Six Takeaways from Gartner® Hype Cycle™ for Digital Identity, 2022

Industry Trends

For the first time, Gartner has compiled a Hype Cycle report for one of the most important emerging domains in cybersecurity: digital identity.

Gartner Hype Cycles provide a graphic representation of the maturity and adoption of technologies and applications, and how they are potentially relevant to solving real business problems and exploiting new opportunities.

“Transformational technologies covered in this Hype Cycle revolve around technologies that establish, broker and manage trust in digital identities, while allowing users to ‘own’ their digital identity.” We believe understanding these emerging and established tools can help security leaders achieve greater flexibility, agility, and risk coverage across the digital identity landscape.

To us, the trends observed in Gartner Hype Cycle for Digital Identity are part of a wider conversation within the domain of Identity Access Management (IAM). IAM frameworks dictate the system processes through which individuals and machines are identified, roles are assigned and recognized, sensitive data is protected, and access levels are assigned.

As Gartner Hype Cycle for Digital Identity states, “Due to cyberthreats and privacy laws, security and risk management (SRM) leaders must support use cases that enable digital business while ensuring data protection.” Below, we’ll home in on key takeaways from two areas of digital identity mentioned in the report: Machine Identity Management and IoT authentication.

Machine Identity Management & IoT Authentication

Machine identities are digital keys, secrets, and certificates that establish the validity of digital transactions.

Machine identity management (MIM) was first mentioned in the 2020 Gartner Hype Cycle for Identity Access Management and has since gained prominence as a cybersecurity initiative. While organizations have long prioritized securing the identities of human users accessing systems, they often lack a strategy for validating machine identities across the enterprise.

1. The sheer volume of machine identities poses a growing concern for organizations.

The definition of “machine” has become quite expansive, comprising not only devices like laptops and servers, but also APIs, algorithms, applications, cloud infrastructures, containers, and dozens more.

It’s no surprise that machine identities have grown to outnumber human identities 10 to 1, on average. Small enterprises require thousands of machine identities, while Global 500 companies require millions.

Though the tools for establishing digital identities are fairly mature, the management of these identities presents a sizable challenge, especially when managed manually.

2. Security teams aren’t always well-versed in machine identities.

Bad actors know machine identities are one of the least-understood aspects of security, which makes machine identities a favorite vulnerability to exploit. New malware targeting machine identity vulnerabilities is on the rise, as is the sheer number of malware attacks on certificates. These attacks grew 400% from 2017 to 2021, and in 2020, 50% of cloud security failures resulted from inadequate management of machine identities and permissions.

As per Gartner, “Machines and humans have differences in their requirements when it comes to observability, ownership and automation.” Organizations must work to understand these differences to effectively implement their strategies.

3. IoT has become the next wave for MIM.

Connected products present an entirely new use case and environment for MIM. They bring the advantages of digital infrastructure to physical processes: generating real-time production data, alerting operators to upcoming maintenance needs, tracking assets, and more.

As per Gartner, “these connected devices bridge cyber and physical worlds, and open up new threat vectors.” We believe a robust MIM strategy will prove key in preventing privacy breaches in high-governance industries like finance and healthcare. This will help guard against attacks on “industrial devices that lead to operational impacts and, potentially, catastrophic events in safety-critical production areas.”

IoT fields present unique demands and challenges in terms of both compliance and design. While the public sphere has made progress in defining approaches for IoT authentication, there is still plenty of work to do. As per Gartner, “most IIoT systems are self-contained and use native proprietary means for authentication.” Also, “Some authentication methods are not good candidates due to certain IoT devices that are resource or feature constrained with low computing power and limited secure storage capacity,” Gartner suggests. “Evaluate and adopt authentication frameworks that support the range of device types across the IoT realms in operation.”

4. The supporting infrastructure around machine identities is still finding its footing.

On top of a greater variety and volume of machines, use cases among different business units and departments differ, as well. This widespread usage requires a set of centralized standards to keep MIM aligned throughout the organization while still allowing departments the flexibility to implement MIM in ways appropriate to their unique contexts.

However, frameworks and governance supporting best practices in MIM are still emerging. The Hype Cycle identifies a “chicken and egg” problem: “Target applications wait to see if a standard takes off and IAM vendors wait for wide support in their target applications.”

As per Gartner, “There is only a partial convergence of tools. Many tools have different approaches with regards to user interfaces, integrations, discovery, reporting capabilities, reach and latency. This results in a best-of-breed strategy using multiple tools.” Gartner suggests, “Determine the overall interdependence of machine identities by establishing discovery processes. Evaluate a mix of multiple tools that can provide continuous observability of machines in your hybrid and multicloud environment.”

New MIM platforms and service models are making it easier for organizations to manage machine identities and public key infrastructure. These centralized platforms provide a hub for the state of MIM across the enterprise and set the stage for automation. They create cost efficiencies, too. In the past, each business unit managing machine identities required its own certificate authority (CA), and each CA required its own server. Modern MIM platforms can host multiple CAs on one server. These offerings come prepackaged with databases and integrations, allowing users to avoid vendor bloat. PKI-as-a-Service offerings allow organizations to outsource MIM completely through an efficient SaaS subscription model.

5. MIM is critical to enabling more agile workflows across design, development, and security operations.

Agile and DevOps processes heavily employ cloud systems and other decentralized platforms to facilitate iterative development and fast feedback loops. From a security perspective, that means a higher velocity of digital requests and transactions that must be secured without becoming a bottleneck.

Security, software testing, and compliance phases are often regarded as speedbumps to agility and innovation. But the “shift left” trend recasts these sticky phases as accelerators by bringing security, testing, and compliance stakeholders into the design conversation at the earliest stages, an approach known as DevSecOps. With the proper tools, we believe key tenets of DevOps, like automation, can be expanded to security and MIM.

6. MIM lays the groundwork for Zero Trust.

Zero Trust is the latest movement in enterprise security. Traditionally, once a user or machine passes through the firewall, it is “trusted” and can move laterally, unchecked, through the systems landscape. A Zero Trust approach verifies each request as if the request is coming from an open, unsecured network.

Zero Trust is a strategy, not a tool. To enable that strategy without slowing down business processes, organizations must have the architecture and frameworks in place for managing machine identities efficiently.

What’s Next

When it comes to machine identities, the train has left the station. Certificates and keys are already at play in every enterprise organization and stand as an integral feature of any modern digital infrastructure.

As a company, it’s unlikely that your primary function is to create an efficient MIM process. We believe the traditional method of managing machine identities is tedious, manual, and often misunderstood, and can significantly inhibit your security team from focusing on their higher-level objectives.

The field of MIM and its umbrella, IAM, has splintered into exciting new subfields that position MIM as not only sustainable but as a value-add to your organization. That’s where Keyfactor comes in. We help organizations take back control and secure every machine identity so they can focus on driving business value. Let us show you how our cloud-first platform makes it easy to manage and protect every key and certificate across your business — schedule a demo to learn more.


Gartner, Hype Cycle for Digital Identity, 2022, Felix Gaehtgens, 25 July 2022

Gartner and Hype Cycle are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.