Recently I was asked to outline the trends driving the adoption of Identity and Access Management (IAM) technologies. I decided to break this down into five trends that cover the various technologies considered part of the IAM stack of capabilities. This includes Web Access Management, Federation, Identity Management, Provisioning, Role and Compliance, and other IAM technologies. The top five trends driving IAM adoption that we see when working with clients are:
- Too many IDs and passwords: Using an ID and password to access applications is inherently weak. As users are required to authenticate to an increasing number of applications, the likelihood that they will either use the same ID and password or write them down greatly increases. If that credential is compromised or the list of passwords taped under the keyboard is located, others now have access to every one of that user’s application identities. IAM abstracts the authentication process away from the applications. So, a common strong credential can be used without needing to remember an ID and password per application. Other types of credentials can also be easily substituted (like tokens, smart cards, etc.), further increasing the security of the applications.
- User management entropy: Entropy is the move from order to disorder. As the number of applications and sources increases, it becomes increasingly complex to manage the identities for those applications. User provisioning is typically a jumble of manual, error-prone processes that require the involvement of disparate teams. These teams don’t own the overall process. So, no one is ultimately responsible for ensuring that the user is correctly provisioned. At best this leads to a poor user experience and at worst to access to unauthorized systems. While identity management and provisioning systems may not be the nirvana they claim to be, these solutions can sufficiently decrease the number of manual processes to improve user experience and reduce risk for the most important corporate systems.
- Expanding the portal beyond the firewall: With the move to the cloud and the desire for companies to more easily provide services while reducing IT costs, it has become critical to find ways to securely manage identity across the interconnected web of leveraged applications. Web portals are now a mix of services delivered across both on-premises and cloud-based applications. This is further complicated as more systems are added into the mix from both single sign-on and identity security perspectives. IAM technologies support standards like SAML that allow organizations to act as an identity provider for both internal and cloud-based applications. This centralizes the management and authentication of the users while allowing them to securely access cloud-based applications without being re-challenged for credentials. Additionally, single sign-on across internal application services delivered through the portal ensures a seamless user experience and presents users with a single common and cohesive experience. This provides a competitive advantage through both cost reduction and user retention.
- IAM is the lesser of two evils: While IAM technologies and projects can cost a considerable amount, the cost of a security breach is significantly higher. This can be due to financial implications like lawsuits and paying for credit monitoring services or, even worse, the tarnishing of the company’s reputation. The Internet never forgets. Once your company name is associated with a security problem, it will forever be associated with the security event. IAM brings not only better security but also more immediate notification when a security breach occurs. This ensures that breaches are better contained, reducing the overall risk.
- Big Brother wants to know (even more): Government regulation has become an increasingly complex challenge. Whether it is being able to satisfy compliance requirements or to ensure that identity data is properly maintained, companies need to be able to quickly address information requests, attest to system access and sign off on regulations like SOX and other compliance requirements. IAM technologies simplify the process of satisfying regulation requirements and can also generate the artifacts needed to show that the organization is compliant.
What do you see out there?