The Continuing Evolution of Identity and Access Management

By David Lello, CISO, Burning Tree

In recent years, the cybersecurity industry has seen rapid advancements in technological developments such as the Internet of Things (IoT), Machine Learning (ML), Artificial Intelligence (AI), the Cloud, and big data – which have all had a significant impact on business’ identity and access management (IAM) frameworks.

Innovations and Continued Improvement

Blockchain technology and its role in digital identity solutions is an area frequently spoken about across the information security industry – with as many doubters as supporters. However, it is the first technology to truly help in reducing the risk of personal data loss and online identity theft, by empowering the individual to directly control the use of their own data. Personal information is frequently shared without awareness, creating a centralised source of sensitive data, which is vulnerable to attack. However, a blockchain identity takes a decentralised approach, allowing an individual or company to securely store information about their identity within this proven technology. This means organizations do not need to hold unnecessary data about people – reducing the risk of compliance issues and the possibility of a substantial fine.

"The delivery of IAM solutions is now also being simplified through Identity as a Service (IDaaS), virtualisation and the use of Application Program Interfaces (APIs)."

Adaptive and context-based authentication has also become more mainstream thanks to software vendors and Cloud providers. This type of technology gives companies a real advantage in the effort to ensure only the right people are getting into their systems and information. This is because the solution uses advanced Machine Learning capabilities to recognise the way a person types or interacts with their computer – identifying the place of work and typical work patterns based on the time of day, duration, behaviours, and so on. When any of these parameters change (based on the company policy and risk appetite) a step-up authentication is then required using a token or biometric technology.

Lately, we have also seen User Behaviour Analytics (UBA) – armed with advanced Machine Learning capabilities and early-stage AI – start to deliver better identification of access events than that of traditional Security Information and Event Management (SIEM) solutions. In fact, the effectiveness of UBA has been so good that mainstream SIEM vendors are now offering it within their own tools. With time, the sharpening of rules and advancements in Machine Learning, we will likely start to see improved accuracy and less false positives – resulting in greater efficiency.

Equally, Privileged Account Management (PAM) solutions are becoming easier to use – providing a high level of security by centralizing privileged credentials in one place. This enables an organisation to easily control who is accessing critical data and information, log all accesses and monitor for any suspicious activity. Nevertheless, the real advancements happening in this space are in protecting instances, objects, and micro services in the Cloud.

The delivery of IAM solutions is now also being simplified through Identity as a Service (IDaaS), virtualisation and the use of Application Program Interfaces (APIs). As a result, IAM no longer needs to be overly complex with multiyear integration projects and a small army of consultants, as IDaaS can be readily consumed from providers without complicated implementations. Instead, integration can be achieved more easily through standard APIs, and even legacy technology can be integrated through virtualisation.

Customer Identity and Access Management (CIAM) is another long-standing capability with single sign-on (SSO) and high-volume authentications. Where this area is getting exciting is by combining other platforms and IAM capabilities; for example, merging blockchain and adaptive authentication with a communications platform in order to drive better interaction and increased sales probability.

Opportunities and challenges

As IAM vendors continue to innovate, the application of these innovations is becoming increasingly effective – particularly when the incorporation of business process control is considered and IAM solutions are combined with other technology to deliver real business value. This type of innovation is resulting in new and disruptive businesses succeeding in sustained and exponential growth, in a market where many traditional companies are slowing down, struggling or even going into administration.

Our customers at Burning Tree are gaining a real competitive advantage by adopting these innovations. However, sadly, there are still a lot of organisations who operate a legacy IAM environment, which is inefficient and vulnerable to abuse or attack.

Additionally, while it is all very well driving technology towards the Cloud, doing this without proper consideration of security control, identity and access could result in disaster (and has been known to in the past). The attack surface of a company’s applications is much larger in the Cloud so making sure the right people have the right access in the right context is absolutely vital.

Identity is, therefore, central to delivering applications in the Cloud. This is why code objects or microservices in the Cloud have keys or tokens to allow a user to authenticate and access information pertinent only to their access rights. Without this traversal across the application, the stack becomes possible and the application can be easily exploited.

Check out: Top Identity and Access Management Solution Companies in Europe

Weekly Brief

Read Also

Identity is Crucial to Staying a Step Ahead

Identity is Crucial to Staying a Step Ahead

Kathleen Peters, Experian’s Senior Vice President and Head of Fraud & Identity, Experian, North America
Building a Comprehensive Vulnerability Management Program

Building a Comprehensive Vulnerability Management Program

Benjamin Schoenecker, Director of Information Security, Hendrick Automotive Group
Managing Threats and Vulnerabilities in your Enterprise: Structuring for Modern Day Challenges

Managing Threats and Vulnerabilities in your Enterprise:...

John Gunter Jr., Head of Threat and Vulnerability Management, Electronic Arts
It's a Gnu Year - Keep moving

It's a Gnu Year - Keep moving

Sean Leonard, Director of Threat and Vulnerability Management, Universal Music Group
Vulnerability Management- Thinking Beyond Patching and Software Vulnerabilities

Vulnerability Management- Thinking Beyond Patching and Software...

Brad Waisanen, Vice President, Information Security at TTI
The Ever-evolving Information Security and Business IT Landscape

The Ever-evolving Information Security and Business IT Landscape

Steve Hendrie, Sr. Director & CISO, The Hershey Company