The point solution IAM evolution under reform

Sponsored Feature The inexorable pace of technological innovation in response to the unrelenting growth of cyber attacks has led to fragmentation within cyber security provision. Things generally follow a common pattern, starting with a new security requirement being identified, whether a response to a novel threat, or a compliance or regulation challenge. This leads buyers to specialized tools, usually from smaller vendors that do one thing well. But inevitably over time, buyers end up using a mishmash of systems and tools, each with its own job and management processes.

Bringing in the best tool for the job initially looks like a good decision. Except that you’ve just added that tool to a suite of other tools, each designed to solve a specific cybersecurity issue. Organizations eventually end up mired in the sort of software complexity and sprawl that can be hard to dig themselves out of.

With these systems now under heavy pressure from changing patterns of business, many organizations find themselves coping with their own version of the same recurring problem. Identity and access management (IAM) is a case in point: a decade ago it was an enabling tool that managed employee access to a resource. Today it is on the front line of an organization’s cybersecurity, which means it has become strategic.

“Through no fault of anyone, large organizations have built security portfolios that have organically grown over time,” observes One Identity’s Darren Thomson, vice president of product marketing.

“Criminals find new ways to target organizations, and sure enough the industry comes up with a product to solve that. The end result is that I’ve spoken to CISOs who are running 50 tools that generate so many log files and alerts that it’s hardly surprising that attacks are missed.”

Some of this might be inevitable in an industry that has become fragmented into ever smaller niches by the rapid evolution of cyberattacks. But it’s an irony that organizations increasingly say they are being overwhelmed by the volume of security data they have to monitor to stay safe, when collecting more of it was a tactic they once eagerly adopted as a way of lowering their risk.

Consolidation on the cards

One answer to this cyber security fragmentation is consolidation, which starts with the industry itself. This includes One Identity, which in 2021 acquired IAM and single sign-on (SSO) vendor, OneLogin. Meanwhile, One Identity parent company Quest Software was acquired by Clearlake Capital Group in early 2022, a move which underlines the growing importance of IAM to investors.

The emergence of managed service providers that turn IAM into an integrated service has happened in parallel. On the face of it, this dodges the need for enterprises to constantly invest in new systems or the skills needed to manage them.

Gartner certainly agrees, predicting that by 2023, “40% of IAM application convergence will primarily be driven by MSSPs that focus on delivery of best-of-breed solutions in an integrated approach, shifting influence from product vendors to service partners.”

Equally, the consolidation offered by service providers is only possible if the underlying systems meet that demand with multi-featured platforms that can be managed as single entities.

“Customers constantly ask why, rather than having discrete identity solutions, they can’t simply have a single platform that performs all the identity tasks they need,” agrees Thomson. “While most of the industry isn’t there yet, One Identity has invested a lot of time creating that single platform.”

Aflac cuts complexity

One firm that has already reached the threshold is Fortune 500 supplemental insurance company Aflac. It recently decided to consolidate its multi-headed IAM and IGA under a single platform, One Identity’s One Identity Manager, giving it a single view on its expanding user population.

Over the years Aflac found itself grappling with the sort of identity management challenge that would present even the most experienced CISO with a monumental planning nightmare.

The company was interacting with customers through an increasingly complex web of channels, including numerous websites and around 500 different apps. This put immense pressure on its workflow, starting with an estimated 1,000% increase in identity and access management (IAM) requirements in only five years.

In addition to an over-reliance on manual processes to manage this, Aflac had come to rely on six different identity governance and administration (IGA) systems for provisioning and de-provisioning access in a sector where compliance is non-negotiable. As well as giving Aflac a single view of its user base, the migration to One Identity Manager also made it easier to integrate IAM with the company’s human resources ERP.

Ease of use, features and cost

Aflac is a bona fide success story. But given that the majority of the customer base continues to struggle without a consolidated system, what other factors are driving the further evolution of IAM?

Up close, IAM can be daunting, taking in multiple technologies, processes, and layers. Its foundations include privileged account management (PAM), endpoint management, access management and control, and log management, plus the sort of IGA that extends governance to the cloud and SaaS.

Most organizations add additional tools and functions such as SSO, as well as provisioning and de-provisioning layers to smooth usability. Finally, IAM is becoming less centralized, for example providing attestation (the ability of business managers to approve or deny access without having to ask IT) and self-service access which allows users to request access as they need it.

Traditionally, these have relied on separate administration consoles, which quickly multiplies the workload, says Thomson. “Managing privileged accounts and deciding on the governance policies is complex, which traditionally has meant that the tools to do this job end up being complex too.”

At the core of every organization’s access control is its directory service, which typically means an on-premises Active Directory (AD), often considered the single source of truth. User rights set in AD then govern all other aspects of the organization, from the field workers to the CEO. However, protecting this critical database is often overlooked, and Active Directory management (and security) is frequently out of scope for identity security projects – a fact not overlooked by ransomware groups.

In addition, modern IAM often results in rival identity stores which might replicate some of its functions. For identities managed as part of PAM, this fragmented approach generates special risks.

“Organizations might have four or five different solutions for doing different jobs. But this can lead to gaps that create opportunities for the criminal,” argues Thomson. Similarly, the lack of integration raises the underlying expense of running multiple identity stores with slightly different but overlapping jobs.

“If an organization is managing four or five different systems, unavoidably this adds costs in terms of management time and security training,” he adds.

Not a job for the faint-hearted

Despite the obvious benefits, Thomson feels many of One Identity’s customers are not yet ready to make the final jump to a fully consolidated platform today. The reasons for this reticence are varied.

Organizations have built their IAM and IGA processes around separate tools which, however imperfectly, do their job. The security teams managing them also know this architecture inside out. This brings to mind the old adage about changing wheels on a vehicle that is still moving – removing the first wheel is not a job for the faint-hearted.

Instead, Thomson sees the evolution towards the more integrated identity platforms happening more slowly, one reform at a time.

“What we need to understand is what is the business problem that needs solving first. It’s about asking customers what they can’t do using separate systems and addressing that.” His belief is that organizations should see their journey towards a consolidated platform as one of increasing maturity rather than technological adoption.

Thomson uses the example of the OneLogin management tool which logs what applications employees are using. This data can be fed into the identity governance system to make automated decisions about which applications people need to access, and which ones they don’t.

“If you haven’t used 17 of 20 Microsoft applications within 90 days, there’s an opportunity to re-deploy the licenses for that access in a way that drives efficiency,” he explains.

The same integration could also benefit security, for example logging the fact that an account has had a series of multifactor authentication failures in a pattern that indicates a credential compromise. Connecting two identity systems allows the account to be shut down in an automated way without waiting for an engineer to react to an alert.
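The two integrations Thomson describes, unused-application data feeding licence decisions and MFA failure patterns feeding an automated account response, come down to the same thing: joining SSO telemetry with governance actions. The script below is an added illustration of that join, not One Identity or OneLogin code. The event records, the entitlement table, the field names and the thresholds (a 90-day usage window and five consecutive MFA failures within 15 minutes) are all constructed for the example.

```python
"""Joining SSO usage telemetry with identity governance decisions.

Added example (not One Identity or OneLogin code). Two checks run over a
constructed SSO event log: (1) entitlements an employee has not used within
a 90-day window, which governance can flag for licence recovery, and
(2) accounts whose most recent MFA attempts are a run of failures, which an
automated workflow can disable pending review.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed entitlement data: the apps each user is provisioned for.
ENTITLEMENTS = {
    "alice": {"mail", "sheets", "crm", "vpn"},
    "bob": {"mail", "crm"},
}

# Constructed SSO event log. Each record is (timestamp, user, event, app).
# event is "app_login", "mfa_ok" or "mfa_fail"; app is None for MFA events.
EVENTS = [
    ("2024-01-10T09:00:00", "alice", "app_login", "mail"),
    ("2024-03-01T08:30:00", "alice", "app_login", "crm"),
    ("2024-05-20T10:00:00", "alice", "app_login", "mail"),
    ("2024-05-21T10:00:00", "alice", "mfa_ok", None),
    ("2024-05-22T11:00:00", "bob", "app_login", "mail"),
    ("2024-05-22T11:00:05", "bob", "mfa_fail", None),
    ("2024-05-22T11:00:09", "bob", "mfa_fail", None),
    ("2024-05-22T11:00:14", "bob", "mfa_fail", None),
    ("2024-05-22T11:00:20", "bob", "mfa_fail", None),
    ("2024-05-22T11:00:27", "bob", "mfa_fail", None),
]


def _ts(s):
    return datetime.fromisoformat(s)


def unused_entitlements(events, entitlements, as_of, window_days=90):
    """Return {user: sorted apps} for entitlements with no login inside the window.

    An app the user is entitled to but has never logged into also counts as unused.
    """
    cutoff = _ts(as_of) - timedelta(days=window_days)
    last_seen = {}
    for ts, user, event, app in events:
        if event == "app_login":
            t = _ts(ts)
            if (user, app) not in last_seen or t > last_seen[(user, app)]:
                last_seen[(user, app)] = t
    result = {}
    for user, apps in entitlements.items():
        stale = sorted(a for a in apps
                       if last_seen.get((user, a), datetime.min) < cutoff)
        if stale:
            result[user] = stale
    return result


def mfa_failure_streaks(events, threshold=5, window_minutes=15):
    """Return the users whose latest MFA events are `threshold` or more
    consecutive failures, all within `window_minutes`.

    A success resets the run, so a user who mistypes a code a few times and
    then authenticates is not flagged.
    """
    streak = defaultdict(list)  # user -> timestamps of the current failure run
    for ts, user, event, _app in sorted(events, key=lambda e: e[0]):
        if event == "mfa_ok":
            streak[user] = []
        elif event == "mfa_fail":
            streak[user].append(_ts(ts))
    window = timedelta(minutes=window_minutes)
    return {user for user, fails in streak.items()
            if len(fails) >= threshold and fails[-1] - fails[-threshold] <= window}


def governance_actions(events, entitlements, as_of):
    """Combine both checks into the actions an IGA workflow would carry out."""
    actions = []
    for user, apps in unused_entitlements(events, entitlements, as_of).items():
        for app in apps:
            actions.append(("revoke_entitlement", user, app))
    for user in sorted(mfa_failure_streaks(events)):
        actions.append(("disable_account", user, None))
    return actions


if __name__ == "__main__":
    for action in governance_actions(EVENTS, ENTITLEMENTS, "2024-05-23T00:00:00"):
        print(action)
```

The two checks deliberately stay separate from the actions they trigger: the usage check only proposes revocations and the MFA check only proposes a disable, so the thresholds can be tuned, or the disable swapped for a step-up prompt, without touching the log parsing. The MFA check keys on consecutive failures rather than a raw count, which is what distinguishes a stolen password being tried against a second factor from a legitimate user fumbling a code.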

Cloud hangs overhead

Hanging over all of this is the role of the cloud in identity management. Thomson takes the pragmatic view that many organizations’ identity management requirements will initially lead to a hybrid world in which some services such as access control will fit more naturally into the cloud, while others such as directory services and identity governance will remain in-house.

“If everything becomes hybrid, we will need to offer customers choice. This means providing common APIs, integrations, and workflows so they’re using a common architecture,” he says.

Nevertheless, it is likely to be some time before larger companies with urgent and critical data privacy concerns feel able to fully embrace the cloud. One Identity’s approach to consolidation will have to take account of this, accommodating on-premise as well as cloud contexts. It’s an extra complication but a necessary one.

“As we develop an integrated or unified platform, it is going to need to work in the on-premise, cloud and hybrid contexts,” explains Thomson.

“That is not easy to achieve but it’s the right thing to do. Ultimately, consolidation is about reducing risk. What matters is to continue to provide choice for the customer.”

Sponsored by One Identity.