1 in 10 users requests password resets on a regular basis, costing anywhere between $18 and $50 each; therefore, a quick ROI metric is to divide your user population by 10 and multiply the result by something like $30 — back-of-the-napkin stuff, but not an indefensible figure.

Next, consider that user access entitlements and weeds share a similar characteristic: They both grow fairly easily, and if left unchecked, they eventually become a big issue. Unnecessary entitlements are a problem waiting to happen when attackers compromise your network perimeter and begin working on lateral or "east-west" movements. Legacy IAM systems are especially susceptible to these issues because those systems complicate the ability to interpret who has access to what. Weeds tend to mess up your lawns and gardens; best to pull 'em or spray 'em.


With today's analytical tools, it's also easy to analyze external traffic to understand what people are doing on your websites. Customers who subscribe to loyalty programs and repeatedly visit sites are likely comfortable with what they're doing from an identity and customer privacy standpoint.

Analyzing internal traffic tends to be a cheaper, easier effort. Employees are rarely shy when it comes to providing feedback about their productivity increases or decreases. Conduct a quarterly poll to understand if any of the role assignments or authentication measures are causing access issues and impeding productivity.

About the Analyst

Jay Bretzmann, Program Director, Security Products

As Program Director for IDC's Security Products research, Jay Bretzmann is responsible for Identity and Digital Trust and Cloud Security. Jay focuses on identity management, privileged access management, identity governance, B2C identity management, and a multitude of other identity and cloud security topics.

IDC Corporate USA

5 Speen Street Framingham, MA 01701, USA

T 508.872.8200

F 508.935.4015

Twitter @IDC

idc-insights-community.com

www.idc.com

This publication was produced by IDC Custom Solutions. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Custom Solutions makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.

External Publication of IDC Information and Data — Any IDC information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate IDC Vice President or Country Manager. A draft of the proposed document should accompany any such request. IDC reserves the right to deny approval of external usage for any reason.

Copyright 2019 IDC. Reproduction without written permission is completely forbidden.