Identity and Access Management (IAM) has always been a critical technology for the enterprise.
Yet COVID-19 somehow made it even more essential as businesses sought to support distributed work and cloud adoption in the face of an increasingly sophisticated threat landscape.
As the world continues to embrace digital transformation, the IAM market will continue to grow, reaching an estimated $34.52 billion USD globally by 2028.
So, what’s driving the rise of IAM? The trends defining this growth are many and varied, ranging from user expectations and emerging technologies to sociopolitical factors. In this article, we’ll tackle a few of the biggest trends we see driving IAM forward.
Digital Identification for Digital Lives
During the pandemic, contactless payments and virtual currency became the norm for retail. People increasingly lived their lives online, connecting with one another via platforms like Zoom. Even once the pandemic ends, this digitalization will remain.
And as more people continue to embrace it, we will need to change how we approach and understand identity.
We’re already seeing this to some extent with banking. The Bank of Canada, for instance, is exploring the development of a new type of currency. Known as Central Bank Digital Currency, it would be issued either as a response to widespread adoption of private digital currency or the inability of Canadians to access and use cash.
Such currency could even be programmable. Funds in an account holder’s wallet might be tied directly to them, making theft or fraud considerably more difficult. Money given by certain programs could be coded to only be spendable on approved categories like food or housing.
Identity remains the underlying issue here. Achieving something of this scope and scale would require some sort of national, government-approved digital ID. The ramifications of this go far beyond banking.
On the one hand, digital ID is immensely beneficial to businesses, which have easier access to credit data, virtual transactions, and demographic information. Digital ID will also make it easier to onboard new vendors, employees, and partners while also enabling better personalization for customers. The challenge lies in managing all of this information.
Businesses will need a means of securely managing and organizing these digital IDs, a fact which will necessitate more effective, robust federation, authorization, and provisioning.
Zero Knowledge Proof
Multiple social networks and online services over the years have flirted with requiring real-world information, with varying levels of success. The central concern raised time and again is the scope of requested data. We’re encouraged — perhaps even expected — to overshare, potentially showing details about our personal lives to the entire world.
This not only makes it easy for bad actors to collude and sell personally-identifiable data online, but also opens up a potential hornet’s nest. The Internet is brimming with examples of what happens when its less savory elements obtain details like a person’s home address. We’ve seen everything from stalking to life-threatening practical jokes to devastating harassment campaigns to outright murder.
The concept of Zero Knowledge Proof (ZKP) represents a solution to this problem. The basic idea is that when you’re asked for verification, you’ll provide the bare minimum amount of required data. Let’s say, for example, you go to a bar for a drink.
Traditionally, you’d need to present your ID, which includes everything from your address to your date of birth. Under a ZKP framework, a trusted third party would simply tell the bar that you’re over eighteen. Bar staff wouldn’t necessarily even need to know your name.
ZKP could also extend to authentication for everything from online banking to network access, greatly streamlining IAM in the process.
Blockchain represents arguably the best way to ensure ZKP through a concept known as decentralized identity. The basic idea is that everyone would have their own ‘identity wallet’ that could be used for authentication without revealing anything the user doesn’t want known about themselves. On a more macro level, decentralized identity also eliminates the need for separate identities between applications and services.
A user could seamlessly leverage their identity wallet for every business with which they interact. On the enterprise side of things, allowing users to manage their own data and personas makes for easier compliance and authentication. With that said, analyst Gartner rightly notes that IAM capabilities will need to evolve so that they align with a cybersecurity mesh architecture.
Identity is a great fit for blockchain technology no matter how you look at it. However, in order to enable it, we must first topple existing constructs and concepts. That means moving away from how we currently perceive identity — a shift which will likely take a great deal of time.
The Intersection of Identity and Zero Trust
IAM and Zero Trust go hand-in-hand. Identity-based authentication is not only more efficient than purely device-based authentication, it’s also more effective at verifying a user is who they claim to be. Linking a user to the devices they typically use, the locations from which they typically log in, and the behaviors they typically display makes continuous authentication far easier to accomplish.
