Identity and Access Management – A crucial link to successful digital transformation

Felix Gaehtgens, VP Analyst, Gartner, highlights the crucial role of IAM in leading organizations to a successful digital transformation.

How critical is IAM considering the current ‘work-from-anywhere’ culture gaining ground?
More critical than ever! Before, a medium-sized company might have had 5000 employees and 5 offices. Nowadays as everyone works from home, it would have the same 5000 employees but 5000 offices! There is no more perimeter in terms of “inside the office vs outside the office”. Identity is the ultimate perimeter in an otherwise perimeter less world. So, the job of the IAM leader has become much more important! So many more things to do. Just think about how identity enables remote access! On one hand that’s great news for IAM professionals as they should have no problems finding jobs, but not so great for organizations as this exacerbates the skills crunch.

What are the important factors should IAM leaders consider while designing their organization’s IAM strategy for 2021?
As mentioned above, recognize that identity is the ultimate perimeter! If you are the IAM leader within your organization, expect to become an enabler to many use cases and look for synergies. For example, look at the intersection of identity with data security, networking, software development, DevOps, and so on. And also, even though this may seem boring: don’t forget the basics. Don’t get carried away by the promises of advanced and promising new technology without addressing the fundaments! IAM is like the laundry: you’re never “finished”. You need to put it on a solid foundation with long-term planning and financing.

What according to you are the major loopholes that have to be plugged to make IAM more secure?
One of the top concerns that comes to mind immediately is machine identity management. I speak to every organization about managing access for people. But only few organizations bring up IAM for machine identities. But it’s not a niche or exotic concept, rather it is that many organizations are blind regarding the risks they face there. Every organization has tons of service accounts, automation scripts, app-to-app, service-to-service, app-to-database, robotic process automation, and so on. In most cases, there are more machine identities than people identities. They are a significant source of risk and a sizable chunk of the overall attack surface! Organizations that do not manage them properly will remain very vulnerable. Just think about it. Machine accounts are wonderful “soft targets” for every hacker!

How does IAM strategy vary across different entities, such as government entities, educational institutions/healthcare/ private organizations?
While there are some aspects of IAM (especially those around management of identities for employees, business partners and customers) are similar, there are some marked differences in the scope between different types of organizations. For example, government entities are the driving force for e-ID initiatives (government ID). We have seen rapid progress in the region, one of the latest examples is the Saudi National Digital Identity Management initiative. These initiatives are especially successful when they create identity networks that span public and private institutions.

For education, collaboration is really important, so they are looking for ways to integrate distinct identity systems. Another example: critical industries have many industrial control systems and operational security that needs to be secured as well – including identity, and very specifically privileged access management for those environments.

What are the new IAM techniques to watch out for in 2021?
My tip would be decentralized identity! The promise for people to “own” their identity while being able to use it for high trust use cases. In other words, the promise of both strong privacy and strong trust. This is a hot area with a lot of activity and development and governments are starting to step up to do their part to become trust anchors for these initiatives to work.

How have organizations across the Middle East fared in implementing effective IAM strategies?
Honestly, it’s a mixed bag! Let’s start with the very positive: As part of my job as an analyst at Gartner, I review many strategy documents, RFPs and roadmaps, and am often impressed at how well these are thought out and done. Many organizations in the Middle East have very rapidly matured in terms of IAM and can run circles around similar organizations in other parts of the world. And when they are not there yet, they tend to make giant leaps. Also, many clients are more open-minded towards technology adoption and maturing their practice, rather than sticking to old-school thinking that holds them back. However, there is another side of the coin as well. It’s not uncommon to find high-level executives demanding “special access” and circumvention of typical and commonsense IT controls that apply to everyone else. That is unfortunate, because it really puts those organizations at risk, and I believe that executives should lead by example – if they want their organization to be secure.

How can organizations enhance consumer IAM to prevent fraud and protect privacy?
A top factor to consider is contextual and adaptive authentication. Don’t treat your customer or your employees and business partners like a criminal. Yes, there is a lot of potential fraud and danger out there. But the vast majority of your clients and workforce is honest and just wants to get business done. That’s where context and analytics comes in. If a client logs in to do a low-risk operation, you don’t always need to inconvenience them by interrupting the flow and ask them to solve puzzles, juggle devices or do anything further to strongly identify themselves. That should be reserved for high-risk transactions. Be smart and use risk-appropriate authentication, step-up authentication and analytics in the background.

What is your take on the emerging futuristic password less authentication techniques?
Well, they are not futuristic anymore! “Passwordless” is here to stay, just look at FIDO2 and Windows Hello for Business. But be aware that “passwordless” doesn’t necessarily mean “without any password”. It could mean “an alternative authentication mechanism that will fail back to password when it’s unavailable”. For example, biometric authentication that, when unfeasible because you’ve been swimming and your fingerprint recognition doesn’t recognize your water softened fingers, will fall back to some other knowledge-based authentication mechanism. In a nutshell, the complete elimination of passwords is still very far off, if it ever happens. But decreasing reliance on passwords is feasible today, and many are doing it already.