IAM is a set of security services, processes, policies, and tools to define and manage the roles and access of users, devices, and application programming interfaces (APIs) to a variety of cloud and on-premises applications, servers and services.
IAM is central to controlling enterprise data access. “IAM is at the core of digital transformation, at the core of cybersecurity, and at the core of regulatory compliance. It is essential, therefore, to have both a mature and a modern IAM in place,” wrote security consultant Martin Kuppinger in his blog. And Okta’s blog further amplifies this message: “IAM is the glue that holds all the disparate tech stacks together in a way that enables brands to deliver seamless, omnichannel experiences that are secure and reliable — for both their employees and customers alike.” This means having a single digital identity that can be used to define a particular user or computing device, and that is where IAM gets complicated very quickly.
The most obvious evidence of identity’s criticality is how often it is used as the initial entry point for an attack on a target enterprise network. Thanks to poor multifactor authentication implementations, more sophisticated phishing methods, more automated credential stuffing techniques and numerous legacy IAM systems that haven’t been updated, bad actors can often find these entries with minimal effort. One notable data point is that a million attacks are launched every month trying to bypass MFA protections, according to Proofpoint’s State of the Phish report analysis from April 2024. Granted, not many of them succeed, but this is still a sobering reminder of how laser-focused attackers are on identity compromises.
This critical role has evolved over time, and Gartner and other industry analysts have for years suggested that identity is not just a collection of security applications, but a well-integrated fabric or mesh of architectures and processes that connects everything into a coherent whole capable of protecting the entire digital surface of an enterprise. This fabric uses adaptive risk assessments to authenticate and connect both people and machines, drawing on information collected from continuous threat detection and operations visibility.
This vision sounds good in theory but is more aspirational than actual, and one reason is that “identity-first security requires tighter collaboration of IAM and cybersecurity teams to ensure alignment and put IAM at the heart of security strategy,” as Gartner analysts have said in their latest IAM planning guide.
In the past, IAM was just one of numerous acronym security solutions that stood alongside privileged access management, security logs, and posture management tools. But as identity has become the heart of digital infrastructure and applications, IAM needs a bigger role, and it has become a functional focus rather than a line feature.
The challenge is to grant access to the enterprise assets that users and devices have rights to in each context, and to keep up with changes in these contexts as computing needs evolve. That includes onboarding users and systems, permission authorizations, and the timely offboarding of users and devices. One example of these changes was the shift to remote work in our post-Covid world, which required modifications so that users could maintain access to their internal systems. This put stresses on IAM systems and policies, to be sure.
But even without the changes from the pandemic, the IAM fabric construct places new demands on existing security software. Take privileged access managers as an example. In the past, this software focused on ensuring that users had the correct basket of access rights to local resources, and that administrators’ rights were assigned sparingly. As the collection of cloud apps has grown, this means ensuring that these apps are set up properly, with the philosophy that Gartner calls “no privileged account is left behind,” as the number of machine identities outstrips those assigned to humans. “An average midsize to large organization uses hundreds of SaaS applications. Managing access separately for each application simply doesn’t scale,” Gartner said.
The move to the cloud has brought other complications. Many companies have evolved their access control policies over time, and the result is that they have overlapping rules and role definitions that are usually outdated and, in some cases, provisioned incorrectly. “You have to clean up your identities and revoke all the extra privileges that users don’t need so that you don’t migrate a mess,” Forrester’s Andras Cser tells CSO. “This means spending more time on upfront design.”
Part of the problem is that vendors too often manage machine identities with tools that were originally designed for just human identities. The two use cases are different: machines require carefully controlled API access that leverages automated routines, so that potential exploits can be quickly identified and stopped. “It is time to prepare for a world in which more customers are bots, which may require redesigning existing services,” says Gartner. Authenticating non-human entities such as application keys, APIs, secrets, agents and containers is a lot more difficult, simply because of the different contexts in which these entities operate. For example, application keys may be hard-coded inside a particular cloud application, placed there temporarily by a developer who has since moved on and forgotten about them. These are low-hanging fruit for attackers to leverage their way into your enterprise.
In the past, many IAM vendors segregated their products into those that focused either on customer identities or workforce identities. The former was used to manage external users and devices while the latter was used for internal users and devices. That distinction is disappearing, thankfully, and now many vendors combine the approaches.
Another problem is that workflows have grown convoluted and complex, requiring customized IAM policies to protect them. As zero trust moves from “nice to have” to a prerequisite for compliance, this places a bigger responsibility on IAM to manage everything. It also means migrating away from manual integration of new apps to a more automated way of delivering appropriate security. “You need to make sure any IAM solution is usable, secure, easy to automate and cost-effective,” Okta stated in a blog from last fall.
