
Identity and Access Management Reach Inflection Point

For Symantec customers: Digital transformation, mobility and cloud mandate transition for IAM

The COVID-19 pandemic has disrupted work as we know it. But think for a moment what that work was like – and soon will be again. Consider Audrey, a hypothetical mechanical engineer who is responsible for worldwide manufacturing for a vehicle parts company: She travels between U.S. design centers and global factories; she shares CAD diagrams in video conferences from hotels, coffee shops and her home office; she incorporates insights from factory-generated big data analytics into design specifications. She’s indispensable to her company and the powerful IT capabilities that support her are indispensable to her work.

And Audrey is not alone. Across industries of all kinds, businesses have been taking a mobile-first approach to employees at every level, even as those businesses digitally transform themselves at every level. As companies ride out the pandemic, many are taking a remote-first approach to workers. What’s more, they are likely to be accelerating their digital transformation projects, implementing web applications that pull in data from on-premises and cloud-based sources to automate processes and guide decision-making.


It’s a far cry from when workers accessed centralized databases from fixed locations. Mobile users were the exception and had limited data access because bandwidth was at a premium. In this world, setting up a protective perimeter made sense. Web Access Management provided single sign-on and single sign-off for web applications. Security was implemented separately for each application.

Our world of work is different today, yet some organizations persist in implementing the Identity and Access Management (IAM) of yesteryear, oblivious to the disruption that has taken place thanks to mobility and digital transformation. A fresh approach is needed. Identity and Access Management must take up the gauntlet of disruption and disrupt outdated perimeter-based security.

The new IAM must be integrated into the fabric of applications. Instead of a single broad perimeter, the new IAM architecture is based on many microperimeters, each a single user, session, device or application. The new IAM has these characteristics:

  1. Contextual and omnipresent. Identity doesn’t occur in a vacuum, but in a context of the user’s activity, device, session and application, with continual monitoring and adjustment.
     
  2. Risk-based authentication. Each access request poses a different level of risk according to user device and data sensitivity. Authentication must correspond to the level of risk.
     
  3. Relief from authentication fatigue. Users need not identify themselves over and over, which was once required when each application had its own security requirements.
     
  4. Identity itself is the perimeter. By considering the unique characteristics and needs of each user, device and session, the appropriate security measures are applied to each identity.
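
As an added illustration (not code from this post or from any Symantec product), the sketch below makes one access decision per request from its device, location, data sensitivity and session context, and re-prompts only when the session has not already proven the required assurance level. The field names, weights, assurance levels and the 480-minute freshness window are all assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed classification scale; unknown labels fail closed to the top level.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass
class Request:
    user: str
    device_managed: bool   # enrolled, policy-compliant device
    known_location: bool   # network/geo previously seen for this user
    sensitivity: str       # classification of the data being requested
    session_aal: int       # assurance level already proven in this session (0-3)
    session_age_min: int   # minutes since that assurance was proven

def data_level(r: Request) -> int:
    return SENSITIVITY.get(r.sensitivity, 3)

def risk_score(r: Request) -> int:
    # Risk grows with data sensitivity and with weaker device/location context.
    score = data_level(r)
    score += 0 if r.device_managed else 2
    score += 0 if r.known_location else 1
    return score

def required_aal(score: int) -> int:
    # 1 = SSO password, 2 = plus a second factor, 3 = phishing-resistant factor
    if score <= 1:
        return 1
    if score <= 3:
        return 2
    return 3

def decide(r: Request, max_age_min: int = 480) -> str:
    # Hard policy: the most sensitive data never leaves managed devices.
    if data_level(r) == 3 and not r.device_managed:
        return "deny"
    need = required_aal(risk_score(r))
    fresh = r.session_age_min <= max_age_min
    if fresh and r.session_aal >= need:
        return "allow"  # session already meets the level, so no re-prompt
    return f"step_up:aal{need}"

if __name__ == "__main__":
    # Constructed requests: the same user in two contexts.
    home = Request("audrey", True, True, "internal", 1, 30)
    hotel = Request("audrey", True, False, "confidential", 1, 30)
    print(decide(home), decide(hotel))
```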

That’s where we need to go. How do we get there? You can’t wave a magic wand over your enterprise, say a few magic words, and voilà it happens! And you can’t issue a top-down mandate that changes all the rules overnight. Although the new IAM disrupts the old, what is needed is a gradual transition to bring identity services closer to the applications.

Start by looking at things from the user’s point of view and make sure the user gets the same experience – seamless single sign-on and single sign-out – regardless of the channel. The old perimeter-based approaches won’t go away overnight but will exist alongside your new microperimeter approach to IAM for a certain period of time. In some markets, businesses might want to consider adding the distributed identity capabilities of blockchain to the mix.

Bottom line: You need to make IAM “just work,” not just for Audrey but for all workers, as well as your company’s customers and partners. There is more to say about all this, so please look for my upcoming blog entries on this subject. Next will be a close look at modernized IAM.

Download my whitepaper below for more information as well.

 

About the Author

Vadim Lander

Identity Security CTO & Distinguished Engineer

Vadim is a recognized IAM expert having architected, developed, and led multiple, highly scalable IAM solutions to become industry leaders. At Broadcom, Vadim is focused on evolving IAM to meet the needs of the world going digital.
