ESG's Mark Bowker discusses how cloud, mobility initiatives, and app dev are driving chaos amongst IAM strategies.
Read the related ESG Blog: Who Owns Identity and Access Management (IAM)? (Video)
Mark: Who owns identity? That's a decision critical to the success of identity and access management implementations. What I'm observing is cloud, mobility initiatives, and app dev are driving chaos amongst IAM strategies. Also seeing security risks have increased due to the expanded perimeter. And then really it's fractured user authentication across networks, applications, and devices. Today, IT operations currently bears the majority of IAM responsibility, but increasingly developers, application owners, information security, and line of businesses are all leaning in. "So what's the best practice?" I often get asked, which team or teams should own identity and access management? Well, that answer is it really depends. It depends a lot on your organization's maturity, the current security posture, and how aggressively companies are pursuing identity and access management strategies. I have spoken with customers of Octa, Ping, Simio, Oracle and a lot of others about their deployment and here are some lessons I learned.
First of all, there's no clear owner of identity and access management responsibilities. Forty-nine percent of ESG research respondents report IT infrastructure operations bear the majority of IAM responsibilities. Other teams are having to lean in, including security, application management, developers, and mobile application management teams. Information security teams have wishes that IT operations team can't fulfill. These include improving risk management and information security best practices, blocking and detecting malicious attacks, complying with governance and industry regulations, such as GDPR for example, and new risks associated with increased usage of mobile devices and applications. There is also a lack of identity and access management skills and personnel that are compounding identity and access management strategies.
While some businesses I speak to have a dedicated VP of identity, most do not. But I do see some hiring happening to build out these identity and access management teams. And these teams will have to focus on the challenges we see, which include continued reliance on username and password, monitoring difficulties with increased usage of mobile devices, and even simple tasks such as managing profile changes. In the next 24 months, leaders are going to focus on monitoring user activities to detect anomalies, embracing multi-factor authentication, and an increased participation in the information security group into the identity and access management discussion. The current state of identity and access management presents an ideal opportunity for IT vendors focused on identity and access management strategies to sit down with their customers and synthesize how they can help improve a company's security posture while helping sort through a complex vendor landscape targeted at solving identity and access management challenges.