IAM is an important component of an overall security and risk management plan and a key enabler of digital business. Attendees will learn how to evolve their IAM approach given the current best practices and industry trends. Key issues are:
● What are the architectural trends in IAM?
● What drivers and best practices are shaping the evolution of IAM in 2019?
IAM programs don't gain support without a common organizational goal and direction. Determining that requires more than promoting a shiny new object. It requires salesmanship, collaboration and commitment. After all, vision is something that is shared. Learn how to structure and communicate a vision and strategy that corresponds to organizational needs and expectations, and that can support the establishment of a new discipline.
Regional and country-specific privacy mandates continue to increase. Mapping commonalities and managing risks for differences are crucial for security and risk leaders. This presentation offers a practical guide on reusing GDPR compliance investment for China’s privacy requirements.
IAM programs must deal with a variety of process- and technology-related opportunities and issues. Coordinating these to provide measurable progress and benefits is always a challenge, and it may not happen in the optimal or desired order. The challenge for IAM leaders is to fulfill expectations of stakeholders and organize activities to manage dependencies. Use the roadmap to manage outcomes.
The access management market has evolved beyond supporting traditional web applications, and now there are more choices than ever. Attend this keynote presentation for an overview of the IAM-related Magic Quadrants and Critical Capabilities that have been published in the past year.
Passwords are a bane. Everyone struggles with multiple passwords. Passwords are notoriously weak, yet attempts to strengthen them only increase people’s frustration, while providing little respite from attacks. However, passwords require no new technology and are very familiar, even comforting. And while reducing friction is generally good, can passwordless methods show intent? Join this crossfire session for a thought-provoking discussion among Gartner analysts.
As identity and access management activities align more with an organization's digital objectives, security and risk management leaders responsible for IAM recognize the need to manage IAM as a program in its own right. This session addresses:
* How to justify the IAM program
* Establishing program responsibilities
* Establishing program governance
Buying IAM solutions requires detailed analysis of vendors, solutions and alternatives. Learn to use this five-step approach to structure the evaluation process, derive your shortlist, choose a solution and negotiate the best price.
Trusted digital identity is critical for enabling digital trust. To take advantage of digital business opportunities, IAM leaders must leverage various trusted digital identity models, including BYOI, to satisfy consumer needs, enabling simple, convenient and secure access. Audience members will learn why noninteroperable digital identities will not scale with digital business.
If you are still struggling with getting beyond passwords, better times are coming. The conjunction of increasing online use cases, behavioral analytics and next-generation hardware is propelling opportunities for advanced authentication techniques. This presentation will chart a course for clever, subtle and transparent identity management.
Identifying the core features to call out to a potential managed security service provider (MSSP) when scoping the need for an outsourced service is critical for a successful engagement. This session will provide practical examples of how to establish effective requirements and use cases before engaging providers:
● What are the key service performance metrics to insist on from an MSSP?
● How can you define service customization requirements to ensure additional services charges are managed?
● How can you align internal processes with the providers' outputs?
In line with the trend of Office 365 adoption, many organizations are considering Microsoft’s native IAM and security offerings such as Azure Active Directory, Azure Information Protection, Intune, Exchange Online Protection and Advanced Threat Protection. Which of these are you using successfully? What challenges have you encountered? Where have you found the need to supplement or supplant these capabilities with a non-Microsoft product? Join us for a peer-driven discussion to address these and any other questions you may have.
This workshop will help IAM leaders develop metrics that can help them to communicate more effectively about the state of their IAM programs and, ultimately, manage those programs better.
When building a security operations center, or trying to improve visibility into threats, security leaders are overwhelmed by an abundance of new technologies and too many options. This session will highlight the benefits and compare the use cases for the most useful security analytics tools. Technologies covered in this session include: SIEM, network traffic analysis, user behavior analytics, endpoint detection and response, intrusion detection, full packet capture and SOAR.
This session gives you an opportunity to ask questions about privileged access management (PAM), successful use cases and requirements needed to make your PAM efforts successful. Attendees should come prepared to ask questions.
The privileged access threat landscape is growing with a higher risk of enabling cyberattacks and severe consequences. Technical professionals must architect privileged access control capabilities to defend against exploitation scenarios and to resist advanced persistent attacks. In this session, we discuss how to develop overarching PAM requirements and architecture strategy.
Together, IAM and CASBs extend access control beyond the front door. In this session, we discuss how the two relate and integrate, and how they rely on and leverage each other to take back control of identities, services and data.
The evolving OAuth 2.0 frameworks and OpenID Connect have proven hard to master when protecting enterprise applications with authentication and authorization. What's the latest enhancement of the framework and how should native and web apps, as well as services, implement and leverage the framework to balance security, privacy and convenience?
