Identity and access management (IAM) is critical to a successful digital transformation and for creating an end-user-centric digital workplace. The friction associated with the controls implemented by the IAM solution can determine the success or failure of an initiative, whether internally focused (on the workforce) or externally focused (on customers). In the case of friction, the natural reaction is to try to find a way around it, which eliminates the control’s effectiveness.
With the evolution in authentication and orchestration solutions to date, user experience will be streamlined from registration through the lifecycle of the relationship with the organization — without sacrificing the effectiveness of the security controls. In 2022, orchestration solutions will become more widely adopted and mainstream.
The adoption of AI and ML in IAM processes will continue to increase as product offerings mature, allowing further improvements in user experience through automation and reduction of manual touchpoints across the entire IAM process chain. These improvements will benefit customers, workforce users, administrators and developers.
Zero standing privileges / JIT PAM
The maintenance of privileges or entitlements is one of the most challenging aspects of IAM. It is also the biggest source of risk, as overprivileged access is responsible for many recent security incidents. It is necessary to practice the principle of least privilege, where an identity receives privileges only when they are needed.
Even when executed well, the traditional approach of introducing processes to periodically verify access leaves a window of opportunity for bad actors to gain access. A new approach called zero standing privileges (or just-in-time PAM) is gaining popularity and is now supported by most PAM vendors. With this approach, even when an identity is granted access to a privileged entitlement, the access is not enabled until it is needed. When the privileged activity is complete, the access is removed. If a privileged account is compromised, the bad actor still cannot have privileged access to anything.
Analysts are calling 2022 the year of JIT PAM, since it is predicted to gain widespread popularity over the course of the year.
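The zero-standing-privileges model described above can be sketched as a small broker that separates being granted an entitlement from having it enabled. This is an added example, not code from the article or from any PAM product; the `JitBroker` class, its method names, the identities and the ticket reference are all hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class JitBroker:
    """Illustrative JIT broker: eligibility is standing, access is not."""
    eligible: set = field(default_factory=set)   # (identity, entitlement) pairs
    active: dict = field(default_factory=dict)   # pair -> expiry (epoch seconds)
    audit: list = field(default_factory=list)    # (time, event, identity, entitlement)

    def grant_eligibility(self, identity, entitlement):
        # Being granted the entitlement does not enable it.
        self.eligible.add((identity, entitlement))

    def activate(self, identity, entitlement, now, ttl_seconds, reason):
        # Enable access only for an eligible identity with a stated reason.
        key = (identity, entitlement)
        if key not in self.eligible or not reason.strip():
            self.audit.append((now, "denied", identity, entitlement))
            return False
        self.active[key] = now + ttl_seconds
        self.audit.append((now, "activated", identity, entitlement))
        return True

    def release(self, identity, entitlement, now):
        # Called when the privileged activity is complete.
        if self.active.pop((identity, entitlement), None) is not None:
            self.audit.append((now, "released", identity, entitlement))

    def is_authorized(self, identity, entitlement, now):
        key = (identity, entitlement)
        expiry = self.active.get(key)
        if expiry is None:
            return False          # eligible or not, nothing is enabled
        if now >= expiry:
            del self.active[key]  # forgotten sessions expire on their own
            self.audit.append((now, "expired", identity, entitlement))
            return False
        return True


def demo():
    # Constructed scenario: alice is eligible for db-admin but holds no access.
    broker = JitBroker()
    broker.grant_eligibility("alice", "db-admin")
    t0 = 1_000
    results = [broker.is_authorized("alice", "db-admin", t0)]
    broker.activate("alice", "db-admin", t0, ttl_seconds=900,
                    reason="placeholder change ticket")
    results.append(broker.is_authorized("alice", "db-admin", t0 + 60))
    broker.release("alice", "db-admin", t0 + 120)
    results.append(broker.is_authorized("alice", "db-admin", t0 + 121))
    return results, [event[1] for event in broker.audit]
```

The time-to-live matters as much as the explicit release: an activation that is never released still lapses, and every activation, denial and expiry lands in the audit trail.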
As perpetual licensing models are converted into subscriptions, we have seen companies treat technology and services as an operating expense rather than as a capital expense. This provides a more predictable source of income for vendors and a simpler financial treatment for customers. Beyond technology acquisition, customers are increasingly seeking to buy complete solutions in this manner, including not only technology but also services. This approach also simplifies procurement by reducing the number of vendors. The rapid pace of technology evolution coupled with a labor shortage (especially for skilled staff) has made in-house delivery a challenge for many customers. These as-a-service offerings are beginning to gain popularity, and they will continue to do so in 2022.
According to Gartner, “By 2023, 40% of IAM solutions will be driven by MSSPs offering best-of-breed integrations, shifting influence from vendors to service partners.”
Expanding privacy regulations
Privacy is gaining an increased focus, largely due to the surge in ransomware and data breaches, as well as an increase in remote online activity by both employees and customers. The result has been an increase in privacy regulations globally, including in the United States — where individual states have begun introducing privacy regulations instead of waiting for the Federal Government to do so.
The increase in regulations is starting to have an impact on organizations that may not have been concerned with pre-existing regulations like GDPR. This will require updating existing solutions and will create opportunities to modernize IAM infrastructure or even complete applications. In some cases, it may be easier to start with a new, modern infrastructure rather than trying to retrofit a home-grown solution created years ago.
Moreover, privacy is driving the adoption and innovation of identity services that leverage blockchain, verifiable claims and trust frameworks to support user-centric, privacy-compliant services.
Acquisitions and vendor consolidation
In 2021, we saw a resurgence in consolidation in the IAM market across technology and service providers. Service providers are expanding capabilities and using acquisitions to drive accelerated growth. Technology providers are consolidating to expand their offerings into a more comprehensive portfolio. This aligns with the customer focus on reducing the number of vendors they work with, making the suite vendors more appealing. This doesn’t ensure that an existing vendor will get new business, but if an existing vendor has an offering, it will be considered before looking at a new vendor. The consolidation trend is expected to continue or even accelerate in 2022.
Top recommendation for 2022
Identity and access hygiene is the most important step to be taken to protect against ransomware and data breaches. One must establish and maintain processes for removing unnecessary accounts (e.g. when someone leaves the organization) and verify that policies around identity and access are being followed. While well-implemented tooling is ideal — with automation being the end goal — a manual process is still better than nothing, as long as it is done in a timely fashion with proper checks and balances in place.
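A hygiene review of the kind recommended above can start as a reconciliation of a directory export against the HR roster. This is an added example, not part of the original article; the record layout, the sample data, the one-day offboarding window and the 90-day dormancy threshold are assumptions chosen for illustration.

```python
from datetime import date

# Constructed sample data: HR roster keyed by employee id, and a directory export.
HR = {
    "e100": {"status": "active", "left": None},
    "e101": {"status": "terminated", "left": date(2022, 1, 10)},
    "e102": {"status": "terminated", "left": date(2022, 1, 30)},
    "e103": {"status": "active", "left": None},
}
ACCOUNTS = [
    {"login": "asmith", "owner": "e100", "enabled": True, "last_login": date(2022, 1, 28)},
    {"login": "bjones", "owner": "e101", "enabled": True, "last_login": date(2022, 1, 9)},
    {"login": "cdoe", "owner": "e102", "enabled": True, "last_login": date(2022, 1, 29)},
    {"login": "svc-old", "owner": None, "enabled": True, "last_login": date(2021, 6, 1)},
    {"login": "dlee", "owner": "e101", "enabled": False, "last_login": date(2021, 12, 1)},
    {"login": "ekim", "owner": "e103", "enabled": True, "last_login": date(2021, 9, 1)},
]


def review(accounts, hr, today, offboard_sla_days=1, dormant_days=90):
    """Return (login, finding, days) for every enabled account needing action."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing left to remove
        person = hr.get(acct["owner"])
        if person is None:
            # No accountable owner: cannot be tied to anyone in the organization.
            findings.append((acct["login"], "orphan", None))
        elif person["status"] == "terminated":
            # Owner has left: measure how far past the removal window we are.
            overdue = (today - person["left"]).days - offboard_sla_days
            kind = "leaver_overdue" if overdue > 0 else "leaver_due"
            findings.append((acct["login"], kind, max(overdue, 0)))
        else:
            idle = (today - acct["last_login"]).days
            if idle > dormant_days:
                findings.append((acct["login"], "dormant", idle))
    return findings


def sample_findings():
    return review(ACCOUNTS, HR, today=date(2022, 1, 31))
```

Tracking days past the removal window, rather than only listing leaver accounts, is what lets a manual process be checked for timeliness.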
About the author
Global IAM Practice Lead & CTO
Allen Moffett is Global IAM Practice lead and CTO at ATOS. He is also the global lead for the IAM and Biometrics sub-domain of the ATOS expert community, helping to steer business strategy and build the technology roadmap by anticipating the products and services that will be needed by the market. He is also a member of the Executive Advisory Board of the Identity Defined Security Alliance.