Each year we opine that the nature of access control has changed and evolved. Well, not to sound like a broken record, but we must say that again this year. Part of the reason that we are seeing these changes is the same reason we are seeing changes in the Perimeter Defense category: the dissolution of the perimeter. But at the same time, while perimeter defense is wandering about lost looking for a perimeter to defend, access control tools are working overtime for the same reason: access control is becoming less and less centralized on the perimeter.
Now, instead of simply guarding the gates to the enterprise, we have a wide variety of accesses that need controlling. Now single sign-on, a dicey and somewhat controversial form of access control back in the day has become the order of business and Kerberos, a technique that was difficult to understand for many and more difficult to deploy for most, has become a standard. So, what's left? Have we solved the access management problem in one (or two) fell swoop? Hardly. But what we have done is shrink the body of innovators significantly.
As you will see from this year's one company participant, it takes a heap of thinking to innovate in the space. We like to think that our innovators always are looking ahead to things that we mere mortals have yet to consider. And, usually, they are. But nowhere do we feel that forward thinking is more important than today where the threatscape is changing constantly and yesterday's solutions to the access control challenge are hopelessly outmoded almost before they hit the streets.
The adversary focuses on access control for one reason: it usually is hopelessly inadequate. Even with decades of warning we still see that the majority of access control is single factor and the factor is the tired old username/password combo. To exacerbate the problem, the typical user can't seem to get it through his or her head that fido123 is a terrible password. There are worse, of course, and periodic surveys remind us of just how bad people's password selections really are. But we giggle and use the same old tired access control.
So, with that in mind, we take a look at this year's innovator in this space.
Last year we introduced you to KeyScaler in our 2016 Innovators issue. The important innovation this company brought to bear was access control specifically for the Internet of Things. That, of course, represents a big challenge because the Internet is full – and getting fuller – of “thing.” So, when we talk about authentication at scale we really are saying a lot. That was this innovator's big challenge last year.
Vendor: Device Authority
Flagship product: KeyScaler
Price: Pricing starts at $25 per device per annum. Base License $50,000 per annum.
Innovation: Access control for IoT
From the perspective of access control, the issue becomes deploying a robust PKI in a space that often does not have good authentication capability in the first place. There are ways to do that, of course, but probably the most important key is replacing the device's security – and authentication – policy with the owner's policy. That addresses all of the disparate password policies, many of which not only allow, but may actually encourage poor password practices. It also accounts for devices that have no particular password policy at all.
KeyScaler addresses all of the IoT security issues in a deceptively simple manner: it takes over security control for every device and until that device is under control and authenticated it does not receive its PKI certificate. There is a centralized registry that tracks every recognized device and a device must be added to the registry in order to be accessible.
While this innovator has spent a lot of time on traditional IoT use cases – medical devices, for example – it now is working closely with partners to identify, define and address new use cases. Last year we predicted that this innovator would do big things in the marketplace and it would appear that we were right on target. Partnering with such high-profile companies as Comodo, KeyScaler is becoming the preferred IoT access control management system very rapidly.
Last year we predicted big things for this IoT upstart. This year we predict that it will become – if it hasn't already – the prime mover in the development of a safer Internet of Things.