As we shift our focus to 2017, assessing where things stand, our industry offers a powerful launching point for this year's initiatives. Last year, we saw a pronounced and significant trend in identity and access management (IAM) in the Asia Pacific (APAC) region. For the first time, organisations focused more heavily on revenue-generating and user experience initiatives than traditional application integration and security-led projects. And in our recent The State of Digital Transformation Report 2016, IT executives corroborated these observations. To learn more about the survey and some of the interesting action items IAM pros can pull from the results, listen to our webinar replay: 2017 IAM Resolutions Based on Surprising Digital Transformation Stats.
Based on conversations and workshops with Ping's prospects and customers from all parts of Australia, New Zealand and into Southeast Asia, particularly Singapore, Malaysia and Indonesia, it's clear that their focus areas match those in the report, but with notably different priorities. In general, our customers have been tasked with doing more with less by their business stakeholders. Business agility, reducing complexity, and improving time to market have been paramount. IAM has had to support these mandates and that has driven many new changes including four significant trends:
1. User Experience Is The New Battleground
Organisations see user experience as the new competitive differentiator, particularly in consumer- and citizen-facing projects. For many end users, the process of registering an account, setting a password, validating their identity and then authenticating themselves to one or more services, often on a mobile phone, drives their impression of the company and can have a direct impact on their decision to remain a customer or move to a competitor. We've all had poor experiences with our service providers in this regard, and I've also recommended companies to friends and colleagues based on positive experiences.
IAM is the lynchpin of this user experience. The ability of the underlying IAM platform to easily enable a smooth registration, authentication and authorisation process in line with agile development and deployment methodologies is now a top priority for organisations. As one of my banking customers told me this year, "It's an arms race. In banking, we're continually leapfrogging each other with new features that make it easier for our customers to use our applications."
Even for employee use cases, user experience has been a priority. One organisation I spoke to has employees out on the road, using tablets with more than twenty mobile apps in front of their customers. Having to log in to each app was frustrating for employees and reflected poorly on the organisation as the customer looked on. Taking advantage of Single Sign-On for mobile apps using open standards helped them solve this problem.
2. Innovations in Security
It's been said before, but it bears repeating: If you're relying on passwords as your sole credential for authentication, especially for consumer- and citizen-facing services, you'll have issues with fraud and hacking. 2016 has seen a major focus on multi-factor authentication (MFA), with APAC organisations looking to strengthen their security to mitigate these risks. It's also well understood amongst my customers that SMS is no longer a particularly secure mechanism for MFA. Organisations are looking to give their customers the comfort of a visibly more secure authentication experience without negatively impacting the time and effort it takes to log in. We've seen significant interest in biometric technologies (voice recognition, facial recognition and the like), while fingerprint recognition via the mobile device is now a given. An example I've seen this year is in customer care, where the end user may be on the phone and the requirement is to enable an authenticated session across the phone and web channel.
These innovative technologies are also helping to reduce the costs and overhead of maintaining hardware tokens for MFA, previously a popular security mechanism for remote employee authentication.
Industry standards efforts like FIDO play an important role in this space and help to ensure authentication technologies can be used across multiple channels, improving user experience and preventing technology silos, which in turn lead to increased costs and complexity.
3. Architectural Flexibility
The IT landscape has never been more heterogeneous and diverse. Applications are no longer all inside the firewall, nor are they all maintained by the organisation themselves. The shift to cloud platform-as-a-service (PaaS) and software-as-a-service (SaaS) applications is a reality for nearly all customers that I spoke to across the region. Even those organisations with regulatory limits have taken on PaaS and SaaS for development and testing purposes, or for low-risk services like Trouble Ticketing and Travel and Expense Management.
In the consumer and citizen space, the end user identity may not originate or be managed by the organisation themselves. Federating via government login services and/or social media platforms is becoming more prevalent.
To ensure applications can be integrated into all of these systems and easily maintained, I've seen my customers recognise the role of the IAM platform as their integration mechanism. Security logic is being removed from applications, and authentication flows and authorisation decisions are being configured in the IAM service. Applications are making use of open standards like OpenID Connect and OAuth to request IAM flows, reducing vendor lock-in and making it easier for developers to work across different platforms and languages.
Moving authentication and authorisation out of the application also makes the service more agile. New authentication methods can be introduced without major changes to application logic. For example, there's been significant interest in transaction-based MFA from the organisations I've worked with to help them reduce fraud from phishing attacks. Configuring policies in the access management layer of their IAM platform lets them quickly define new authentication flows without having to make code changes or support legacy application versions.
4. Know the Customer and Give Them Control
A major focus for many APAC customers this year has been around end user entitlements. Being able to gather the roles, relationships and attributes of the end user, determine how they map to the organisation's products and application features, and allow those applications to query this information in real time from a centralised service via well-defined APIs has been the point of many interesting discussions.
Often this data is spread across a number of internal systems: customer directories and databases, CRM and other specialised data stores. Ping has helped customers enable this entitlements service to work with all forms of user data, from structured to unstructured. This helps them provide a more personalised application experience across the digital channel and has allowed them to unlock some innovative functionality for their customers, about which I presented at the Cloud Identity Summit in New Orleans in June last year.
One of these innovations is delegated access control: making use of identity relationships to allow certain third parties the right to perform actions on behalf of the customer. Examples include family relationships (parents delegating certain access to young children, or elderly parents delegating access to adult children), third party websites having delegated access rights to certain user attributes, or complex many-to-many relationships in business scenarios. Being able to publish endpoints that applications can use to obtain normalised data about entitlements reduces complexity and speeds application and service deployment.
Another important requirement is allowing the end user to see what entitlements they have delegated to other entities and providing the ability for them to manage those access rights. This is now much easier to provide across different channels due to the widespread industry support for OAuth across IAM platforms, API Gateways and applications themselves.
The explosion of customer identity and access management (CIAM) use cases in the region this year has been exciting for us in the Ping APAC team. While we've done a number of employee- and partner-facing projects, it's been the customer-facing projects and discussions that have made us reevaluate our approach to IAM and pushed us to develop new architectures to meet those requirements. This in turn has been fed back into our product development process so Ping remains at the forefront of IAM in the industry.
I'm looking forward to 2017 and the new and exciting use cases my customers and prospects raise with us. Thanks to each and every one of our customers and partner organisations and here's to a safe and successful New Year.