IAM Leaders: Plan to Adopt These 6 Identity and Access Management Trends

February 17, 2022

Contributor: Laurence Goasduff

Use these identity and access management (IAM) trends to further evolve your roadmaps and architecture.

The fast pace of change across technologies, organizational priorities, user expectations, business opportunities and risks requires identity and access management (IAM) architectures to be more flexible. Furthermore, as digital business relies on digital trust, which is enabled by IAM, security and identity are, more than ever, an essential foundation of an organization’s business ecosystem. 

“It is critical for security and risk management leaders to architect more flexible IAM infrastructure and for IAM teams to partner with other functions to meet changing organizational requirements,” says Mary Ruddy, VP Analyst at Gartner. “Evolve your IAM deployments to better fit the changing needs of your organization by taking into consideration six key IAM planning trends."

Learn more: Streamline your tech purchase, from start to finish, with Gartner BuySmart™.

No. 1: Connect anywhere computing will further drive need for smarter access control

The transition to more remote, connected anywhere computing is placing greater demands on access management deployments. Access management platforms must become increasingly sophisticated to differentiate between valid users and malicious bots or fraudsters without annoying legitimate users.

Download eBook:The Top 3 Strategic Priorities for Security and Risk Management

In addition, organizations need to weave support for multiple options for user and device access as well as multiple generations of digital assets into a flexible modern identity infrastructure (identity fabric). To reduce risk, implement best practices, such as multifactor authentication (MFA), zero-standing privileges and zero-trust architecture, if these are not already fully deployed.

Require MFA for all privileged access and ensure that MFA vendors support all needed use cases, such as voice, biometrics, phone-as-a-token and smart cards. In addition, leverage adaptive access control, a context-aware access control that acts to balance trust against access risk, as a key element of zero-trust architecture.

No. 2: Improving user experience for all users will be essential for secure digital business

With the number and importance of digital interactions increasing, the bar continues to rise on providing a great total user experience. Gartner estimates that by 2024, organizations that do so will outperform competitors by 25% in satisfaction metrics for both customer and employee experience.

Organizations should create a cohesive strategy for all external users (consumers, business customers and partners). For example, align IAM priorities with both business and IT priorities, deliver an omnichannel experience, and unify customer profile data.

In parallel, apply a zero-trust approach to your organization’s digital supply chain by, for example, providing end-to-end security and privacy protection of customer data and other digital ecosystem resources. In addition, empower privileged users without sacrificing security by creating an identity for remote privileged users, which authenticates them every time they intend to perform administrative tasks or privileged operations. Then use a shared account that is controlled by a privileged access management (PAM) tool.

Learn more: Your Ultimate Guide to Cybersecurity

No. 3: Keys, secrets, certificates and machines will require more attention

The surge of the number of machines and their usage in hybrid and multicloud environments is forcing organizations to reframe their IAM strategies. 

Raise the bar on secrets, keys and certificates. Consider establishing a fusion team that gathers requirements, provides leadership, defines ownership, lays out guidance and sets reasonable expectations. Determine the machine identities your organization is using and categorize them into two groups: devices and workloads. Find organizational and technical ways for your IAM teams to integrate different teams' tools of choice.

In addition, as adoption of robotic process automation (RPA) is increasing rapidly, it is important to manage software robot identities and govern their access. Start by defining best practices and guiding principles for how to integrate RPA tools into the identity fabric, and treat RPA’s software robots as another workload that needs a machine identity. 

No. 4: New applications and APIs will need to leverage the latest IAM development guidelines

Also ensure that new applications from all sources are securely developed, sourced and onboarded. To do so, implement API access control — authentication and authorization of APIs — which is a vital part of API security, together with API discovery and API threat protection. To be successful, define its strategy and establish a cross-functional team that involves practitioners, such as developers, DevOps teams, cloud, security and IAM, to help establish the right guardrails and API access control guidelines.

In addition, the move to zero-trust strategies is placing even more pressure on having good SaaS application/tool acquisition and onboarding processes. To ensure alignment across the entire application life cycle, improve coordination between your software acquisition teams (both central and divisional) and your IAM teams.

No. 5: Hybrid cloud and multicloud will drive ongoing IAM architecture maintenance/evolution

As organizations move more digital assets to decentralized multicloud environments and operate in a hybrid IT environment, it is critical to add mature automated compensating controls. 

Integrate identity governance and administration (IGA), PAM and cloud infrastructure entitlement management (CIEM) solutions for consistent management and governance of identities and entitlements across all environments. PAM and IGA integration is essential in securing and managing access to on-premises and cloud environments, where long-standing privileged accounts still exist. CIEM offerings ensure that access to cloud infrastructure endpoints is actively controlled. CIEM tools use analytics and machine learning to detect anomalies in account entitlements, such as dormant and excessive entitlements.

Creating a “single pane of glass” is not yet practical when managing identity in a multicloud environment. Instead implement a single overarching framework for multicloud IAM that centralizes some functions, but leaves room for native tools, which is both achievable and desirable.

No. 6: IGA functions will evolve to enable decentralized architecture

The accelerated pace of digitalization and cloud adoption requires more support, including for identities in hybrid IT environments, identities in multiple cloud platforms and machine identities. 

This drives the need for evolving IGA capabilities to align with a cybersecurity mesh architecture. This evolution involves establishing an identity fabric using a standards-based connector framework across multiple computing environments, so that the organization can answer the question of who has access to what regardless of where the resources and users are located. Provide better management and orchestration of access policies, and use cloud identity analytics for continuous governance.

Identity analytics can predict what resources users have access to, see how they are using their access rights, track unusual user behavior and initiate a remediation action to address behavior anomalies, thus reducing overall risk for the organization.

In short:

  • Ongoing macroeconomic, organizational and technology changes are leading to disjointed architectural decisions.
  • Organizations must evolve their identity and access management (IAM) infrastructure to be more secure, resilient, composable and distributed and keep up with ever-changing demands.
  • Leverage these six trends to further mature your IAM roadmaps and architecture.

Experience IT Security and Risk Management conferences

Join your peers for the unveiling of the latest insights at Gartner conferences.