Identity and Access Management (IAM) is sure to become an increasingly integral part of our personal and business lives as the technological and societal landscape continues to evolve rapidly. While we cannot wholly and correctly prophesy what lies ahead, technological advances will likely continue to change our lives in the coming years in ways that require a new approach to identity and access management in the enterprise.

As distributed and interconnected systems grow in number, seamless, continuous, and accurate access to all resources through advanced authentication systems such as biometrics and artificial intelligence will become prevalent. Passwords will be a thing of the past as user-controlled access is replaced by machine-controlled access management. There will be no more passwords to access systems or badges to enter buildings. Smart systems will be able to recognise and greet us using some of our personal and distinct features when we use ATMs, go into stores and restaurants, visit websites, enter office locations, drive cars, and access business systems.

Identity management and artificial intelligence will revolutionise security beyond the people, places, and things we manage today, as an increasing number of devices and systems communicate with and learn from one another without human intervention. For example, household systems, which will be a big part of the Internet of Things, will interact with each other to control and manage our lives. Refrigerators will order food items when inventory runs low, fire detection systems will contact the fire department in case of fire, doctors will be notified when our vital signs show trouble, and much more. Almost everything will have an identity, which will change today’s definition of identity theft.

In developing a robust IAM strategy, businesses must place a few bets of their own by making predictions. Here are my top 10 predictions to assist you in developing your future IAM strategy.

Prediction No.1: Death of Password-Based Authentication Has Been Greatly Exaggerated


Security experts have been talking about the demise of password-based authentication for as long as we have been using passwords. Given the current deficiencies in password-based authentication, the security community is right to make such a pronouncement. Passwords chosen by users – whether for sensitive financial transactions or social media accounts – tend to be very weak.

There is also the prevalent issue of identity theft and the increased risk associated with password sharing. To simplify their lives in the face of having to remember hundreds of different passwords for different applications and systems, people tend to re-use passwords across a wide variety of services and accounts. With this practice, the compromise of a password credential in one service or environment compromises the security of all of them.

With these known password-based authentication issues, why are we still using passwords?

There are four significant reasons.

  • Passwords are cheap to use
  • Passwords are easy to establish
  • Passwords are the existing legacy standards on both on-prem and cloud-based applications
  • There is insufficient recognition of, or appetite for, the need for change

Passwords are cheap

Every platform you are likely to interact with has built-in password-based authentication. Writing password management logic into an application or system is straightforward. There is also no need for any specialised supporting infrastructure to use password-based authentication. With passwords, businesses do not need individual sensors such as fingerprint readers, microphones or cameras. No hardware tokens or smart cards are required either. Most significantly, no dedicated support infrastructure is needed to distribute and maintain such devices.

Easy to Establish

Passwords have been in use since people started using computers. While users have a bad habit of choosing bad passwords, and may frequently forget them, they are comfortable with the process. The impact of a weak password on most users is zero unless their accounts are compromised because of the poor choice of password. The ease of password-based authentication means users do not need to carry additional credentials or hardware with them. Security aside, from the majority of users’ perspective, passwords deliver a reasonably good user experience.

Passwords Are the Existing Legacy Standard

It is hard to overstate the advantage of being the existing legacy standard for a highly visible core service. There will be stiff resistance to change across multiple stakeholder groups. Users will resist change that degrades their user experience, technologists will not want a reduction in performance or availability either, and business leaders will not want any change that drives an increase in cost. If a business were to decide to move to a more secure authentication system, the reform would be piecemeal rather than comprehensive. Given the risk profiles of specific business services, the cost of migration will not be justifiable. So, unless these legacy systems are retired, password-based authentication will remain a vital feature of these environments for the foreseeable future.

Insufficient Recognition of The Need for Change

Many users are oblivious to the amount of risk they are exposed to by using password-based authentication. While analysts and researchers have published reports highlighting the dangers posed by password-based authentication, the level of adoption of more secure authentication systems – even in environments that offer them – has been low where passwords remain the default choice. An excellent example of this is Google’s popular Gmail service. Gmail has offered its customers the option of using 2FA (Two Factor Authentication) since the onset of 2011, yet even after high-profile incidents of theft of Gmail passwords and subsequent account hijacking, the number of customers who use Google’s 2FA is a tiny fraction of the user base.

