Identity And Access Management: A Must for Global Businesses & How it could be Converged with Modern Security Solutions
Why an effective IAM strategy is a must for organizations of all sizes?
Ans: In today's world, BYOD and mobile workforce is a reality that takes information beyond the boundaries of an enterprise. The proliferation of digital customers and the growing retail & e-commerce business indicates that people need access to information on the fly. Hence, we are quickly realizing that Identity and Access Management (IAM) is an area where we can lose control rapidly. Traditional approaches and strategies from the inhouse data-center world would not suffice anymore. Organizations need to rapidly invest in the technologies and processes to stay ahead in this complex threat landscape and to prevent repercussions of poor IAM governance. Investment in IAM doesn't just mitigate risk; but can also improve productivity, efficiency and increase employee satisfaction.
Many organizations at different levels of IAM maturity often find themselves taking a piecemeal approach to security, identity, and access that ends up dealing with issues as they arise rather than having a holistic strategy. In some cases, these organizations have addressed a business or technical problem by implementing a tool, only to discover another problem has cropped up elsewhere. Often the problems that need fixing are obvious, but without a strategy and roadmap, these organizations don't know how to address them.
Every organization should have an IAM strategy, an understanding of the right technologies for their requirements, and a roadmap for implementation. Organizations with strategies, roadmaps, and a phased delivery approach can accelerate their project outcomes, better manage scope, secure long-term executive and stakeholder support, and reduce costs through efficiencies.
But each organization has different needs and priorities, and as they evolve, their needs and priorities also evolve. The case to invest in an IAM strategy is clear and compelling. Organizations can benefit from an assessment of their unique state, where they are today and a detailed roadmap for the way forward. When they know their options for managing risk, complexity, costs and compliance, organizations can align their strategy with broader business goals and develop a realistic plan for implementing it.
Where do you see the global IAM market in the coming years? What are the factors contributing to it?
Ans: With the increasing demand for cloud-based solutions, micro-services architecture, compliance management and mobility solutions, the Identity and Access Management (IAM) market is poised at a very interesting stage of growth.
Organizations are now discarding the old model of `trust but verify', which relied on well-defined boundaries. They are adopting the 'Zero Trust' model, which is centred on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify everything trying to connect to its systems before granting access. Organisations can ensure that full access to non-sensitive data is given to all while a Zero Trust approach becomes the norm for higher sensitivity data.
Identity validation continues to be an ongoing challenge and with the advent of IoT devices, it has become complex. Every person, phone, computer, and IoT device has an identity that must be authenticated to establish trusted communication.
As organizations, and especially those that are in the developing stage continue to invest in the cloud, the apprehensions related to cloud security cannot be denied. CASB that connects the cloud provider and the cloud service consumers with better security will see an increase in demand and implementation of Single Sign-On (SSO) for all cloud services and hybrid environments to provide a better user experience. SAML, OAuth 2.0, OpenID, and other protocols mean that people will see a drastic reduction in the number of unique accounts and credentials necessary to log in to certain websites.
With the rise of bring your own device (BYOD) culture in the workplace and the access to personal accounts, the lines around corporate and personal identities have started to blur. Context is a large part of redefining identity, with `who you are' being based on several factors rather than just a username and password. AI and Machine learning in IAM is expected to be a growing trend and can get to know a person so well that all the data collected about them, combined with multi-factor authentication, will securely identify most people.
Additionally, let's not forget that most of the recent data breaches were ultimately the result of the administrator accounts being compromised. There is an enormous need for better forms of authentication and authorization for the administrator accounts as these accounts are often shared and lack adequate activity monitoring. Increased auditor sophistication and organizational emphasis on compliance combined with the realization of privilege elevation attacks have raised concerns about privileged accounts to the highest levels of the organization. Hence, Privileged Access Management (PAM) would play a strong part in the Zero Trust Architecture.
Do you think blockchain has the potential to transform identity and access management?
Ans: Identity and access management (IAM) is
Ans: In today's world, BYOD and mobile workforce is a reality that takes information beyond the boundaries of an enterprise. The proliferation of digital customers and the growing retail & e-commerce business indicates that people need access to information on the fly. Hence, we are quickly realizing that Identity and Access Management (IAM) is an area where we can lose control rapidly. Traditional approaches and strategies from the inhouse data-center world would not suffice anymore. Organizations need to rapidly invest in the technologies and processes to stay ahead in this complex threat landscape and to prevent repercussions of poor IAM governance. Investment in IAM doesn't just mitigate risk; but can also improve productivity, efficiency and increase employee satisfaction.
Many organizations at different levels of IAM maturity often find themselves taking a piecemeal approach to security, identity, and access that ends up dealing with issues as they arise rather than having a holistic strategy. In some cases, these organizations have addressed a business or technical problem by implementing a tool, only to discover another problem has cropped up elsewhere. Often the problems that need fixing are obvious, but without a strategy and roadmap, these organizations don't know how to address them.
