Identity and access management, or IAM, has taken center stage as the most critical enterprise cybersecurity must-have of 2019.
But what is it, how are identity and access management trends shifting and why exactly should enterprise organizations deploy it? What are the challenges and pitfalls in implementing IAM? How can enterprise technologists make sure their IAM implementations are successful?
Let's take these in order. As the name implies, IAM tools ensure that only the right individuals have access to the right data, applications and resources.
Seems simple enough, but appearances can be deceiving. Most technologists envision IAM as a simple database containing users and the resources they're permitted to access. If that sounds a lot like Microsoft's Active Directory (AD), it's for a good reason. For most people, AD is their first exposure to the concept of IAM. Like IAM, AD provides access and authorization services that permit users to access particular machines and applications.
Here's the catch: The user-to-machine paradigm is obsolete. Today's enterprise environments are increasingly cloud-based. About half of all workloads will live in the cloud by the end of 2019, according to recent Nemertes research.
Even the concept of an application is being redefined as containers become the dominant approach to application development and enterprises deploy microservices and DevOps. Users rely on an ever-growing mix of mobile devices. Automation and IoT, in the meantime, are reframing the very definition of a user, which increasingly could be a bot, an IoT device or a software service.
As a result, data and applications may reside anywhere, so restricting access by machine makes no sense. In today's environment, applications are increasingly dynamic, and containers may have a half-life of less than a second.
Adopting zero-trust security and identity and access management trends
So, perhaps it's time to redefine IAM. Today, IAM is a technology option that ensures that users -- whether human or cyber -- get access only to the resources they're entitled to, regardless of where those resources reside and for how long.
Enterprises need IAM for the following three reasons.
1. Defining and enforcing who should get access to what data is the foundation of cybersecurity. Most breach varieties involve users or bots gaining access to a resource they shouldn't be able to access. Preventing that from happening is essential.
2. For regulatory compliance, it's imperative to provide documentation of who has accessed what. Because the majority of enterprise organizations are subject to regulatory compliance, a good IAM system not only functions in real time -- permitting authorized access and denying unauthorized access -- but retains logs that can be used for compliance, as well as incident response.
3. In the migration toward zero-trust security, effective IAM is a cornerstone. As the enterprise evolves from on-premises models, firewalls become less useful in protecting resources. With cloud services, there is no longer a meaningful definition of inside the perimeter, so perimeter-based -- i.e., firewall-based -- security makes no sense. Enter the zero-trust model. Contrary to the name, zero-trust security doesn't actually mean "never trust anyone or anything." It actually means "highly distributed and granularly controlled trust." In other words, zero trust is about providing -- in a highly distributed, dynamic environment -- fine-grained control over who can access a particular resource. That sounds a lot like IAM -- which it should.
Think strategically when evaluating IAM
The biggest challenge in anticipating identity and access management trends is not thinking strategically enough. Selecting and deploying an IAM should not be a matter of looking up IAM vendors on the web, doing a bake-off and implementing the one with the best feature functionality.
IAM needs to evolve as the enterprise does, and enterprises are in a massive state of transition in their digital transformations. As noted earlier, applications are moving to the cloud; users are moving to mobile devices; and new application models, like containers, microservices and DevOps, are changing how applications are deployed. At the same time, automation and IoT are changing the definition of the user.
To ensure success with IAM, the best place to start is with an assessment. Many cybersecurity consulting companies, as well as IAM vendors, are happy to provide an evaluation that gives enterprises a current snapshot of where critical gaps may exist and, in some cases, outlines future challenges. Based on that assessment, enterprise technologists can develop a set of selection criteria and a weighted scorecard -- and then reach out to the vendors to compare products.
When thinking about IAM, make sure you take a holistic view of the enterprise. Use broad definitions of users (humans, yes, but also, potentially, services and devices) and resources (which can range from apps and containers to cloud services and other components). And factor in your organization's future plans to ensure you've selected a future-proof product.