Investment in identity security and identity protection has reached an all-time high. This year, the value of the global identity and access management (IAM) market is projected to reach $20.75 billion. This is hardly surprising; Gartner recently estimated that roughly 75% of all security failures are attributable to poor identity, access, and privilege management. What does the future hold for identity management?
Despite increased investments in identity threat detection and response (ITDR), organizations still struggle with implementation. Often, the departments within an organization are foundationally disconnected, which defeats any chance at driving a sustainable identity culture. According to Denis Ontiveros Merlo, vice president of enterprise platforms at bp, this disconnect isn’t something businesses can address internally.
“We’ve built an entire ecosystem which, without realizing it, has created anti-patterns [in the name of security] that defeat the end goal of making identity frictionless, safe, and secure,” Ontiveros Merlo explains. “People drive these patterns because they think it’s the right thing, and we end up in a vicious cycle. There’s a lot of education that needs to happen for us to break free from this.”
Education about the latest identity management capabilities is the first step toward the future of identity management. But it’s not the only challenge organizations will encounter along the way.
Stumbling through a new identity management landscape
In many ways, the enterprise sector is still recovering from the paradigm shift that occurred during the pandemic. Everything is now digital, distributed, and federated, regardless of whether we want it to be. This shift represents a considerable challenge for organizations that are used to managing centralized infrastructure and teams.
“When it comes to enforcing some sense of governance, there’s no longer one throat to choke, as the saying goes,” says Ontiveros Merlo. “Whereas everything was monolithic before, now we’ve got a multitude of small components all working together. Alongside digital transformation and remote work, microservices architecture is becoming the norm.
“All those components have to authenticate and trust one another,” he continues. “Every user, machine, application, device, and sensor. It’s a considerable challenge, but I believe it’s an opportunity as well. We can see this with Azure B2B, which one could regard as the start of decentralized identity.”
The folly of forcing identity management into a box
We love the idea that there’s a one-size-fits-all solution to ITDR. However, organizations have different capabilities, constraints, and requirements. Technologies and strategies that work for one business could completely fail for another.
“I’ve always found it interesting that where identity challenges like privileged access are concerned, we tend to build solutions and ecosystems that ultimately tend toward configuration drift,” muses Ontiveros Merlo. “The ideal pattern would be to instead push code declaratively through continuous integration/continuous delivery (CI/CD). However, before we can get there, we need to be more conscious and mindful of the biases we can have when adopting new technology—of the anti-patterns we can fall into.
“We also need to be more aware of how we embed technology into the organization,” he adds.
Identity management isn’t just for admins
Identity management has traditionally been viewed as an administrative concern. However, identity is relevant to far more than just administrators.
“We need to ask who the customer is in this situation,” says Ontiveros Merlo. “Because identity tends to be a shared service, it’s often used as an enforcing point for governance. But the reality is that governance and accountability are everyone’s responsibility.”
We can’t expect identity teams to address issues such as privacy or segregation of duties. When developing and deploying identity management solutions, we also must consider the user experience and how our processes and policies play into that. Security and convenience can no longer be at odds with one another.
Moving beyond RBAC
In the long term, Ontiveros Merlo says, role-based access control (RBAC) might not be the best fit for a distributed future. This shift has the potential to be quite disruptive.
RBAC was all well and good in older, more monolithic systems where there wasn’t a great deal of change. However, today’s business landscape—and roles—are highly dynamic.
“When your organization changes and your roles don’t, that creates friction,” Ontiveros Merlo explains. “Users end up being given either too much or too little access. Policy-based access is far more dynamic, which is why we’ve seen authentication standards evolve to such a degree in recent years.”
Although authentication has evolved, authorization appears to lag. Only now are we beginning to see new technologies that externalize and standardize authorization concepts. Recertification, particularly around contextual assets, is another major identity management challenge the industry must overcome.
Avoiding the anti-patterns of identity management
The security community has an unfortunate tendency to dig in its heels when it believes it’s found the “right” way to do something, and that’s dangerous.
“When we shut down conversations without considering exactly what they mean, we push things into a much less secure channel,” says Ontiveros Merlo. “Especially with complex systems, we tend to drift into set behaviors. We all need to be a bit more mindful of context, of our own biases, of the wider industry, and of what other departments can teach us about our own.”
Ontiveros Merlo recommends applying engineering and psychological practices to identity management—to embrace a broad, multidisciplinary approach that focuses on solving problems through data, customer centricity, and critical thinking.
“Ultimately, treat identity as a product and be curious about the friction it creates for your customers,” he says. “Those could be end users, application developers, or even developers who are reinventing your registration and login journey. Whoever they are, try to reduce the cognitive load on those distributed teams, so they can focus on doing what they do best.”
We’re all in this together
The identity space has evolved in leaps and bounds over the past few years, but the greatest challenges are yet to come. Machine identities are joining customer and business identities as multiple businesses and entities work together across intricately connected supply chains. Inevitably, a company will have to grant access to identities for which it isn’t the authoritative source.
Collaboration isn’t simply a recommendation in this scenario—it represents the only path forward.
“We’ll be using data much more for behavioral analytics and to provide context to identities,” Ontiveros Merlo predicts. “And for managing everything from recertification to transaction security. No one will be able to solve problems like this alone. In the future, we’ll need cross-pollination. We’ll need partnerships and collaboration across businesses and disciplines.”