Keeping track of user names and passwords sounds easy, but it is not. In a world where protected network resources are accessed by employees on mobile devices, outside contractors, web applications and internet of things (IoT) devices, passwords just don’t cut it anymore.
The stakes are high: Eighty-one percent of confirmed data breaches in 2018 involved a compromised identity, according to the Verizon Data Breach Investigations Report.
Accordingly, breaches, attacks and increased complexities around these issues are spurring the emergence of a broad range of discussions around using identity- and access-management (IAM) solutions.
Earlier this week for instance, the OMB announced plans to harden its identity-, credential- and access-management policies. The move, similar to those in the private sector, is recognition that while traditional security approaches remain important, a new growing risk lies in poorly managed digital identities.
“While hardening the perimeter is important, agencies must shift from simply managing access inside and outside of the perimeter to using identity as the underpinning for managing the risk posed by attempts to access federal resources made by users and information systems,” wrote Russell Vought, director of the White House’s Office of Management and Budget (OMB) on Tuesday (PDF).
This area of security is evolving fast and is sometimes hard to navigate: key players use a mix of different definitions and acronyms to describe mostly the same thing. For example, the White House calls it Identity, Credential and Access Management (ICAM), Forrester Research calls it Identity Management and Governance (IMG), Gartner calls it Privileged Access Management (PAM) and still others refer to the area as Identity-as-a-Service (IDaaS).
Here is a brief primer to help parse the space a bit better.
All Encompassing Term
Identity- and access-management (IAM) refers to a framework of policies and technologies for ensuring that the proper people, applications and non-human devices both within an enterprise and outside of it have the appropriate access and access rights to technology resources.
IAM systems identify, authenticate and authorize individuals who will be utilizing IT resources. Increasingly, IAM also pertains to the cloud services, mobile and web applications and IoT systems that connect to those resources as well.
Warning Signs
A recent SailPoint Identity Report estimates that 54 percent of organizations have an identity program in place. Yet the same study found that 88 percent of companies are not properly managing access to data behind corporate firewalls, such as office-related files. In fact, only one in 10 organizations told SailPoint that they monitored user access to those files, leaving the majority of organizations without oversight.
Trends Shaping Identity Management
What’s driving the IAM market?
“For today’s digital businesses, identity management and governance (IMG) involves more than just provisioning and enforcing employee access to corporate apps and data,” wrote Forrester Research in a recent report on drivers of the technology. “Security pros must now govern and secure access across a hybrid application environment and myriad of IoT devices for a variety of populations — employees, partners, and customers — all without hurting user experience.”
Passwords Don’t Cut It
An IAM approach strives to streamline access management via a single user sign-on tied to multiple services and based on predefined user roles. An IAM framework grants users access to only the resources they need and are authorized to access. Management is centralized either on- or off-premise; this centralized nature of the process allows for faster onboarding, off-boarding and provisioning of employees.
Into the Cloud
As platforms and infrastructure move to the cloud, so do IAM services. Google and Amazon offer pre-integrated tools, and a host of companies are offering IDaaS for management and provisioning. Features support token exchange, token validation, authorization and authentication.
Non-Human Identities
By 2022 there will be an estimated 29 billion connected devices, of which 18 billion will be related to IoT, according to a recent report by telecommunications firm Ericsson. Many of those connected things, plus the mobile apps and autonomous processes that drive them, will need new IAM solutions.
“Identity and access management can depend on a lot of different things,” said Noam Liran, director of customer success at CyberArk. “It used to be just based on [the question of], does that identity have a password. Now, companies need to manage identities of microservices, cloud containers and mobile apps seeking access to privileged data in the cloud.”
Liran added that even a website with a simple chat system needs access management. “A customer-service chatbot can be another form of identity to manage,” he said. “We have customers who are using a chatbot to grab tracking numbers from UPS or FedEx deliveries and then push the shipping data into a database.” Each one of those interactions requires a privileged relationship.
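As an added illustration (not code from this article or from any vendor it mentions), the sketch below models the centralized, role-based access described under "Passwords Don’t Cut It" together with a non-human chatbot identity like the one Liran describes. The role names, service names and identities are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role catalogue: role -> set of (service, action) permissions.
ROLES = {
    "support-agent": {("ticketing", "read"), ("ticketing", "write")},
    "shipping-bot": {("carrier-api", "read"), ("shipping-db", "write")},
}

@dataclass
class Identity:
    name: str
    kind: str                      # "human" or "non-human"
    roles: set = field(default_factory=set)
    active: bool = True

class Directory:
    """Single central store that every service consults for decisions."""
    def __init__(self):
        self._ids = {}
        self.audit = []            # every decision is recorded for review

    def onboard(self, name, kind, roles):
        unknown = set(roles) - set(ROLES)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self._ids[name] = Identity(name, kind, set(roles))

    def offboard(self, name):
        # One central change revokes access to every service at once.
        self._ids[name].active = False

    def is_allowed(self, name, service, action):
        ident = self._ids.get(name)
        allowed = bool(
            ident and ident.active
            and any((service, action) in ROLES[r] for r in ident.roles)
        )
        self.audit.append((name, service, action, allowed))
        return allowed

def demo():
    d = Directory()
    d.onboard("alice", "human", ["support-agent"])
    d.onboard("chatbot-01", "non-human", ["shipping-bot"])
    results = [
        d.is_allowed("chatbot-01", "carrier-api", "read"),   # granted by role
        d.is_allowed("chatbot-01", "shipping-db", "write"),  # granted by role
        d.is_allowed("chatbot-01", "shipping-db", "read"),   # never granted
        d.is_allowed("alice", "ticketing", "write"),
    ]
    d.offboard("alice")
    results.append(d.is_allowed("alice", "ticketing", "write"))  # revoked
    results.append(d.is_allowed("mallory", "ticketing", "read")) # unknown identity
    return results, d.audit
```

The chatbot can read tracking data and write shipping records but cannot read the database back, and the audit list gives the access oversight that the SailPoint figures say most organizations lack.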
It’s worth noting that businesses are taking notice: The global market for IAM systems grew from $4.5 billion in 2012 to $7.1 billion in 2018. By 2021, according to MarketsAndMarkets, it is expected to reach $14.82 billion.