Cloud consumption, “hybrid” workforces, and cybersecurity threats are all increasing like never before. What does the future look like for Identity and Access Management (IAM)?

David Begic, Technical Pre-Sales Specialist (Cybersecurity)

Identity and Access Management in 2023 and beyond

At the heart of Information Technology (IT) security, be it modern solutions like Zero Trust or legacy, perimeter-based protection, the first step in securing critical business data is to establish fundamental access policies. Which users (and, in a lot of cases, roles) are there, and what business-critical information and applications do they require to fulfil their duties?

Put simply - who gets access to what?

Breaches are inevitable, but a good way to reduce the attack surface is to limit the exposure of a user account. This, coupled with other important measures we see today, such as perimeter/edge-based firewalls, web proxies, and SIEM tools, to name a few, will ensure businesses are equipped to mitigate today’s bad actors. The concept of digital identity dates back to the 1960s, when Fernando Corbató helped create the first computer password.

Passwords have served us well, but alone they aren’t enough

 

Same goal, different methods

Since then, we have seen new authentication methods surpass those early passwords: first the complex passwords we use today, then 2FA, then MFA. Attackers and bad actors have also matured their arsenal and processes in this never-ending game of chess.

The space continues to evolve, and some recent examples of that evolution are:

  • Biometrics – Biometrics are becoming second nature, as a lot of us tend to use them on our mobile devices today without a thought.
  • Passwordless Authentication – modern hard token devices and protocols (think FIDO and FIDO2) are removing the need for passwords altogether. Remember when Google, Microsoft, and Apple told us that passwords suck?
  • Risk-Based Authentication – the advent of Big Data, Machine Learning and AI has brought with it the capability of rigorous profiling. We see it in the tailored advertisements that online vendors create for us, or when our phone learns a routine from repeated activity like a morning walk or a regular commute. Security companies, too, are using advanced profiling techniques to potentially prevent users from accessing their regular apps and data if their habits deviate far enough from their profile.

 

Modern MFA means evolved authentication methods like facial recognition

 

The dynamic shifts in the way people work have contributed to this evolving cybersecurity landscape. Zero Trust, as an example, became a lot more popular with the advent of remote/hybrid work during the 2020 pandemic. Because people are now logging in from potentially unsecured networks (such as cafés or other public WiFi access points), continuous interrogation of the user accessing business applications and data is needed; the traditional ‘flat’ networking and security structure won’t suffice.

 

Visibility is the new black

A big concern most businesses have with Identity and Access Management (IAM) is that security measures are usually reactive - not proactive, and that these businesses are usually in the dark until a breach has occurred. At this point, security teams work backwards to understand where the issues were.

Identity Governance and Administration (IGA) addresses this by wrapping policy and rigor around the day-to-day IAM operation. IGA solutions enable businesses to offer better self-service to their users or business units, whilst maintaining a clear audit trail. Some of the fundamentals of a modern IGA are:

  • Managing the end-to-end lifecycle of Joiners, Movers, Leavers (JML) to capture access requirements of a user from their first day, to a new role, and their last day of work
  • Centralised policies and access rights, as well as access requests. Though the premise of decentralisation is taking the world by storm today, a good governance solution should centrally facilitate user access rights and support approval workflows, and have a modular portal to support both admin and user experience alike
  • Scalable to manage anything from basic single identity source to more complex, multiple identity source ecosystems
  • Provide in-depth analytics and reporting, and audit logging for administrators/business owners or external auditors

Good authentication and MFA controls are essential. A top-down overview of Identity Governance is best.

Where our partners identify opportunities and add value

Our partners are already having conversations with their customers around:

  • Moving to Cloud
  • Identity/Data Governance for compliance
  • Enabling a flexible/hybrid workforce
  • Enhanced security with technologies like biometrics
  • Having a dynamic, risk based security solution adapting to business needs

Each of these topics is a great opportunity to talk about their IAM solution, and what they should expect at minimum to maintain security posture today.

Your Dicker Data SecurID sales reps and technical resources are always on hand to assist in these conversations, and with modern “ID Plus” solutions, getting a customer trial is a cinch.  

Contact sales@dickerdata.com.au for all your technology needs.
