Identity and Access Management is Changing: Here’s Where It’s Headed
We’re living in an exciting, highly dynamic world that is driven by rapidly evolving technology. To grow and compete, organizations have accelerated the pace of their digital transformation initiatives by seven years, according to McKinsey & Company. Yet the popular maxim “move fast and break things” sometimes means security gets left behind.
It’s easy to see how this can happen: traditional security threat prevention technologies have relied largely on network-based security controls. Their monolithic architectures make them manual and tedious to operate. They have policy-based authorization controls that offer barely a semblance of session security. They burden users with session timeouts and terminate-session options, and their audit and compliance capabilities are either missing or very costly.
Fortunately, the tide has started to turn in the last few years, with SaaS-based Identity and Access Management (IAM) moving higher on enterprise security teams’ priority lists. In particular, access management tools are designed to reflect today’s boundary-less enterprise reality and place identity at the core of security by using smart, conditional authentication and authorization mechanisms.
Yet nearly all these current access technologies stop at the authentication layer, providing very few, if any, session controls to monitor access to — and interactions with — sensitive or privileged resources. Without such controls in place, malicious insiders and external actors alike have a better chance of progressing their attacks without detection.
The Evolution of Access Management
As the lines continue to blur between identity and privilege, organizations need ways to confidently verify that workforce identities — requiring various levels of access at various times and from various locations — are indeed who they say they are, that their devices are verified and that their access is intelligently limited to exactly what’s required.
This is where artificial intelligence (AI) comes in and where the next wave of access management innovation is focused.
Using machine learning and contextual signals — including user data, device data and activity data — these access management solutions are constantly getting smarter and building more descriptive, visual risk profiles of individual human and machine identities. This helps organizations strengthen predictive capabilities so they can better anticipate and mitigate future threats. And through AI, these solutions can also determine when a user is low risk and legitimate, serving up a simplified authentication experience that allows users to access the apps they need to do their jobs.
When integrated into a unified platform, these AI-powered tools work even harder together to deliver higher quality data sets, fine-tune algorithms that can reliably differentiate between anomalous and malicious access attempts and automate responses while providing a real-time feedback loop to the organization’s machine learning engine to constantly improve performance.
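The risk-profiling described above can be made concrete with a small decision engine. The following is an added illustration, not CyberArk's code or any product's algorithm: it folds constructed contextual signals (device, location, activity, resource sensitivity) into a score, maps the score to an authentication requirement (passwordless allow, step-up to a phishing-resistant factor, or deny), and sketches the feedback loop by letting confirmed outcomes adjust signal weights. Signal names, weights and thresholds are all constructed for the example.

```python
"""Risk-based (adaptive) access decision, as an added illustration.

Not CyberArk's code: signal names, weights and thresholds are constructed
for this example. A real engine would learn the weights from labelled
access data; here learn() only sketches that feedback loop.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed starting weights for each contextual signal (user, device, activity).
DEFAULT_WEIGHTS: Dict[str, int] = {
    "unmanaged_device": 30,
    "new_device": 20,
    "unusual_country": 25,
    "repeated_failures": 20,
    "off_hours": 10,
    "privileged_resource": 15,
}
STEP_UP_THRESHOLD = 30  # require a phishing-resistant factor at or above this score
DENY_THRESHOLD = 70     # block and alert at or above this score


@dataclass(frozen=True)
class AccessContext:
    """Signals gathered about one access attempt (all values constructed)."""
    user: str
    device_managed: bool
    device_known: bool
    country: str
    usual_countries: FrozenSet[str]
    failed_logins_last_hour: int
    hour_utc: int
    resource_privileged: bool


def fired_signals(ctx: AccessContext) -> List[str]:
    """Return the names of the risk signals present in this context."""
    fired = []
    if not ctx.device_managed:
        fired.append("unmanaged_device")
    if not ctx.device_known:
        fired.append("new_device")
    if ctx.country not in ctx.usual_countries:
        fired.append("unusual_country")
    if ctx.failed_logins_last_hour >= 3:
        fired.append("repeated_failures")
    if not 6 <= ctx.hour_utc <= 20:
        fired.append("off_hours")
    if ctx.resource_privileged:
        fired.append("privileged_resource")
    return fired


def risk_score(ctx: AccessContext, weights: Dict[str, int] = DEFAULT_WEIGHTS) -> Tuple[int, List[str]]:
    """Sum the weights of the fired signals; return the score and the reasons."""
    reasons = fired_signals(ctx)
    return sum(weights[r] for r in reasons), reasons


def decide(ctx: AccessContext, weights: Dict[str, int] = DEFAULT_WEIGHTS) -> Dict[str, object]:
    """Map the score to an authentication requirement.

    'allow'   -> low risk: simplified passwordless sign-in is enough
    'step_up' -> elevated risk: require a phishing-resistant factor (e.g. FIDO2 key)
    'deny'    -> high risk: block the attempt and raise an alert
    """
    score, reasons = risk_score(ctx, weights)
    if score >= DENY_THRESHOLD:
        action = "deny"
    elif score >= STEP_UP_THRESHOLD:
        action = "step_up"
    else:
        action = "allow"
    # The returned record is what an audit log or SIEM would receive.
    return {"user": ctx.user, "score": score, "reasons": reasons, "action": action}


def learn(weights: Dict[str, int], reasons: List[str], confirmed_malicious: bool) -> Dict[str, int]:
    """Crude feedback loop (illustrative only): signals seen in a session later confirmed
    malicious gain weight; signals seen in a session confirmed legitimate lose a little.
    Returns a new weight table and leaves the input untouched."""
    updated = dict(weights)
    for r in reasons:
        delta = 5 if confirmed_malicious else -1
        updated[r] = max(0, min(50, updated[r] + delta))
    return updated


if __name__ == "__main__":
    usual = frozenset({"US"})
    attempts = [  # constructed sample attempts
        AccessContext("alice", True, True, "US", usual, 0, 10, False),
        AccessContext("bob", True, False, "US", usual, 0, 14, True),
        AccessContext("carol", False, False, "BR", usual, 4, 3, True),
    ]
    for attempt in attempts:
        print(decide(attempt))
```

The point of the structure is that every decision carries its reasons: the same record that drives the step-up prompt is what an analyst reviews and what feeds the weight adjustment, so the platform's "feedback loop" has a concrete data shape.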
The Journey Toward Passwordless Authentication
Passwordless authentication is a great example of an intelligent Identity Security approach in action — and represents a huge opportunity for organizations focused on securing their anytime, anywhere workforces.
I often find myself using this quote: “In today’s world, attackers don’t really need to hack in; they just log in.” It’s true. Traditional passwords and credentials remain one of the leading causes of identity-related attacks and breaches for numerous reasons. And attackers particularly target privileged credentials that enable access to sensitive systems and networks since they’re able to get so much information from just one source.
Industry research points to growing consumer comfort and confidence in passwordless authentication, such as biometric authentication methods (e.g., facial recognition and fingerprints) and behavior-based methods (e.g., passively observed signals that require no effort from the user). But when it comes to the enterprise, achieving true passwordless authentication won’t be like flipping a switch — it’s a journey that starts with giving your organization and its users the right processes and tools.
You can start by giving users access to a range of passwordless authenticators, such as FIDO2 security keys, biometrics, QR codes and magic links. These authenticators need to come with frictionless, intuitive self-service management capabilities to help make sure that users don’t get locked out of systems while trying to get their work done. Next, it’s important to make sure that all resources — from applications, to servers, to endpoints — are protected by comprehensive IAM solutions, whether they are hosted on-premises or in a hybrid environment. Finally, it’s important to have the systems and structure in place to measure key performance indicators and compliance around these passwordless initiatives so you can drive continuous improvements.
How to Achieve Zero Trust Through Holistic Identity and Access Security
Passwordless authentication is one technology in a broader set of Identity Security solutions that paves the way for Zero Trust, the widely accepted “trust nothing, verify everything” security philosophy.
At CyberArk, our Zero Trust vision brings concepts of “Zero Trust Access” and “Zero Trust Privilege” together. Zero Trust Access aims to ensure that every user and device is validated and that all access is intelligently limited based on the principle of least privilege. Zero Trust Privilege, on the other hand, works to secure and monitor privileged accounts and access, granting just-in-time, just-enough privilege for users so they can stay productive. This holistic, risk-based approach encompasses all identities, whether they are human identities, such as administrators, DevOps, workforce or vendor users, or nonhuman identities, such as machines and RPA bots, to help organizations protect their applications, infrastructure and data.
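The "just-in-time, just-enough privilege" idea can be shown as a small broker that issues time-bounded, action-scoped grants and denies everything else. This is an added illustration, not CyberArk's code or product behaviour: the grant format, the one-hour TTL cap, the resource names and the incident reference are constructed for the example.

```python
"""Just-in-time, just-enough privilege broker, as an added illustration.

Not CyberArk's code: the broker, its grant format and the TTL cap are
constructed for this example. Every check is default-deny and every
decision is appended to an audit trail.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Iterable, List, Optional

MAX_TTL = timedelta(hours=1)  # constructed cap: no grant outlives this, whatever was requested


@dataclass
class Grant:
    identity: str
    resource: str
    actions: FrozenSet[str]  # just-enough: only the actions that were requested
    granted_at: datetime
    expires_at: datetime     # just-in-time: the privilege lapses on its own
    justification: str
    revoked: bool = False


class PrivilegeBroker:
    def __init__(self) -> None:
        self._grants: List[Grant] = []
        self.audit: List[dict] = []

    def request(self, identity: str, resource: str, actions: Iterable[str],
                ttl: timedelta, justification: str, now: datetime) -> Grant:
        """Issue a time-bounded grant. A justification is mandatory and the TTL is clamped."""
        if not justification.strip():
            raise ValueError("justification is required for privileged access")
        ttl = min(ttl, MAX_TTL)
        grant = Grant(identity, resource, frozenset(actions), now, now + ttl, justification)
        self._grants.append(grant)
        self._log("grant", now, grant)
        return grant

    def authorize(self, identity: str, resource: str, action: str, now: datetime) -> bool:
        """Default deny: allow only if an unexpired, unrevoked grant covers this exact action."""
        for g in self._grants:
            if (g.identity == identity and g.resource == resource
                    and action in g.actions and not g.revoked and now < g.expires_at):
                self._log("allow", now, g, action)
                return True
        self._log("deny", now, Grant(identity, resource, frozenset(), now, now, ""), action)
        return False

    def revoke(self, grant: Grant, now: datetime) -> None:
        """Cut a session short, e.g. when the risk engine flags the identity mid-session."""
        grant.revoked = True
        self._log("revoke", now, grant)

    def active_grants(self, now: datetime) -> List[Grant]:
        """What an administrator currently holds; useful for standing-privilege reviews."""
        return [g for g in self._grants if not g.revoked and now < g.expires_at]

    def _log(self, event: str, now: datetime, grant: Grant, action: Optional[str] = None) -> None:
        self.audit.append({
            "event": event,
            "identity": grant.identity,
            "resource": grant.resource,
            "action": action,
            "expires_at": grant.expires_at.isoformat(),
            "at": now.isoformat(),
        })


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    broker = PrivilegeBroker()
    g = broker.request("alice", "prod-db-01", {"read", "restart"},
                       timedelta(minutes=30), "INC-0000 (constructed)", t0)
    print(broker.authorize("alice", "prod-db-01", "read", t0 + timedelta(minutes=10)))     # True
    print(broker.authorize("alice", "prod-db-01", "drop_table", t0 + timedelta(minutes=10)))  # False
    print(broker.authorize("alice", "prod-db-01", "read", t0 + timedelta(minutes=31)))     # False
    for entry in broker.audit:
        print(entry)
```

Two properties carry the Zero Trust Privilege idea: the grant names the actions, so an identity approved to restart a database is not thereby approved to drop a table, and the grant names its own expiry, so there is no standing privilege to clean up later. The audit list is deliberately written on the deny path as well, since an unexpected deny is often the first detectable sign of misuse.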
I recently spoke with Tom Field of Information Security Media Group to dig into the ever-evolving IAM technology landscape, how security leaders can incorporate solutions that emphasize frictionless user experiences and AI-powered security and ways to instill a security-first mindset across an organization to boost overall confidence and agility. You can check out our entire conversation here.
Archit Lohokare is VP of Product Management at CyberArk.