To follow or not to follow the trends – this is the question for most IT specialists, including Identity and Access Management (IAM) specialists. There are, of course, proven, classic ways for an organization to meet certain IT challenges, while trends come and go, sometimes almost unnoticed. What stays is 1) the constantly evolving and changing IT world; 2) the need for efficient Identity and Access Management. It’s time to keep pace with the changes and implement the next-generation IAM strategy in your organization. Which one? Well, let’s look at the 2022 trends first.
Not surprisingly, upcoming Identity and Access Management trends were one of the key themes of Gartner’s 2022 IAM Summit, held in Las Vegas this year. The organizers promised to share valuable insights on IAM programs and strategy, Single Sign-On, multi-factor authentication (MFA), passwordless methods, and many more topics. The long-awaited event delivered all that. Based on the insights Gartner shared, here are the top Identity and Access Management trends for the year ahead which you can consider following in your IAM strategy.
Modernizing Identity Management to include machine identities
Many companies around the world are already in the process of “upgrading” their approach to identity management. One of the biggest changes they are brave enough to make is including machine identities in their Identity and Access Management strategy. This signals a significant change in the way we think about machine identities, with discussions shifting from narrow IAM domains to the more general IAM environment (think: provisioning, de-provisioning, moving, changing, and so on).
Security with a stronger identity-first focus
Identity is foundational for security in any modern organization, and everyone knows it. However, the Gartner IAM Summit made it clear that in a post-COVID world, identity has moved to the center of security infrastructure. So, today, digital identity is not just foundational, it’s CRUCIAL to keep an organization safe and resilient to cyber-attacks.
According to Erik Wahlstrom, Senior Director Analyst at Gartner, the next evolution in identity strategy is protecting those identities and the infrastructure behind them against attacks. This means that we can expect an even stronger focus on the entire identity lifecycle (including machine identities) to ensure security at every step of the way.
Let’s move towards IAM convergence!
The IAM market constantly changes, and one of the positive changes is that teams no longer have to choose between “the best one” and “universal” solutions such as a “best in suite” approach, which is becoming more and more popular (and proving its efficiency). This shift in solution choice is fueled by a significant convergence in the capabilities of different Identity and Access Management tools on the market and increasing overlap between Identity and Access Management vendors.
However, we still have progress to make. Many organizations have felt the need to create homegrown tools to synchronize between various secrets managers, PAM tools, and IaaS-provided tools. This makes clear that interoperability between platforms and continued convergence are still badly needed.
Supporting centralized decentralized security
Centralized or decentralized? Well, both! The idea of centralized decentralized security (CeDeSec) stands for the adoption of the centralized control and decentralized enforcement concept by security and IAM teams. CeDeSec is based on the fact that in a world of decentralized IT, there must be a way for teams to maintain a single point of control while still allowing different teams to use the tools and workflows that best suit their needs. This concept may seem hardly attainable (which is not true), and when done right, it evolves into a Cybersecurity Mesh Architecture (CSMA). The approach behind CeDeSec also lends itself well to PKI and machine identity management, areas where security teams are already well-versed in maintaining centralized visibility and management across a variety of different tools.
Just in Time access brokering for more robust security
Just in Time (JIT) access brokering has created a lot of buzz around itself. This approach is about enterprises using dear old certificates as a form of authentication for users, but with a twist – every time users log in to a system, they get a new certificate. In this way, the chances of compromised or stolen credentials are significantly reduced, since those credentials are so short-lived and can typically only be used once. Of course, making JIT access brokering work – especially without causing headaches for users – requires a highly efficient and scalable approach to issuing and de-provisioning those identities.
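The issuing and checking logic described above, as an added example that is not from the article or from Gartner: a broker hands out a fresh credential per login and accepts it only once and only before it expires. An HMAC-signed token stands in for an X.509 certificate so the sketch runs with the standard library alone; `JitBroker`, its methods, the user and resource names, and the timestamps are all hypothetical.

```python
import hashlib, hmac, json, secrets

class JitBroker:
    """Toy JIT broker: one fresh, short-lived, single-use credential per login."""

    def __init__(self, ttl_seconds=300):
        self._key = secrets.token_bytes(32)  # stand-in for the issuing CA's key
        self._ttl = ttl_seconds
        self._pending = {}                   # serial -> expiry, issued but unused

    def _sign(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, resource, now):
        claims = {"sub": user, "aud": resource,
                  "serial": secrets.token_hex(8), "exp": now + self._ttl}
        payload = json.dumps(claims, sort_keys=True)
        self._pending[claims["serial"]] = claims["exp"]
        return payload + "." + self._sign(payload)

    def verify(self, credential, resource, now):
        payload, _, sig = credential.rpartition(".")
        if not hmac.compare_digest(sig.encode(), self._sign(payload).encode()):
            return "rejected: bad signature"
        claims = json.loads(payload)
        if claims["aud"] != resource:
            return "rejected: wrong resource"
        if now >= claims["exp"]:
            return "rejected: expired"
        if self._pending.pop(claims["serial"], None) is None:
            return "rejected: already used or revoked"
        return "accepted"

    def deprovision_expired(self, now):
        """Drop every issued-but-unused credential whose lifetime has passed."""
        stale = [s for s, exp in self._pending.items() if now >= exp]
        for serial in stale:
            del self._pending[serial]
        return len(stale)

def demo():
    broker, t0 = JitBroker(ttl_seconds=300), 1_700_000_000  # constructed clock
    cred = broker.issue("alice", "db-prod", t0)
    first = broker.verify(cred, "db-prod", t0 + 10)    # fresh login
    replay = broker.verify(cred, "db-prod", t0 + 20)   # same credential again
    late = broker.verify(broker.issue("alice", "db-prod", t0), "db-prod", t0 + 301)
    return first, replay, late, broker.deprovision_expired(t0 + 301)
```

The clock is passed in as `now` so expiry behaviour can be exercised deterministically; a real deployment would rely on certificate validity periods and the issuing CA's revocation mechanism instead of the in-memory `_pending` table.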
A machine identity working group to be established
One of the shifts we can see in the digital corporate world today is that plenty of organizations are moving away from Crypto Centers of Excellence (CCoE). What do they choose instead? They establish machine identity working groups. This shift is happening, as Gartner states, because of the following two issues with the traditional CCoE model:
a) Crypto’s meaning has changed from an IT security term to a currency.
b) The idea that one team (often security or Identity and Access Management) could manage all things crypto for the entire organization is unrealistic.
Instead, organizations are better served creating a cross-functional working group with key stakeholders from IAM, Security, DevOps, Infrastructure & Operations, and Cloud teams that meet on a regular basis to establish ownership, make policy and tooling decisions, and create guidance. Bringing together this cross-functional group extends the responsibility of machine identities across more teams within the organization and ensures all of those teams’ viewpoints are represented in strategies.
Gartner’s 2022 IAM Summit made clear that the next generation of Identity and Access Management is upon us, and it is high time to rethink strategies, solutions, and management to keep up with changes and ensure resilience to constantly evolving cyber threats. Is your team prepared to make changes?