This last point – making IAM easy – bears further focus. IAM has the potential to make data access more difficult for users, and “a deteriorating user experience can undermine rather than instill user confidence and trust,” wrote Forrester analysts in their report from last July on Essential Research for Building an Effective IAM Program.
All IAM systems provide administrators with the tools and technologies to change a user’s role, track user activities, create reports on those activities, and enforce policies on an ongoing basis. These systems are designed to provide a means of administering user access across an entire enterprise and to ensure compliance with corporate policies and government regulations. Each platform has four basic elements:
These elements used to be part of separate security silos with responsibilities to maintain them segregated across groups such as development teams, IT infrastructure managers, and other operational roles such as human resources, legal, and so forth. This made it difficult to get a clear and complete picture of IAM’s role and made it difficult to assess and improve any coherent identity posture. Today’s IAM platform integrates across all the elements and provides a coherent and consolidated view.
The good news about IAM is that there are numerous open standards to track and to leverage. The bad news is that these standards are evolving, and that means that best practices are also changing. And while these standards are a great starting point, organizations need to go beyond embracing open standards and be more nuanced about how to adopt these standards and be more effective at managing access.
In the early IAM days, authorization messages between trusted partners were often sent using Security Assertion Markup Language (SAML). This open specification defines an XML framework for exchanging assertions among various security authorities. SAML achieves interoperability across different vendor platforms that provide authentication and authorization services. But SAML has fallen into disuse: the initial working groups have been mostly inactive, and many of the encryption protocols are easily compromised with modern computers.
Its replacement is OpenID Connect, which is what Gartner recommends using in its latest IAM guide. Another standard worthy of attention has been the adoption of FIDO among a variety of IAM vendors, device makers, and operating systems. It provides approaches for eliminating passwords entirely, using a variety of hardware security keys, biometric methods, and smartphone profiles.
Many enterprises have focused on one aspect of FIDO: its various passwordless options. These techniques include using a user’s smartphone authenticator app or a biometric face or fingerprint scanner as an access token. They are necessary, especially as MFA bypass attacks that take advantage of user fatigue or misconfigurations of the additional security factors have increased. In addition to being more secure authentication methods, there is another benefit: usability.
“Organizations taking advantage of passwordless authentication for less end user friction at login is an example where today’s stronger IAM controls can go hand-in-hand with better usability. Using biometrics as an authentication factor rather than a knowledge-based factor like a password lightens the cognitive load on users and paves the way for phishing resistant MFA, greatly improving an organization’s security posture,” Forrester’s Geoff Cairns tells CSO.
Another FIDO innovation is a technology called passkeys, which can replace passwords entirely, and at the scale that enterprises require. The past several years have seen growing acceptance of passkeys by IAM vendors in their platforms. At last year’s RSA Conference, Christiaan Brand, a Google passkey product manager, gave an update and said, “We are at the point where mass transition away from passwords to passkeys can start to happen,” showing some code samples to implement various enterprise workflows using passkeys. Google, Apple and Microsoft began rolling them out last year to support Workspace, iChain and Windows Hello corporate users respectively. Dozens of websites support them, including GitHub, Adobe and Amazon.
However, “Passkeys are not quite there yet when it comes to enterprise security. Adoption has been slow,” Heath Spencer, the CEO of Traitware, tells CSO.
If you haven’t examined your IAM infrastructure lately, now is the time to evaluate your identity posture and see ways you can move to a more “identity-first” strategy, as Gartner calls it. This means that “organizations will have to reestablish IAM hygiene and raise the bar, by managing more user constituencies in more environments,” they wrote in their planning guide.
Forrester in its Build Your Own IAM strategy report from December 2023 suggests conducting a systematic and comprehensive IAM maturity assessment to examine the different components of IAM, such as user provisioning, privileged access management, and user password policies. “Document your current state and make realistic recommendations,” along with an honest evaluation of whether your enterprise is ahead or behind your peers in terms of technology.
Another recommendation is to establish an identity governance committee. Geoff Cairns, one of the report’s authors, says “this is key to any IAM transformation, but to be effective the governance committee must foster cross-functional collaboration and have strong executive support. Creating a culture of continuous improvement is vital as IAM will always be evolving; don’t underestimate the cumulative power of incremental changes. Thus, strong organizational change management and the associated employee communications, education, and support are essential.”
Part of this examination is understanding where IAM can be more effective, such as offering tighter integrations with other security and enterprise systems like single sign-on, endpoint protection, and other tools. Cairns says that these integrations “will allow users to submit and approve requests via familiar enterprise tools of choice, expediting initiation and processing of access and privileged credential requests with automated IT ticketing for tracking, and allow security teams to capitalize on advanced IAM analytics to allow for more rapid response to identity threats.”