My colleague Mark Bowker just completed some comprehensive research on identity and access management (IAM) challenges, plans, and strategies at enterprise organizations. As a cybersecurity professional, I welcome this data. Identity management should be a major component of an enterprise risk management strategy, yet IAM technology decisions are often treated tactically or left to application developers or IT operations staff who don’t always prioritize security in their planning.
The ESG data suggest a change in the IAM weather – large organizations seem to be prioritizing security as part of their IAM strategies. ESG asked 273 survey respondents to identify the initiatives that will be part of their IAM strategies over the next 24 months. The data reveals:
- 29% say they will monitor user activities more comprehensively. In other words, they will be on the lookout for account compromises and insider attacks. This may also be linked with the deployment of user and entity behavior analytics (UEBA).
- 26% say they will replace username/password authentication with multi-factor authentication (MFA) wherever possible. While monitoring users can be seen as threat detection, MFA is clearly part of threat prevention and a sound risk management strategy. MFA proliferation may also be related to GDPR or other compliance mandates.
- 23% say they will increase the participation of the security group in IAM decisions. This supports the move toward threat prevention and detection described above. It is not surprising, since user accounts are often compromised using phishing attacks, social engineering, or keyloggers.
- 20% say they will hire more IAM specialists in the cybersecurity department. Good idea – if you can find them. The global cybersecurity skills shortage may make it difficult to make this happen.
I was talking to a CISO a few years ago about the proliferation of cloud and mobile computing. In describing his security response to these two trends, he said: “When I lose control of devices and servers, I need to make sure to establish as much control as I can in two areas – identity management and data security.” So henceforth, my CISO friend plans to treat identity management (and data security) as new security perimeters.
The ESG data demonstrates that some organizations are following this sagacious advice. Good start, and Mark and I will be tracking how this trend progresses.