As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Manoj Srivastava, the General Manager of ID Agent at Graphus, shares some expert insights on the future of identity access management (IAM).
With the rise in phishing and cyber-attacks, it will be more critical than ever for organizations to implement identity and access management (IAM) policies as part of their overall cybersecurity strategy. IAM has long been used to verify users’ identities when logging into systems, platforms, applications, and the cloud, among others. In the old days, the all-digital infrastructure used to be on the premises. Users either logged into systems from within the network or over VPN if they were remote. For remote login, they sometimes used two-factor authentication, such as RSA tokens, to access secure networks.
The evolution of IAM mirrors the development of digital infrastructure. The proliferation of Software as a Service (SaaS), infrastructure as a Service (IaaS), and Platform as a Service (PaaS) had given rise to federated identities and Single Sign-On. Today, it’s common for users to be asked for a code that is either texted or emailed to verify their identity. Biometrics, such as fingerprints, has become another way to authenticate users. IAM tools combine Single Sign-On (SSO), multi-factor authentication (MFA), and password management into one integrated solution.
The prevalence of work from anywhere—and the rise of ransomware and other cyber-attacks—has birthed the notion of zero trust architecture (ZTA). The driving tenet for this is “don’t trust anyone or any device” and default to “least privilege authorization” for completing a task at hand.
When it comes to IAM, organizations should keep a few things in mind this year as they develop and roll out their security plans. The first is passwordless authentication – it will change how IT professionals register users with devices and lead to more secure authentication that is key to a zero-trust architecture. This technique verifies a user’s identity via other forms of authentication, including biometrics and one-time passwords, sent via email, SMS, or an authenticator app.
Next, SSO standards such as SAML, OAuth 2.0, and OpenID will continue to reduce the number of accounts needed to access web applications. Additionally, push notifications will replace SMS One Time Password (OTP). Push notification authentication sends an access request to the user’s device associated with their account to verify the person is who they say they are. Typically, it’s offered through a third party.
Another driving trend that organizations should be aware of is artificial intelligence for automating IAM procedures. With hundreds or more users accessing networks, devices, and apps, it can be challenging for IT professionals to keep tabs on an ongoing basis. But AI can keep watch round the clock and pick up on things that a person might miss. This can be a huge time saver for organizations as it can apply IAM policies to requests for access based on the situation at hand, meaning their IT teams spend less time resolving problems associated with access.
And finally, zero trust will continue to evolve and play a critical role in IAM. With cybersecurity topping the list of concerns, even the U.S. government advocates implementing zero trust within its agencies. Zero trust goes beyond existing architecture—it requires that organizations rethink how they view security. It works to protect the most sensitive and critical information by ensuring that even if cyber attackers get a hold of usernames, passwords, and/or IP addresses, they won’t be able to use it to gain access to data with application roles and IAM protocols.
It’s hard to conduct business without a solid security strategy, including a robust IAM policy. When implementing security solutions, organizations may face a myriad of challenges. The most pressing is the strategy and knowing where to start. Company leaders may also worry about productivity and how implementation will impact day-to-day operations. Once up and running, organizations have to keep up with changes to ensure ongoing management and success.
Although the challenges may feel daunting, cyber-attacks are here to stay, so organizations need to be prepared. The best way to do that is to have a solid security strategy that incorporates identity access management policies and continually follows the industry to see how the technology is evolving.
Manoj Srivastava
Manoj Srivastava is the General Manager, Security, for Kaseya’s ID Agent and Graphus companies. He was the co-founder and former CEO of Graphus before Kaseya acquired it. Learn more about how to prevent phishing attacks by visiting Graphus.ai or IDAgent.com
