Identiverse 2024: Key takeaways in identity security

People, process, technology and data

Matt Caulfield, Cisco's vice president of Product for Identity Security, highlighted in his keynote the persistent challenges in identity access management (IAM) environments, despite advancements in authentication technologies. He noted that data promises to change the IAM game, and I saw the beginnings of that in conversations on and off the show floor.

Data combined with AI and generative AI (GenAI) holds the promise of streamlining IAM workflows to solve problems from overly permissive entitlements to threat detection. Many interesting startups are creating useful innovations in this space. While hype and inflated expectations surround the impact of GenAI, I see substance in products and services emerging as startups, such as Lumos and AKA Identity, that use IAM telemetry to better manage identities and apps, as well as inform IAM decisions.

Nonhuman identity management

The Identiverse conference had an abundance of startups and established players talking about nonhuman identity management, sometimes referred to as nonhuman identity security, machine identity management, workload identity management or privileged access management (PAM) for workloads. I prefer nonhuman identity management because the phrase makes clear the distinction between human and nonhuman identities, which have different processes and lifecycles. It also communicates a management element, which encompasses use cases from certificate lifecycle management to workload access control to detecting, monitoring and remediating nonhuman identity issues.

Enterprises are recognizing the risk around this attack surface. Ken Robertson, principal security engineer at financial services firm Fifth Third Bank, had an interesting session explaining how the bank used PAM to integrate applications and manage nonhuman accounts. I saw other intriguing ways of addressing the workload access control problem from two cloud PAM startups: Aembit and Britive.

Vendors are approaching the problem from a variety of angles. Some focus on visibility, monitoring and detecting threats, with certificate lifecycle management as part of the puzzle, as in the CyberArk acquisition of machine identity manager Venafi. Others focus on locating and remediating secrets in Git repositories, while yet others focus on workload access control.

Platforms, convergence and point products

While IAM practitioners want effective options that solve their identity challenges, they would prefer managing fewer products. Some product areas work well as a platform. Endpoint detection and response, for example, has gradually aggregated multiple pieces of functionality over time, while network security and cloud security, to a certain extent, have done the same.

Identity security remains a relatively fragmented space with multiple tools and products for similar tasks being deployed in the enterprise -- one for on premises, another for cloud and yet another where there is a gap in the identity governance and administration (IGA) or PAM platform.

If the question is whether platforms or point products win in identity security, my bet is on both -- convergence driven by big platforms aggregating more functionality and nimble startups solving painful problems.

As larger players integrate IGA with PAM, I expect this convergence to continue. But at the same time, new product gaps are cropping up. While using a platform might be preferred, enterprises will frequently buy a point product that solves an immediate problem rather than waiting for a platform to solve the problem.

We'll see how my prognostications hold up at Identiverse 2025.

Todd Thiemann is a senior analyst covering identity access management and data security for TechTarget's Enterprise Research Group. He has more than 20 years of experience in cybersecurity marketing and strategy.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.