Catalyst to Catalyst (Winter 2023): Ideas and Insights from InCommon Catalysts

Estimated reading time: 9 minutes

Edited by Apryl Motley, CAE – InCommon Communications Lead

As part of our ongoing commitment to providing you with additional opportunities to benefit from the insights and expertise of InCommon Catalysts, we are continuing their quarterly Q&A column, Catalyst to Catalyst, which we feature in our e-newsletter InCommon News.

Think of Catalyst to Catalyst as a quarterly, virtual advice panel providing perspectives on key identity and access management (IAM) topics for the InCommon community. In this installment, catalysts address AI and IAM resolutions for the New Year. This is our final column for 2023.

Question: What near-term impact do you see AI making in IAM?

Response: Since the launch of ChatGPT last year, artificial intelligence (AI) and generative artificial intelligence (GAI) have been in the headlines. It feels like you can’t go anywhere on the Internet without seeing a reference to AI/GAI–whether it’s a TikTok from a content creator discussing how to use GAI to save time or make money or simply the plethora of articles opining on how AI/GAI is going to change the workforce. So, how will AI/GAI change IAM in the near term? I think it will help universities move from IAM solutions to identity governance and administration (IGA) solutions.

Today, provisioning accounts at scale is a challenge for universities to solve with their limited resources. Because of the scale and timing of account provisioning, most universities have solved this either through in-house account provisioning solutions or with a commercial or open-source identity and access management (IAM) tool. However, governance and compliance are still often done manually–there simply is not enough time or resources to fully understand the complexities of the numerous business roles that would need to be created to have a full set of access control policies that would govern the provisioning of all user accounts.

This is where AI/GAI will help in the near term. Role mining is a process by which you sift through all of the information about what users do and what access levels they have for each application. Doing this by hand, especially if it has never been done before, is an arduous process. AI/GI can sort through this information and propose a set of policies for your organization in a fraction of the time.

With appropriate policies (e.g., RBAC) setup, institutions can start to move from identity access management to full identity governance and administration solutions, ensuring proper governance and compliance are enforced.

—Matt Growden, CISSP, Executive Director of Identity Services, Provision IAM; mgrowden@provisioniam.com

Response: AI is positioned to make a notable near term impact on IAM across various domains, primarily focusing on security practices. Beyond security protocols, AI will optimize and streamline day-to-day tasks integral to IAM processes.

AI’s inherent ability to discern patterns within expansive datasets lends itself particularly well to behavior analytics. This analytical capability holds the promise of proactively identifying anomalies in system logs and user behavior, signaling potential security threats, unauthorized access, or compromised accounts.

Authentication methodologies are also undergoing a shift with the integration of AI. The refinement of biometric identification, encompassing facial recognition, voice analysis, and fingerprint authentication, underscores AI’s capacity to elevate the authentication landscape. Simultaneously, the efficacy of conventional CAPTCHAs is diminishing in the face of AI models capable of circumventing these safeguards. A compelling case emerges for the widespread adoption of multi-factor authentication (MFA), both in terms of methodologies and coverage, to counteract evolving threats.

The sophistication of AI-generated emails in targeted phishing attacks necessitates heightened vigilance among end-users. Crafted with publicly available data, these emails are becoming increasingly authentic, demanding a more discerning approach to thwarting phishing attempts.

In the realm of day-to-day IAM processing, AI is poised to streamline operations by detecting duplicate identities and facilitating identity matching across diverse data sources. AI’s application in identity and access governance also enables audits of extensive datasets to ensure adherence to policies and access protocols.

The impact of AI is currently being felt in programming assistance tools, such as Copilot and CodeWhisperer, allowing faster creation of more efficient programs and scripts. As AI progresses, advancements in natural language processing are expected to augment help desk roles, enhancing user experiences with routine tasks like password resets and account recovery.

In summary, the integration of AI into IAM not only impacts security practices but also augments operational efficiency, demanding a proactive approach to navigate the evolving landscape of identity and access management.

