Access management tools are at the forefront of many digital transformation initiatives, catering to the new dynamic of the hybrid workplace and improving UX as a competitive differentiator.
At the same time, access management projects are challenging due to application requirements, staffing and skills shortages, and the need to support multiple user stakeholders. Let's also not forget about the complexity of identity and access management (IAM) practices that take hold when an organization goes through acquisitions or divestitures over time -- legacy tools and cultural challenges come into play here.
How, then, can security and risk management leaders capture the full value of access management? Here are five steps to help create a modern and efficient access management strategy that serves the needs of all user segments.
Step 1. Perform an application portfolio inventory
Start by classifying applications according to three primary access patterns:
- Standard web applications. These HTML-based applications can communicate via modern identity protocols, such as Security Assertion Markup Language (SAML), OpenID Connect and OAuth 2.0, as part of fully federated single sign-on. Many SaaS applications and packaged software applications fall within this category.
- Nonstandard web applications. These HTML-based applications cannot speak modern identity protocols themselves and instead need a "translator," typically a reverse proxy or web server agent, that completes the federated login and passes the authenticated identity to the application (for example, in HTTP headers). The application must then be configured to accept that identity only from the proxy or agent, never from the client directly.
- Legacy applications. For thick-client, Lightweight Directory Access Protocol (LDAP)-bound or mainframe applications, proxies and agents offer limited coverage. A better strategy may be to wait for the eventual retirement of the application in favor of a standard web application.
The collected information should be weighed against the capabilities of the market to help leaders choose the right access management tool and provide organizations with a roadmap for application integrations.
Step 2. Define and address the needs of multiple user constituencies
Security and risk management leaders need to consider access management use cases, which are spread across internal and external constituencies, including business-to-employee (B2E), or access management for the workforce; B2B, or access management for vendors and business partners; and B2C, or access management for customers.
A lack of cohesion over how to collect, refine and distribute identity data makes an IAM engine run poorly and affects an organization's access management project. Most Gartner clients prefer to keep their user constituencies separate. While this can be more expensive, it creates better separation along the lines of business as each community has unique requirements.
Separate directories, such as virtual directories or metadirectories, are often used to build databases of identity data. This enables data to be abstracted away from the environment, ensuring access management tools have the necessary information to make an access decision, regardless of the type of user.
Step 3. Decide on architecture and consumption
Access management tools offer a range of access and security functionality. To decide which functionality your organization needs, refine all requirements for the access management practice early on, and pay close attention to how vendors address these requirements.
One vendor may natively support header-based authentication, for example, whereas another may require a separate product. One vendor may support a GUI-based approach to delegated administration, where another may only supply a command-line interface. Evaluating how different access management vendors approach your requirements helps you choose the right access management tool for your organization and its application portfolio.
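The "translator" pattern for nonstandard web applications in Step 1 and the header-based authentication mentioned above share one failure mode: if the application trusts an identity header unconditionally, anyone who can send a request to it (past the proxy, or with a spoofed header the proxy fails to strip) becomes whoever they name in that header. The following added example, which is not from the article or any vendor's product, shows the two halves of a safe arrangement: the proxy strips client-supplied identity headers before injecting its own, and the application accepts the identity only when it carries a fresh HMAC signature from the proxy. Header names, the signing scheme, the shared key and the sample requests are all assumptions made for this illustration.

```python
"""Header-based authentication through an identity-aware reverse proxy.

Added illustration, not code from the article or any access management
vendor. The proxy is assumed to have already completed a SAML/OIDC login;
what follows is how it hands the result to a "nonstandard" web application.
Header names, the HMAC scheme and all sample values are assumptions.
"""
import hashlib
import hmac
import time
from typing import Mapping, Optional

IDENTITY_HEADERS = ("X-Remote-User", "X-Remote-Groups")
SIG_HEADER = "X-Proxy-Signature"
TS_HEADER = "X-Proxy-Timestamp"
MAX_SKEW_SECONDS = 60
# Shared between proxy and application; in a real deployment this comes
# from a secret store, not a constant.
SHARED_KEY = b"example-only-shared-secret"


def _canonical(headers: Mapping[str, str]) -> bytes:
    # Bind every identity header and the timestamp into one signed string,
    # so a client cannot swap a signed username for another or replay later.
    names = IDENTITY_HEADERS + (TS_HEADER,)
    return "\n".join(f"{h.lower()}={headers.get(h, '')}" for h in names).encode()


def proxy_forward(inbound: Mapping[str, str], user: str, groups: list,
                  now: Optional[int] = None) -> dict:
    """Headers the proxy sends upstream after a successful federated login."""
    now = int(time.time()) if now is None else now
    # Drop any identity or signature headers the client supplied, regardless
    # of letter case; only the proxy may set these.
    protected = {h.lower() for h in IDENTITY_HEADERS + (SIG_HEADER, TS_HEADER)}
    outbound = {k: v for k, v in inbound.items() if k.lower() not in protected}
    outbound["X-Remote-User"] = user
    outbound["X-Remote-Groups"] = ",".join(groups)
    outbound[TS_HEADER] = str(now)
    outbound[SIG_HEADER] = hmac.new(SHARED_KEY, _canonical(outbound),
                                    hashlib.sha256).hexdigest()
    return outbound


def app_authenticate_naive(headers: Mapping[str, str]) -> Optional[str]:
    """The weak pattern: trust the header unconditionally."""
    return headers.get("X-Remote-User")


def app_authenticate(headers: Mapping[str, str],
                     now: Optional[int] = None) -> Optional[str]:
    """Hardened pattern: accept the identity only if the proxy signed it."""
    now = int(time.time()) if now is None else now
    sig = headers.get(SIG_HEADER)
    ts = headers.get(TS_HEADER)
    if not sig or not ts or not ts.isdigit():
        return None
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return None  # stale or replayed
    expected = hmac.new(SHARED_KEY, _canonical(headers), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # forged or tampered headers
    return headers.get("X-Remote-User") or None


def demo() -> dict:
    """Constructed scenarios: one honest login and three attacks."""
    t0 = 1_700_000_000
    # 1. Client tries to smuggle an identity header past the proxy.
    via_proxy = proxy_forward({"X-Remote-User": "admin", "Accept": "text/html"},
                              "alice", ["staff"], now=t0)
    # 2. Attacker reaches the application directly, bypassing the proxy.
    direct = {"X-Remote-User": "admin"}
    # 3. Attacker edits a legitimately signed request.
    tampered = dict(via_proxy)
    tampered["X-Remote-User"] = "admin"
    return {
        "honest_login": app_authenticate(via_proxy, now=t0 + 5),
        "naive_app_bypass": app_authenticate_naive(direct),
        "hardened_app_bypass": app_authenticate(direct, now=t0 + 5),
        "tampered": app_authenticate(tampered, now=t0 + 5),
        "replayed_two_hours_later": app_authenticate(via_proxy, now=t0 + 7200),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The signature is defense in depth, not a substitute for network isolation: the application should still accept connections only from the proxy (firewall rule, private network or mutual TLS), because a bypass path that the signature catches is already a misconfiguration worth fixing. Note also which direction the stripping runs in: the proxy removes inbound identity headers from the client before adding its own, which is the step most often forgotten when a vendor's "header-based authentication" option is switched on.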
Modern digital transformation is driving the adoption of IaaS, while the adoption of SaaS applications for critical business processes is well demonstrated across the market. Utility-level availability is now an expectation for any SaaS-delivered IAM offering, especially services as critical as access management, because every application federated to the service inherits its downtime. A few vendors have experienced outages, leaving their customers in the dark when it comes to application availability. To mitigate unavailability or security incident risks, select SaaS options that deliver documented high availability and conduct thorough disaster recovery and business continuity planning, including how users will reach critical applications if the access management service is unreachable.
Step 4. Plan for and use adjacent IAM technology
While multifactor authentication (MFA) capabilities are a core offering among access management tools, other capabilities are less mature. Identity governance and administration tools manage the identity lifecycle, track authorizations and assist with provisioning. Most access management tools don't have mature capabilities here, so they should be augmented with identity governance and administration tools. Likewise, privileged access management tools are necessary to track and control access for accounts with elevated access, something access management tools typically don't do.
In expanding the security capabilities of access management tools, components that add additional inline visibility and control are important. Tools such as security service edge and web application and API protection tools can add visibility and controls that are not natively available in access management tools.
When it comes to customer IAM, remote identity proofing and account capabilities are lacking among most access management vendors, as are tools for consent and preference management. Adding these adjacencies addresses the gaps in access management tools.
Security and risk management leaders likely have to select more than one IAM tool to meet all requirements in the short term. However, Gartner anticipates that many access management market leaders will continue to migrate from a best-of-breed to a best-of-suite approach.
Step 5. Mature the access management practice
Access management has always been more of a journey than a destination: the practice keeps adding applications, features and functionalities over time. Noteworthy capabilities to adopt as it matures include MFA, session management, System for Cross-domain Identity Management (SCIM) provisioning, inline session visibility and control, and access orchestration.
These steps should be viewed holistically, and they largely build on each other as the access management practice matures. Skipping steps creates unforeseen issues later in the project. A mature access management practice provides users with secure, ubiquitous access to applications but also carries significant operational efficiencies and cost avoidance, achieved by relieving users of the pain of managing application passwords.
About the author
Michael Kelley is senior research director in the Secure Business Enablement group at Gartner, focusing on identity and access management. Prior to joining Gartner, Kelley served in the private sector leading both the Identity and Authentication and the Security Operations organizations at Koch Industries. He also served as an identity strategy architect focused on the migration of a global enterprise to identity federation and modern authentication. Kelley managed refreshes of enterprise public key infrastructure, rights management and Active Directory and drove implementations of certificate lifecycle management and virtual directory platforms.