As the world prepares for recovery from the global pandemic, we are beginning to gain a picture of how workplaces and businesses will continue to evolve. Many organisations have adapted to the pandemic with staff working from home and, as such, have been required to evaluate their cybersecurity policies. One emerging trend is that of identity and access management, a discipline that existed pre-COVID but is now finding prominence as more organisations move business assets and processes online.
An overview of identity and access management
Identity and access management (IAM) encompasses two interrelated disciplines. Identity management refers to the policies, procedures, and data stores required to assign roles, responsibilities, entitlements, and access rights for individuals affiliated with an organisation. Meanwhile, access management refers to the authorisation and enforcement of the given rights to access certain applications and systems, as well as permissions to act within given applications and systems. It also deals with the authentication of users, through passwords, multi-factor authentication and biometrics, to verify that they are who they claim to be.
What is the importance of identity and access management?
IAM is critical to protecting firm and client data. With many applications and computing resources, as well as many workers and all customers, now located outside of the organisation, identity has become the new security perimeter. It is also important for operational efficiency, especially at scale. Granting, changing, and revoking access to thousands of applications for tens of thousands of employees and millions of customers requires automation with a sound governance model in place. Many industries also need to comply with regulations and provide proof of compliance to auditors. Identity governance makes this more effective and efficient.
Having spoken to experts from Forrester within the IT sector, we have compiled five of the top trends in identity management that are set to develop over the next year, and we look at the implications for entrepreneurial and growth-driven businesses.
1. Stronger authentication
As technology progresses, and the requirement to access online data becomes more pressing, we are seeing a push for stronger methods of authenticating users. Historically, passwords have been a primary tool in providing a layer of security against unauthorised access to private accounts. However, as hackers become more sophisticated, the approach of solely using passwords has quickly become outdated and less secure. Humans are creatures of habit, and as such, passwords can be cracked with relative ease.
To combat this weakness, the use of biometric authentication has seen a rise in recent years. Using a fingerprint to open a mobile phone is now commonplace and we continue to see more devices incorporate facial identification, providing another unique layer of security. Multi-factor authentication is a similarly commonplace measure that requires the user to pass at least two security checks when accessing an account. This can take the form of security questions, CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) or other measures deemed appropriate for identifying the user.
An aspect of IAM that is not currently as commonplace is endpoint protection. Endpoint protection is an emerging security trend that protects devices connected remotely to computer networks. This includes laptops, mobile phones, and any other wireless devices that may be vulnerable to cyber-attacks. Endpoint protection is a software approach that helps identify and manage the user’s data access over a corporate network. Sensitive data can be restricted and access to pre-decided websites can be controlled. This provides a great deal of protection against unverified websites that can potentially introduce malware onto a corporate network.
2. Agile solutions
A crucial requirement of IAM is agility. Business dynamics and digital processes are constantly evolving, even more now than ever as more organisations move towards remote working. This presents an increasing need for speedy IAM solutions that lend themselves to a rapidly changing environment.
Just-In-Time (JIT) access enables organisations to provide access to systems for specific periods of time on an “as required” basis. Users simply request access, and the provider can grant it based on the reasoning for the request. For organisations that deal with multiple sensitive documents, this can be a great help in ensuring that access is only permitted on a case-by-case basis and can be measured.
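To make the JIT flow above concrete, here is an added example (not taken from any product or from the sources quoted in this article) of a small access broker: requests need a stated reason, grants expire after a fixed period, and every decision is recorded. The names `JITBroker`, `MAX_TTL`, the four-hour ceiling and the `approver` callback are assumptions made for illustration.

```python
import time
from dataclasses import dataclass

MAX_TTL = 4 * 3600  # assumed policy ceiling for any single grant, in seconds


@dataclass
class Grant:
    user: str
    resource: str
    reason: str
    expires_at: float


class JITBroker:
    """Holds no standing access: every grant is requested, justified and timed."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._grants = {}        # (user, resource) -> Grant
        self.audit = []          # (timestamp, event, user, resource, detail)

    def _log(self, event, user, resource, detail=""):
        self.audit.append((self._clock(), event, user, resource, detail))

    def request(self, user, resource, reason, ttl, approver):
        # Refuse requests with no justification or an out-of-policy duration.
        if not reason.strip() or not 0 < ttl <= MAX_TTL:
            self._log("denied", user, resource, "missing reason or invalid ttl")
            return None
        # The approver (a person or a policy function) decides on the reason.
        if not approver(user, resource, reason):
            self._log("denied", user, resource, "approver rejected request")
            return None
        grant = Grant(user, resource, reason, self._clock() + ttl)
        self._grants[(user, resource)] = grant
        self._log("granted", user, resource, f"ttl={ttl}s reason={reason}")
        return grant

    def is_allowed(self, user, resource):
        grant = self._grants.get((user, resource))
        if grant is None:
            return False         # default deny
        if self._clock() >= grant.expires_at:
            del self._grants[(user, resource)]   # access lapses on its own
            self._log("expired", user, resource)
            return False
        self._log("used", user, resource)
        return True
```

The `audit` list is what makes the access measurable: it shows who held access to what, for how long, and on what stated grounds.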
From a user perspective, automated self-service access represents a fusion of technology and processes that allows customers to serve themselves. Users can interact with a business in a minimal fashion which results in an easier and quicker solution to previously lengthy processes. This includes changing their own passwords if they have been forgotten or potentially compromised, updating their user profile, requesting access to restricted services, and approving access requests.
3. Modular authentication policies
Not all platforms are equal in terms of security. Often due to regulations, the level of security for online banking records is required to be significantly stronger than that of a fast-food takeaway application. The sensitivity of data contained within an account demands different levels of authentication and with modular policies, organisations can protect the multiple authentication schemes in their application programming.
From a back-end perspective, modular policies enable the platforms to receive authentication from a single server source, rather than each step requiring authentication individually. This creates a system that is more secure. When adding multiple layers of authentication, the scope for potential failure points gets wider and as such increases the risk of exploitation. Where previously any bugs or exploits in the chain could threaten the entire system, a modular approach creates a single system for authentication. This allows for changes to be made quickly and securely, without compromising the chain of authentication tools.
4. Decentralised Digital Identification (DDID)
DDID, also referred to as self-sovereign identity, is rising in popularity due to the mandate that digital transformation creates a privacy-friendly but secure exchange of claims. There is less risk to organisations that use electronic data verification and the added benefit of improved transparency and auditability. DDID is underpinned by blockchain technology, a method of securely providing encryption on data ledgers and protecting them from any potential hackers. DDID offers a comprehensive restructuring of the currently centralised digital and physical identity ecosystem into a structure that is democratised and decentralised.
5. Non-human identities
One of the more significant changes in IAM is the proliferation of non-human identities. The rapid growth in volume and different types of non-human identities presents compliance, security, and business risks to organisations. Non-human identities such as software bots, robots, Internet of Things devices, application programming interfaces/app-to-app and cloud workloads need to be managed with secure credentials and lifecycle management. Recognising and understanding how non-human identities are used in IT environments is a critical consideration for organisations that want to mitigate the risks while taking up the opportunities these identities provide. Non-human identities also often represent most users in many organisations and as a result their digital footprint is bigger. This can present a blind spot for IT departments as these identities are often not considered when establishing security controls. Therefore, understanding and providing the same level of security to these identities is expected to become a ubiquitous part of the IAM process.
Protection against cyber-threats
Security threats are constantly evolving and becoming more sophisticated. Often, they take advantage of poor identity management and unprotected credentials to gain access and move through networks and systems undetected. Furthermore, digital transformation and disruptions, such as the pandemic, throw chaos into business operations.
To ensure effective security and risk mitigation, businesses must have effective governance and a level of automation for managing digital identity access. This will provide a sound security posture, efficient operations, and a good user experience for all stakeholders.