Exploring (and explaining) the critical capabilities of Identity and Access Management

Gartner is widely regarded as an authority on the technology sector. Where cybersecurity is concerned in particular, it is one of several firms that essentially defines the landscape and the market. 

Gartner’s 2022 Critical Capabilities of Identity and Access Management report, published in November, provides a lot of valuable insights into the industry. 

While there’s undeniably important information contained within that report, it isn’t particularly easy to parse without a technical background. That’s where we come in.

We’ll explore each of the major talking points (each of the critical capabilities of IAM) and explain them in simpler terms, including why they’re important and what they mean for your business.

Workforce Identity vs. Customer Identity and Access Management (CIAM)

CIAM and workforce identity, also known as IAM, are two similar but different frameworks that secure access to IT systems, resources, and user accounts. Both share similar technologies, such as Single Sign-On (SSO), Multi-Factor Authentication (MFA), and identity behaviour monitoring. 

Additionally, both CIAM and workforce identity lay the groundwork for the zero-trust model. Both recognize that the enterprise perimeter is no longer a concrete boundary confined within four walls. Instead, the modern enterprise architecture is a collection of SaaS platforms, APIs, and third-party access.

However, CIAM and workforce identity management are fundamentally different in their core goals, despite sharing similar technologies. CIAM strives to enhance the end-user experience, cut down or eliminate fraud, and record consent to privacy policies. Conversely, IAM focuses on better user provisioning, more secure authentication, and robust universal directories.

Why This Matters

Both IAM and CIAM are critical to managing internal and external identities. CIAM is not only necessary for consumer-facing businesses; even B2B operations will need a secure way to handle partners and clients.

Ultimately, the move to zero trust architecture is the next significant step for enterprises to improve security at every level. Embracing CIAM and workforce identity management is a necessary step toward embracing zero trust.

 

Connecting to Directory Services

This feature is one of the pillars of IAM, allowing a platform to manage both internal and external identities while also synchronizing those identities through the SCIM open standard. It’s important to note that in a modern context, these identities are not solely limited to human users. Physical devices, IoT devices, services, applications, automated processes, and scripts may also possess their own identities.

Why This Matters

As noted by our partner ForgeRock, directory services are essentially databases that store business-critical information such as credentials, authentication preferences, application data, and device information. It follows, then, that if an IAM platform cannot securely integrate with directory services or manage its own, it may as well be non-functional. 

 

Access Administration

Access administration can be divided into two segments: internal and external. Internal access administration covers onboarding, provisioning, password management, profile management, lifecycle management, and general administration for employees. External access administration encompasses very similar functionality for external users, while also supporting federation with third-party identity providers, third-party credential management (bring your own identity, or BYOI), and consent management. 

Why This Matters

Administration is all about keeping your organization in control: of its systems, its assets, and its ecosystem. Without the ability to directly manage users, particularly provisioning and deprovisioning, your organization’s identities spiral into chaos. Picture an organization where every single user account is a domain administrator, and you have a good idea of how that might look. 

 

Developer Tools

Developer tools, as the name suggests, allow an IAM platform to support open standards, application programming interfaces (APIs), and documentation. Some IAM tools also provide software development kits (SDKs). There’s also an increasing trend towards low-code or no-code development tools. 

Why This Matters

If your organization wants to embed IAM controls into an internally developed application, it needs an IAM platform with built-in development tools. 

 

Authorization and Adaptive Access

Simply put, adaptive access allows an IAM solution to manage and modify policies, controls, and access decisions based on contextual data. This enables a more dynamic and flexible approach to access management. More advanced solutions may also integrate features such as behavioral analysis and fraud detection. 

Why This Matters

In today’s threat landscape, risk is no longer static. Without the capacity to flexibly and automatically assess risk, you have no option but to apply access controls and decisions uniformly, without regard for context. In a world of distributed work and sprawling digital supply chains, that’s a dangerous prospect.
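As an added example (not from the Gartner report or any vendor's product), the Python below turns the contextual signals described above into a risk score and an access decision: allow, step up to MFA, or deny. The AccessContext fields, signal weights and thresholds are assumptions chosen for illustration.

```python
# Illustrative adaptive-access policy evaluator (added example, not any
# product's code). It scores the context of a login attempt and maps the
# score to a decision: allow, step up to MFA, or deny. Weights and
# thresholds are assumptions chosen for illustration.
from dataclasses import dataclass

@dataclass
class AccessContext:
    user: str
    device_managed: bool          # device is enrolled in corporate management
    country: str                  # geolocated country of the request
    home_country: str             # country the user normally works from
    new_ip: bool                  # source IP never seen before for this user
    failed_logins_last_hour: int  # recent failures against this account
    resource_sensitivity: str     # "low", "medium" or "high"
    hour_utc: int                 # hour of day of the request, 0-23

def risk_score(ctx: AccessContext) -> int:
    """Sum contextual risk signals into a single score (higher is riskier)."""
    score = 0
    if not ctx.device_managed:
        score += 30
    if ctx.country != ctx.home_country:
        score += 25
    if ctx.new_ip:
        score += 15
    score += min(ctx.failed_logins_last_hour, 5) * 5  # cap the brute-force weight
    score += {"low": 0, "medium": 10, "high": 20}[ctx.resource_sensitivity]
    if ctx.hour_utc < 6 or ctx.hour_utc >= 22:  # outside normal working hours
        score += 10
    return score

def decide(ctx: AccessContext) -> str:
    """Map the score to an access decision; highly sensitive resources
    always require at least a step-up, whatever the score."""
    score = risk_score(ctx)
    if score >= 70:
        return "deny"
    if score >= 30 or ctx.resource_sensitivity == "high":
        return "step_up_mfa"
    return "allow"

if __name__ == "__main__":
    # Constructed sample: unmanaged laptop, usual country, unseen IP, medium data
    sample = AccessContext("alice", False, "DE", "DE", True, 0, "medium", 14)
    print(risk_score(sample), decide(sample))  # 55 step_up_mfa
```

The same request from a managed device and a known IP scores 10 and is allowed, which is the point of adaptive access: the policy, not the user, absorbs the difference in context.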

 

SSO and Session Management

Session management allows your organization to exercise global control over session times and access tokens. Single Sign-On (SSO) is closely related to session management, allowing a user to authenticate to an entire suite or collection of applications with a single login.

Why This Matters

This capability matters for two reasons. First, SSO makes security and authentication significantly less painful for users, consequently making them less likely to try circumventing your organization’s security controls. Session control, meanwhile, can greatly reduce overall risk. 

As an addendum, this also applies to deployment and administration: a system that’s difficult to use and integrate is hardly worth the effort.
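The session and SSO behaviour described above, as an added illustrative example rather than any vendor's code: one authenticated session issues short-lived per-app tokens, and the session's idle timeout, absolute lifetime, or a global revocation (for example at deprovisioning) invalidates every token at once. The timeout values and class names are assumptions.

```python
# Illustrative SSO session store (added example, not any vendor's code). Apps get
# short-lived tokens from one session; its timeouts or revocation end them all.
import secrets

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session ends
ABSOLUTE_LIFETIME = 8 * 3600  # seconds after login before re-authentication
TOKEN_LIFETIME = 5 * 60       # per-app access tokens are short-lived

class SessionManager:
    def __init__(self) -> None:
        self.sessions: dict[str, dict] = {}   # sid -> user/created/last_seen/revoked
        self.tokens: dict[str, tuple] = {}    # token -> (sid, app, expiry)

    def login(self, user: str, now: int) -> str:
        """Called only after the user has authenticated (e.g. password + MFA)."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now, "revoked": False}
        return sid

    def session_valid(self, sid: str, now: int) -> bool:
        s = self.sessions.get(sid)
        if s is None or s["revoked"]:
            return False
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_LIFETIME:
            s["revoked"] = True  # the session has ended and cannot be resumed
            return False
        s["last_seen"] = now  # activity extends the idle window, never the absolute one
        return True

    def issue_token(self, sid: str, app: str, now: int):
        """SSO: any app gets a token from the one session; None if no live session."""
        if not self.session_valid(sid, now):
            return None
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (sid, app, now + TOKEN_LIFETIME)
        return tok

    def check_token(self, tok: str, app: str, now: int):
        """Return the user if the token is for this app, unexpired and its session is live."""
        sid, tok_app, expiry = self.tokens.get(tok, (None, None, 0))
        if sid is None or tok_app != app or now > expiry or not self.session_valid(sid, now):
            return None
        return self.sessions[sid]["user"]

    def revoke_user(self, user: str) -> int:
        """Global logout, e.g. on deprovisioning: ends every live session of the user."""
        victims = [s for s in self.sessions.values() if s["user"] == user and not s["revoked"]]
        for s in victims:
            s["revoked"] = True
        return len(victims)
```

Because every token check consults the session, revoking the session is enough to cut off all applications; without that link, a deprovisioned user's outstanding tokens would keep working until they expired.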

 

User Authentication

User authentication is precisely what it sounds like. It’s how the IAM platform identifies and grants access to legitimate users. In addition to standard credential-based authentication, this includes multi-factor authentication (MFA). 

Why This Matters

Every organization, no matter its market or industry, should incorporate MFA into its login processes. The additional layer of security it adds on top of usernames and passwords can often prevent an account from being compromised, and thereby prevent a data breach.

 

API Access Control

Essentially, this feature controls authentication and authorization to an API rather than a network, device, or application. As you’ve likely guessed, this functionality is largely geared towards application developers. 

Why This Matters

By applying IAM controls to an API, the API’s owner can ensure that only users with legitimate credentials are granted access. This enables much finer, more granular control over who can leverage your resources and how. 

 

Application Enablement

Another critical foundation of IAM, application enablement allows access, SSO, and authentication to both standard SaaS applications and non-standard legacy applications. In some cases, IAM platforms that support non-standard application enablement may also support servers, VPNs, and network devices. Standard application enablement leverages protocols such as OpenID Connect and SAML.

Why This Matters

Simple — if your IAM tool doesn’t support application enablement, then you can’t use it to manage authentication or authorization to any of the apps or systems your business uses. 

 

Analytics & Reporting

This capability actually encompasses several distinct features. 

  • Record and orchestrate data about all events on an IAM platform, including both access and administration. 
  • Apply diagnostic, predictive, and prescriptive analytics to gain deeper usage insights. 
  • Audit access and identity access logs and generate custom reports. 

Why This Matters

You can’t stop what you can’t see. In addition to providing visibility into the operations of your IAM platform, analytics & reporting functionality plays a critical role in digital forensics — if the worst happens and you suffer a breach, it can help you determine how. Lastly, auditing and reporting functionality is required in certain industries. 

 

Security & Resilience

How well does the IAM platform protect itself against targeted attacks? What features does it have in place to detect threats, ensure operational resilience, and protect credentials? What does the vendor know about cybersecurity? 

Why This Matters

Threat actors have targeted Active Directory, the primary directory service in most larger organizations, for over two decades. They know that if they can compromise it and gain access to the identity information it contains, they have carte blanche to do whatever they want. 

It follows that they would apply the same logic to IAM tools. 

 

Safeguarding Identity

There was a time when corporate networks were relatively simple, walled off from the outside world by firewalls and authentication controls. Those days are long behind us. In a world defined by distributed work and digital interconnectivity, the old methods of authentication and access management are obsolete — you can no longer rely on devices, usernames, or passwords alone.

You need to manage identities and policies. You need IAM. And we can help you find the right tool for your organization.

Interested in learning more about Agile Development for IAM Solutions? Download our eBook today!