The shifting face of Identity and Access Management
by Co-CEO Andrew John Zeller, PhD & Patrick Abrudean
Do we really know who is accessing our data? And for what reasons? Even worse, how can we make sure data is not deliberately being corrupted, stolen, or deleted by those accessing it?
The demand for secure access has skyrocketed in recent years. Organizations must meet the access needs of a wide range of users across numerous, disparate applications while ensuring adequate IT security. True to its name, identity and access management has largely been viewed as primarily focusing on human identities and how to manage them. But rapid changes in technologies, organizational requirements, user expectations, business opportunities, and risks require a more flexible architecture and are driving the development of identity and access management (IAM) in the enterprise (Gartner, 2022).
In this article, we address the following two topics:
1. Adaptive Authentication and
2. Modern Customer Experience
[Figure: Key Drivers in Identity and Access Management: Compliance & Regulatory; Enhancement through Technology]
According to Gartner, the global market for IAM has been growing at a compound annual growth rate of 15% over the past five years, with an estimated revenue of approximately $13.92 billion in 2021 (Gartner, 2021). Consequently, it is important to keep a close eye on this market and stay up to date with the latest developments, drivers, and trends. In total, we currently see four major evolving, overarching areas where IAM is undergoing significant change.
1. Adaptive Authentication
While methods such as single sign-on (SSO), federated identities, and zero trust remain important, new factors are increasingly coming to the fore. The trend towards decentralized, location-independent data processing is placing greater demands on access management (Stockburger et al., 2021, p. 1f.). Access management platforms face the challenge of developing more advanced solutions to differentiate between valid users and malicious bots or imposters, without inconveniencing legitimate users. While multi-factor authentication (MFA) has become one of the most popular IAM elements, there is still a lot of room for improvement, as data breaches continue to occur and in turn cause significant revenue losses. Perhaps one of the most recent examples of MFA failure is the Coinbase data breach in 2021. Here, hackers managed to steal cryptocurrencies from around 6,000 Coinbase accounts after bypassing multi-factor authentication as part of a suspected phishing campaign (Ikeda, 2021).
Adaptive Authentication represents the next generation of MFA: it uses machine learning to detect suspicious user behavior or illegitimate access. It captures signals such as login time, device, location, browser and IP address, as well as other data that can be used to assess the authenticity of a login attempt (Arias-Cabarcos et al., 2020, p. 1ff.). If a login attempt is deemed suspicious, the system either prompts the user for additional authentication (a step-up request) or denies access. Such solutions make it possible to discover data patterns that are extremely helpful in reducing fraud and identifying risks. As product offerings evolve, the adoption of AI and ML in IAM processes is set to increase, enabling significant user experience improvements through automation and the elimination of manual touchpoints throughout the IAM lifecycle. As a result, nearly every entity will benefit from these improvements, from clients to employees (Atos, 2022).
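As an added illustration (not code from the article or from any vendor product) of the allow / step-up / deny decision described above, the following scores a login attempt against a per-user baseline; the profile data, IP list and weights are constructed assumptions standing in for what a trained model would provide.

```python
from dataclasses import dataclass, field

# Constructed per-user baseline, standing in for what the ML model would learn
# from past successful logins.
@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(7, 20)          # local time, 07:00 to 19:59

@dataclass
class LoginAttempt:
    device_id: str
    country: str
    ip: str
    hour: int                                   # hour of day, 0-23

# Hypothetical weights for illustration; a real deployment tunes these from data.
WEIGHTS = {"new_device": 40, "new_country": 30, "odd_hour": 15, "flagged_ip": 40}

def risk_score(profile, attempt, flagged_ips):
    """Return (score, reasons); a higher score means a more suspicious attempt."""
    reasons = []
    if attempt.device_id not in profile.known_devices:
        reasons.append("new_device")
    if attempt.country not in profile.usual_countries:
        reasons.append("new_country")
    if attempt.hour not in profile.usual_hours:
        reasons.append("odd_hour")
    if attempt.ip in flagged_ips:                # e.g. a known proxy/Tor exit list
        reasons.append("flagged_ip")
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(score):
    """Map the score to the three outcomes described in the text."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step_up"                        # ask for an additional factor
    return "deny"

# Constructed sample data (RFC 5737 documentation addresses).
PROFILE = UserProfile(known_devices={"laptop-01"}, usual_countries={"DE"})
FLAGGED_IPS = {"203.0.113.9"}

if __name__ == "__main__":
    for att in (LoginAttempt("laptop-01", "DE", "198.51.100.4", 9),
                LoginAttempt("phone-99", "DE", "198.51.100.4", 9),
                LoginAttempt("unknown", "XX", "203.0.113.9", 3)):
        score, why = risk_score(PROFILE, att, FLAGGED_IPS)
        print(att.device_id, score, decide(score), why)
```

The reasons list is what an analyst would want logged alongside the decision, so that step-up and deny events can be reviewed and the weights adjusted.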
As described, IAM is starting to encompass much more than the initial authorization and identification of users. One very promising approach is adding claims to identity tokens that are generated after login and issued to the user, in order to manage fine-grained access control, primarily in web and mobile applications. Without identity tokens, each time a certain function needs to be called, a request is sent to a central data store (usually a NoSQL database) to retrieve who has what level of access, if any. The introduction of an identity token removes this step entirely and thus leads to a much faster and less coupled architecture.
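An added example (not from the article) of the claims-based approach above: an HS256-signed JWT carries the user's roles, and the authorization check verifies the signature and expiry locally instead of querying a central store. The signing key, claim names and the fixed timestamps are assumptions; a real identity provider would also handle key rotation and revocation, which this example omits.

```python
import base64, hashlib, hmac, json, time

# Hypothetical signing key; in a real deployment it lives in the IdP's key store.
SECRET = b"example-signing-key-do-not-reuse"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def enc_json(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def issue_token(sub, roles, ttl=900, now=None):
    """Mint an HS256 JWT whose 'roles' claim carries the user's access level."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = f"{enc_json(header)}.{enc_json(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":   # reject 'none' etc.
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        return None
    claims = json.loads(b64url_decode(p))
    return claims if claims.get("exp", 0) > now else None

def can_access(token, required_role, now=None):
    """Authorization decision from the token alone: no round trip to a data store."""
    claims = verify_token(token, now)
    return claims is not None and required_role in claims.get("roles", [])

if __name__ == "__main__":
    tok = issue_token("alice", ["reader"])
    print(can_access(tok, "reader"), can_access(tok, "admin"))   # True False
```

Because the roles live in the token, a role change only takes effect when the token is reissued, which is why short lifetimes (the ttl above) matter.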
2. Modern Customer Experience
Along with the increasing number and importance of digital interactions, the requirement for an excellent overall user experience keeps growing. The ever-expanding regulatory environment is having a major impact on companies that have not previously implemented regulations such as GDPR or have not addressed them comprehensively. This requires updating existing solutions and creates opportunities to modernize IAM infrastructures or even complete applications. The new regulations require companies to obtain users' consent to store and/or use their personal data. As a result, IAM priorities should be aligned with business and IT priorities that provide an omnichannel experience and unify customer profile data (Atchison, 2016, p. 27ff.; Gartner, 2022).

In addition, privacy is driving the adoption and innovation of identity services, such as blockchain, to support user-centric, privacy-compliant services. In particular, new technologies like blockchain offer functionalities such as transparency, reliability, and integrity – making it a popular candidate for ensuring data privacy in both public and private sectors (Sedlmeir et al., 2022, p. 3ff.). In the context of IAM, two aspects come into play. The first is Self-Sovereign Identity, the concept that individuals hold their entire identity as their own personal property, rather than having it managed by an organization or third-party provider. Especially in times of cyber-attacks and demanding privacy-related regulations, this can significantly improve the user experience. The second aspect is the audit trail, which records the entire history of a user's logins, access requests, granted permissions, changes made, and engagement. This helps an organization monitor activities, detect fraud, and meet compliance requirements (Sedlmeir et al., 2022, p. 8f.; Stockburger et al., 2021, p. 4f.; Strüker et al., 2021, p. 9ff.).
For more details, please feel free to contact Patrick Abrudean (Analyst).
Send your mail to: firstname.lastname@example.org.