—Jim Beard, IAM and Grouper Engineer, Unicon; jbeard@unicon.net

Response: Near term, we primarily see AI (specifically large language models) making an impact in four areas:

1. Automating development of code and data models. The ability to convert descriptive plain language or visual concepts into code has been the promise of “drag and drop” workflow engines for decades, but with AI (LLM) we are finally seeing it work for real use cases. This has proven useful for both generation of new code as well as migrating logic between different programming languages.
2. Analyzing legacy code and configurations to discover processes (i.e. reverse engineering). A common challenge in replacing legacy or homegrown systems is often the processes are not documented and/or created by developers no longer available. In what is effectively a reverse of the first point, we see utility in using AI to analyze and document these processes from code/configuration. 
3. Providing dynamically generated email notifications and reducing the need for templating. Being able to dynamically assess the data being passed to a notification will allow for more focused and useful notifications for items like approval, recertification, and other informational emails.
4. Analyzing role usage and composition to assist with defining the criteria to minimize the number of roles while maintaining necessary granularity. Also, detecting outliers in the role data to identify roles that could be removed or modified.

—Paul Hodgdon, CEO, Instrumental Identity; paul@instrumentalid.com

Response: AI has tremendous potential in many areas, and IAM is not an exception. When assessing the near-term impact, we need to focus on the current strengths of AI. The first one is creativity. Even though the ability to construct text, images, and so on based on simple input is fantastic, it has little use in IAM. For IAM, the best application will have intelligent assistants who work together with the user and try to suggest the next steps. AI has all the data in the IAM system that can be used as its source of information, and in an ideal world, it can learn patterns from other IAM deployments that could be generalized.

Let’s demonstrate the possibilities in certain use cases. One can be a help with configuration. All IAM administrators are spending a non-negligible amount of time connecting new systems. AI could make that easier by suggesting mapping between objects and attributes in connected systems with their counterparts in IAM. For example, AI can easily guess a person object should be mapped to a user object, and the first name and given name are most likely the same attributes. The important part is that this principle will work even on systems that the AI couldn’t learn from, like homegrown systems, which are typical in academia. Another example is risk management where AI can detect anomalies during authentication and raise flags that can be investigated further automatically or manually. The same principle can be applied to IGA, where AI can analyze risks of individuals or roles and flag potential problems that the security department can investigate thoroughly later.

MidPoint is already experimenting with AI. We are using machine learning principles for a role mining feature, the initial implementation of which is available in the current midPoint 4.8 version. This feature aims to examine the application access of users and use it to recommend the creation of business roles based on similarities. Business roles are crucial for keeping the order in your access, but they take much work to design. AI can help people start with business roles design, saving a significant amount of time and ultimately bringing better security.

To sum it up, we believe AI plays a significant role in IAM. We do not expect a sudden revolution but rather an evolution over time where AI becomes increasingly integrated into the tools we are all using. In some cases, the integration has already started.

—Igor Farinic, CEO, Evolveum; academia@evolveum.com

Question: What do you think is a great New Year’s resolution to make to improve your institution’s IAM strategy?

Many New Year’s Resolutions aim to benefit personal well-being. When it comes to improving your IAM strategy, why not take inspiration from that? Focus on the classics of improving diet, exercise, and sleep.

Healthier Diet: Consume less junk food! Work on getting better-quality data and governance management in place across your institution so that your authoritative identity repository is intentionally manageable. Along these lines, what can you trim from your task list, so your IAM team can focus its time on more-useful innovations?

More Exercise: Get to the gym! Build partnerships and collaborations across the campus aimed at improving the user experience. Bulk up automations and integrations, creating toolkits for others to leverage, reducing dependency on direct involvement for routine tasks.

Get Better Sleep: Be intentional to relax more! Revisit your institution’s overarching strategy, vision, and roadmap to better align the IAM strategy with large initiatives. Start planning around these now, so you aren’t losing sleep later with a massive IAM change request. (Vantage’s Michael Berman and Jon Young co-authored a blog on this topic).

Finally, since “losing sleep at night” is tightly paired with information security concerns, reduce institutional risk by regularly auditing access management. While expanding access to services is usually not a problem, we commonly are not as good at revoking access to previously required resources, which can lead to a situation where users/groups have access to data beyond their least-privilege.

Our expertise lies in cultivating sustainable IT operational strategies. We work closely with our clients to create realistic plans and achievable roadmaps that can be sustained for more than a few weeks, making it a resolution you can stick with!

—Jacqueline Pitter, CISSP, Senior Strategic Consultant, Vantage Technology Consulting Group; jacquelinepitter@vantagetcg.com

ICYMI

• Catalyst to Catalyst (Fall 2023): Ideas and Insights from InCommon Catalysts