SHARED INTEL Q&A: Forrester report shows Identity and Access Management (IAM) in flux

By Byron V. Acohido

Identity and Access Management (IAM) is at a crossroads.

A new Forrester Trends Report dissects ten IAM trends now in play, notably how AI is influencing IAM technologies to meet evolving identity threats.

IAM is a concept that arose in the 1970s, when usernames and passwords were first set up to control access to mainframe computers.

By the 1990s, single sign-on (SSO) solutions had caught on, and with the explosion of web apps that followed came more sophisticated IAM solutions. Federated identity management emerged, allowing users to use the same identity across different domains and organizations, and standards like SAML (Security Assertion Markup Language) were developed to support this.

The emergence of cloud computing further pushed the need for robust IAM systems. Identity as a Service (IDaaS) began to gain traction, offering IAM capabilities through cloud providers.

Last Watchdog engaged Forrester Principal Analyst Geoff Cairns, the report’s lead author, in a discussion about the next phase of IAM. Here’s that exchange, edited for clarity and length.

LW: In the grand scheme, how urgent has it become for companies to focus on identity threats?

Cairns: The urgency for companies to focus on identity threats has significantly increased over the past few years due to several factors. First, the rapid advancement of technology has created a more complex and interconnected digital landscape, making it easier for attackers to exploit vulnerabilities. Second, the growing adoption of cloud and SaaS services, as well as remote work arrangements and the extended workforce, has expanded the identity threat surface. Third, high-profile data breaches, such as the recent Change Healthcare cyberattack, have underscored the importance of effective identity security controls in protecting sensitive information.

LW: What’s the vital lesson stemming from IAM-related breaches like those seen with MGM and Okta?

Cairns: One of the most vital lessons for CISOs and IAM leaders to take away from the MGM and Okta breaches is that your IAM vendors’ servicing and operations are intrinsic to your own organization’s security posture and, ultimately, end-customer trust. The ongoing consolidation of IAM vendors and technology stacks will lead to greater concentration of supplier risk, as well. We expect IAM platform vendors will face increased scrutiny from their prospects and customers as it relates to underlying platform security and incident response practices.

LW: Can you share an anecdote that illustrates exactly how generative AI is being used to improve threat detection and remediation in IAM systems?

Cairns: Given the ability to input natural language queries (e.g., “show me the last 5 privileged account access attempts”), IAM administrators are conducting conversational interrogations of the IAM system to more swiftly identify and isolate identity threats. With IAM administrators also able to use AI to generate immediate, actionable steps for remediation, incident response time is significantly reduced. In the future, we expect to see genAI advances that will proactively generate and optimize IAM policies to pre-empt future threats.

LW: What should CISOs clearly understand about integrations between IAM and non-IAM cybersecurity vendors?

Cairns: CISOs should understand that to effectively respond to identity-centric threats, integration is necessary between IAM and non-IAM cybersecurity tool sets. Support for these integrations is quickly maturing. Across your existing security vendor portfolios, review roadmaps and integration points for identity threat detection, signal sharing, and response automation. Most importantly, leverage the opportunity to drive tighter operational process alignment and a stronger working relationship between IAM and SecOps teams.

LW: Are legacy IAM solutions obsolete; will they — or be replaced?

Cairns: Even as environments get more complex and attacks get more sophisticated, companies should remain rooted in solid IAM fundamentals and core principles – strong authentication, least privilege access, robust monitoring – applying a defense in depth approach. However, organizations must systematically evolve and upgrade their underlying IAM technology platforms to match their IT environment and the current threat landscape. In some cases, like phishing-resistant passwordless MFA, it capitalizes on technical advances (biometrics, compute power) layered on top of well-established practices (multifactor authentication). In other instances, it may require re-engineering of processes and systems to adopt a different technology or approach, such as verifiable credentials or zero standing privileges. To be effective, IAM implementations must be dynamic and constantly evolving.

LW: Anything else?

Cairns: While staying updated on IAM technology trends is certainly important, perhaps the most critical thing that CISOs and IAM leaders can do is to nurture and maintain the right culture. Many security leaders that Forrester has spoken with stress the importance of establishing cross-functional relationships and collaboration to ensure a business-led approach to IAM. Prioritizing user-centric design thinking and a growth mindset are paramount for building a high-performing IAM team and applying the right set of IAM technologies to both protect and enable the business.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
