2000/01 META Trend: Proliferating requirements for remote access (2000/01) and business-to-business extranets (2001-03) will drive dissolution of the network perimeter. Tiered access will be controlled by a policy-oriented identity/rights infrastructure (directory with Web single sign-on now, PKI during 2001-03) and enforced by an increasingly distributed web of security devices (firewalls, VPNs).
2001/02 META Trend: Strengthening and centralizing authentication/authorization services are becoming top security concerns as organizations bolster e-business (external) security architectures and rationalize with internal solutions (2001-03). Traditional boundaries will melt as security functions are increasingly embedded in infrastructure components during 2002-04.
META Group's 2000/01 META Trend focused on the requirements for third-party access driving the need for policy-oriented access control and increasingly distributed security enforcement points. A year later, META Group's projections are holding true, with e-business remaining the primary impetus. Indeed, META Group's 2001/02 META Trend reiterates these concepts and expands to also capture some newly emerging aspects.
In particular, META Group expects traditional token schemes (e.g., SecurID) to meet the need for stronger user authentication in the near term (2001). Ultimately, smart cards and biometrics (both used in conjunction with digital certificates) will be widely used for user authentication as these technologies mature, drop in price, and become embedded in common computing platforms (2002/03). The need to match authentication methods to users based on differentiated services provided (for economic reasons), along with the need to address overall scalability demands, will further emphasize the need for a robust identity and privilege management infrastructure. In addition, by 2002/03, a goal for leading organizations will be to have this infrastructure also apply to internal users.
META Group also expects an increasingly distributed and mobile workforce to make the ways external parties and employees interact with an enterprise dramatically similar. This mobile workforce, along with a converged identity infrastructure, will form a solid base on which to evolve a more comprehensive security strategy that must be promulgated - one that further dissolves the differences between external parties and employees, thereby inherently addressing the internal threat to information resources (2004/05). The continued proliferation of appliance-style security devices and the increasing "embeddedness" of security functions at all layers will help this cause by enabling security enforcement points to become pervasive (2002-04).
Most organizations still rely heavily on relatively weak username/password methods for user authentication - even for external parties accessing e-business applications. However, maintaining this approach while increasing the value/functionality of externalized services (to remain competitive) creates an imbalance in the associated risk model. Thus, companies are forced to either adopt stronger means of assuring user identity or accept this greater risk as a cost of doing business. Unfortunately, acknowledged methods for strong authentication suffer from various shortcomings. Proven token schemes (e.g., SecurID) would be ideal except for their high costs and management/scalability challenges - yet they still represent the best tactical solution.