Every organization should have an IAM strategy, an understanding of the right technologies for their requirements, and a roadmap for implementation. Organizations with strategies, roadmaps, and a phased delivery approach can accelerate their project outcomes, better manage scope, secure long-term executive and stakeholder support, and reduce costs through efficiencies.
But each organization has different needs and priorities, and as they evolve, their needs and priorities also evolve. The case to invest in an IAM strategy is clear and compelling. Organizations can benefit from an assessment of their unique state, where they are today and a detailed roadmap for the way forward. When they know their options for managing risk, complexity, costs and compliance, organizations can align their strategy with broader business goals and develop a realistic plan for implementing it.
Where do you see the global IAM market in the coming years? What are the factors contributing to it?
Ans: With the increasing demand for cloud-based solutions, micro-services architecture, compliance management and mobility solutions, the Identity and Access Management (IAM) market is poised at a very interesting stage of growth.
Organizations are now discarding the old model of `trust but verify', which relied on well-defined boundaries. They are adopting the 'Zero Trust' model, which is centred on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify everything trying to connect to its systems before granting access. Organisations can ensure that full access to non-sensitive data is given to all while a Zero Trust approach becomes the norm for higher sensitivity data.
Identity validation continues to be an ongoing challenge and with the advent of IoT devices, it has become complex. Every person, phone, computer, and IoT device has an identity that must be authenticated to establish trusted communication.
As organizations, and especially those that are in the developing stage continue to invest in the cloud, the apprehensions related to cloud security cannot be denied. CASB that connects the cloud provider and the cloud service consumers with better security will see an increase in demand and implementation of Single Sign-On (SSO) for all cloud services and hybrid environments to provide a better user experience. SAML, OAuth 2.0, OpenID, and other protocols mean that people will see a drastic reduction in the number of unique accounts and credentials necessary to log in to certain websites.
With the rise of bring your own device (BYOD) culture in the workplace and the access to personal accounts, the lines around corporate and personal identities have started to blur. Context is a large part of redefining identity, with `who you are' being based on several factors rather than just a username and password. AI and Machine learning in IAM is expected to be a growing trend and can get to know a person so well that all the data collected about them, combined with multi-factor authentication, will securely identify most people.
Additionally, let's not forget that most of the recent data breaches were ultimately the result of the administrator accounts being compromised. There is an enormous need for better forms of authentication and authorization for the administrator accounts as these accounts are often shared and lack adequate activity monitoring. Increased auditor sophistication and organizational emphasis on compliance combined with the realization of privilege elevation attacks have raised concerns about privileged accounts to the highest levels of the organization. Hence, Privileged Access Management (PAM) would play a strong part in the Zero Trust Architecture.
Do you think blockchain has the potential to transform identity and access management?
Ans: Identity and access management (IAM) is
one area in which various attempts have been made to utilize blockchain technology. Blockchain has been talked about in relation to Identity and Access Management and can be the platform to secure individual identities from been stolen or becoming victims of various fraudulent activities.
Many organizations look to incorporate blockchain technology into IAM to deal with issues of authentication and authorization. On the authorization aspects, whilst distributed ledgers such as blockchain are good at storing and archiving information indisputably, they are not fit for managing real-time access authorization and real-time contextual enforcement.
Blockchain technology will be able to provide a decentralized and reasonably secure way to store and verify the proof of identifiers for the identities. It is likely to help users to create, prove and register their own identities and related identifiers to make use of growing digital services. It is expected to reduce operational risks and costs by eliminating the need for replicated identity repositories and data. As such, for blockchain to be of genuine value in the IAM space, there seems to be a common understanding that identities and private information should not be stored on public blockchain networks. Rather, only individuals' unique cryptographic identifiers should be stored and referenced. What would be interesting to watch for is that its adoption in IAM would require more open-source availability, easier financial models and privacy and user experience would be the key amongst all.
How security in the cloud can be ensured using IAM?
Ans: Cloud computing is a complex system with a combination of diverse networked devices that supports demanded services. The architecture of cloud computing consists of different kinds of configurable distributed systems with a wide variety of connectivity and usage. The organizations are adapting to cloud networks at a rapid pace due to the benefits like cost-effectiveness, scalability, reliability and flexibility.
Increasing penetration of mobiles and tablets has enabled employees to connect to the enterprise network through their mobiles and laptops. Instead of using their old office desktops, employees like to use their own devices in enterprises, which increases the need for cloud identity and access management. Though the primary merits of cloud computing are promising facts, cloud networks are vulnerable to various kinds of network attacks and privacy issues. Lack of efficient mechanism creates multiple challenges in a cloud environment which include identity management, risk management, trust management, compliance, data security, privacy, transparency, and data leakage.
