In this SearchSecurity podcast recorded at the 2013 Gartner Security and Risk Management Summit, Gregg Kreizman, research vice president at Stamford, Conn.-based Gartner Inc., explains how evolving corporate identity standards are affecting the IT security landscape.
Kreizman covers familiar standards like Security Assertion Markup Language (SAML) and OpenID, and assesses the progress being made by new standards like the Online Secure Transaction Protocol, though more work is still needed before enterprises can supplant single-factor passwords. Beyond standards, he discusses mobility's positive and negative influences on enterprise identity and access management, an issue that he says is in the same nascent stage that cloud computing was in three years ago.
To skip ahead to certain sections, see the times below:
[0:37] There are several existing identity standards, including SAML, OAuth 2.0 and OpenID. How popular are these options with enterprises, and what kind of security benefits are they providing?
[1:55] What kind of progress is the Online Secure Transaction Protocol from the FIDO Alliance making with enterprises?
[3:07] The Online Secure Transaction Protocol uses, among other factors, the Trusted Platform Module chip. Is TPM going to be key for the industry as a whole to move past single-factor authentication?
[3:43] In terms of password alternatives, a survey from Nok Nok Labs and Ponemon Institute found that consumers prefer voice recognition over other biometric methods (83%). Do you think voice recognition will become more popular in the enterprise? What about other biometric options?
[5:23] Ultimately, how close are most enterprises to supplanting single-factor password systems, and what's it going to take to get there?
[6:54] The 2013 Verizon Data Breach Investigations Report once again highlighted enterprise authentication issues, including problems with stolen credentials and brute-force attacks. What was your reaction to that report? And is there any hope of improvement?
[8:44] There's been this notion for a while that identity is now the perimeter for many organizations. What effect has mobility had on IAM [identity and access management] technology and policy, and what are enterprises doing to get their arms around it?
[10:29] Mobility presents new challenges to IAM, but it also presents opportunities in the form of two-factor authentication. What's your take on mobile devices as part of an enterprise two-factor authentication strategy?
[11:34] What are your thoughts on the login credentials for sites like Facebook, LinkedIn and, most recently, Amazon being increasingly used across the Web? Is this trend going to improve Web security, particularly for Web-based SMBs [small and medium-sized businesses] that struggle with IAM?
[13:30] Finally, what's the most important enterprise authentication issue that you see in research that isn't often talked about?