My esteemed colleague, Jon Oltsik, previously wrote about how identity and access management infrastructure is misaligned with security. Mobility, device proliferation, cloud, and the threat landscape make an enterprise IAM strategy extremely important, but many organizations continue to treat IAM as a hot potato, with no real owner or strategy. As I’m pursuing an upcoming research project related exploring IAM's key role in providing security via the Internet of Identities and speaking with IT pros who are rearchitecting their IAM infrastructure for mobility, I’m excited about how these business activities can be dramatically improved by taking a fresh look at IAM.
Certainly, IAM is a critical focal point as devices proliferate throughout the business and expand the security perimeter outside the proverbial four walls of the IT data center. Recent data and announcements have revealed:
- 66% of respondents are using IAM controls for cloud security. CASB leaders like Netskope, SkyHigh, Bitglass, and others have long ago extended beyond “shadow IT” and built a platform that is extensible to DLP, Proxy, and you guessed it…IAM. Sometimes, CASBs form tight integrations with IAM such as OneLogin’s cloud IAM integration with Cisco CloudLock.
- CISOs are becoming more engaged in IAM. 87% of organizations say that the security team is more involved in IAM policies, processes, and technology decisions than they were two years ago. IAM companies like Okta, Ping, and Centrify are being brought into conversations earlier during the AppDev phase because the concept of SecDevOps helps make enterprise agile software development run more smoothly.
- Cloud Service Providers are pre-integrating identity solutions to aid with visibility, management, and control. Google with its Google Cloud Identity, Oracle, and Microsoft are all aiming to relieve the management complexity while adding more robust and fine-grained security features.
- GDPR and other compliance regulations are driving fresh investigation into how new applications of IAM can not only satisfy requirements, but also bring more visibility and safeguards for personal data protection.
- Mobility is driving a wave of new device types and applications hosted outside the secure corporate network. Employees are experiencing great benefits, as IT vendors like Google, Microsoft , Citrix, and VMware rotate focus on creating context-aware policies that can react to user behavior based on device type, location, application type, time of day, etc.
IAM can be very complex and the internal ownership of authentication and associated policies must be considered across multiple IT teams and line of business owners. This challenge is creating renewed focus on balancing employee productivity and user experience with the secure delivery and protection of applications and data. IAM is an exciting (and challenging for businesses) market for ESG as we research the impact of cloud, mobility and security on today’s businesses.
For more of this research, check out the ESG Research Report, The Visibility and Control Requirements of Cloud Application Security, and the ESG Research Report, A Cybersecurity Perspective on Identity and Access Management.