Additionally, many organizations use a multi-cloud strategy. Each provider has its policies, tools and terminology. There is no common language that helps understand relationships and permissions across cloud providers. Features like multi-tenancy and the third-party managed infrastructure in the cloud environment necessitate the requirement of identity and access management mechanism. Managing privileged users with access to an ever-expanding set of services, and separate IAM roles and groups for these users is challenging. Resources add another layer of complexity to it. We're now seeing a renewed focus on IAM due to the rise of abstracted cloud services and the recent wave of high-profile data breaches.
Today, most of the businesses use some form of Single Sign-On (SSO) to manage the way users interact with cloud services. This is an effective way of centralizing access across many users and services. While using SSO to log into public cloud accounts, the mapping between SSO users and IAM roles needs to be planned efficiently. The rise of SSO in combination with MFA and the maturation of cloud platforms will likely result in a reduction in on-premise centralized directories. As more enterprises transition to hybrid infrastructures to the cloud, flexibility means relying less on systems and applications that pair with on-premise centralized directories to authorize user access. The cloud will undoubtedly control IAM's transformation and capabilities for the foreseeable future.
Why consumer IAM (CIAM) is crucial for businesses in this ever-increasing, tech-savvy world?
Ans: Consumer Identity and Access Management (CIAM) is still relatively new but it is rapidly becoming a `must-have' for any customer-focused business. It sets the foundation for an enterprise to deliver great customer experiences while creating the ideal balance between convenience and security. Traditional IAM, which worked well for employees to connect to internal and cloud-based resources, provided a great platform to manage business users but fell well short of customer-specific requirements such as consent, preference and privacy management. Moreover, this type of identity solution lacked the performance and scale to meet the needs of potentially millions of consecutive customer interactions. It didn't take long for the organizations to realize that, by using CIAM solutions, in addition to enhanced security, they also had much more visibility into their customer behaviour.
CIAM allows businesses to manage customer identities, preferences, and profile information at scale. Companies use CIAM to create user-friendly, seamless online experiences for their customers. Many CIAM solutions include multi-factor authentication (MFA) capabilities for secured access and offer federated identity features, such as Single Sign-On (SSO) or social login so that the customers need to authenticate only once to access a suite of different company applications. Businesses also use CIAM to maintain customer consent and other preferences to comply with data privacy laws such as GDPR and CCPA.
An efficient CIAM platform lowers the threshold to entry by streamlining customer onboarding with friction-free social login, registration, single sign-on (SSO), and step-up authentication. It should be designed in such a way that it can scale on demand.
What are the key characteristics of a trusted IAM platform?
Ans: Identity and access management (IAM) in an enterprise is about defining and managing the roles and access privileges of individual network users and the circumstances in which users are granted (or denied) those privileges. Those users might be customers (customer identity management) or employees (employee identity management). The platform must not only be equipped for today's business needs but also be able to handle future access requirements.
As more organizations turn to mobile-friendly and cloud-based platforms, the need to provide a safe and secure place to store identifiable information becomes more important. More accessibility means more entry points, which means we must rethink how we approach security. IAM policies need to adopt the fluid boundaries of today's technology. From the slow demise of passwords to the increasing implementation of zero-trust security, strong authentication factors help build a circle of trusted identities. The best way to enforce this circle is to add layers of trust that needs to be verified before you allow access.
Identity management solutions can mitigate threats by allowing for detailed behavioural and contextual access control. Analytics are integral to many enterprise systems, including identity management. Identity analytics reveal how a user access and interact with networks, which provides essential information for clarifying roles and honing access policies.
Argha Bose, Head Cyber Security And Risk Business, Tata Advanced Systems
A 26 years experienced technology & security professional, he is excellent in creating strategic alliances with leading OEMs. Primarily focused on cybersecurity including Identity & Access Management & Consulting, he has worked with global clients across the globe.
Many organizations look to incorporate blockchain technology into IAM to deal with issues of authentication and authorization. On the authorization aspects, whilst distributed ledgers such as blockchain are good at storing and archiving information indisputably, they are not fit for managing real-time access authorization and real-time contextual enforcement.
As more organizations turn to mobile-friendly and cloud-based platforms, the need to provide a safe and secure place to store identifiable information becomes more important
Blockchain technology will be able to provide a decentralized and reasonably secure way to store and verify the proof of identifiers for the identities. It is likely to help users to create, prove and register their own identities and related identifiers to make use of growing digital services. It is expected to reduce operational risks and costs by eliminating the need for replicated identity repositories and data. As such, for blockchain to be of genuine value in the IAM space, there seems to be a common understanding that identities and private information should not be stored on public blockchain networks. Rather, only individuals' unique cryptographic identifiers should be stored and referenced. What would be interesting to watch for is that its adoption in IAM would require more open-source availability, easier financial models and privacy and user experience would be the key amongst all.
