The growing scope and complexity of modern identity environments are becoming too difficult to manage in the usual ways, requiring IT leaders to evolve their identity and access management (IAM) environments. Ahead of Gartner Identity and Access Management Summit 2018, Smarter With Gartner reached out to experts presenting at the event to ask them what the upcoming IAM trends are and how IT leaders should prepare.
Evolving IAM systems
The move to the cloud, the adoption of microservices architectures, the digitalization of the modern world and the resulting growth in cyberthreats continue to expand the use cases for IAM. “To meet these new challenges, IT leaders must evolve their IAM systems,” says Mary Ruddy, research vice president at Gartner. She offers four ways to do so:
- Integrate more closely with security and fraud systems. Compromised identity credentials continue to be a major element in data breaches. The number of these breaches, including identity-related fraud (such as account takeovers), is growing.
- Support higher levels of automation and communication between IAM modules. This includes access management, identity governance and administration, and privileged access management.
- Incorporate a development security operations (DevSecOps) approach. This requires a change in organizational mindset, and is especially important for organizations developing their own applications and services.
- Implement customer data management policies that are more respectful of customer consent and preferences. This is necessary to meet new and expanding privacy regulations and evolving customer expectations.
See Mary Ruddy at her IAM Summit sessions:
- Gartner Opening Keynote: The Future of Identity and Access Management in 2019 and Beyond
- Consumer IAM and GDPR: Giving Consumers Control of Their Data
“The number of identities for people, things, services and robotic process automation bots keeps growing,” says Gartner senior director Homan Farahmand. “And the walls between identity domains are blurring IAM architecture.”
Farahmand adds that the underlying technologies are due for a radical transformation in the coming years to leverage the accelerating pace of digitalization and deeper privacy and compliance requirements, such as the EU’s General Data Protection Regulation.
Blockchain-enabled identities and decentralized identity are forcing IAM systems to allow users to create, prove (via trusted third parties), and register their own identity and related relationship identifiers to utilize digital services. “For organizations, this will reduce their costs and operational risks by eliminating the need for siloed/replicated identity repositories and data,” says Farahmand. “Gartner estimates decentralized identity services to be generally ready for broad production scenarios in 2020.”
See Homan Farahmand at his IAM Summit sessions:
- Architecting Privileged Access Management for Cyberdefense
- How Decentralized Identity Can Be Disruptive
Next-generation adaptive access services
One of the most pronounced trends in IAM today is the ubiquitous use of analytics. “Whereas traditional adaptive authentication was rule-based, the next generation of adaptive access services combines rules with machine learning and advanced analytics,” says Paul Rabinovich, senior director at Gartner. “Rules are useful but limiting. You may not have thought of all possible scenarios.”
For example, unsupervised learning is good at anomaly detection. An organization can establish a baseline for a user or a group of “similar” users, and it can detect that today the user is behaving differently and take corrective action.
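The layering described above (static rules plus a per-user behavioral baseline that triggers corrective action) can be sketched as follows. This is an added example, not code from Gartner or any product: a simple frequency baseline stands in for the unsupervised model, and the login history, the blocked-country code `ZZ`, the thresholds and all function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed login history: (user, hour of day 0-23, country code).
HISTORY = [("alice", h, "DE") for h in (9, 10, 9, 8, 11, 10)] + \
          [("carol", h, "US") for h in (23, 0, 23, 1, 0)]  # night-shift user
BLOCKED_COUNTRIES = {"ZZ"}   # hypothetical static rule (placeholder code)
MIN_SAMPLES = 5              # below this there is no usable baseline

def build_baselines(history):
    """Group past logins per user: observed hours and countries."""
    base = defaultdict(lambda: {"hours": [], "countries": set()})
    for user, hour, country in history:
        base[user]["hours"].append(hour)
        base[user]["countries"].add(country)
    return dict(base)

def hour_distance(a, b):
    """Circular distance on a 24h clock, so 23:00 and 00:00 are 1 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def anomaly_score(baseline, hour, country):
    """0.0 = matches the baseline, 2.0 = unusual hour and unseen country."""
    near = sum(1 for h in baseline["hours"] if hour_distance(h, hour) <= 1)
    hour_rarity = 1.0 - near / len(baseline["hours"])
    new_country = 0.0 if country in baseline["countries"] else 1.0
    return hour_rarity + new_country

def decide(baselines, user, hour, country):
    """Rules first, then the learned baseline; returns allow/step_up/deny."""
    if country in BLOCKED_COUNTRIES:          # rule-based layer
        return "deny"
    baseline = baselines.get(user)
    if baseline is None or len(baseline["hours"]) < MIN_SAMPLES:
        return "step_up"                      # cold start: no baseline yet
    score = anomaly_score(baseline, hour, country)
    if score >= 1.5:
        return "deny"
    return "step_up" if score >= 0.5 else "allow"

if __name__ == "__main__":
    b = build_baselines(HISTORY)
    for attempt in [("alice", 10, "DE"), ("alice", 3, "DE"), ("alice", 3, "BR"),
                    ("carol", 0, "US"), ("bob", 10, "DE")]:
        print(attempt, "->", decide(b, *attempt))
```

A user with no history gets a step-up challenge instead of a silent allow, and the night-shift user is not flagged at midnight because hours are compared on a circular clock.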
See Paul Rabinovich at his IAM Summit sessions:
- Application Migration to the Cloud Requires a Strong IAM Strategy
- Cloud-Based MFA Is Ready for Prime Time
- Active Directory: Eliminate Your Technical Debt and Move On
Privileged access management (PAM)
The good news is that IT leaders can quickly realize value with PAM controls by reducing the attack surface. However, reduction doesn’t necessarily mean elimination, as privileges are hidden everywhere: in administrative accounts, system/service accounts, containers, devices and code. Tackling this requires finding and managing accounts, alongside rethinking the operational model for privileged access overall.
“Organizations make the mistake of assuming they can manage privileged access in the same way they manage regular access,” says Felix Gaehtgens. “Instead they must think about the five ‘W’s’ of privileged access — who, when, where, why and what — and adopt a new operational model for PAM, one that emphasizes purpose-driven, just-in-time privileged access.”
See Felix Gaehtgens at his IAM Summit sessions:
- Manage Privileged Access to Reduce Security Risks and Increase Agility
- Plan for Success With Identity Governance and Administration
- The Five-Step Approach on How to Choose IAM Solutions
Evolution of IAM leadership
“As digital transformation places new significance on reinvention, successful IAM leaders will collaborate with others in the business to orient people and resources, and ensure that the IAM vision reflects new business goals,” says Gartner senior director Kevin Kampman.
See Kevin Kampman at his IAM Summit sessions:
- Keynote: The IAM Magic Quadrants and Critical Capabilities
- What’s Your IAM Vision and Strategy?