We live in a world full of uncertainties and wake up to new data breaches on a daily basis. As applications and data proliferate in a cloud and mobile world, Identity and Access Management (IAM) must deliver more than ever, faster than ever, for businesses to succeed at building and maintaining trusted relationships and delighting customers at every interaction. We must get to a place where risk informs identity management services and authorization decisions in real-time to avoid our companies from being the next news headline. I call this Highly Leveraged IAM: the idea that identity being the center of every interaction that end users have with a company, IAM can not only provide the right access to the right user at the right time, but also the best user experience across a diverse set of protective layers and capabilities and can make these existing investments even more effective. The level of identity-centric maturity and scale of people, process and technology is equal to the degree of Highly Leveraged IAM.
In my last blog post I talked about the need for speed, automation and scale of IAM in . In companies where IAM is taken seriously and becomes “highly leveraged” the focus is two-fold. A highly leveraged IAM program will produce significant ROI for business and enable strategic business opportunities while minimizing risk.
Enable Strategic Business Opportunities
Desired business outcomes are generally diverse priorities from company to company, based on where they are in their IAM journey. Common business priorities may include any of the following, but are typically limited to the top two or three in any given year. (emphasis my own)
- Customer experience
- Speed to market
- Cost reduction
- Cloud strategy
- Mobile device management
Companies who have invested millions in their legacy IAM systems are waking up to the reality that cloud computing and BYOD are forcing a major re-think of strategy and architecture that is required to address user experience and security requirements in today’s federated world.
Risk Driven IAM
Today, a new breed of cloud security companies called cloud access security brokers (CASB) are growing up to be much more than an added layer of detective controls for monitoring user activity in the cloud. With CASB services, Identity-as-a-Service (IDaaS) providers are able to add innovative ways (E.g. contextual multi-factor or step-up authentication) that reflect and enforce the maturity and sophistication of the CASB with whom it has integrated.
Noteworthy alliances and acquisitions that have materialized in the last year include:
- Ping Identity’s Identity Defined Security Alliance which includes Netskope, VMware, ThreatMetrix and Optiv, and of course, Ping
- Microsoft’s acquisition of Adallom and Aorato
- Cisco’s acquisition of CloudLock (which includes alliances with Okta, OneLogin, RSA, Box, and others)
- Palerra, recently acquired by Oracle, has integrations for Microsoft O365, AWS, GitHub, Salesforce, Okta, ServiceNow, Fortinet and Rackspace
- Radiant Logic’s integration with CyberArk
These alliances continue to increase and evolve at a dynamic pace until IAM ceases to exist as a stand alone appliance, but rather an integrated ecosystem that is made highly secure through integrations and acquisitions. This approach to making apps and data safer through integrated IAM and CASB services will deliver unprecedented visibility into user activity and when a violation to a policy occurs, which is one of the first steps towards achieving highly leveraged IAM.
To continue towards this mature leveraged state, superior security, efficiency and scalability must also be achieved in order to realize the biggest ROI that can be realized from investments in next generation of IAM.
Risk & Threat Services
As CASB’s drive far beyond a minimum viable product to enhance the security and efficiency of a customers IDaaS and SaaS environments, a new crop of companies are sprouting up behind to support and enhance a CASB’s offering in the marketplace. Take for example the vast amount of data produced by a security researcher who may amass a rather large set of compromised credentials from the dark web and other sources, and putting an API front end on it that can be called by a CASB or an IDaaS to further enhance the security and speed for quickly identifying and mitigating compromised accounts before falling into the hands of bad actors.
I see the evolution of CASB and IDaaS to include integrations with (and yes, even acquisitions) the services provided by such a company (see Vericlouds) that provides efficient corrective measures for stolen passwords and compromised accounts.
With knowledge of recently compromised accounts, a CASB or an IDaaS service provider can orchestrate the full remediation from notifying the end-user, to forcing step-up authentication and automating the logging of a ticket in a company’s helpdesk system. Backed with additional threat services such as machine learning, security configuration management and threat intelligence (E.g. FireEye, Anomali) the next generation of IAM stands in the path of being reimagined with the inevitable outcome being more intelligent and comprehensive than anything we have seen in the past.
The Next Generation
As mentioned above, one of the main goals of any IAM program needs to be a stakeholder centric approach to align with the business and achieve desired business outcomes. Secondly, highly leveraged IAM dramatically improves risk identification and mitigation. The transformation of business with IAM will enable a balanced approach:
- From reactive to proactive
- Risk orientated, and
- Integrated with CASB & GRC
The move from purely detective and preventative controls to integrated policy enforcement and a full range of corrective controls at the application or service end-point will ensure that the next generation of IAM is secure by default. Let’s join together in one accord to define and execute on bringing highly leveraged IAM to your organization. The stakes are quite high, and the payoff is huge!
To continue in the conversation, join the Highly Leveraged IAM group on LinkedIn.
Forte Advisory is an information and consulting company helping transform business by building trust, reducing operational risk and improving user experiences. Our team consists of industry veterans with proven results implementing global IAM systems, security programs for network security, endpoint & data protection, privilege access and identity management.
Photo Credit: StockFinland