In my opinion, passwords are simply too ubiquitous, too accepted, and too useful to be replaced by another authentication method or to die completely. That does not mean change is not coming. Change is inevitable, but it will come at a languid pace. Technologies, strategies, and approaches are being developed to address each of these significant challenges, and progress has been made. It is expected to take several years to reach a tipping point where password-based authentication is no longer the primary form of user and system authentication. It is worth noting that, while we will not have to rely exclusively upon password-based authentication methods forever, they will remain an essential component of our authentication environment for the foreseeable future.

Prediction No.2: Voice Will No Longer Be Your Password, But Your Phone Will


One of the significant drawbacks of offering enhanced authentication is the additional supporting infrastructure it often requires. While this is not true for all types of advanced authentication, moving beyond password-based authentication usually requires a business to issue a real credential to each of its users. With biometric authentication, you still need an infrastructure of readers that can take the necessary physical measurements. Admittedly, this is one of the significant cost drivers for the implementation of advanced authentication systems. Rather than issuing these expensive devices to your users, imagine if all users already owned a device that the business could use to authenticate them. It would be even better if the device contained sensors that could also be used to implement some elements of biometric authentication. Well, many, if not the majority, of your users already own this type of device in the form of a smartphone. The current generation of smartphones offers a unique platform on which to implement high-quality authentication services at a much lower cost. Smartphones can host and manage multiple authentication credentials, they have built-in sensors that can enable biometric and other kinds of authentication attributes, and they are inexpensive, at least in the sense that so many of your users already own one for other purposes.

Let’s take a sneak peek at these advantages to the business.

Secure Hosting of Credentials

Next-generation smartphone operating systems, including Google Android, Apple iOS, and BlackBerry, have all implemented features and services that provide a strongly protected security container which can be used to securely store secrets such as encryption keys, passwords, and other kinds of security tokens. These next-generation smartphone OSs offer a lower-end equivalent of the HSMs (Hardware Security Modules) used in enterprise environments to store cryptographic keys securely at scale. This gives organisations a much-needed lower-cost opportunity to store the secrets necessary for many kinds of enhanced authentication on smartphones in a reasonably secure manner. Many different credentials can also be established on the same device, removing the need for the user to carry separate security tokens for every environment to which they wish to authenticate.

The sturdiness of these containers varies with the version of the OS and the kind of phone. Older designs attempted to manage the secure storage service purely in software, which makes complete protection much harder to provide. Fast forward to today, and the most secure designs include specific hardware extensions that provide tightly controlled interfaces limiting how software on the device can interact with the secure storage area.

Sensors

Modern smartphones come with built-in sensors that can be used to enhance authentication. One of the most basic of these sensors is the microphone, and many companies now offer systems that leverage it for voice biometrics. Most smartphones also come with high-resolution cameras, which are frequently used to enable biometric authentication including palm print and facial recognition.

In addition to biometric capability, smartphones carry other sensors that can enhance authentication, such as assisted GPS services which combine a GPS receiver with information gleaned from the Wi-Fi radio. What this means for the business is that it can now make authentication decisions based upon where a person is located, opening new opportunities to enhance authentication. If part of your data security strategy is to restrict access to corporate information while abroad, then the smartphone has the location information needed to make the right decision.

Even more interesting to the business, the Bluetooth radio can also be used to offer an authentication service in the form of proximity detection. It can be used to prevent a login from succeeding unless the smartphone is in proximity to the device being used to access the desired service. More interesting still from a security and business standpoint, it can also be used to lock a device if the distance between the smartphone and the device exceeds a reasonable threshold, preventing an unattended device, or one that has been stolen while logged in, from being used by unauthorised individuals.

