1 Introduction
IAM (Identity & Access Management) today is at the core of enterprise IT infrastructures when it comes to protecting digital corporate assets. IAM, as the name states, is about managing identities and their access. This involves managing user accounts and their entitlements across the variety of systems and applications in use in organizations.
Over the past several years, organizations have been facing multiple changes affecting their security posture. The perimeter which separated the internal network from the outer world does not have the same relevance it had before, with mobile users accessing internal systems, with integrating business partners and customers into business processes, and with the shift to cloud applications. On the other hand, the value and relevance of digital corporate assets and intellectual properties have increased. With the shift to connected things and to smart manufacturing, digital assets are becoming “crown jewels” even for more traditional businesses such as mechanical engineering.
Protecting digital assets, systems, and applications in an IT environment of growing complexity and increasingly hybrid nature, while facing ever-increasing attacks, involves several actions organizations must take. Protecting against internal and external attackers requires a well-thought-out understanding of risks and countermeasures.
Among the core elements of every infrastructure, we find IAM. IAM done right ensures that identities, their user accounts and passwords, and their access entitlements are well-managed. IAM thus reduces the attack surface by helping organizations move towards the “least privilege” principle. IAM provides the tools to automate processes around managing users and access entitlements, but also to regularly review these and identify, for example, excessive entitlements.
On the other hand, IAM also plays a vital role in business enablement, when it comes to the need of employees, contractors, business partners, and customers to access certain applications, systems, and data. IAM is the tool for implementing the workflows and automated processes for onboarding users and granting them access. Again, if done right, IAM can enable organizations by optimizing the onboarding and change processes, but also by ensuring that entitlements are revoked, and accounts are deleted or deactivated, once they are no longer required.
Under the umbrella of IAM, we can differentiate between the “core IAM” or, as it is frequently called today, IGA (Identity Governance and Administration), and the broader definition of IAM, which includes additional capabilities such as Privilege Management, Web Access Management, Identity Federation, and more. IGA, in fact, is an umbrella term for the two core elements of IAM, which are Identity Provisioning and Access Governance. Identity Provisioning supports automating the processes for creating and managing user accounts and their high-level entitlements across the variety of systems and applications in use, while Access Governance adds the governance layer for analyzing entitlements, running regular reviews and recertifications, and providing efficient access request workflows.
These core capabilities of Identity Provisioning and Access Governance are frequently available in combined products or in suites with a good level of integration between the various technical components, and they are increasingly available as SaaS solutions. The Access Governance part is essential for supporting the cooperation between business and IT: business requests and approves the relevant access, which must then be mapped to technical entitlements. Creating that interface well, from the definition to the ongoing management and review of entitlements, is challenging. Furthermore, tools must support requirements such as Segregation of Duties (SoD) controls, and must also provide insight into high-risk combinations of entitlements.
Having an infrastructure for Identity Provisioning and Access Governance in place is the cornerstone for successfully managing identities, their accounts, and their entitlements across the heterogeneous and increasingly hybrid IT infrastructure of organizations. Enabling and protecting the Digital Transformation requires IGA.
Unfortunately, IGA also comes with various challenges. Identifying the right access entitlements can be a challenge, with frequently tens of thousands of granular entitlements to choose from. Constructing entitlements, for example based on roles, requires a structured approach, discipline, and a lot of work. And identifying high-risk access for efficient access review isn’t easy either. To combat these challenges, we are starting to see an uptake of solutions that use some form of AI (Artificial Intelligence) or, at least, advanced statistical methods for supporting IGA processes. This is still an emerging area, but one that is of specific interest for improving the user experience (UX) of IGA.
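To make the Segregation of Duties controls and high-risk entitlement combinations mentioned above, and the statistical support for access review described in this paragraph, concrete, here is an added example that is not part of the original report and not vendor code. It runs a constructed SoD rule and a simple peer-group outlier analysis over a constructed set of users and entitlements (all names and entitlement identifiers are made up), then ranks identities for review.

```python
from collections import defaultdict

# Constructed sample data: user -> (department, set of entitlements).
# Names and entitlement identifiers are invented for this example.
USERS = {
    "alice": ("finance", {"ap_invoice_create", "ap_invoice_approve", "erp_login"}),
    "bob":   ("finance", {"ap_invoice_create", "erp_login"}),
    "carol": ("finance", {"ap_invoice_create", "erp_login"}),
    "dave":  ("finance", {"ap_invoice_approve", "erp_login"}),
    "erin":  ("eng",     {"git_push", "ci_admin", "erp_login"}),
    "frank": ("eng",     {"git_push", "erp_login"}),
    "grace": ("eng",     {"git_push", "erp_login", "ap_invoice_approve"}),
}

# Constructed SoD rule: one identity must never both create and approve invoices.
SOD_RULES = [("ap_invoice_create", "ap_invoice_approve")]


def sod_violations(users, rules):
    """Return {user: [(a, b), ...]} for every identity holding both sides of a rule."""
    out = defaultdict(list)
    for user, (_, ents) in users.items():
        for a, b in rules:
            if a in ents and b in ents:
                out[user].append((a, b))
    return dict(out)


def peer_group_outliers(users, threshold=0.5):
    """Flag entitlements held by fewer than `threshold` of the user's department peers.
    This is the basic peer-group analysis review tooling uses to surface
    recertification candidates; it is a heuristic that needs a human decision."""
    by_dept = defaultdict(list)
    for user, (dept, ents) in users.items():
        by_dept[dept].append(ents)
    out = {}
    for user, (dept, ents) in users.items():
        peers = by_dept[dept]  # includes the user, so len(peers) >= 1
        rare = {e for e in ents if sum(e in p for p in peers) / len(peers) < threshold}
        if rare:
            out[user] = rare
    return out


def review_queue(users, rules, threshold=0.5):
    """Rank identities for access review; SoD conflicts weigh more than outliers."""
    sod, outl = sod_violations(users, rules), peer_group_outliers(users, threshold)
    scores = {u: 3 * len(sod.get(u, [])) + len(outl.get(u, ())) for u in users}
    return [u for u, s in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])) if s > 0]
```

Running `review_queue(USERS, SOD_RULES)` puts alice (an SoD conflict) first, followed by erin and grace, whose entitlements are rare within their department.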
One of the leading vendors and a pioneer in applying AI to IGA is SailPoint, which has launched a series of modules that use AI to improve the UX of IGA. This is a key part of the vision for SailPoint Predictive Identity.