Anyone familiar with identity management knows that it can be extremely messy – lots of tactical tools, access policies, multiple data repositories, manual processes, etc. Furthermore, user authentication continues to be anchored by user names and passwords, making nearly every organization vulnerable to credential harvesting, identity theft, and cyber attacks.
These persistent IAM problems remain, even though identity management is becoming a bigger component of enterprise security. This is true because, as organizations embrace cloud and mobile computing, they lose some control over their IT infrastructure. As one CISO mentioned to me, “when we lose control in some areas we need to get better control over others as compensating controls.”
Thus, identity management is transitioning into a new security perimeter at many enterprise organizations.
ESG recently undertook a research project on the links between IAM and cybersecurity and published the results in a research report titled, A Cybersecurity Perspective on Identity and Access Management (note: I am an ESG employee). ESG discovered that 87% of enterprise organizations (i.e. more than 1,000 employees) say that the cybersecurity team has become more involved with IAM policy, process, and technology decisions and operations over the past two years.
Why the increased cybersecurity oversight of IAM?
- 36% said that the cybersecurity team had become more involved with IAM in order to improve risk management and security best practices.
- 36% said that the cybersecurity team had become more involved with IAM to better detect things like credentials theft, remote access, and illegitimate account provisioning often associated with cyber attacks.
- 33% said that the cybersecurity team had become more involved with IAM in order to improve regulatory compliance.
- 33% said that the cybersecurity team had become more involved with IAM because their organizations had opened more internal applications and services to external users.
- 31% said that the cybersecurity team had become more involved with IAM because of the increasing use of cloud and mobile computing by their organizations.
As CISOs gain more responsibility and oversight for IAM, ESG foresees a number of ramifications:
- Organizations will consider more enterprise IAM projects. Today’s tactical IAM is fraught with security vulnerabilities and operational overhead. Security requirements may serve as a catalyst for strategic multi-million-dollar IAM projects not seen since the 1990s. Vendors like CA, IBM, Microsoft, Oracle and RSA Security stand to benefit from this trend.
- Enterprises will become more open to cloud-based control planes. SaaS offerings for IAM (e.g. Centrify, Okta, Ping, etc.) may become more attractive as CISOs seek pragmatic solutions to unify the existing morass of point tools with a common cloud-based control plane.
- User name/password authentication is one of the first things to go. Everyone knows that user name/password authentication is a security nightmare, but it’s been way too expensive to replace this method with security tokens or smart cards in the past. Wide support for the FIDO specification and pervasive biometrics built into mobile devices may finally bury user name/password authentication for good.
- IAM skills become more valuable and rare. Enterprise organizations will look to hire IAM architects and engineers but quickly discover that these skill sets are as rare as a blue lobster. IAM service specialists like Accenture, E&Y, HP, PWC, and Unisys will bridge this gap and print money in the process.