With the growing realisation that robust and mature identity and access management (IAM) stems from an ‘identity-first’ approach to security, it is no surprise that the global IAM market is forecast to grow from $15.7 billion in 2023 to $32.6 billion in 2028. IAM is a framework that leverages policies and tools to regulate which employees have access to what resources.

An ‘identity-first’ IAM strategy means prioritising user identity as the key decision-making factor for resource and systems access. Today, enterprises are constantly expanding their customer and constituent base across B2B, B2C and B2E relationships, which creates the need for more mature governance, access management, authentication, authorisation and auditing. With so many different types of users, organisations will need to maintain a timely and holistic view of identity lifecycles, and a system of foundational policies and tools that enable agility and futureproofing.

What are the main challenges to implementing an all-encompassing IAM strategy?

A strong IAM strategy requires enterprises to maintain a centralised and consistent view of all devices, resources, data and users. This includes identity lifecycle management (joiners, movers, leavers) and timely provisioning of access to different users. When any of these elements is poorly operated, both the level of cybersecurity and the quality of user experience are jeopardised.

On the topic of cybersecurity, manual provisioning/deprovisioning of user access, multiple active directories for different applications and decentralised access management for remote/hybrid employees continue to significantly hinder enterprises. The trade-off between user experience and cybersecurity has traditionally manifested in multiple passwords for users to access different applications and services, resulting in ‘password fatigue’. With an identity-first mindset, enterprises can allocate funding and resources to scale solutions and tools, meet their needs and address the challenges of growing cyberthreats.

6 IAM Trends in 2024

Although the relationship between user experience and cybersecurity has traditionally been treated as a ‘trade-off’, IAM trends in 2024 point to a symbiotic relationship where one reinforces the other. The following trends, ranked by prevalence, highlight the ability of organisations to streamline their operations, ensure efficiency and agility, and establish powerful preventive capabilities.

Applying the Zero Trust concept of ‘never trust, always verify’ ensures the constant reverification of a user based on a range of factors: what a user accesses, when, where and why will be questioned depending on the user’s characteristics, entitlement management and the duration of access time requested.

Physical attributes such as fingerprints, facial recognition and eye recognition are unique to every individual and are hard to replicate. Already widely used for identity authentication due to the distinctive and unique characteristics they hold, biometrics are considered a more secure measure of authentication than passwords, and boost usability and user experience.

Automating certain operations (such as provisioning and deprovisioning), which frees time and resources for more technical needs, and analysing user behaviour are only a few ways that AI-backed processes and tools in IAM can boost efficiency, security and precision. With the help of AI, role mining (a central part of role-based access control) could enable organisations to map user activities and responsibilities across roles and then create a consolidated list of roles that can be administered with the same permissions, depending on the grouping of activities. Additionally, AI can improve process efficiency by automatically providing a new joiner with the correct role permissions and administration based on their identity, without necessarily requiring the manager to make this request.
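The role mining described above can be illustrated without any AI component. The following is an added example, not code from the article or from any IAM product: a greedy set-based heuristic that groups constructed sample entitlements into candidate roles and surfaces the one-off grants left over for review. The user names, entitlement strings and the `mine_roles` function are assumptions.

```python
from itertools import combinations

# Constructed sample data: user -> entitlements currently held.
USER_ENTITLEMENTS = {
    "alice": {"crm:read", "crm:write", "mail:use"},
    "bob":   {"crm:read", "crm:write", "mail:use"},
    "carol": {"erp:read", "erp:post", "mail:use"},
    "dave":  {"erp:read", "erp:post", "mail:use"},
    "erin":  {"erp:read", "erp:post", "mail:use", "erp:approve"},
    "frank": {"mail:use", "hr:read"},
}

def mine_roles(user_entitlements, min_members=2):
    """Greedy role mining (hypothetical helper).

    Returns (roles, residual): roles is a list of (entitlements, members),
    residual maps each user to grants that no shared role explains.
    """
    users = {u: frozenset(p) for u, p in user_entitlements.items()}
    # Candidate roles: entitlement sets shared by at least one pair of users.
    candidates = sorted(
        {a & b for a, b in combinations(users.values(), 2) if a & b},
        key=sorted,  # deterministic order
    )
    uncovered = {(u, p) for u, perms in users.items() for p in perms}
    roles = []
    while True:
        best, best_gain, best_members = None, 0, []
        for cand in candidates:
            members = sorted(u for u, perms in users.items() if cand <= perms)
            if len(members) < min_members:
                continue
            # Gain: user/entitlement assignments this role would newly explain.
            gain = sum((u, p) in uncovered for u in members for p in cand)
            if gain > best_gain:
                best, best_gain, best_members = cand, gain, members
        if best is None:
            break
        roles.append((sorted(best), best_members))
        uncovered -= {(u, p) for u in best_members for p in best}
    residual = {}
    for u, p in sorted(uncovered):
        residual.setdefault(u, []).append(p)
    return roles, residual
```

The residual output is the part worth reviewing from a least-privilege standpoint: entitlements that no peer group shares are the usual place to find accumulated or forgotten access.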

Single sign-on (SSO) systems enable an employee to use a single set of verifiable credentials to access a variety of applications and resources. With SSO, the user must enter their login credentials only once, whereas multi-factor authentication (MFA) requires users to provide at least two identification factors such as passwords, PINs, security questions, fingerprints and facial scans. In this sense, whilst MFA mitigates the laxness of traditional passwords with an added layer of security, SSO removes the inconvenience of entering login credentials multiple times.

Self-sovereign identity (SSI) is founded on the idea that users should protect their identity as if it were their personal property, rather than placing this responsibility on an organisation or third party. SSI data is typically protected in an encrypted blockchain, making it difficult for the data to be compromised and manipulated.

Identity as a Service (IDaaS) is a cloud-based service provided by a third party which decentralises the IAM framework as a way to boost security and productivity whilst reducing costs.

Zoom in

Zero Trust Security

Trust is not taken for granted in the organisation and the principle of ‘least privilege’ is upheld: users are given the minimum level of access required to perform their jobs. The monitoring of access requests can be a powerful means of pre-emptively identifying suspicious behaviour and preventing attacks. As a recent Wavestone paper details, many organisations are embarking on their Zero Trust Security transformations by securing remote access and establishing micro-segmentation to strengthen their cybersecurity postures. Success in Zero Trust transformations is measured incrementally due to their complexity.

Biometrics

Unlike the plethora of passwords that users must remember in a traditional IAM framework, the use of biometric data can empower enterprises to modernise and streamline their access management whilst also providing a highly user-friendly and accessible solution. Combining physical attributes with behavioural analytics (for example, typing patterns, gait or signature) can create an even more powerful and unique authentication process that can help with preventing insider threats and cyber-attacks. However, the use and storage of biometric data have raised concerns over potential data privacy violations relating to global data privacy laws, for example the GDPR and HIPAA. Further, sophisticated presentation attacks, whereby a photo, video, mask or voice recording is used to impersonate a person and compromise the system, can also pose challenges to the integrity of biometrics. Companies that use and store biometric data in IAM systems may become central targets for malicious actors.

SSO and MFA

Implementing SSO provides the benefits of a more seamless and simplified user experience and password management. Combined with MFA, a layered approach to security can be established to ensure users are verified across multiple factors and characteristics before access is provided. Adaptive authentication goes one step further, using machine learning capabilities and the analysis of user login details, login time, location, device status and user behaviour to determine the authenticity and integrity of an access request. Upon analysing this, the system will choose how a user must authenticate, and if the access requests are further deemed suspicious, they may be blocked. Echoing the principles of zero trust security, this layered approach to security has become increasingly important in the world of remote working where employees connect from different locations and devices.
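The adaptive authentication decision described above, sketched as an added example that is not code from the article or from any vendor: each login attempt is scored against a per-user baseline and the score selects between the existing SSO session, an MFA step-up, or a block. Fixed weights stand in for the machine-learning model the text mentions; the baseline data, weights, thresholds and all names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginAttempt:
    user: str
    hour_utc: int
    country: str
    device_id: str
    device_compliant: bool
    recent_failures: int

# Constructed per-user baseline (hypothetical; normally learned from history).
BASELINE = {
    "alice": {"hours": range(7, 20), "countries": {"GB"}, "devices": {"lt-0412"}},
}
# Assumed fixed weights standing in for a trained risk model.
WEIGHTS = {"no_baseline": 40, "unusual_hour": 15, "new_country": 35,
           "unknown_device": 25, "noncompliant_device": 30, "repeated_failures": 30}
MFA_THRESHOLD, BLOCK_THRESHOLD = 20, 70

def risk_signals(a: LoginAttempt) -> list[str]:
    """Return the names of the risk signals this attempt triggers."""
    signals = []
    profile = BASELINE.get(a.user)
    if profile is None:
        signals.append("no_baseline")  # never seen before: nothing to compare to
    else:
        if a.hour_utc not in profile["hours"]:
            signals.append("unusual_hour")
        if a.country not in profile["countries"]:
            signals.append("new_country")
        if a.device_id not in profile["devices"]:
            signals.append("unknown_device")
    if not a.device_compliant:
        signals.append("noncompliant_device")
    if a.recent_failures >= 5:
        signals.append("repeated_failures")
    return signals

def decide(a: LoginAttempt) -> tuple[str, int, list[str]]:
    """Map the summed risk score to an authentication requirement."""
    signals = risk_signals(a)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= BLOCK_THRESHOLD:
        action = "block"
    elif score >= MFA_THRESHOLD:
        action = "require_mfa"
    else:
        action = "sso_session_ok"
    return action, score, signals
```

Returning the triggered signals alongside the action gives the access log the reason for each step-up or block, which is what makes these decisions auditable and tunable.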

What to expect

The future of cybersecurity will largely be one of anticipating new threats, regulations and technologies. The trends detailed above may greatly impact the IAM landscape as enterprises endeavour to find solutions that optimise user experience and cybersecurity, whilst also factoring in efficiency and cost optimisation. Ultimately, organisations should champion an identity-first cybersecurity strategy that necessarily leverages the most robust IAM policies and tools.