API gateways play a key role in protecting APIs. They mediate identity and access management and provide basic features to reduce risk. This session discusses the features to look for and vendors to consider when choosing API gateways to protect microservices.
This roundtable discussion will cover what IT expects out of unified endpoint management (UEM) and whether it is realistic to switch to UEM today from separate client management tools (CMT) and enterprise mobility management (EMM). What challenges are IT departments facing from the ever-exploding number of devices, and will going to UEM solve this?
When migrating applications to the cloud, teams may not properly account for IAM, leading to short-term solutions to IAM challenges and misalignment with the organization's overall IAM architecture. This session guides technical professionals on common approaches to IAM in application migrations.
It's not your IT anymore. Whatever you think you know to maintain business information, security and integrity after moving to the cloud is obsolete. This presentation takes a fresh look at the virtual workplace and provides you with a set of actionable risk-versus-trust choices that actually take advantage of the new levels of IT diversity.
DevOps methodologies use continuous integration/continuous deployment pipelines to speed up the time from inception to production. When credentials are copied, mishandled or exposed, this creates major security problems. Support for DevOps in PAM tools has been emerging to support these agile environments and to secure the DevOps toolchain.
Identity management is arguably the most important discipline required for a successful Microsoft Office 365 deployment. Yet there are so many moving parts. And things change quickly: Best practices 12 months ago are now deprecated. This session will leverage a live Office 365 environment to illustrate the path to Office 365 success — from conditional access to Office 365 Groups to seamless SSO to third-party MFA/IDaaS.
(TechDemo) We will evaluate the capabilities of Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) to provide access control, authentication, SSO, active directory services and identity governance for IaaS. Via a custom single page application, we will provide guidance on best approaches for leveraging these capabilities as well as using them to integrate your applications and services across the three IaaS platforms.
Retailers and financial institutions typically add new technology to their payment fraud detection processes in the wake of a fraud attack, and fail to continually improve their capabilities on an ongoing basis. As a result, many organizations struggle with suboptimal processes. This workshop will help leaders to break out of this cycle by planning a considered payment fraud detection strategy.
Cloud computing has been around for more than 10 years, but in many organizations, Active Directory is still unprepared to fully support cloud deployments. This session provides guidance on overcoming these deficiencies and on making AD more agile to better support cloud computing and mobility.
Self-sovereign digital identity is the notion of an identity and related data that is controlled and owned by the individual or consumer. Leveraging decentralized self-sovereign identity has the potential to allow service providers to increase security and convenience of access for end users, all while reducing exposure to data breaches and potential privacy compliance violations. Join this discussion to explore a new and disruptive topic of self-sovereign identity!
Fraud prevention leaders have mastered the art of detecting and preventing fraudulent account activity and payment events in many verticals and use cases. But as customers change the way they interact with each other and their expectations of their service providers, banks, retailers, health care teams and governments, the old ways have failed to evolve.
Please Note: Preregistration required. Reserved for end-user organizations.
In this live demonstration environment, we will dig into best practices for user management, SSO, MFA, hybrid architecture and availability. Topics include: Azure AD Connect, Pass-through Authentication, Conditional access and third-party IDaaS/MFA/federation integration. As this is a limited-attendee format, you will work through prepared materials and leave with checklists that are specific to your organization.
IGA deployment initiatives are a potential minefield for many organizations that risk costly delays, difficult integration and lower overall value. Gartner has identified common anti-patterns for IGA adoption that range from the planning phase to the actual deployment and integration. Learn how to identify and avoid these common mistakes and plan for a successful IGA deployment by focusing on value and using Gartner's IGA deployment model.
Blockchain has become a much-hyped technology with a lot of potential. Yet, with cyberthreats and data breaches, is this technology secure? As Blockchain starts to impact the world, CISOs must understand the security and privacy implications. This session aims to provide CISOs with a framework that will help them identify and manage risks related to Blockchain.
During this session, we will cover the different deception deployment models, the benefits and limitations of deception products and services, and how you need to have your deception technology managed. Attendees will better understand deception as part of a wider security strategy, availability of products on the market and how service providers are adopting this technology.
No one can escape the wave of artificial intelligence marketing. The promise of increased security and better automation is appealing to security leaders, but sets the wrong expectations. Being too optimistic about artificial intelligence's impact could hurt the security organization. This session will provide answers to important questions such as:
● What should security leaders know about artificial intelligence?
● What are the expected impacts on security and risk management?
● Should security leaders search for a new job because they will be replaced with robots?
Employee monitoring is one of those topics that most IT leaders don’t like to talk about. Blandishments like “we trust our people” and “we have a culture of openness” are common. Yet, as Mark Twain said, “The difference between a man and a dog is that if you feed a dog and take care of it, it will not bite you.” We examine how employee monitoring contributes not only to prevention and detection of internal malfeasance, but can also be used to safeguard employees and ensure safe working environments.
