Developments in IT Security Part 2

The shifting face of Identity and Access Management

(Part 2)

by Co-CEO Andrew John Zeller, PhD & Patrick Abrudean

In our second part, we highlight further drivers and trends in Identity and Access Management, including API architectures and the Internet of Things. We also share an approach for analyzing and redesigning your current IAM landscape.

Read more about “Adaptive Authentication” and “Modern customer experience” in “Developments in IT Security Part 1”.

1. API Architectures

With the advent of ubiquitous API management, in which systems access other systems or modules to fulfil technical jobs, often asynchronously, the focus of IAM shifts to identifying, monitoring, and managing machine identities (Newman, 2015, p. 68f.). In a secure environment, these machines need to request access data, which in turn must be validated each time the system accesses any resource in the infrastructure. The same applies to workloads that may need temporary access to resources.

AWS Architecture for IAM key rotation (Amazon Web Services, 2019)

While this provisioning of machine identities requires a highly secure architecture, every activity within the previously defined boundaries also has to be programmatically monitored and logged to enforce compliance and leave an auditable trail of every API call (see above). Medjaoui et al. go one step further and propose machine-driven governance as a design pattern for continuous API management (Medjaoui et al., 2019, p. 36). In addition, a survey published by Radware revealed that 92 percent of organizations have increased their API usage; in contrast to this trend, however, 62 percent also admitted that their API structures are poorly documented (Radware, 2022, p. 4).
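The per-request validation, temporary workload credentials, audit trail and key-age check described above, as an added Python illustration that is not code from the article or from AWS; the service class, machine ids, secrets and the 90-day rotation policy are assumptions:

```python
import hashlib
import hmac
import json

# Added illustration, not the article's or AWS's code; machine ids, secrets and
# the 90-day rotation policy are assumptions. `now` is an injectable clock.
ROTATION_MAX_AGE_S = 90 * 24 * 3600
class MachineIdentityService:
    def __init__(self, signing_key: bytes, now):
        self._signing_key = signing_key   # server-side key for token HMACs
        self._now = now                   # callable returning epoch seconds
        self.machines = {}                # machine id -> (long-lived secret, created_at)
        self.audit_log = []               # append-only trail of every decision

    def register(self, machine_id, secret):
        self.machines[machine_id] = (secret, self._now())

    def issue(self, machine_id, secret, scope, ttl_s):
        known = self.machines.get(machine_id)   # long-lived secret the workload presents
        if known is None or not hmac.compare_digest(known[0], secret):
            return self._audit("issue", machine_id, scope, False, "bad-credential")
        body = json.dumps({"sub": machine_id, "scope": scope,
                           "exp": self._now() + ttl_s}, sort_keys=True).encode()
        sig = hmac.new(self._signing_key, body, hashlib.sha256).hexdigest()
        self._audit("issue", machine_id, scope, True)
        return body.hex() + "." + sig   # short-lived, scoped, signed token

    def authorize(self, token, resource, scope):
        # Re-validate signature, expiry and scope on every call; never cache the result.
        try:
            body_hex, sig = token.split(".", 1)
            body = bytes.fromhex(body_hex)
        except ValueError:
            return self._audit("authorize", "?", resource, False, "malformed")
        expected = hmac.new(self._signing_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return self._audit("authorize", "?", resource, False, "bad-signature")
        claims = json.loads(body)
        reason = ("expired" if claims["exp"] <= self._now()
                  else "scope" if claims["scope"] != scope else "ok")
        return self._audit("authorize", claims["sub"], resource, reason == "ok", reason)

    def keys_due_for_rotation(self):
        return [m for m, (_, created) in self.machines.items()
                if self._now() - created > ROTATION_MAX_AGE_S]

    def _audit(self, action, subject, target, allowed, reason="ok"):
        self.audit_log.append({"ts": self._now(), "action": action, "sub": subject,
                               "target": target, "allowed": allowed, "reason": reason})
        return allowed   # lets a caller log and return the decision in one step
```

Every issue and authorize decision, allowed or denied, lands in `audit_log` with a reason, and `keys_due_for_rotation` is the check a scheduled rotation job would run against the machine inventory.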

2. Internet of Things

The Internet of Things (IoT) continues to see tremendous growth in both consumer and business landscapes. As a result, the need to minimize the security risk of new devices being added to the network is also increasing. This is no longer just about managing people, but also about managing the billions of connected devices, machines and similar endpoints that may be attached to a given network. Accordingly, there is strong demand for identity management services that provide secure identity and access management for these IoT devices to prevent intruders from infiltrating the network (Fan et al., p. 186f.). An IAM infrastructure must therefore be designed to scale as the number of devices increases, where each device has a multi-layered relationship with other network entities or devices. Consequently, enterprises are increasingly working with IAM systems that must authenticate a user’s access across numerous devices. Another approach to securing IoT devices is to embed device identities directly into the processing chip, making them an integral part of the hardware (Cremonezi et al., 2020, p. 2f.).

In the future, IAM within the IoT will evolve beyond the boundaries of user-centric identities to a more comprehensive, information-seeking model. Taking the multi-layered approach, this new model will include machine and system identities as well as the management of IoT devices and platforms.

What should be done?

In terms of IT management, the potential consequences for existing IAM architectures are naturally manifold. A thorough understanding of the current state and a pathway to a derived target model need to be worked out in order to prioritize potential investment. An innovative three-pronged methodology, based on proven approach patterns (Hewitt, 2019, p. 161ff.), will help:

1. Assessment

A quick assessment of the general health of the IAM environment in combination with a check of the GRC (Governance, Risk, Compliance) environment will provide a solid foundation to understand the impact of any IAM trends or changes. In addition, the scope of the current IAM system can be reviewed and then analyzed to determine potentially beneficial changes.

2. Target model

Using the results of the first phase, a set of requirements addressing the future state of the system is compiled. Be sure to define a clear vision and operational goals for the revised system. Furthermore, reallocate your resources and assess the financial, organizational, and technical feasibility of the planned changes. This in turn is used to fill the backlog(s) of the subsequent development project(s).

3. Delivery

Once the impact of the trends is understood, a target model has been derived, and the requirements have been verified, the resulting program or project has to be delivered. Companies need to beware of moving goalposts at this point and must constantly measure progress against the originally intended target model with its previously defined objectives.

Business Steps


For more details, please feel free to contact Patrick Abrudean (Analyst).

Amazon Web Services (2019) IAM-Benutzer-Zugriffsschlüssel automatisch drehen – AWS Prescriptive Guidance [Online]. Available at https:///de_de/prescriptive-guidance/latest/patterns/automatically-rotate-iam-user-access-keys.html (Accessed 29 June 2022).

Arias-Cabarcos, P., Krupitzer, C. and Becker, C. (2020) ‘A Survey on Adaptive Authentication’, ACM Computing Surveys, no. 4, pp. 1–30 [Online]. DOI: 10.1145/3336117.

Atchison, L. (2016) Architecting for scale: High availability for your growing applications, Beijing, Boston, Farnham, Sebastopol, Tokyo, O’Reilly.

Atos (2022) Top 5 IAM Trends and Predictions for 2022 [Online]. Available at https:///en/lp/atos-top-cybersecurity-predictions-2022/top-5-iam-trends-and-predictions-for-2022 (Accessed 29 June 2022).

Cremonezi, B., Vieira, A., Nacif, J. A. and Nogueira, M. (2020) ‘Survey on Identity and Access Management for Internet of Things’.

Fan, X., Chai, Q., Xu, L. and Guo, D. ‘DIAM-IoT: A Decentralized Identity and Access Management Framework for Internet of Things’, in Gai, Raymond Choo et al. (eds.) – Proceedings of the 2nd ACM, pp. 186–191.

Gartner (2021) Gartner Forecasts Worldwide Security and Risk Management Spending to Exceed $150 Billion in 2021 [Online]. Available at https:///en/newsroom/press-releases/2021-05-17-gartner-forecasts-worldwide-security-and-risk-managem (Accessed 29 June 2022).

Gartner (2022) 6 Identity and Access Management Trends to Plan for in 2022 [Online]. Available at https:///en/articles/iam-leaders-plan-to-adopt-these-6-identity-and-access-management-trends (Accessed 29 June 2022).

Hewitt, E. (2019) Technology strategy patterns: Architecture as strategy, Beijing, Boston, Farnham, Sebastopol, Tokyo, O’Reilly.

Ikeda, S. (2021) ‘Coinbase Hack Attributed to a Multi-factor Authentication Flaw That Allowed Scammers To Steal Cryptocurren’, CPO Magazine, 15 October [Online]. Available at https:///cyber-security/coinbase-hack-attributed-to-a-multi-factor-authentication-flaw-that-allowed-scammers-to-steal-cryptocurrency-from-6000-accounts/ (Accessed 29 June 2022).

Medjaoui, M., Wilde, E., Mitra, R. and Amundsen, M. (2019) Continuous API Management: Making the right decisions in an evolving landscape, Beijing, Boston, Farnham, Sebastopol, Tokyo, O’Reilly.

Radware (2022) ‘2022 State of API Security: EMA Research Report’ [Online]. Available at https:///2022-state-of-api-security-report/.

Sedlmeir, J., Lautenschlager, J., Fridgen, G. and Urbach, N. (2022) ‘The transparency challenge of blockchain in organizations’, Electronic Markets, pp. 1–16.

Stockburger, L., Kokosioulis, G., Mukkamala, A., Mukkamala, R. R. and Avital, M. (2021) ‘Blockchain-enabled decentralized identity management: The case of self-sovereign identity in public transportation’, Blockchain: Research and Applications, vol. 2, no. 2, pp. 1–18 [Online]. DOI: 10.1016/j.bcra.2021.100014.

Strüker, J., Urbach, N., Guggenberger, T., Lautenschlager, J., Ruhland, N., Schlatt, V., Sedlmeir, J., Stoetzer, J.-C. and Völter, F. (2021) ‘Self-Sovereign Identity – Foundations, Applications, and Potentials of Portable Digital Identities’, pp. 1–49 [Online]. Available at https:///publication/354653404_Self-Sovereign_Identity_-_Foundations_Applications_and_Potentials_of_Portable_Digital_Identities.