The identity and access management market is rapidly changing.
Technological disruptions such as artificial intelligence are advancing the capabilities of identity and access management (IAM) software, while organizations struggle to modernize systems and manage employee identities both in the cloud and on premises.
Attendees at Identiverse, an identity and security conference that recently took place in Washington, D.C., were there for strategic as well as practical reasons. They wanted to learn about what's coming to the IAM market, how to combine identity management with the corporate security strategy, and how to deliver the best service to employees and customers on a tight budget.
"We've been moving our identity management within our security focus," said Jon Fondrie, senior information security analyst at TIAA, a New York-based financial services company. "I think the industry is moving that way. Once you start moving into this hybrid world and your network can no longer be your first line of defense, identity becomes more of a source of security."
Maintaining ROI with IAM
Fondrie's sentiment echoed that of many conference attendees. Some were searching for validation that what they're organization was doing was correct, while others wanted to learn how best to implement IAM while also maintaining a good ROI.
"A lot of [these capabilities] are cool, and the more you automate and the more you move to the cloud, the more you simplify things," said Michael Daum, tech lead for identity and access management at State Auto, an insurance company based in Columbus, Ohio.
Daum said that his organization is working to upgrade its IAM systems, while also not breaking the bank.
Michael Daum Tech lead for identity and access management, State Auto
"We're in this spot with a lot of technical debt," Daum said, adding that State Auto is a G Suite customer and is in the cloud with AWS, but is hesitant to add on another vendor just for identity management. "We're paying a lot of money to a lot of different companies and we're trying to find a way to see which of those companies can be used for identity services. No offense to Ping Identity or Okta, but why pay them however much money if we can limit the amount of cooks in the kitchen."
Emerging capabilities within IAM products intrigued Daum, but never bested ROI.
"Where's the value added?" Daum said. "Everyone is talking about cloud and password-less and zero trust. Those buzzwords sound nice, but the cost to implement is still huge."
Zero trust is a security architecture introduced by Forrester Research that is designed to assess threats not just from outside the network, but from within it. It uses the principle "never trust, always verify" anything trying to connect to the network to ensure it remains secure.
Easing ID management for customers
New capabilities like zero trust and passwordless sign-in, which uses other unique identifiers, including biometric or text-based verification, can be useful for IAM, but they can also be difficult for IT admins to implement, especially if they're trying to improve identity management for customers rather than internal end users.
Stephanie Kesler, senior technologist at General Communication Inc. (GCI), an Alaska-based telecomm company, came away from conference sessions feeling validated about how her company's implementation of IAM has gone, especially with internal identification of GCI employees. She also wanted to find ways to ease identity management for GCI customers. That's something easier said than done, as customers have different preferences and tend to have less patience than employees.
"One thing I've been looking at is how other people and organizations are solving these problems," Kesler said. "It's much easier to implement some of these things on the enterprise side first. And once you've gained that knowledge, you can start looking at the consumer-facing side of things."
Kesler said she had been researching trends like multifactor authentication (MFA) and zero trust, but wanted to be sure to balance those IAM features with customer experience.
"MFA is difficult to implement for customers. We don't want to be that annoying company that makes you do multiple things to log on," she said. "Internally, you have a captive audience where it's easier to implement things like MFA or zero trust. But on the customer side, it's a larger base where you don't have as much control."