How security in the cloud can be ensured using IAM?
Ans: Cloud computing is a complex system with a combination of diverse networked devices that supports demanded services. The architecture of cloud computing consists of different kinds of configurable distributed systems with a wide variety of connectivity and usage. The organizations are adapting to cloud networks at a rapid pace due to the benefits like cost-effectiveness, scalability, reliability and flexibility.
Increasing penetration of mobiles and tablets has enabled employees to connect to the enterprise network through their mobiles and laptops. Instead of using their old office desktops, employees like to use their own devices in enterprises, which increases the need for cloud identity and access management. Though the primary merits of cloud computing are promising facts, cloud networks are vulnerable to various kinds of network attacks and privacy issues. Lack of efficient mechanism creates multiple challenges in a cloud environment which include identity management, risk management, trust management, compliance, data security, privacy, transparency, and data leakage.
Additionally, many organizations use a multi-cloud strategy. Each provider has its policies, tools and terminology. There is no common language that helps understand relationships and permissions across cloud providers. Features like multi-tenancy and the third-party managed infrastructure in the cloud environment necessitate the requirement of identity and access management mechanism. Managing privileged users with access to an ever-expanding set of services, and separate IAM roles and groups for these users is challenging. Resources add another layer of complexity to it. We're now seeing a renewed focus on IAM due to the rise of abstracted cloud services and the recent wave of high-profile data breaches.
Today, most of the businesses use some form of Single Sign-On (SSO) to manage the way users interact with cloud services. This is an effective way of centralizing access across many users and services. While using SSO to log into public cloud accounts, the mapping between SSO users and IAM roles needs to be planned efficiently. The rise of SSO in combination with MFA and the maturation of cloud platforms will likely result in a reduction in on-premise centralized directories. As more enterprises transition to hybrid infrastructures to the cloud, flexibility means relying less on systems and applications that pair with on-premise centralized directories to authorize user access. The cloud will undoubtedly control IAM's transformation and capabilities for the foreseeable future.
Why consumer IAM (CIAM) is crucial for businesses in this ever-increasing, tech-savvy world?
Ans: Consumer Identity and Access Management (CIAM) is still relatively new but it is rapidly becoming a `must-have' for any customer-focused business. It sets the foundation for an enterprise to deliver great customer experiences while creating the ideal balance between convenience and security. Traditional IAM, which worked well for employees to connect to internal and cloud-based resources, provided a great platform to manage business users but fell well short of customer-specific requirements such as consent, preference and privacy management. Moreover, this type of identity solution lacked the performance and scale to meet the needs of potentially millions of consecutive customer interactions. It didn't take long for the organizations to realize that, by using CIAM solutions, in addition to enhanced security, they also had much more visibility into their customer behaviour.
CIAM allows businesses to manage customer identities, preferences, and profile information at scale. Companies use CIAM to create user-friendly, seamless online experiences for their customers. Many CIAM solutions include multi-factor authentication (MFA) capabilities for secured access and offer federated identity features, such as Single Sign-On (SSO) or social login so that the customers need to authenticate only once to access a suite of different company applications. Businesses also use CIAM to maintain customer consent and other preferences to comply with data privacy laws such as GDPR and CCPA.
An efficient CIAM platform lowers the threshold to entry by streamlining customer onboarding with friction-free social login, registration, single sign-on (SSO), and step-up authentication. It should be designed in such a way that it can scale on demand.
What are the key characteristics of a trusted IAM platform?
Ans: Identity and access management (IAM) in an enterprise is about defining and managing the roles and access privileges of individual network users and the circumstances in which users are granted (or denied) those privileges. Those users might be customers (customer identity management) or employees (employee identity management). The platform must not only be equipped for today's business needs but also be able to handle future access requirements.
As more organizations turn to mobile-friendly and cloud-based platforms, the need to provide a safe and secure place to store identifiable information becomes more important. More accessibility means more entry points, which means we must rethink how we approach security. IAM policies need to adopt the fluid boundaries of today's technology. From the slow demise of passwords to the increasing implementation of zero-trust security, strong authentication factors help build a circle of trusted identities. The best way to enforce this circle is to add layers of trust that needs to be verified before you allow access.
Identity management solutions can mitigate threats by allowing for detailed behavioural and contextual access control. Analytics are integral to many enterprise systems, including identity management. Identity analytics reveal how a user access and interact with networks, which provides essential information for clarifying roles and honing access policies.
Argha Bose, Head Cyber Security And Risk Business, Tata Advanced Systems
A 26 years experienced technology & security professional, he is excellent in creating strategic alliances with leading OEMs. Primarily focused on cybersecurity including Identity & Access Management & Consulting, he has worked with global clients across the globe.