The sudden explosion in remote work, increase in cloud adoption, and mix of new and ongoing data privacy requirements, combined with a never-ending barrage of phishing and ransomware attacks, are shaping IAM trends for 2021 and beyond as companies look to secure business-critical data from relentless adversaries and internal threats.
Carla Roncato, analyst at Enterprise Strategy Group, a division of TechTarget, shared her insights on five of the most pressing IAM trends companies should be aware of to best keep their users, data and organization as a whole safe.
1. Cloud IAM
The COVID-19 pandemic accelerated the cloud migration journey for many companies as the number of remote office employees multiplied overnight. Many organizations that relied on on-premises tools for IAM were forced to evaluate cloud-based options due to employees needing access from outside the traditional network perimeter.
“One future trend is around being able to orchestrate access across all clouds. It used to be that you had multiple data centers on premises and in different regions; now, you have different clouds,” Roncato said.
To accommodate the modern workplace that uses various cloud services, company focus today needs to be on cloud-managed IAM tools, which requires adopting products that work across multi-cloud deployments. For example, Ping Identity and Okta offer IAM products for public, private and hybrid cloud deployments.
Many vendors, Roncato noted, have also “verticalized” cloud IAM — meaning companies such as IBM, Google, AWS and Microsoft are tailoring their offerings to include industry-specific products. For example, financial services, healthcare and education have their own tailored IAM services available.
2. Continuous verification
Zero trust is what Roncato called a “permanent trend” for IAM. Companies that have not started down a zero-trust journey would be wise to start. One of the main tenets of the zero-trust model taking hold in enterprises today is continuous verification. Companies need to continuously confirm that the authorized user who initially logged in is still the same person for the whole of the session.
“Think, ‘I need to do a money transfer or I’m handling particularly sensitive data,’ and I still have the right to do it, but companies want to make sure that I didn’t step away from my machine and have someone else take over,” Roncato said.
IAM processes and policies must also go beyond verifying users to include continuous verification of machine and application identities. Behind the scenes, machines must authenticate to numerous services using digital certificates and keys. If malicious actors gain access to a machine — whether an application, VM or API, for example — they can compromise the certificates used to authenticate to another service. One famous example of this happening is the SolarWinds supply chain attack.
The increased need for continuous verification has resulted in many vendors entering the market to provide relevant services, as well as existing vendors updating their offerings. Continuous verification services and features include step-up challenges that require users to complete additional authentication; requiring users to reauthenticate after going idle for a set period; and establishing a baseline of normal behavior and repeatedly comparing current activity against it to find potentially anomalous behavior.
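The three features just listed can be combined in one session policy. The following is an added example, not code from the article or any vendor: the timeouts, the sensitive-action list and the sample sessions are assumptions constructed for illustration, and the "baseline" is simplified to the devices and networks a user normally logs in from.

```python
"""Added example (not from the article): a minimal continuous-verification
policy for an authenticated session. It models the three features the
article lists: step-up challenges for sensitive actions, re-authentication
after an idle period, and comparison against a per-user baseline (here:
the device and network the user normally logs in from). All names,
timeouts and sample sessions are constructed for illustration."""
from dataclasses import dataclass, field

IDLE_LIMIT_SECS = 15 * 60          # assumed idle timeout before re-auth
STEP_UP_MAX_AGE_SECS = 5 * 60      # assumed freshness of a strong factor
SENSITIVE_ACTIONS = {"transfer_funds", "export_customer_data"}

@dataclass
class Session:
    user: str
    last_activity: int            # unix seconds of last request
    last_strong_auth: int         # unix seconds of last MFA / step-up
    device_id: str
    ip_prefix: str                # e.g. "10.20."

@dataclass
class Baseline:
    known_devices: set = field(default_factory=set)
    known_ip_prefixes: set = field(default_factory=set)

def evaluate(session, baseline, action, now):
    """Return (decision, reason); decision is ALLOW, STEP_UP or REAUTH."""
    # 1. idle timeout: the person at the keyboard may have changed
    if now - session.last_activity > IDLE_LIMIT_SECS:
        return "REAUTH", "idle limit exceeded"
    # 2. baseline comparison: unfamiliar device or network is anomalous
    anomalies = []
    if session.device_id not in baseline.known_devices:
        anomalies.append("unknown device")
    if session.ip_prefix not in baseline.known_ip_prefixes:
        anomalies.append("unknown network")
    if anomalies:
        return "STEP_UP", ", ".join(anomalies)
    # 3. a sensitive action needs a recent strong factor, not just a login
    if action in SENSITIVE_ACTIONS and now - session.last_strong_auth > STEP_UP_MAX_AGE_SECS:
        return "STEP_UP", "strong factor too old for " + action
    return "ALLOW", "ok"

if __name__ == "__main__":
    base = Baseline({"laptop-1"}, {"10.20."})                # constructed baseline
    s = Session("alice", 1000, 0, "laptop-1", "10.20.")      # constructed session
    print(evaluate(s, base, "view_dashboard", now=1100))     # ALLOW
    print(evaluate(s, base, "transfer_funds", now=1100))     # STEP_UP
```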
3. Entitlement management
A longstanding fundamental in IAM is the principle of least privilege (POLP). It still rings true today but needs updating. POLP must now include machine and application identities. For example, applications can use a static access token that remains continually active and could be used by attackers who gain access to the application. Restricting an application’s access with POLP is critical to prevent privilege escalation and other attacks.
Monitoring access is also key to prevent privilege creep. Using methods such as just-in-time access provisioning, which monitors identities to ensure they have the proper privileges and only for as long as needed, is important. Access too often remains static, even though individuals aren’t static as they move vertically and horizontally within organizations.
Entitlement management is especially important as companies migrate to the cloud as any access rights on premises will shift to the cloud. “The big problem is you have all these on-premises systems that already have access rights, and then they get synchronized to the cloud. Cloud resources will have the same almost unrestricted access,” Roncato said.
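To make the contrast between standing access and just-in-time access concrete, here is an added example (not code from the article or any IAM product): a small entitlement ledger in which JIT grants lapse on their own and standing grants are flagged for review once they outlive an assumed maximum age. The principals, roles, timestamps and thresholds are constructed.

```python
"""Added example (not from the article): an entitlement ledger that grants
access just-in-time with an expiry, lets it lapse automatically, and reports
privilege creep (standing grants that have outlived their review window).
Principals, roles, timestamps and thresholds are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Grant:
    principal: str            # human or workload identity, e.g. "svc-billing"
    role: str
    granted_at: int           # unix seconds
    expires_at: Optional[int] # None means standing (static) access

class EntitlementLedger:
    def __init__(self):
        self.grants = []

    def grant_jit(self, principal, role, now, ttl_secs):
        """Time-boxed grant: access lapses without any manual revocation."""
        g = Grant(principal, role, now, now + ttl_secs)
        self.grants.append(g)
        return g

    def grant_standing(self, principal, role, now):
        """Static access, the pattern the article warns about."""
        g = Grant(principal, role, now, None)
        self.grants.append(g)
        return g

    def effective_roles(self, principal, now):
        """Roles held right now; expired JIT grants no longer count."""
        return sorted({g.role for g in self.grants
                       if g.principal == principal
                       and (g.expires_at is None or now < g.expires_at)})

    def creep_report(self, now, max_standing_age_secs):
        """Standing grants older than the allowed age: candidates for review."""
        return [(g.principal, g.role) for g in self.grants
                if g.expires_at is None
                and now - g.granted_at > max_standing_age_secs]

if __name__ == "__main__":
    led = EntitlementLedger()
    led.grant_jit("alice", "db-admin", now=100, ttl_secs=3600)   # constructed
    led.grant_standing("svc-billing", "s3-full", now=0)          # constructed
    print(led.effective_roles("alice", now=200))                 # ['db-admin']
    print(led.effective_roles("alice", now=100 + 3600))          # []
    print(led.creep_report(now=90 * 86400, max_standing_age_secs=30 * 86400))
```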
4. Decentralized identity
Decentralized identity involves using blockchain to enable self-sovereign identities for customers and employees. A decentralized identity uses the concept of an identity wallet to keep users’ personal data private from third parties when authenticating. Information from the wallet can validate a user’s age without revealing the user’s actual birthdate, for example.
Decentralized identity also reduces the need for users to have separate identities — for example, usernames and passwords — with each company, application and service with which they interact. On the business side, decentralized identity may reduce compliance issues for organizations since users manage their own data, not the company.
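The age check described above relies on selective disclosure: the issuer signs salted hashes of every claim, the wallet reveals only the claim a verifier asks for, and the verifier checks it against the signed digests. The following is an added example, not code from the article or any wallet product; the issuer key, claims and salts are constructed, and an HMAC stands in for the issuer's public-key signature so the demo stays standard-library only.

```python
"""Added example (not from the article): selective disclosure of a wallet
credential. The issuer signs only salted hashes of the holder's claims; the
holder later reveals the one claim a verifier needs ("age_over_18") and the
verifier checks it without ever seeing the birthdate. Issuer key, claims and
salts are constructed; an HMAC stands in for a public-key signature."""
import hashlib, hmac, json, secrets

ISSUER_KEY = b"constructed-issuer-key"   # stand-in for the issuer's signing key

def _digest(name, value, salt):
    # the per-claim salt makes hidden claims unguessable from their digests
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue_credential(claims):
    """Issuer: sign the sorted digests; hand claims and salts to the wallet."""
    salts = {name: secrets.token_hex(16) for name in claims}
    digests = sorted(_digest(n, v, salts[n]) for n, v in claims.items())
    signature = hmac.new(ISSUER_KEY, json.dumps(digests).encode(),
                         hashlib.sha256).hexdigest()
    wallet = {"claims": dict(claims), "salts": salts}
    credential = {"digests": digests, "signature": signature}
    return credential, wallet

def present(wallet, credential, reveal):
    """Holder: disclose only the named claims (value plus salt)."""
    disclosed = {n: (wallet["claims"][n], wallet["salts"][n]) for n in reveal}
    return {"credential": credential, "disclosed": disclosed}

def verify(presentation):
    """Verifier: check the signature, then that each disclosed claim matches
    a signed digest. Returns the accepted claims, or None on any failure."""
    cred = presentation["credential"]
    expected = hmac.new(ISSUER_KEY, json.dumps(cred["digests"]).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["signature"]):
        return None
    accepted = {}
    for name, (value, salt) in presentation["disclosed"].items():
        if _digest(name, value, salt) not in cred["digests"]:
            return None
        accepted[name] = value
    return accepted

if __name__ == "__main__":
    cred, wallet = issue_credential(            # constructed claims
        {"name": "A. Example", "birthdate": "1990-01-01", "age_over_18": True})
    print(verify(present(wallet, cred, ["age_over_18"])))   # {'age_over_18': True}
```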
5. Managed IAM services
Not all companies have the necessary budget or staff to deploy and manage IAM. This is where managed security service providers (MSSPs) can step in.
“Many companies recognize that they’re not identity experts,” Roncato said. “Identity is something that is continuous and needs to be handled like incident response.” By outsourcing IAM, she said, companies can offload tasks such as continuous verification, threat intelligence and account compromise to an MSSP that can more efficiently handle them.