Reducing complexity in Identity & Access Management
Identity & Access Management (IAM) is an important part of how many of today’s organisations verify the identity of both employees and customers and ensure they have the appropriate level of access to the resources they need from within cloud and on-premises applications.
IAM is a valuable asset in any organisation’s security arsenal, but access rights can often be difficult to manage. Increased digital complexity, changing employee roles and the growth of cloud and remote workforces make it a challenge to ensure that employees have access to the correct resources to carry out their jobs without compromising on security.
Today’s employees have a wealth of different workplace applications at their disposal, which can greatly aid with productivity. However, having multiple logins for different applications can make the process increasingly fragmented, with employees spending time logging into and switching between multiple apps and websites. What’s more, employees often reuse passwords for multiple applications, increasing the risk of an adversary gaining access to multiple corporate systems.
Organisations are therefore looking for identity and access management systems that provide a central control point for IT teams, enabling effective role-based access for end users who only require one set of login credentials.
This digital experience, powered by bespoke research, will explore what IT leaders want from IAM and how this can be delivered in a way that ensures ease of use while remaining secure. It will ask whether consolidation would save IT teams precious time, and the impact this could have on IAM compliance and uptake.
Intro
Partner and Customer IAM are only marginally less important use cases than employee IAM.
88% of survey respondents at least strongly agreed that increasing security threat frequency and sophistication meant IAM is ever more important for their organisations.
Most organisations have more than one IAM solution in place.
The most significant challenges experienced with IAM solutions are user engagement, Privileged Account Management (PAM) and, above all, integration with different applications, workloads and systems across hybrid architectures.
Integration capability is the 1st consideration of enterprises when assessing solutions and vendors.
Defining IAM
Before investigating what organisations prioritise when choosing IAM solutions and the challenges that they are experiencing in this area, it is helpful to define exactly the area being discussed, because IAM is a wide area encompassing policies, processes and systems, and can be complex.
The resources that individual employees, third parties or customers can access are defined and managed by IAM tools.
When asked to define IAM, many individuals would focus on Multi-Factor Authentication (MFA), Single Sign-On (SSO) or privileged access/user management, but IAM covers a much broader architecture, including API access management, user lifecycle management and hybrid cloud gateway. As endpoints have proliferated (and a growing proportion of those endpoints do not necessarily have a human being behind them) and infrastructure has become more complex, IAM has evolved as a discipline.
[Chart: What stage is your organisation at in implementing advanced identity and access management (IAM or CIAM) platforms? Categories: No plan, but interested; Fully implemented; Planning; Incubating/trialling; Rolling out.]
The majority of organisations surveyed have some form of IAM – simply relying on passwords and default log ins isn’t feasible beyond the smallest organisations, and every organisation taking part in this research employs in excess of 500 people. 57 per cent of them already have advanced IAM and/or CIAM (which focuses solely on customer access) in place or are mid implementation. The majority are running more than one IAM solution. 31 per cent have two, and 25 per cent have three solutions. 17 per cent have four or more.
[Chart: On a scale of 1 (not at all important) to 10 (extremely important), how important are the following use cases for IAM at your organisation? Use cases: customer, partner and internal identity and access management.]
This graph shows that, whilst employee IAM remains the most popular use case, partner and customer use cases only rank marginally behind those focused on employees. This finding highlights the erosion of traditional corporate and vertical industry borders and their replacement with increasingly complex ecosystems of related businesses over which data is shared and potentially accessed by customers via single digital interfaces. The API economy is booming and the proportions highly ranking both partner and customer use cases reflect this.
Cyber Security – A Perfect Storm
By far the biggest motivation for IAM was cyber security in general, with compliance ranking a little further behind.
Certainly, one of the critical functions of IAM is to mitigate the risks inherent in allowing employees to access enterprise resources purely via passwords, risks which have grown along with digitisation, SaaS and hybrid architecture. The sheer number of applications people log into daily – each requiring its own credentials – has led in many cases to a degree of password fatigue. The result is distinctly suboptimal security practices such as using the same password across multiple applications and/or saving password lists on phones or laptops.
[Chart: Please rank these drivers for IAM in your organisation in order of importance. Drivers: Cyber Security (score: 506); Ease burden on IT; Regulatory Compliance; Competitive Advantage.]
Employees being lax about security practice is not new, and cyber security education within organisations has always been challenging. However, right now organisations are facing a particularly insidious set of cyber security problems that are intensifying the impact of password fatigue. According to research by Computing, over the last 18 months not only is the volume of threats increasing, threat types are also changing.
Endpoint defences are being put under increasing pressure not just by the proliferating volume of endpoints themselves, but also by malware and ransomware that is evading more traditional defences. Ransomware is designed to move laterally and silently through networks, exfiltrating data and encrypting backups in order to maximise leverage for criminals and increase the chances of victims quietly paying up.
(Ranking scale for the drivers chart: 1 = most important, 4 = least important)
[Chart: Has your organisation experienced cyber security attacks on its digital platforms in the past 12 months? Responses: Yes, daily; Yes, weekly; Yes, at least monthly; Yes, at least once; No; Don’t know.]
Combine this menacing threat landscape with often under-staffed cyber security teams and a surfeit of manual processes and tools for remediation, and you have the perfect security storm, as we can see in the chart above.
