It's all about SECURITY

Future of Identity and Access Management (IAM)

Full Paper Link: Click Here

I have been working in the Identity and Access Management field for about 18 years, and I can tell you that IAM has changed a lot since I started. When I began, I worked with some security products, and over time some of those products have disappeared from the market and been replaced by new products. Some organizations are investing a lot in building their own IAM solutions because vendor products do not meet their needs or they do not get the timely support they need for their customers.

The security landscape has evolved dramatically. Organizations are moving to cloud or even multi-cloud environments, which introduce new risks to their business. Traditional IAM solutions are not sufficient to manage these new risks, so IAM strategy had to change as well to support the new business needs. In the past, Identity Management, Single Sign-On (SSO) and Two-Factor Authentication (2FA) were the key focus areas in IAM, and only a few organizations were implementing Multi-Factor Authentication (MFA) and Privileged Access Management (PAM); now these are an essential part of any IAM program.

So, the big question is: "What is the future of IAM?"

I believe there are still many areas in IAM that need more attention or require more work. Below, I have highlighted some of these areas:

  • Zero Trust Implementation (Continuous Authentication)
  • Zero Standing Privileges
  • Passwordless Authentication with Stronger MFA (Biometric/FIDO2)
  • Cloud IAM
  • Effective Approvals and User Access Reviews
  • Privileged Access Management
  • Non-Human Accounts Governance
  • IAM for AI Agents
  • Behavior and AI-Powered Monitoring, Alerting and Remediation


Apart from the above areas, User Education and User Experience will always be our top priority, as there is no security with poor user experience. IAM is moving towards smarter and more secure models of digital identities and will continue to evolve.

Keep Learning and Keep Sharing. 
Security Principles: Just In Time Access and Zero Standing Privileges


JIT: Just-In-Time Access

ZSP: Zero Standing Privileges


If you work in the cybersecurity IAM domain, you may be familiar with the terms Just-In-Time provisioning and Zero Standing Privileges. These terms are often used interchangeably, but they are slightly different. ZSP can be considered the progression of JIT, but both have the same end goal: to improve the security posture.


JIT allows users to gain privileges or elevate access in systems/applications when they need it. JIT is associated with a time frame: users gain privileged access for a particular time period, and once the time is over, the privileges are revoked from the user.

ZSP focuses on giving users no persistent access in systems or applications. Users must request access every time they need it to perform their job duties, and privileges are revoked immediately after use.

Difference: The biggest differences between JIT and ZSP are:

  • JIT allows users to gain access for a particular time period, whereas ZSP allows users to gain access for a specific task
  • JIT is time-bound; ZSP is task-bound


JIT: A user requests privileged access for a particular time frame, say 8 hours. Once the request is approved, the user has the access for 8 hours, and it is revoked when the time is over. No additional approval is required within that 8-hour window.

ZSP: A user requests privileged access to perform a particular task, and access is granted after approval. Access is revoked immediately on task completion. If the user needs access again to perform another task, a new approval is required before access can be granted.


Both security principles help prevent accidental misuse and targeted attacks, minimize security risk and reduce the attack surface, but ZSP, being grounded in a Zero Trust implementation, requires reauthorization for each task.
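The two grant styles above, as an added example that is not part of the original post: a small privilege broker in which a JIT grant is approved once for a fixed window and a ZSP grant is approved once per task and released when the task ends. The broker, the user and privilege names and the approver callback are all constructed for illustration, not taken from any product.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass
class Grant:
    user: str
    privilege: str
    expires_at: Optional[datetime] = None  # JIT: fixed window, no per-task check
    task: Optional[str] = None             # ZSP: bound to a single task
    released: bool = False                 # ZSP: set when the task completes

    def is_valid(self, now: datetime) -> bool:
        return not self.released and (self.expires_at is None or now < self.expires_at)


class PrivilegeBroker:
    def __init__(self, approve: Callable[[str, str, str], bool]):
        self.approve, self.grants, self.approvals = approve, [], 0  # approve(user, priv, reason)

    def _grant(self, reason: str, **fields) -> Optional[Grant]:
        self.approvals += 1  # number of approval round-trips is the metric that differs
        if not self.approve(fields["user"], fields["privilege"], reason):
            return None
        self.grants.append(Grant(**fields))
        return self.grants[-1]

    def request_jit(self, user: str, privilege: str, hours: int, now: datetime):
        return self._grant(f"{hours}h window", user=user, privilege=privilege,
                           expires_at=now + timedelta(hours=hours))

    def request_zsp(self, user: str, privilege: str, task: str):
        return self._grant(f"task {task}", user=user, privilege=privilege, task=task)

    def complete_task(self, grant: Grant) -> None:
        grant.released = True  # ZSP: revoke immediately on task completion

    def has_access(self, user: str, privilege: str, now: datetime) -> bool:
        return any(g.user == user and g.privilege == privilege and g.is_valid(now)
                   for g in self.grants)


def compare_models(now: datetime = datetime(2024, 1, 1, 9)) -> dict:
    """Three tasks in one shift: JIT needs one approval, ZSP needs one per task."""
    approve_all = lambda user, privilege, reason: True  # stand-in for a real approver
    jit, zsp = PrivilegeBroker(approve_all), PrivilegeBroker(approve_all)
    jit.request_jit("alice", "db-admin", 8, now)  # constructed sample user/privilege
    for task in ("TASK-1", "TASK-2", "TASK-3"):
        zsp.complete_task(zsp.request_zsp("alice", "db-admin", task))
    who = ("alice", "db-admin")
    return {"jit_approvals": jit.approvals, "zsp_approvals": zsp.approvals,
            "jit_access_7h": jit.has_access(*who, now + timedelta(hours=7)),
            "jit_access_8h": jit.has_access(*who, now + timedelta(hours=8)),
            "zsp_access_now": zsp.has_access(*who, now)}
```

With the constructed data, the JIT user keeps access at hour 7 and loses it at hour 8 after a single approval, while the ZSP user needed three approvals and holds nothing once the tasks are done.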
 

User Access Review (UAR) – A Closer Look at the Process and Its Challenges

What is User Access Review (UAR)?

User Access Review (UAR) is the process of reviewing users' accesses/permissions and taking corrective action to ensure that they are appropriate. This process is also known as Access Recertification or Access Attestation. Typically, managers conduct the reviews, but some organizations prefer to have permission owners (entitlement/role owners, application owners or data owners) take on this responsibility. The process, while essential, tends to be quite manual. The burden falls on those executing the reviews, typically members of the cybersecurity IAM team, and on the reviewers themselves, who are responsible for verifying and confirming user access.

How Often Should UAR Be Conducted?

Organizations run UAR campaigns periodically as per their business needs: quarterly, semi-annually or annually. Quarterly and semi-annual campaigns are very common. While access reviews are important, it is important to balance the frequency of these campaigns with the organization's resources and needs.

Why Do Organizations Continue to Run UAR Campaigns Despite the Manual Work? 

Reasoning: The simplest answer is "privilege creep". Whenever someone joins an organization, they are granted certain accesses/permissions. They then request additional accesses needed for their job duties. Users keep requesting new accesses while working for the organization but never request the removal of accesses they no longer need. Over time these accesses accumulate, which is known as privilege creep. Over-assigned privileges create security risk (insider threats) for the organization, which is why it is important to revoke unnecessary accesses from users from time to time. The User Access Review process not only reduces security risk but also saves money by releasing costly licenses. Reviewing everyone's access periodically is also a mandatory regulatory requirement. Without regular reviews, an organization loses visibility over who has access to what resources, making it difficult to assess and manage risks effectively.


Challenges and Solutions in User Access Reviews

Though UAR is an essential process, it comes with its fair share of challenges. Let’s explore the most common obstacles organizations face and potential solutions to address them:

Manual Work Overload: UAR campaigns require a lot of manual effort from the IT team and reviewers. While some automation tools are available in the market to support the IT team, they do not provide full automation, and reviewers still need to review users' accesses manually. Although there are additional tools to help reviewers make decisions, such as SailPoint's access recommendation feature, not all organizations have invested in tools to support the review process.
Solution: Automation is the key to alleviating this problem. Organizations should consider investing in automation tools to handle as much of the manual work as possible. Solutions like time-bound access, or Just-in-Time (JIT) access, can also help streamline the process by limiting the amount of access granted in the first place.

Lack of Awareness and User Resistance: One of the biggest hurdles is user resistance. Employees often see UAR campaigns as an inconvenience, particularly when asked to review hundreds of access permissions every few months. Resistance also stems from a lack of awareness of the security risk associated with over-assigned privileges.
Solution: User education is very important. Users must be made aware of the security risks posed by privilege creep and understand how their participation in the review process contributes to the organization's overall security and success.

Complexity in Scalability: Large organizations often have thousands of users across multiple systems and applications. Reviewing access for every user, especially in environments with complex, multi-tiered access, can be time-consuming and overwhelming. This also leads to the "rubber-stamping" problem, where reviewers simply approve everything without genuinely reviewing it.
Solution: Implementing frameworks like RBAC, ABAC, JIT and time-bound access can significantly reduce the number of items that need to be reviewed in each UAR campaign. These frameworks can also solve the "rubber-stamping" problem to a great extent.
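How RBAC shrinks a campaign, as an added example that is not from the original post: the same constructed user population is turned into review items twice, once as one item per user and entitlement, and once as one item per assigned role plus one item per entitlement that no role explains. The roles, users, managers and entitlement names are all made up for illustration; the leftover "exception" items are the privilege-creep candidates a reviewer should actually look at.

```python
from collections import defaultdict

# Constructed sample data: role definitions, and per user the manager (reviewer),
# the assigned roles and every entitlement the user currently holds.
ROLES = {
    "dba": {"db-admin", "db-read", "backup-run"},
    "analyst": {"db-read", "report-view"},
}
USERS = {
    "alice": ("carol", {"dba"}, {"db-admin", "db-read", "backup-run", "vpn"}),
    "bob": ("carol", {"analyst"}, {"db-read", "report-view", "db-admin"}),
    "dave": ("erin", {"analyst"}, {"db-read", "report-view"}),
}


def flat_campaign(users=USERS):
    """One review item per (user, entitlement): what reviewers see without RBAC."""
    items = defaultdict(list)
    for user, (manager, _roles, ents) in users.items():
        for ent in sorted(ents):
            items[manager].append((user, "entitlement", ent))
    return dict(items)


def role_campaign(users=USERS, roles=ROLES):
    """One item per (user, role) plus one per entitlement not covered by any role."""
    items = defaultdict(list)
    for user, (manager, user_roles, ents) in users.items():
        covered = set().union(*(roles[r] for r in user_roles))  # entitlements roles explain
        for role in sorted(user_roles):
            items[manager].append((user, "role", role))
        for ent in sorted(ents - covered):               # privilege-creep candidates
            items[manager].append((user, "exception", ent))
    return dict(items)


def item_count(campaign):
    return sum(len(v) for v in campaign.values())


def exceptions(campaign):
    """Items that deserve a genuine decision rather than a rubber stamp."""
    return [i for v in campaign.values() for i in v if i[1] == "exception"]
```

On the constructed data the flat campaign has 9 items and the role-based one has 5, and the two exceptions (alice's "vpn" and bob's "db-admin") stand out instead of being buried among routine role-derived entries.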

Time Constraints: Generally, UAR campaigns must be completed within strict timelines, or they can create issues during audits. If the entire campaign runs for 4 weeks, 30% of reviews get completed within the first week, but the last 30% can be much harder to finish, especially when reviewers go on leave without taking any action.
Solution: Educating users about the importance of timely reviews, along with strict follow-up actions for those who fail to complete their tasks, can help address this issue. Deadlines and the consequences of not acting on time must be communicated clearly to users.

Data Collection: Organizations use hundreds of systems and applications, which means data comes from a variety of sources. Sometimes data is extracted from these systems/applications with the help of automation tools and sometimes manually. Given that each system stores data in a different format, transforming and standardizing this data for UAR campaigns can be time-consuming and tedious.
Solution: To ease this burden, organizations should invest in automating the data collection and validation processes, as this will not only simplify the processes but also reduce errors and save repeated manual effort.


User Access Review is an essential part of maintaining security and compliance. While it is a time-consuming and complex process, implementing the access control frameworks correctly, and investing in and prioritizing automation and user education, can help mitigate some of these challenges.