Many IAM platforms have already evolved to include device and information management capabilities — the capacity to link each user to a semantic network of data regarding who they are and how they work. This evolution will continue as more and more businesses adopt Zero Trust.
Passwordless Authentication Continues to Gain Ground
The fact that password-based authentication is outdated and insecure is widely-known. Security experts have been calling for an end to passwords for years. Solutions like multifactor authentication currently exist largely as a band-aid for the inherent weaknesses of usernames and passwords.
Passwordless authentication, we’re told, is the future of cybersecurity, a future guided largely by IAM. Unfortunately, accessible alternatives have typically been few and far between. Methods such as biometric or location-based authentication, while valuable, have proved insufficient on their own.
It’s through the exploration of trends such as decentralized identity that we find a possible solution. A user that authenticates through an immutable, unassailable asset like a digital identity wallet has little need for a username and password. Multifactor authentication again provides an extra layer of verification, and the entire system is considerably more secure than it would be with passwords.
A Poor User Experience is No Longer Acceptable
User experience is a cornerstone of effective cybersecurity, and has been for quite some time. This applies equally to IAM solutions. With digital interactions and identity management becoming increasingly prominent in our professional lives, businesses that offer a poor user experience will find themselves falling progressively further behind.
Gartner predicts that by 2024, organizations that provide a great overall experience will outperform competitors by 25% in satisfaction for both customers and employees. That translates to better productivity, increased revenue, and reduced turnover. For IAM specifically, Gartner recommends the following:
- Align your IAM priorities with both business and IT goals.
- Create a distinctive identity for remote privileged users that authenticates every time they perform an administrative task or privileged operations.
- Use a shared account controlled by a privileged access management (PAM) tool.
The Need for Smarter Access Control
Humans are no longer the only users that require authentication in an enterprise environment. As robotic process automation and artificial intelligence continue to evolve, software-based robots are becoming as much a part of the identity landscape as flesh-and-blood employees. Factor in the continued prominence of distributed work, and IAM vendors have their work cut out for them.
Their solutions will need to become smarter, adding functionality such as machine learning and support for multiple authentication and device options. They will need to introduce new categorizations into their identity frameworks—not just users, systems, and workflows, but also machines.
Finally, to account for the diverse operating environments in which they are likely to be deployed, IAM platforms must also adopt support for API access control, hybrid cloud environments, and multi cloud environments.
Digital Assets Meet Digital Identity
Another major challenge of managing digital identities is tracking and maintaining their connections to various different assets. That’s simple enough to achieve if you’re just looking at a user on a corporate network with three different devices. But introduce the scope and scale that will be required in the future, and things get complicated.
It’s largely an authorization issue.
How do we verify that the holder of a digital ID wallet is actually who they claim to be? How do we continuously verify a user’s ownership of different digital entities? How do we centralize all of this functionality in such a way that we remain both secure and compliant?
Unfortunately, there aren’t really any easy answers to those questions. At least not yet — and that’s okay. Many of the things we discussed today are some years out.
But make no mistake, they are coming. Currently, solutions such as plainID’s authorization platform represent one facet of how we manage identities, assets, and authorization. Coupled with IAM solutions and endpoint security, they comprise the bulk of our approach.
They will evolve in the coming years. And now that you know the current trends, you also have some idea of what to look for in that evolution.
Keep Pace with Changing IAM Trends
It’s no secret the world of digital identity and security is rapidly evolving. Gaining more control and visibility into how users are authorized, authenticated, and granted access is more than a nice-to-have today, it’s a must-have.
And yet, the challenge for many organizations is identifying where to even start.
Are you looking to embrace IAM in your organization? Indigo Consulting can help. Discover your path to a purpose-built IAM that’s capable of keeping up with changing security trends. Book a discovery call today to get started.