By David Mahdi, Senior Director Analyst, Gartner
In 2020, remote working and increase in digital transactions raised the visibility of identity and access management (IAM). It also highlighted the challenges ahead for IAM leaders.
The COVID-19 pandemic has raised the visibility of identity & access management (IAM) due to the high priority in getting remote access secured and the increased protection needed around digital transformation initiatives.
In an effort to make organizations more secure, agile and resilient, IAM leaders must improve governance and strengthen privileged access management (PAM) practices to prevent breaches, establish more robust and agile authentication and authorization, and enhance consumer IAM to prevent fraud and protect privacy.
Invest in emerging technologies to develop an adaptive IAM strategy
With the rapid growth and pace of digital business, IT leaders now recognize the importance of IAM. As a result, demand for IAM and digital identity technologies has increased significantly, along with rapid investment. The access management market is expected to reach $19 billion in 2024, up from $13.7 billion in 2021. Yet, with the flurry of investment and development of existing IAM technologies, not all technologies are ready for production; some will require more extensive proofs of concept (POCs).
In 2020, machine identity management made its debut on the Gartner 2020 IAM Hype Cycle. Machine identity management establishes and manages trust in the identities of machines, such as IoT devices, virtual machines, containers and RPA bots.
As environments become more digital and cloud-enabled, IAM leaders need to ensure that they can manage the increase in volume and velocity of machine identities required to support digital business needs. Machines such as servers, cloud environments, RPA and applications all require digital identities. These digital identities will enable IAM leaders to apply the most appropriate security policy to manage and control all of these entities.
The years 2019-2020 advanced bring-your-own-identity (BYOI) approaches, which allow users to select and use an external digital identity of their choice, including social IDs. For example, in 2019, Mastercard announced a consumer-centric model for digital identity. Apple announced and launched “Sign in With Apple,” which leverages Apple digital identities, and Microsoft offers “external identities” features with Azure AD.
To successfully implement BYOI, ensure that the level of trust provided by the identity provider matches/exceeds the level of access risk.
Identity proofing enables trust in digital interactions
Establishing confidence in a user’s identity is paramount for many organizations. This could range from a customer signing up for a new bank account, to a new employee starting a new role working from home to a citizen trying to register for pandemic-related financial support on a government website.
In some cases, this confidence is needed to mitigate the risk of financial fraud, in others it’s to prevent a bad actor from accessing your company systems, and in some, it’s a regulatory requirement.
The COVID-19 pandemic has accelerated the need for robust identity proofing in digital channels and also prevented many of the in-person interactions where identity proofing has typically taken place.
Furthermore, organizations have elevated their digital transformation initiatives, and with that so has the need to know who is really on the other end of that internet connection.
By 2022, Gartner predicts that 80% of organizations will be using document-centric identity proofing as part of their onboarding workflows, which is an increase from approximately 30% today.
For many years, the foundation of online identity proofing has been a data-centric approach. This involves checking the identity data (e.g., name, address, date of birth, social security number) entered by a user against sources such as electoral records, credit bureau data and census information. The identity assurance achieved with this capability used in isolation is relatively low, as there is no assurance that the user entering the data is actually the owner of the identity.
More recently, there has been a surge of interest in document-centric identity proofing, more informally known as the “ID + selfie” process. In this process, a user captures an image or video snippet of their photo identity document, which is assessed for signs of tampering or counterfeiting. The photo on the document is then compared with a “selfie” (still photo or short video) taken by the user submitting the document. A critical component when assessing the selfie is presentation attack detection (commonly referred to as “liveness detection”), which confirms the genuine presence of the user. This offers a far higher degree of confidence in the identity and that the owner of the identity is present.
Privileged access management is a crucial piece for security programs
Nearly every successful security breach involves a failure of privileged access management (PAM). PAM is the combination of tools used to secure, control and monitor privileged access to an organization’s critical information and resources. And while it may not prevent an initial breach, PAM can reduce or eliminate the impact of the breach. Note that privileged access is different from high-risk access, and includes access that exceeds what normal users typically have.
The result of COVID-19 and the related shutdowns was an increased requirement for remote work, and an increased need for PAM. Due to the expansion of administrative work happening remotely, additional opportunities for bad actors are possible. This has driven organizations to increase their usage of PAM, first by expanding privileged access for their employees who require administrative access. Second, businesses broadened PAM use in remote privileged access for third parties, such as vendors, contractors, service providers and business partners.
To mitigate the risk of breaches and insider threats, a PAM practice helps organizations achieve the principle of least privilege, ensuring that the right person has the right access to the right resource at the right time for the right reasons. A PAM practice will use PAM tools to control access to privileged accounts, and will rotate credentials after each use. They will also monitor, record, audit and analyze privileged access sessions and activity.
