Jim Routh, chief trust officer at identity cloud management software firm Saviynt, has had a long career in tech. Recently, IT Brew had the chance to sit down with Routh and talk about his journey.
During that conversation, Routh opined on the future of identity access management and trends in passwords and security. It’s a dynamic part of the software industry as passwordless security solutions and passkeys become more important to determining who has access and who doesn’t.
This interview has been edited and condensed for clarity.
What evolutions in identity security have you seen over the past few decades, and what do you think is coming down the line as far as threats and ways to manage this space?
Ten years ago even, the threat landscape was different than it is today. Today, somewhere between 60% and 70% of all cybersecurity incidents are using compromised credentials. The credentials are coming from multiple sources. Threat actors figured out that if you have the password, it’s much easier to get into a system than if you have to break the system and then move laterally to try to get escalated privilege, all of which sends alarms off to the cybersecurity team that’s doing the monitoring. But if you have a credential, you have a user ID and password combination, then you’re allowed into the system, and nobody’s paying attention to you because you look like a legitimate user.
Passwords are of course an important part of identity access management. Can you explain why today’s usage of multiple passwords presents problems?
We as an industry are relying too heavily on passwords. Passwords were never designed to be used across a couple hundred different types of digital assets…what’s happened over the years is, a digital consumer—any of us—could have over 100 digital assets. If I have more than 20, I can’t remember unique passwords for 20 different sites. Certainly, 100 is out of the question. Many people have 200! The more digital assets you have, the more your reliance on creating a unique password, and the higher the degree of difficulty it is for digital consumers to remember those passwords.
So, where does that leave us with respect to identity access management?
The net result is we have to evolve digital identity security to deal with the fact that credentials can be had and rely on other ways of providing authentication. If you look at the passwordless options available to an enterprise today, there’s probably 10 or 15 different products and types of products that any enterprise can choose, whereas 10 years ago, there were none.
The evolution of identity management, starting with authentication, is already well-established, and in that you have passwordless options, which reduce the need to store and handle secrets, and at the same time, by relying on biometrics and behavioral pattern deviation, we can trigger automatic workflow to take actions in real time, instead of combination. That’s essentially what digital identity security means. It means being proactive in protecting the enterprise by creating almost like an immune system that’s operating in and of itself to protect the enterprise. The immune system is built on this notion of established patterns that can operate freely.