IDENTITY ACCESS MANAGEMENT – THE NEED OF THE HOUR
In one of the most famous cases of identity theft and wrongful access to confidential data, David M Read of Virginia stole the American Express Card of actress Demi Moore in 2018. He then obtained her Social Security Number (SSN) and other personal information online and used the card to binge shop to the extent of some USD 169,000 over 25 days, before being apprehended while making a purchase[1].
Identity theft and fraud are among the most common online frauds. The US has been witnessing a continuous increase in the number of frauds since 2005. Javelin Strategy and Research estimated that there was a new victim of identity theft in the U.S. every two seconds in 2016[2]. According to Aite Group’s latest research on U.S. Identity Theft[3], around 47 percent of Americans had suffered financial identity theft by 2020. Furthermore, according to the group’s analysis, losses from identity theft cases totaled $502.5 billion in 2019 and were expected to rise 42 percent to $712.4 billion in 2020.
The trend is alarming with 2021 showing a 68% increase in identity theft over 2020[4].
What is Identity Access Management (IAM)
Much evolved since its early days, when it was limited to a repository of user identities, IAM today is a management system that defines the roles and access privileges for users and devices that are connecting to cloud-based or on-premise applications. Identity Access Management takes its name from the area it addresses – namely identity. In an organization, this can be internal stakeholders like employees and subcontractors, and external associates like customers, partners, suppliers, consultants, etc. Considering both sets of entities access an organization’s network and critical data, using a variety of digital platforms, there is a need for a system that would identify the user seeking access to the organization’s network.
IAM is that system.
Tech Target calls it ‘a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities. With an IAM framework in place, information technology (IT) managers can control user access to critical information within their organizations’. [5]
IAM serves two purposes. In the first instance, it confirms the identity of the user seeking access to the system. Secondly, having done that, it grants to that user only as much access as has been granted to him. These ‘rights’ as we know them, can be in the nature of Read, Write or Edit. Management of these ‘rights’ is referred to as Privileged Access Management (PAM) – an integral part of IAM.
How it helps
Gartner’s latest Planning Guide for IAM categorically states that ‘the economy relies on IAM’. That notwithstanding, organizations are finding IAM immensely beneficial in their areas of operation.
Implementing IAM
Organizations implementing IAM would need to put in place several policies and practices. These would include:
The things to watch out for
Despite all its obvious benefits, a poorly administered IAM can have a negative impact. Tech Target points out that poor configuration and process automation, inefficient provisioning of user accounts, inadequate review of the reports generated, weak housekeeping of the identity bases, and dilution or underestimation of the ‘access rights’ principles, can undo the potential of IAM[5]. Cloud-based IAM makes it imperative that a premium is placed on the administration of IAM.
The future of IAM
According to a March 2021 study of more than 1,300 executives sponsored by Ping Identity, about “70% of global business executives plan to increase spending on IAM for their workforce over the next 12 months, as a continuation of remote work increases demand on IT and security”[6].
Artificial intelligence (AI) is playing an increasingly transformational role in IAM, especially in user behavior analytics and in detecting suspicious logins and access sought from unrecognized locations and devices. This gives SOCs the ability to act on malicious access attempts from users that are not on an organization’s Virtual Private Network (VPN). Its high speed and accurate machine-generated results can provide micro-analyses to thwart identity theft.
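The kind of signal described above can be illustrated with a simple rule-based baseline, shown here as an added example that is not from the original article and is not an AI model: it learns each user's known devices and countries and flags logins that deviate from them. The event fields, sample events and the `score_logins` function are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events (not real data).
EVENTS = [
    {"user": "alice", "device": "lt-01", "country": "US", "vpn": True},
    {"user": "alice", "device": "lt-01", "country": "US", "vpn": True},
    {"user": "bob",   "device": "ph-07", "country": "DE", "vpn": False},
    {"user": "alice", "device": "lt-01", "country": "US", "vpn": False},
    {"user": "alice", "device": "xx-99", "country": "BR", "vpn": False},
    {"user": "bob",   "device": "ph-07", "country": "DE", "vpn": False},
    {"user": "bob",   "device": "ph-07", "country": "FR", "vpn": True},
]


def score_logins(events, min_history=1):
    """Return (index, user, reasons) for logins that deviate from the user's own history.

    A login is only scored once the user has at least `min_history` earlier
    logins, so a first-ever login does not alert on everything.
    """
    seen_devices = defaultdict(set)
    seen_countries = defaultdict(set)
    history = defaultdict(int)
    alerts = []
    for i, ev in enumerate(events):
        user = ev["user"]
        reasons = []
        if history[user] >= min_history:
            if ev["device"] not in seen_devices[user]:
                reasons.append("unrecognized device")
            if ev["country"] not in seen_countries[user]:
                reasons.append("unrecognized location")
            # Being off the VPN is normal on its own; it only raises
            # priority when combined with another deviation.
            if reasons and not ev["vpn"]:
                reasons.append("off VPN")
        if reasons:
            alerts.append((i, user, reasons))
        # Simplification: every login updates the baseline. A real system
        # would learn only from logins that were subsequently verified.
        seen_devices[user].add(ev["device"])
        seen_countries[user].add(ev["country"])
        history[user] += 1
    return alerts


if __name__ == "__main__":
    for index, user, reasons in score_logins(EVENTS):
        print(f"event {index}: {user}: {', '.join(reasons)}")
```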
But a really good insight into the future is enunciated by Gartner in its article The Top 5 Predictions for IAM[7]. The report makes interesting observations on the future of IAM, including one that says a cybersecurity mesh will begin to define IAM requests. This translates into the now widely-accepted understanding that no entity – internal or external – can be trusted until verified. Certainly, this resonates with Zero Trust Architecture (ZTA), which is founded on the premise that verification of any and all users is a pre-requisite for gaining access to a system.
Sources:
[1] Identity Theft Cases: 6 Famous Identity Theft Cases in Recent Years | (homesecurityheroes.com)
[2] Cloudwards: Identity Theft Statistics, Facts and Trends You Need to Know in 2022 (cloudwards.net)
[3] 2021 Report: US Theft of Identity Statistics | i-AML Israel Anti-Money Laundering
[4] Insurance Information Institute: Facts + Statistics: Identity theft and cybercrime | III
[5] Tech Target: https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system
[6] CSO Online: https://www.csoonline.com/article/2120384/what-is-iam-identity-and-access-management-explained.html
[7] Gartner: 5 Key Predictions for Identity and Access Management and Fraud Detection (gartner.com)