Identity and access management (IAM) is a difficult and enduring challenge for enterprises. Organizations need to balance securing and managing identities effectively with ease of use for employees, customers and suppliers. Put in too many layers of identity and access control, and the result is “friction”: processes that make it harder for employees to do their jobs.
“Many organizations start their identity journey with a combination of only short-term objectives, poor identity data, immature identity architecture and weak user verification,” warns Scott Swalling, a cloud and data security expert at PA Consulting.
“A poor IAM approach, at best, can make it cumbersome and frustrating for your users and administrative staff. Onerous processes that don't take full advantage of IAM capabilities will breed users finding ways around them – as they always have – leading to security issues and potentially breaches.”
Even with the expansion of measures such as multifactor authentication (MFA) and biometrics, access remains a weak spot in enterprise security, as well as data compliance and privacy. IAM has become even more critical as enterprises move away from a fixed perimeter to flexible working, the cloud and web applications.
The scale of the problem is very real. According to Verizon's 2024 Data Breach Investigations Report, stolen credentials were used in 77% of attacks against basic web applications. Google's 2023 Threat Horizons report found that 86% of breaches involve stolen credentials.
“We need to transition to an identity-first security culture,” warns Akif Khan, a vice-president analyst at Gartner who focuses on IAM. “If you don't identify your users, it's hard to have any type of security. If you don’t know who is accessing your systems, how do you know if they should be accessing them, or not?”
IAM, Khan suggests, is replacing the old idea of organizations having a secure perimeter. The risks of relying on perimeter security alone are clear. In June this year, data breaches at Ticketmaster and Santander were traced back to unsecured Snowflake cloud accounts.
Securing privileged accounts goes hand in hand with strong identity management and initiatives such as zero trust. But as zero trust requires significant, long-term investment, CIOs and CISOs should also be looking to improve existing security for credentials and move to risk-based approaches for identity.
This is prompting organizations to move toward policy-based access controls and risk-adaptive access controls. These systems allow firms to enforce multifactor authentication if an action appears high risk, or block it altogether. But this depends on a clear IAM strategy throughout the organization.
“Get the basics right to ensure you have clear visibility and control of who has access to your resources,” recommends PA's Swalling. “Ensure identity data is good. Coupling this with robust privilege access management, utilizing automation and machine learning where possible, will streamline and enhance administrative tasks and reduce user frustration.”
Frustrated users make for ready victims, agrees Mustafa Mustafa, EMEA solutions manager for identity at Cisco, with a very real risk of MFA flood attacks.
Zero trust
Cisco is a proponent of the zero-trust security model, but Mustafa admits few organizations have fully achieved it.
In fact, Cisco research found that 86% of enterprises have started on zero trust, but just 2% say they have reached maturity. Barriers include complexity and an inconsistent user experience.
“The principle is trust no one, verify everyone,” says Mustafa. “The only way to implement a zero-trust policy is continuous verification of all users, devices and applications at all times and locations within or outside a given network.” This includes deploying multifactor authentication, least privilege access and micro-segmentation.
Zero trust is worth the effort, he argues. It improves security, compliance and risk management, but also simplifies operations – once it is properly implemented – and potentially allows organizations to reduce administration overheads, costs, and delays and frustrations for users. It also makes hybrid and remote working easier to manage.
Meanwhile, enterprises need to continue to invest in MFA, identity governance and administration, privileged access management, and single sign-on, to list just a few. This can force CIOs to operate in two “lanes” – one for improving security around identity and access now, and a separate, longer-term objective of moving to zero trust.
In time, this will include making more use of artificial intelligence (AI) to spot unusual user behavior or actions that could be evidence of a breach, and a move towards IAM based on risk, rather than just identity. This is sometimes also called adaptive authentication.
“By integrating real-time risk assessments, organizations can grant access based on context rather than identity alone,” says John Paul Cunningham, CISO at Silverfort, an identity protection provider. “This shift would reduce the operational overhead and data burden of managing authentication and authorization. Ultimately, adopting this model would enable businesses to strengthen security, improve user experiences and lower the cost of maintaining identity security,” he says.
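As an added example (not from the article or from any vendor named in it), the sketch below shows the kind of risk-adaptive decision described above: a request is allowed, stepped up to MFA or blocked from contextual signals, and a per-user count of recent MFA push prompts refuses further prompts during a suspected MFA flood. The signals, weights, thresholds and sample request are all constructed.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Context:
    """Signals a policy engine might see for one access request (constructed)."""
    user: str
    known_device: bool
    country: str
    home_country: str
    privileged_action: bool


class PushTracker:
    """Sliding-window count of MFA push prompts per user, used to spot
    MFA flood (push fatigue) attempts instead of prompting the user again."""
    def __init__(self, window_seconds: int = 600):
        self.window = window_seconds
        self.events: dict[str, deque] = {}

    def record(self, user: str, ts: float) -> int:
        q = self.events.setdefault(user, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()          # drop prompts outside the window
        return len(q)


def risk_score(ctx: Context) -> int:
    """Additive score; the weights are illustrative, not from the article."""
    score = 0
    if not ctx.known_device:
        score += 30              # unmanaged or never-seen device
    if ctx.country != ctx.home_country:
        score += 30              # sign-in from an unusual location
    if ctx.privileged_action:
        score += 40              # e.g. changing roles or reading sensitive data
    return score


def decide(ctx: Context, recent_pushes: int, flood_limit: int = 5) -> str:
    """Return 'allow', 'step_up_mfa' or 'block' for one request."""
    if recent_pushes >= flood_limit:
        return "block"           # burst of prompts: likely MFA flood, escalate to SOC
    score = risk_score(ctx)
    if score >= 70:
        return "block"
    if score >= 30:
        return "step_up_mfa"     # enforce MFA only when the request looks risky
    return "allow"


if __name__ == "__main__":
    tracker = PushTracker()
    ctx = Context("alice", known_device=False, country="FR", home_country="GB", privileged_action=False)
    print(decide(ctx, tracker.record("alice", ts=1000.0)))   # step_up_mfa
```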
In practice, organizations are likely to rely on layers of security for layers of access, at least for now.
Digital wallets
“The more forward-thinking organizations are prioritizing identity. But the challenge still exists of stitching together disparate systems,” says Cunningham. “Looking at the future you can build new platforms, but people still have a lot of legacy architecture.”
However, enterprises still need to verify the identity of a user – whether an employee, supplier, or customer – in the first place. Here, the move towards global identity wallets (GIWs), usually part of a government-backed scheme, can help.
Most often associated with digital government initiatives, GIWs might not be the most suitable tool for day-to-day access management, but they could play a role in onboarding staff or customers, and potentially cut fraud and credential theft. Already, there is some convergence between GIWs and IAM, with Microsoft's Entra Verified ID integrated into the company's Authenticator app, for example.
According to Gartner, more than 500 million people worldwide will use phone-based digital identity wallets by 2026. This represents significant growth, and should ease a number of issues around identity verification, especially for government services.
“In principle, you could have an identity wallet on your phone, and it's not hugely different from an authenticator app. That could be used,” says Khan. “It's not a Microsoft ID, but an ID in a Microsoft app.”
Open standards around digital ID and interoperability between platforms are likely to drive adoption among government agencies and, in turn, take-up by citizens. Global identity wallet technology, for all its advantages, is likely to be too expensive for enterprises to set up on their own. And part of their advantage lies in scale, and in the trust that comes with government-issued ID.
“The market is moving towards portable digital identity, so users won't have to verify their identities again and again, but instead have an ID wallet on a mobile device which verifies that ID,” says Khan.
Businesses that currently pay for third-party identity verification services could even save money through a GIW. “How the commercials stack up will be key to this,” he says. Organizations also need to accept the identity asset in the wallet, which is again why government backing, and open standards and interoperability, are so important. And using GIWs could give advantages in areas as diverse as recruitment or providing services to new customers.
“From a technical point of view, it makes perfect sense if there is a route to onboard someone more quickly,” says Khan. “In a competitive market, organizations will look to explore that.”
Even so, GIWs look set to be part of the IAM landscape, rather than a replacement for internal identity and authentication systems. “You have an ID, and that ID has attributes such as 'I'm an employee of Gartner'. Then you have your attributes for access rights, which is layers upon layers of information,” says Khan. “That might not all be in the wallet.” Firms will still need to check details against their own identity infrastructure.
The prospects for enterprise use of identity wallets, and much of the future development of IAM, will depend on the type of information, and the levels of access, organizations need to secure.
“Digital wallets can play a significant role in day-to-day authentication, extending beyond one-off events like onboarding or identity verification,” says Silverfort's Cunningham. “By embracing digital wallets as a daily authentication tool, organizations can strengthen their security posture while enhancing user convenience and productivity.”
He expects to see take-up in healthcare, government, access to benefits and border control, at least initially.
But digital wallets could also strengthen MFA and give hard-pressed data security teams some breathing space as they look at longer-term options, including zero trust.
“Digital wallets serve as an additional factor in MFA, a unique identifier similar to certificate-based tokens, and a secure storage solution for sensitive data like passwords and cryptographic keys,” says Cunningham.
Used well, they could improve security and ease of use while also reducing support costs for enterprises.