Interview with Alfredo Santos, IAM expert

Este artigo foi originalmente escrito e publicado em inglês para o LinkedIn Pulse.

Alfredo Santos is an evangelist executive who works with information security. He has been focusing on Identity and Access Governance for the past years. He has already worked as a consultant, salesman, technology security manager and system developer. Now, Alfredo works for a big information security company as the Information Security Advisor on complex projects.

Alfredo, let’s begin it with some news. From IAM/IAG point of view, what may customers expect from 2015? New features? New approach or implementation?
Following the market trend, all providers are seeking to have a Cloud IAM option in their service’s portfolio. Also, providers are working on expanding their ability to meet aspects of governance, and developing ways to easily perform access requests. Customers should expect better integrated solutions, which will allow faster installation and configuration, delivering features upon request. The complexity of authentication processes is also expected to decrease. Due to token and other strong authentication devices’ costs, companies may decline their usage or replace them for SMS token technology. Some CSO’s are considering the elimination of access control for data considered public or internal. For example, intranets may not have authentication features in some of the new designed implementations. This will decrease the amount of management complexity.

What are the adoption rates and what has the market offered regarding IDaaS?
Today, 15% of new projects in the world are IDaaS’s projects. We expect to have a big number of IAM-hybrid projects, where some components will be hosted in a Cloud environment (mainly authentication), and other components will be hosted on customer premises (provisioning and governance). This mixed format is appropriate due to the distributed authentication process among mobile devices, web and IoT; the other features will still be on the customer’s side. Soon, governance will be available at IDaaS, and we will see a migration to this new format.

What are the most recent problems regarding IAM? What has been breaking news, and what should CIO’s watch out for?
The most recent issues are still related to the complexity of this kind of project. What changed now is that IAM tools have more and more connectors and adapters, which allow more integration between systems using less development codes. The installation will be faster and more integrated to the components, which will help us too. The CIO’s need to evaluate the offerings in detail in order to avoid options focused on niches, because, in some cases, they cannot extend IAM features and solutions to the whole enterprise. Therefore, they should deeply analyze each case to get familiar with complex projects, their request dates, and how long is the project timeline.

Gartner has recently made a change to the IAM report. Since 2013, the old IAM and IAG reports were merged. This kind of action affected IAM players by changing the Magic Quadrant, and required some companies’ acquisitions to be better positioned. Since many customers use this kind of report before making decisions, what do you think about this merger?
I understand, and agree with Gartner’s action on this report merging. This makes sense because all companies should begin with IAM and extend it to IAG to support existing demands for compliance. They cannot be treated as different solutions.

What are your suggestions for those people who are looking for more information? Which meetings or events regarding IAM or Information Security should they participate in?
Beyond the major suppliers’ events where they talk about their tools and success cases, I recommend Gartner IAM Summit in Europe and America. Besides, there are other summits specifically for Cloud IAM, and professional associations like (ISC)2 and ISSA where you can also find information about IAM.

We have heard that the market is in need of IAM professionals. Do you agree or disagree with it, and what must be done to attract more professionals to IAM domain?
I agree that we have less professionals than the market demands, mainly because the IAM professional profile is differentiated. An IAM professional must know different kinds of technology due to system integrations, he/she must know information security in its essence, and some development skills will always help. I believe that more meetings and trainings focusing professionals responsible for running IAM projects will bring more people into this subject. It is good to remember that IAM/IAG is not a field only for technology experts, many other professionals with a business background can be successful.

Written in February/2015.
Originally published on LinkedIn Pulse – https://www.linkedin.com/pulse/interview-alfredo-santos-iam-expert-fabio-sales

Author: fabio

Fabio Sobiecki is a systems analyst, graduated from Unopar and specialist in Information Security from Senac and has an MBA from FGV. Since 2004, he works with Information Security, between 1998 and 2004, he worked with information technology, in the area of infrastructure and computer networks. Fabio Sobiecki is certified by (ISC) 2 as CISSP and CCSP, since 2008 and 2017, respectively. He is currently president of the São Paulo chapter (ISC) 2 and is a solutions engineer at RSA.