Investors Predict What’s Next In Identity and Access Management
June 29, 2021
Editor’s Note: This is a conversation between Kaitlyn Henry, Investor at OpenView, and Eliza Loring, Investor at .406 Ventures.
Identity and access management has always been an area of interest for enterprise software-as-a-service (SaaS) investors. It’s a core pillar of every company’s security strategy.
But over the last few years, it’s become an even bigger priority for Chief Information Security Officers (CISOs). In fact, a joint study by JumpCloud and ESG Research found that 97% of security executives plan to expand or continue existing spend on identity and access management (IAM) tools in 2021.
Why is identity still such a difficult problem for the modern CISO? Every person, machine, and device has its own identity, and every application and environment must be able to leverage those identities with a distinct set of rules and permissions applied to them.
Perhaps this was manageable in the on-prem era, where you could see every server sitting in your closet and count the number of applications your organization used on two hands. But today—in the era of cloud, SaaS, bring-your-own-device, and the Internet of Things—identity’s combinatorial complexity has gotten out of control. With more than 40 billion user, device, and IoT identities that exist today, it’s no surprise that organizations struggle with managing, provisioning, and securing all those identities.
As investors, we see this as the ideal market condition for startups to thrive. Many already have, with companies like Okta, Duo, and Auth0 creating billions of dollars of enterprise value in the last five years alone.
We see even more opportunity in the years ahead, so we want to share our predictions for what’s next in IAM technology.
Machine learning takes authorization to the next level
Kaitlyn Henry: Most progress towards this identity-centric security strategy has historically been around authentication, or verifying that a user or system is who they say they are. But authentication can only control who gets let into a particular system. Authorization goes a level deeper, and determines what a user or machine can do once they’re inside a system. What data can they look at? What actions can they take?
CISOs recognize that authorization on a per-application basis is not enough, but getting super granular permissions right is a daunting task. Overdo it, and you’ll keep users from performing crucial tasks and trigger a mountain of access requests. Under-do it, and you’ll miss critical loopholes and vulnerabilities—especially when it comes to data security.
Machine learning has the potential to take authorization to the next level by enabling hyper granular permissions for every user or system and allowing those permissions to expand and contract over time as needed. Policy automation and anomaly detection are some of the most exciting applications that I’ve seen in this space, but I’m sure there will be many more.
Ephemeral and just-in-time access
Eliza Loring: One of the biggest complaints I hear from CISOs is how to manage “privilege creep,” or users and applications accumulating permissions that far exceed their technical and business needs. No matter how granular someone’s permissions start, they seem to grow over time through a series of ad-hoc requests that never get removed.
“Just-in-time” provisioning and ephemeral access, or granting an identity access to a resource for a limited period of time or until a specific action is complete, can be a solution to this. But historically, it’s been hard to scale. Most identity tools aren’t architected in a way that seamlessly supports this, and switching to an ephemeral access model has historically required a significant behavior change by the users who are expected to manage access requests.
The companies that can help sprawling enterprises implement just-in-time access or ephemeral access in a responsible way will have a meaningful wedge into the next-generation identity stack. To win here, it’s really all about creating a repeatable process to onboard and integrate new apps to a singular engine which can automatically grant and set expiration dates for permissions.
Eventually, dynamic permissioning and the ability to enforce policies consistently across managed resources will be a key principle of all identity systems.
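As an added illustration of the "singular engine" described above (example code written for this page, not code from either firm or from any product it names), here is a minimal just-in-time access engine in Python: every grant gets an expiry at creation, capped by policy; grants expire automatically or are revoked when their ticketed task completes; and legacy standing grants with no expiry surface in a privilege-creep report. Principals, resources and ticket ids are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

@dataclass
class Grant:
    principal: str
    resource: str
    action: str
    ticket: str                     # approval reference (constructed values in the demo)
    expires_at: Optional[datetime]  # None = legacy standing grant with no expiry

class JitAccessEngine:
    def __init__(self, max_ttl: timedelta = timedelta(hours=8)):
        self.max_ttl = max_ttl      # policy cap on any single time-boxed grant
        self.grants: List[Grant] = []

    def grant(self, principal, resource, action, ttl, ticket, now):
        # Every JIT grant carries an expiry from the moment it is created; the cap
        # stops an "ephemeral" request from quietly becoming a standing permission.
        if ttl > self.max_ttl:
            raise ValueError(f"ttl {ttl} exceeds policy maximum {self.max_ttl}")
        g = Grant(principal, resource, action, ticket, now + ttl)
        self.grants.append(g)
        return g

    def import_standing(self, principal, resource, action):
        # Models a pre-existing permission that was never given an expiry.
        self.grants.append(Grant(principal, resource, action, "legacy", None))

    def expire(self, now):
        # Revoke every time-boxed grant whose window has closed.
        self.grants = [g for g in self.grants
                       if g.expires_at is None or g.expires_at > now]

    def complete(self, ticket):
        # Revoke all grants tied to a finished task, whatever TTL remains.
        self.grants = [g for g in self.grants if g.ticket != ticket]

    def is_allowed(self, principal, resource, action, now):
        # Authorization check: expiry runs first so stale grants never answer "yes".
        self.expire(now)
        return any((g.principal, g.resource, g.action) == (principal, resource, action)
                   for g in self.grants)

    def creep_report(self):
        # Standing grants are the ones that accumulate; list them for review.
        return [(g.principal, g.resource, g.action)
                for g in self.grants if g.expires_at is None]
```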
Every data security company will become an identity company
Kaitlyn Henry: The more time I spend in data security, the more I’m convinced that the need for standalone data security products will shrink as these greater identity problems are solved. Many of the data security and IAM pitches I’ve heard over the past few years sound almost exactly the same, since most data security problems have identity at their core. CISOs want to know all of the places their data is flowing in an organization, find out how that data is being used, and prevent it from getting into the wrong person’s hands.
By managing your users and the access they have, you are protecting sensitive resources like crown jewel data. This is increasingly important as companies rely on supply chain partners and other contractors that are essential to their business operations.
When you get that right with identity, I think that the need for a lot of these other bells and whistles, like homomorphic encryption for example, will fall to the wayside.
Identity will become part of the continuous integration/continuous delivery (CI/CD) pipeline
Eliza Loring: The notion that “developers don’t care about security” couldn’t be further from the truth. No developer wants to ship a product filled with holes and vulnerabilities.
I think the problem is actually the other way around: Security doesn’t care about developers. The fundamentals have historically been gatekept by security teams and can be complex to learn, making it difficult for developers to implement.
While I don’t know if the security function will ever entirely shift left, how can security teams support developers in building good authorization the same way SRE and DevOps support them in building good infrastructure? That’s what I want to see in the next generation of developer-friendly IAM tools. The more authentication is built into the CI/CD pipeline, the fewer remediation cycles developers will experience (and therefore the more efficient they are) once the code is in production and runtime.
Are you building an IAM tool?
Both OpenView and .406 are excited to support the next generation of entrepreneurs tackling new challenges for identity in the modern enterprise. If you’re building something in this space, we’d love to hear from you. Reach out to us at [email protected] and [email protected].