“As we looked to provide a particular organization with a tax credit, there were audit points that included other organizations, but we kept those resources in isolated, segmented, disparate systems,” said O’Rourke, now co-founder and president of identity technology firm Attest. “There was no efficient, portfolio-level way in which a given individual or organization could engage with the department.”
Across government, technology leaders and business-line managers rank IAM as a foremost concern: In 2018 the National Association of State Chief Information Officers (NASCIO) included identity on its top 10 list of state tech priorities for the first time. A number of factors have come together to make IAM a pressing issue:
- Citizen access is expanding, with taxpayers logging into a variety of state and local systems. Loose control over IAM leads to fragmentation and excessive complexity, not to mention a poor citizen experience.
- The rise of cloud technologies creates a range of new access points for government employees, whose identity must be verified and validated across both legacy and emerging platforms.
- Rising mobile access among both citizens and government workers creates an additional vector for IAM.
- Regulatory and compliance constraints put added pressure on government to ensure proper management of beneficiary identity and other aspects of IAM.
When Jennifer O'Rourke was innovation leader at the Illinois Department of Commerce, she encountered the complex problem of identity management. Now as co-founder and president of Attest, she and her team are using blockchain to consolidate and track citizen IDs.
The vendor community is eager to assist: Grand View Research sees the IAM market reaching $22.68 billion by 2025. Before the spending starts, it’s worth looking at some of the main tools currently emerging on the IAM landscape, including cloud-based controls, artificial intelligence and blockchain.
Cloud-Based Management
The rise of cloud computing creates new challenges around IAM, but also offers new solutions. Move to the cloud and IAM leaves the familiar (if clunky) confines of your legacy environment. You may work with multiple cloud providers, each with its own unique security controls. This creates the potential for confusion and complication. But cloud also brings its own remedies.
Cloud providers and third parties may offer identity as a service, or identity as a platform. “These tools create a central identity database that integrates with your internal directory. Through that they manage a single sign-on and multi-factor authentication, and they can handle identity life cycle management,” said Henry Bagdasarian, executive director of the Identity Management Institute.
Google, for instance, boasts that its Cloud Identity tool “makes it easy to provision and manage users and groups, set up single sign-on, and configure multi-factor authentication” directly from a central console. All the major cloud providers claim similar capabilities. Some will also offer identity governance services, helping to create policies for identity management, while others may deliver authentication services in support of multi-factor authentication.
Centralization is the key asset here. By leveraging the cloud to create a central directory, IT leaders can gain a global view of IAM, integrating their legacy and cloud iterations in a common touchpoint. “You want to centralize and automate as much as possible. You don’t want your system admin to have to go one by one removing and adding people,” Bagdasarian said.
AI and Machine Learning
In the big picture, IAM seeks to manage identity, ensuring that those who interact with government systems are who they claim to be. In a more granular sense, though, IAM puts the emphasis on access: it’s about limiting who gets in, and where. Some experts point to rising capabilities around machine learning and artificial intelligence as a potential boon to access management. Machine learning can sift authentication logs and session telemetry at a speed and volume no human analyst can match.
“Imagine I’m looking at a dashboard showing how many logins I had today, how many people requested access to a system, how much traffic we are seeing,” said Sarah Squire, co-author of the 2017 NIST Digital Identity Guidelines.
“AI can look for those same types of things and it can crunch way more data,” said Squire, now senior technical architect at IAM solutions firm Ping Identity. “It can also see much more subtle patterns. It can find anomalies: No one has ever logged into your government system at 3 a.m. from China before. That’s weird. Let’s tell someone or block that access.”
An instructor with the SANS Technology Institute, Kenneth G. Hartman says this kind of access control could be the low-hanging fruit for AI. “The simplest examples are when I am known to be in San Francisco and someone is using my identity in China. That automatically triggers an alarm,” he said. “What’s interesting about AI is that it can detect even more subtle patterns, things we as humans might not notice. I normally log in at 9 a.m. and then I start coming in at 7 a.m. and maybe there are algorithms that pick up on that.”
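The two rules Squire and Hartman describe (a login from a place never seen for that user, and an identity used in two places too far apart for the elapsed time) do not need a neural network; they are a per-user baseline plus a distance-over-time check. The following is an added example, not code from any vendor or expert quoted here, that runs both rules over a constructed login log. The log lines, user names, the city coordinate table and the 900 km/h travel ceiling are all assumptions made for the example; a production pipeline would take coordinates from an IP geolocation database rather than a city name.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// LoginEvent is one parsed authentication record.
type LoginEvent struct {
	When time.Time
	User string
	City string
}

// Alert is one flagged login with the rule that fired.
type Alert struct {
	User   string
	When   time.Time
	Reason string
}

const (
	ReasonTravel      = "impossible travel"
	ReasonNewLocation = "new location"
	ReasonOffHours    = "off-hours"
)

// geo is an assumed lookup table of approximate city coordinates; a real
// pipeline would resolve the source IP with a geolocation database.
var geo = map[string][2]float64{
	"San Francisco": {37.77, -122.42},
	"Springfield":   {39.78, -89.65},
	"Shanghai":      {31.23, 121.47},
}

// SampleLog is constructed test data in the form "<RFC3339> <user> <city>".
var SampleLog = []string{
	"2018-11-05T09:02:11Z alice San Francisco",
	"2018-11-06T08:58:40Z alice San Francisco",
	"2018-11-07T09:15:03Z alice San Francisco",
	"2018-11-05T08:30:00Z bob Springfield",
	"2018-11-06T08:41:12Z bob Springfield",
	"2018-11-07T08:35:59Z bob Springfield",
	"2018-11-08T09:05:22Z alice San Francisco",
	"2018-11-08T10:00:10Z alice Shanghai", // 55 minutes after a San Francisco login
	"2018-11-08T08:30:00Z bob Springfield",
	"2018-11-09T03:00:00Z bob Shanghai", // 3 a.m., a city bob has never used
}

// haversineKm returns the great-circle distance between two lat/lon points.
func haversineKm(a, b [2]float64) float64 {
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := rad(b[0]-a[0]), rad(b[1]-a[1])
	h := math.Pow(math.Sin(dLat/2), 2) +
		math.Cos(rad(a[0]))*math.Cos(rad(b[0]))*math.Pow(math.Sin(dLon/2), 2)
	return 2 * 6371.0 * math.Asin(math.Sqrt(h))
}

// ParseLogins parses log lines and returns them in chronological order.
// The city may contain spaces, so it is everything after the second field.
func ParseLogins(lines []string) ([]LoginEvent, error) {
	var out []LoginEvent
	for _, ln := range lines {
		parts := strings.SplitN(strings.TrimSpace(ln), " ", 3)
		if len(parts) != 3 {
			return nil, fmt.Errorf("malformed line: %q", ln)
		}
		t, err := time.Parse(time.RFC3339, parts[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %v", ln, err)
		}
		out = append(out, LoginEvent{When: t, User: parts[1], City: parts[2]})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].When.Before(out[j].When) })
	return out, nil
}

// DetectAnomalies runs the checks quoted in the text. Events before baselineEnd
// only teach the per-user profile (usual hours and cities); later events are
// judged against it. Impossible travel is checked for every consecutive pair.
func DetectAnomalies(events []LoginEvent, baselineEnd time.Time, maxKmh float64) []Alert {
	type profile struct {
		hours  map[int]bool
		cities map[string]bool
		last   *LoginEvent
	}
	profiles := map[string]*profile{}
	var alerts []Alert
	for i := range events {
		ev := events[i]
		p := profiles[ev.User]
		if p == nil {
			p = &profile{hours: map[int]bool{}, cities: map[string]bool{}}
			profiles[ev.User] = p
		}
		// Impossible travel: distance / elapsed time exceeds what travel allows.
		if p.last != nil {
			from, okFrom := geo[p.last.City]
			to, okTo := geo[ev.City]
			elapsed := ev.When.Sub(p.last.When).Hours()
			if okFrom && okTo && elapsed > 0 && haversineKm(from, to)/elapsed > maxKmh {
				alerts = append(alerts, Alert{ev.User, ev.When, ReasonTravel})
			}
		}
		hr := ev.When.UTC().Hour()
		if ev.When.Before(baselineEnd) {
			p.hours[hr], p.cities[ev.City] = true, true
		} else {
			// Off-hours: no baseline login within one hour of this hour (wraps at midnight).
			if !p.hours[hr] && !p.hours[(hr+23)%24] && !p.hours[(hr+1)%24] {
				alerts = append(alerts, Alert{ev.User, ev.When, ReasonOffHours})
			}
			if !p.cities[ev.City] {
				alerts = append(alerts, Alert{ev.User, ev.When, ReasonNewLocation})
			}
		}
		p.last = &events[i]
	}
	return alerts
}

func main() {
	events, err := ParseLogins(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectAnomalies(events, time.Date(2018, 11, 8, 0, 0, 0, 0, time.UTC), 900) {
		fmt.Printf("%s %-6s %s\n", a.When.Format(time.RFC3339), a.User, a.Reason)
	}
}
```

On the constructed log, alice's Shanghai login trips the travel rule (roughly 9,900 km in under an hour) and the new-location rule, while bob's 3 a.m. Shanghai login trips off-hours and new-location but not travel, because 18 hours is enough time to fly there. The one-hour tolerance on the baseline is the knob that decides whether Hartman's "9 a.m. user who starts arriving at 7 a.m." is noise or signal; a wider window means fewer alerts and more misses. Geolocation of corporate VPN egress points and mobile carriers is coarse, so any of these rules should feed a step-up authentication or a review queue rather than a hard block.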
AI and machine learning could help on the identity management side as well, for instance by cross-checking the veracity of citizen data across multiple fragmented databases. “Suppose you have data that isn’t consolidated and there is a discrepancy,” said Gartner Senior Analyst Kevin Kampman. “You might be able to use machine learning to spot that. Say someone puts their initials instead of their full name, but everything else seems to match. Machine learning could help you to consolidate those records on a large scale.”
Blockchain
On the cutting edge of IAM, there’s blockchain, the shared immutable ledger technology best known as the infrastructure that supports bitcoin and other cryptocurrencies. Those key descriptors — shared, immutable, ledger — make some believe that blockchain could serve as a formidable new implement in the IAM toolkit. At Attest, O’Rourke and her team have a product in beta (due for a Q1 2019 release) that includes a “wallet” wherein citizens can digitally establish their identity on blockchain, and a pair of APIs that government could use to connect with citizens seeking to authenticate themselves in this way.
One advantage here lies in the validity of the credential. A physical driver’s license can be altered, whereas with a cryptographically endorsed digital credential, “it is immutably clear that the driver’s license has in fact been issued by the DMV,” O’Rourke said.
Moreover, the identity rests in the hands of the citizen, potentially freeing government from the laborious upkeep of those many, fragmented IAM repositories. “For the first time, a user can have a natively digital attribute, something about themselves, and they can be the holder of that, as opposed to the current state where all the different government departments are the authors or writers of this information and the holders of this information,” she said.
Blockchain credentials would have the advantage of being sharable across all government offices. In the absence of a central identity database — which many citizens would find more than a little creepy — government could leverage blockchain as a way to consolidate its IAM needs.
“In the ecosystem today, there is no one single entity that has certificate authority. There is no central place where all the participants can consistently go to in order to validate a document or a relationship between an individual and, say, the department of motor vehicles,” O’Rourke said. Blockchain could deliver that central touchpoint, without the Orwellian overtones of a central ID database.
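The property O'Rourke is relying on, that a verifier can tell a credential was issued by the DMV and has not been altered since, comes from a digital signature over the credential's contents, whatever medium carries it. The following is an added example, not Attest's or any other vendor's code, showing that step in isolation: a hypothetical issuer named "IL-DMV" signs a driver-license credential with an Ed25519 key, and a verifier rejects a tampered copy, a forgery signed with someone else's key, and a credential from an issuer it has never heard of. The holder, attribute values and issuer name are made up, and the shared ledger the article proposes for publishing issuer keys is replaced by an in-memory trust table, which is an assumption of the example rather than a design claim.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is a set of attributes an issuer asserts about a holder, plus
// the issuer's signature over the canonical encoding of everything else.
type Credential struct {
	Issuer     string            `json:"issuer"`
	Holder     string            `json:"holder"`
	Attributes map[string]string `json:"attributes"`
	Signature  []byte            `json:"signature,omitempty"`
}

var (
	ErrUnknownIssuer = errors.New("credential names an issuer that is not trusted")
	ErrBadSignature  = errors.New("signature does not verify: credential altered or not signed by that issuer")
)

// TrustedIssuers maps an issuer name to its public key. Assumption: a deployed
// system would fetch these from wherever verifiers agree to look (the article's
// proposal is a shared ledger); here it is an in-memory table.
type TrustedIssuers map[string]ed25519.PublicKey

// canonicalBytes produces the bytes that are signed and verified. encoding/json
// writes struct fields in declaration order and sorts map keys, so issuer and
// verifier derive identical bytes from identical attributes.
func canonicalBytes(c Credential) ([]byte, error) {
	c.Signature = nil // the signature never covers itself
	return json.Marshal(c)
}

// Issue signs the credential with the issuer's private key.
func Issue(priv ed25519.PrivateKey, c Credential) (Credential, error) {
	msg, err := canonicalBytes(c)
	if err != nil {
		return Credential{}, err
	}
	c.Signature = ed25519.Sign(priv, msg)
	return c, nil
}

// Verify checks that a trusted issuer signed the credential and that no field
// has changed since. It says nothing about whether the presenter is the holder.
func (t TrustedIssuers) Verify(c Credential) error {
	pub, ok := t[c.Issuer]
	if !ok {
		return ErrUnknownIssuer
	}
	msg, err := canonicalBytes(c)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, c.Signature) {
		return ErrBadSignature
	}
	return nil
}

// withAttribute copies c with one attribute changed but the original signature
// kept, which is exactly what an altered document looks like to a verifier.
func withAttribute(c Credential, key, value string) Credential {
	attrs := make(map[string]string, len(c.Attributes))
	for k, v := range c.Attributes {
		attrs[k] = v
	}
	attrs[key] = value
	c.Attributes = attrs
	return c
}

// DemoResults holds the verification outcome for each scenario in Demo.
type DemoResults struct {
	Genuine, Tampered, Forged, UnknownIssuer error
}

// Demo issues a license from the hypothetical "IL-DMV" and verifies four cases.
func Demo() (DemoResults, error) {
	dmvPub, dmvPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResults{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResults{}, err
	}
	trusted := TrustedIssuers{"IL-DMV": dmvPub}
	license := Credential{Issuer: "IL-DMV", Holder: "alice", Attributes: map[string]string{
		"document": "driver_license", "number": "D123-4567", "date_of_birth": "1985-03-14"}}
	genuine, err := Issue(dmvPriv, license)
	if err != nil {
		return DemoResults{}, err
	}
	forged, err := Issue(attackerPriv, license) // attacker's key, but claims to be the DMV
	if err != nil {
		return DemoResults{}, err
	}
	unknown := forged
	unknown.Issuer = "Some-Other-DMV" // an issuer name no verifier trusts
	return DemoResults{
		Genuine:       trusted.Verify(genuine),
		Tampered:      trusted.Verify(withAttribute(genuine, "date_of_birth", "2001-03-14")),
		Forged:        trusted.Verify(forged),
		UnknownIssuer: trusted.Verify(unknown),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v\ntampered: %v\nforged: %v\nunknown issuer: %v\n",
		r.Genuine, r.Tampered, r.Forged, r.UnknownIssuer)
}
```

Two caveats a verifier would want stated. First, the signature proves who issued the attributes and that they are intact; it does not prove that the person presenting the credential is "alice", which is why credential schemes bind the credential to a holder-controlled key and require the holder to sign a fresh challenge at presentation time. Second, "immutable" issuance does not mean the credential is still valid: a revoked or expired license verifies just as cleanly, so the verifier also needs a revocation or status check, which is a separate mechanism from the signature shown here.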
In fact, some say the greatest value of blockchain lies in the possibility that it could get the government out of the identity business entirely.
Former Utah state CIO Phillip Windley chairs the Sovrin Foundation, a nonprofit that is using blockchain to underpin identity. In Canada the organization has worked with banks and employers to launch initial forays into what it calls “self-sovereign identity,” the idea of a decentralized identity that is more about who you are and less about who issued the credential.
“We don’t want government to be the central identity player and we certainly don’t want Google or Facebook to do that either,” Windley said. “So we create a decentralized network where the parties issue credentials about whatever they know about. The bank issues a credential saying that I am a customer. My employer issues me a credential saying that I work in a certain place.”
The idea is nascent, but it has its supporters: IBM has partnered with Sovrin and has even produced a GitHub tutorial on self-sovereign identity.
Beyond Access
If government were to pursue these emerging IAM methodologies, some say, it could reap added benefits, beyond just access control. Take AI for instance. The immediate benefit is clear: Let’s stop those 3 a.m. logins from China. But AI could have broader applications across identity management as well. “Say the county is trying to act as a buyer for electrical power and they want to give constituents a discount. AI could be used to identify constituents who could benefit from that and who haven’t signed up for some reason,” Kampman said.
This example highlights the potential for IAM to make government more user-friendly, but it also highlights the inherent risk in any new IAM evolution: When you tinker with identity, you skirt the edge of privacy.
“You have to be careful when there is sensitivity around personal data,” Kampman said. Whether it’s AI or any identity-related effort, “you need governance over this to be clear about what can be used and what can’t be used for a given purpose. You are a custodian of data and when you aggregate that data your responsibilities increase exponentially.”
Broadly, the looking-before-leaping paradigm is in full force here. As government IT leaders and their business-line peers seek to better manage access and identity in an emerging cloud-driven enterprise, they’ll need to be thoughtful not just about the how, but about the why behind their efforts.
“There needs to be a strategy,” Kampman said. “What is the outcome going to be? The technology world can solve these problems but it needs to be done with a viewpoint toward how it will appear to the end user. You want to have control over the technologies but you also want all the stakeholders to have an opportunity to contribute toward governance.”
Some, meanwhile, are looking over the horizon to an IAM end game in which all these pesky log-ins and multiple identities and siloed access management apparatus just … go away. They envision a world where people simply are who they say they are.
Some describe it as contextual identity. You typically log in from this device, in this place, at this time. You type this fast, using these keys, with a browser configured in this or that way. Taken together and smashed through appropriate algorithms, this data could serve to identify a user with little to no further fuss.
“We want a situation where our security is so good, we can tell whether you are an attacker or a valid user just through your traffic,” Squire said. “Our holy grail is zero log-in.”