Mobility, Cloud, IoT Has Created IAM Chaos
Identity and access management is older than the Internet, but the environment IAM has protected for years has fundamentally changed as businesses are inundated with the increased use of mobile devices, cloud applications and IoT. To compound the problem, organizations have been babysitting IAM for years, making it difficult for security teams to reduce the risk of the identity theft and privilege escalation associated with cyber-attacks.
Something must change.
The fact is IT has lost control of IAM, and it's time to tackle some key initiatives to restore confidence in the authentication and authorization process while still delivering an optimal end user experience.
What initiatives are businesses focused on to address these IAM challenges? ESG research indicates these top areas of focus over the next 24 months:
- 29 percent want to monitor user activities more comprehensively throughout the network. In many cases this involves monitoring activity as part of a compliance audit or insider threat security investigation, or to expose access patterns that could be useful for identity governance. Monitoring user behavior is also used with strong controls to protect the confidentiality and integrity of sensitive data.
- 26 percent want to replace username / password authentication with MFA (multi-factor authentication) whenever possible. Saying goodbye to passwords combined with the power to produce strong authentication presents an ideal opportunity to enhance IAM security and simplify user access.
- 23 percent expect to increase participation of the information security group in IAM decisions. Information security teams are leaning in to improve security best practices, block/detect malicious acts, comply with industry regulations and address new risks associated with the increased usage of mobile devices. Microsoft's internal IT organization has made this shift and is able to make decisions faster with more confidence now.
It's important to point out that there isn't a silver bullet solution to solve all the IAM challenges. IAM initiatives include both an investment in technology and reshaping organizational responsibilities. The organizational shift of IAM strategy into the office of the CISO is an ideal start while exploring opportunities to strengthen the authentication process with MFA techniques, and improve authorization policies by capturing insights and intelligence on user behavior.
A good place to start with improving authentication is to look at the FIDO Alliance and review some of the adoption examples. For example, Microsoft supports the FIDO specification to enable users to authenticate with Windows 10 using biometrics without having to remember passwords or use cumbersome smart cards. Another example is how Google has teamed up with security key vendors like Yubico to provide U2F (Universal 2nd Factor) to simplify access and strengthen security. Both are examples of where the future of authentication is headed.
Monitoring user behavior to protect (not spy on) the user is essential to creating authorization policies that can adapt to workstyles, devices, networks and data access. The first place to look to improve user behavior monitoring and insights is the workspace delivery and device management solutions likely already implemented to some degree. These include solutions from Citrix, VMware AirWatch, MobileIron, Google and Microsoft. Each of these companies has enhanced the depth of monitoring user behavior.
There is no question that businesses are not going to let IAM remain an IT dinosaur. The perimeter that IT operations and information security teams need to protect is expanding too fast and the risks are high – the kind of risks where people lose jobs and companies go out of business. On the flip side, mobility and cloud adoption are extremely valuable to businesses and have created the requirement to evaluate, tune and embrace IAM initiatives to help bring some normalcy and confidence back into IAM.
Mark Bowker is an analyst with ESG Global Research, member of Enterprise Mobility Exchange's Editorial Advisory Board, and contributor to the site.