Organisations can mitigate some of the risks arising from endpoints and their users by means of cloud IAM, which provides single sign-on (SSO) across SaaS, cloud applications and on-premises infrastructure. IAM should also encompass not just devices but location and user behaviour. Hybrid working patterns that are likely to be the future in many businesses mean that enterprises need to know that users are who they claim to be – and this information needs to be validated often.
IAM also has a significant role to play in neutralising threats arising from inside organisations – or rather people leaving them. Deprovisioning soon-to-be ex-employees from all applications is vital for both security and compliance mandates. IAM should leverage directory services to determine and govern access to systems, applications and services and bring an auditable peace of mind for enterprises.
88% of contributors to this research agreed strongly or very strongly that increasing security threat frequency and sophistication meant IAM is even more important at their organisation. They are right – IAM has a key role to play in the cyber wars.
[Chart: Which of these are the most challenging areas in the daily use of IAM solutions at your organisation? Areas: Integration; Privileged user management; Acceptance by staff; Identity management; Compliance/data protection; Costs; Internal skill sets; Operational technology; Monitoring; Self-service; Policies; Configuration; Architecture design; Deployment.]
IAM Challenges
There is no single challenge that really stands out in the graph above in terms of how widely experienced it is, but there are two which polled noticeably more than others. The first of these is integration.
The typical complexity of enterprise architectures means that integration is one of the most significant challenges that businesses face across the board. How do you integrate and secure access to on-premises applications, databases and workloads alongside enterprise cloud applications and SaaS applications? Standardisation remains an aspiration and individual vendors often require their own systems for user authentication and management. When assessing IAM products and services, enterprises should look for one which is compatible with multiple integration technologies and can be managed from a single point.
The goal should be to integrate new applications with SSO and user management capabilities without spending hours on configuration. This has the benefit of making employees more productive and both cyber security and helpdesk teams happier as their call load reduces.
API tracking also constitutes part of the integration challenge. Centrally managed IAM should include the ability to control access to APIs if those APIs are not to become both a security and compliance risk.
Privileged user management was the second most frequently raised issue. Privileged Access Management (PAM) is a category of solutions in itself, but in this context should be viewed as part of a wider IAM solution. Privileged accounts are often targeted by hackers precisely because doing so saves them the effort of having to penetrate enterprise defences, and of course the still wide scale of remote working has made it easier for criminals to socially engineer and credential phish their way into these accounts.
Interestingly, the third most widely raised challenge was acceptance by staff. Similar challenges apply to customers – we’ve already touched on the issue of password fatigue from both an employee and customer perspective and the many security vulnerabilities it creates. The banking sector is an excellent example of one that uses MFA for both employees and customers alike.
However, demand for a frictionless user experience has been growing, as people in their capacity as employees and consumers rebel against all those bothersome passwords, hard tokens and cards. 85 per cent of the organisations we spoke with agreed to at least some extent that expectations for a frictionless user experience are higher than they were two years ago.
What does frictionless access look like? It could be in the form of an SSO where employees have all of their applications stored on a desktop and they simply click and go. It could also be a one-touch MFA solution such as fingerprint access to mobile phones or other wearables. It is a fairly widely accepted fact that passwords are inherently insecure as a means of access, so jettisoning them from the authentication process entirely makes it no less secure – rather the opposite.
The most comprehensive IAM solutions encompass passwordless authentication options such as email magic links. This goes more than a little way to resolving the employee buy-in challenge.
Conclusions – Consolidate to Integrate
Our research paints a picture of widespread, legacy IAM being in place alongside newer deployments designed to secure specific customer or partner access to applications.
Remote working and the likely hybrid working future have exacerbated the challenges that security teams face. 74 per cent agreed to at least some extent that the pandemic had increased the need for capable IAM solutions at their organisation. Security teams are struggling under the weight of a shortage of staff and an excess of processes and tools to manage, and some of these challenges relate directly to IAM.
Security teams are struggling to integrate multiple IAM solutions into SaaS, cloud and legacy on-premises applications. PAM is a worry given the frequency with which these accounts are now being targeted, and many organisations are struggling with user buy-in for IAM.
When assessing IAM vendors and solutions, enterprises should seek vendors offering open platforms and standards for other technology vendors – including public cloud vendors. This enables them to offer thousands of pre-built integrations from a single platform so that their customers can avoid reinventing the wheel every time they need to integrate new applications and systems. Not only does this bring IAM into line with flexible hybrid infrastructure, it also engenders the greater personalisation and reduced friction of user experience whilst reducing risk.
The illustration below shows us what the organisations involved in this research really value in an IAM solution. The most frequently mentioned factors such as suitability for hybrid environments, a seamless user experience and, above all, integration are all inextricably linked.
[Chart: factors listed: Suitable licensing models; Product roadmap and ongoing support; Technical support; Initial/ongoing costs; Absence of hidden costs; Focus on legal/fiscal compliance; Appropriate UK/EU focus; Sector-specific expertise; Investment in emerging technologies; Commercial flexibility/willingness to negotiate.]
About the sponsor
Okta is the leading independent identity provider. The Okta Identity Cloud enables organizations to securely connect the right people to the right technologies at the right time. With more than 6,500 pre-built integrations to applications and infrastructure providers, Okta provides simple and secure access to people and organizations everywhere, giving them the confidence to reach their full potential. More than 9,400 organizations, including JetBlue, Nordstrom, Siemens, Slack, T-Mobile, Takeda, Teach for America, and Twilio, trust Okta to help protect the identities of their workforces and customers.