Users seem to be connecting to everything but their enterprise gateway these days and secure communications are in flux. Enterprises have lost integrity and control over endpoint communications. This presentation reviews your options for secure communications when the cloud has turned your network upside down, and considers several forms of mitigation including new uses for CASBs.
The GDPR ups the ante and tilts the business case for compliance as of 2018. Typical questions that might be asked in this “Ask the Analyst” session include: How can I take a holistic view on the entire data life cycle? How do I make difficult decisions with regards to applicable security controls to apply? Can we still analyze data? Should we anonymize, pseudonymize, other options? Please note: Attendees should come prepared to ask questions and contribute to the discussion.
The presentation will explore experiences that have worked and/or failed to protect employees and their business data when traveling internationally. Topics will include loss, theft, surrender of login and password credentials, export controls, encryption and masking, VPNs and other secured communications, and variations in workplace rights and expectations. Attendees will receive copies of Gartner's international travel advice and examples of travel rules and policies from real companies.
Orthodox, credential-based authentication does not scale to the needs of digital business. Here, we discuss how new analytics-centric identity corroboration tools facilitate a CARTA (Continuous Adaptive Risk and Trust Assessment) approach to user authentication.
- What are the weaknesses of orthodox methods?
- How can IAM leaders evaluate and meet user authentication needs?
- How will enterprises benefit from taking a strategic CARTA approach?
Is your organization in need of a Privileged Access Management (PAM) solution? If so, this session will serve as a good primer on the technology.
Key issues covered include:
* Introduction to privileged access management
* The PAM maturity model
* An overview of PAM tools and when and how to use them
Multifactor authentication (MFA) is now mainstream, and many organizations are looking for secure, user-friendly and easy-to-integrate implementation options. A new crop of cloud-based MFA services provides support for common authentication use cases, both within the enterprise and in hybrid access scenarios. In this session, we will discuss cloud-based MFA that can balance trust, user experience and cost.
Moving Authentication and Access Management (AM) to the Cloud. As enterprises embrace cloud computing, interest in adopting cloud-delivered IAM capabilities increases. But is IAM as a service (IDaaS) a viable model? This session gives you an opportunity to ask questions such as: Can it support hybrid (cloud and on-premises) business app architectures? Can AM vendors' authentication capabilities displace incumbent tools, or is there still a need for standalone authentication solutions?
(Registration Required, End Users Only)
Identity cannot be absolutely proven — merely corroborated to fall within transactional risk tolerance. Security and risk management leaders must discard flawed legacy methods and embrace analytics that evaluate multiple positive and negative signals.
In this presentation, we will address the following key issues:
- Knowledge-based authentication is dead, thanks to rampant data compromise and oversharing on social media.
- High friction during enrollment leads to abandonment and does not reduce risk.
- The convergence between identity proofing and online fraud continues, with the online fraud engine acting as a risk arbitrator not only in authentication but in enrollment.
Early promises of easy, secure and universal authentication through unique personal traits have been unfulfilled for decades, but in the past 10 years we have seen a surge in interest and adoption. Are biometric methods the way forward for every enterprise?
● How does biometric authentication differ from other orthodox methods?
● Where is biometric authentication most popular today — and what are the pitfalls?
● How do biometric technologies fit in an enterprise identity corroboration strategy?
In this workshop, we will discuss several of the more common authentication and authorization use cases that require OAuth/OIDC and the specific OAuth/OIDC extensions that are needed to properly implement them. We will also provide information on which vendor offerings support some of the newer, less commonly available OAuth/OIDC extensions.
After ample preparation time in anticipation of the GDPR, Gartner has observed a few misconceptions on privacy as well as a number of key functions for a mature privacy management program. We will address the lessons learned and the necessary capabilities to protect privacy, including the role of security, program ownership, and what the market is, and should be, doing.
In this workshop, we will assess how identity is provisioned to IoT devices and how identity is used to authenticate and authorize access to and from the device. We present a model for the identity of things (IDoT), different constraints and we will look at the current state of the art. You will work through prepared materials and leave with an IDoT design for your most challenging IoT effort.
Decentralized identity and related evolving standards will be disruptive. Proof-of-concept projects have shown the potential benefits such as enhanced privacy, reduced security risk and cost-efficiency. However, there are still gaps and challenges that require more work. This session will demystify decentralized identity architecture, example offerings and current state of the market.
IoT devices generate a huge amount of data, which may include sensitive personal data. As regulations and awareness of privacy have increased, security leaders require a consistent approach to data security and privacy. What are the concerns with IoT security? What are the legal implications of regional privacy laws such as GDPR? What approaches should be considered when embarking on IoT initiatives?