In today's digital landscape, where data breaches and cyber threats have become commonplace, safeguarding sensitive information has become paramount. As the pace of technology adoption continues to move at breakneck speed, the importance of robust cybersecurity measures has never been more critical. Among the various security challenges, managing and protecting user identities has emerged as a top priority. Consequently, the demand for effective Identity and Access Management (IAM) solutions is rapidly escalating.
IAM is a crucial aspect of modern-day digital security that involves the management of user identities and their associated access privileges to digital systems, applications, and resources. The IAM market is projected to be worth US$39.26 billion by 2030 as the digital landscape continues to evolve.
“Hybrid work is more common than ever and employees need secure access to company resources, whether they’re working on-site or remotely,” says Microsoft. “This is where IAM comes in. The organisation’s IT department needs a way to control what users can and can’t access so that sensitive data and functions are restricted to only the people and things that need to work with them.”
IAM encompasses the processes, policies, and technologies that enable organisations to control and secure access to their critical systems, applications, and data. It provides a framework to manage user identities, authenticate their access, enforce security policies, and monitor user activities across various platforms. With the proliferation of cloud services, mobile devices, and remote work arrangements, traditional perimeter-based security measures are no longer sufficient. IAM solutions provide a centralised approach to identity management, ensuring that only authorised individuals can access valuable resources, while minimising the risk of unauthorised access and data breaches.
Zero Trust, cyber hygiene, and the rise of identity-first security
Zero Trust is a security concept that has gained significant prominence in recent years and plays a crucial role in IAM. It shifts the traditional perimeter-based security model – which assumes trust within the network – to an approach that enforces strict access controls and verification for every user and device, regardless of their location.
In the context of IAM, Zero Trust extends the principle of "never trust, always verify" to user identities and their access privileges. It emphasises continuous authentication, authorisation, and validation of users throughout their entire session, rather than relying solely on initial login credentials. By adopting a Zero Trust approach to IAM, organisations can achieve greater granularity and control over access, reducing the risk of unauthorised access or lateral movement within the network.
As explained in a whitepaper by Okta, Zero Trust is not a novel concept or idea. “The industry has been discussing the reality of the shifting perimeter for nearly two decades, with origins back to the Jericho Forum. It has really only been within the last 5-10 years that we have finally reached a point where organisations are prioritising security strategy and technology has seen enough innovation to support the implementation of these new strategies,” it says.
“This was brought into sharp focus in 2020. The worldwide pandemic forced many organisations to shift operations to support remote work overnight, effectively dismantling traditional security models, accelerating the adoption of cloud technologies, and forcing the shift to support remote work outside the safety of a corporate network. As the world emerged from the pandemic, many organisations made the decision to continue to support a dynamic work model, meaning they must maintain flexibility while securing fully distributed workforces and hybrid working models.”
Marc Rogers, Okta’s Senior Director of Cybersecurity Strategy, explains that an ‘identity-first’ strategy is crucial: “Our security strategy is identity-first – on top of impeccable, basic security hygiene. Gartner has described identity-first security as ‘reaching critical mass’ in the past year, and this is mirrored in what we see in demand from our customers. The trend is not going away.”
“Our Identity-First research has shown that in the wake of the pandemic, identity and access management tools are increasingly important, whatever industry you work in,” adds Rogers. “The pandemic saw network perimeters become increasingly elastic for many companies – and, in many cases, these boundaries broke down altogether.”
In Rogers’ view, the traditional ways of thinking about security are no longer enough: “More than half of companies already adopt a model where a strategic approach to identity is at the centre of security architecture. This can ease the pressure on overworked support teams and, at the same time, limit the impact on productivity. Single Sign On and Multi-Factor Authentication solutions can help to ensure that security is not a time drain for workers.”
“Cybercrime is continually evolving, but cybercriminals are also fundamentally cheap by nature – if a method works, they will keep using it until it stops working. Large changes are expensive for criminal organisations, just as they are for legitimate ones. It is up to businesses to stay ahead of the game by investing in relevant technologies, stopping threats like ransomware before they can gather pace. However, it is also up to all of us to collaborate in creating an ecosystem that is designed to reduce the profitability of criminals and protect those victims less able to protect themselves, such as organisations that exist below the cybersecurity poverty line.”
A robust approach to identity management
Denis Dorval, Vice President, International (EMEA & APAC) at JumpCloud, comments that, despite large-scale cyberattacks filling the headlines and the growing emphasis on security in the boardroom, instilling good cyber hygiene into an organisation's culture remains challenging.
“As organisations increasingly rely on digital technology to manage day-to-day operations and take advantage of working on cloud and hybrid environments, IT admins handle a number of users, devices, and applications,” he says. “The doors for data and systems to exist anywhere and allow organisations to adopt work-from-anywhere practices also leads to cracks appearing, creating security risks for businesses.”
“Employees demand flexibility, operational efficiency from their IT stack, and robust security. Despite being widely accepted among CISOs and IT admins as the best threat mitigation strategy, the zero-trust framework is rarely implemented with this in mind. The patchwork of point solutions and MFA applications used in many modern businesses creates a headache of fragmented identities that IT admins struggle to manage centrally. The core ethos of "never trust, always verify" only adds friction to a user's day-to-day workload.”
Looking to the future, organisations should put identities at the heart of their IT security strategies, with IT departments moving away from patchwork solutions and on-premises Active Directory environments, Dorval concludes. “A robust identity and access management strategy is the most effective way to protect organisations’ wider attack surfaces.”