Low Cost

For many organisations, the marginal cost of leveraging an employee’s smartphone as a credential is exceedingly small. While offering a promising alternative authentication method, smartphones do come with security concerns and authentication issues. One primary challenge is the security of the device itself. Due to their widespread use and popularity, smartphones have become a prime target for malware developers. If a person’s smartphone has been compromised, it is highly likely that the credentials stored within it will be stolen. To mitigate this threat, newer smartphones include trusted computing components that actively resist the removal of their secrets. This problem, however, is no different from the challenge of protecting other computing devices (e.g., laptops, desktops) used to access network services.

Addressing the set of users who do not have, or do not want, a smartphone is another concern. It is an easily addressable problem though. The price tag is dropping rapidly, which means the affordability threshold is also declining, and most smartphone-based authentication techniques can be supported on older models as well as the latest production models. For users who do not want smartphones, or in emerging markets where smartphone adoption is significantly lower, alternative authentication methods, such as a fallback to username and password, can be supported.

Prediction No.3: Biometric-Based Authentication Will Remain a Niche for Primary Authentication


There is a weird, science-fiction feeling to the use of fingerprint, facial, eye (iris/retina) and voice recognition. Most of these biometric techniques are proven to work well. If they work well, then why are deployments of biometric authentication in enterprise environments so limited? It is because biometric-based authentication struggles with three serious problems: lack of infrastructure, user acceptance, and privacy.

Lack of Infrastructure

The first significant infrastructure issue is the need for some form of sensor to collect the biometric data. While there has been some promising progress utilising existing sensors such as webcams and (as I mentioned previously) smartphones, most biometric deployments rely upon the presence of sensors dedicated to authentication. This allows the sensors to be tuned for their primary application, thereby increasing accuracy and improving the ability to reject attempts to replay previously recorded biometric data (e.g., liveness checks). Further compounding this hurdle is the cost of implementation. Purchasing, deploying, and installing biometric infrastructure can be cost-prohibitive for most organisations. If major device manufacturers included biometric sensors as a standard part of their product configuration, this cost would be mitigated. Some device manufacturers are already doing just that, but the rate of uptake from end consumers and companies has not been encouraging, and their presence is conveying little market advantage.

User Acceptance

The second hurdle to the use of biometrics as an enhanced authentication method is user acceptance. To gain full acceptance, biometric systems need to be reliable and fast, at least in comparison to the authentication method they are replacing. Users will very quickly get frustrated with the system if it takes multiple attempts to get a good reading before access is granted. Next, users may worry about the potential theft of their biometric data and the risk that they can then be impersonated. If an adversary captures a high-quality recording of the features being used for authentication, it is technically possible for the adversary to produce a copy that would be accepted by the biometric authenticator. In practice, this is more difficult to execute than it would appear, but it is still a concern, and unlike with passwords, if someone’s biometric data is compromised, there is no way to reset it.

Personal Safety and Privacy

The third issue with biometric-based authentication concerns personal safety and privacy. Sadly, there have already been cases where criminals have cut off the fingers of their victims to authenticate using the victim’s fingerprints. Liveness checks that ensure the biometric is being read from a real, live person are a standard part of most biometric systems, but (a) they are not reliable and (b) criminals need to know that these liveness checks exist. A breach of the user’s privacy is another rational fear: that a user’s biometric information will be used to breach their confidentiality. Once collected, biometric data can be used to identify a person in situations where they may not wish to be identified. None of these concerns is to say that biometrics should be abandoned altogether. There is increasing use of biometrics in government for authentication, especially for applications like immigration control, where the ability to accurately identify someone, even if they are attempting to impersonate someone else, is critical. I predict that the most extensive deployments will occur if smartphone and tablet manufacturers start building biometric readers into their devices to unlock them. This application would be a substantial improvement in both the security and the convenience of accessing these devices, making it a perfect use case for biometric authentication.

Prediction No.4: Access Decision-Making Will Become Context-Aware


Traditional access decision-making is static. It happens during provisioning, when a user is first authorised to access a system, service, or function within an environment. Once users are provisioned, access is granted whenever they request it, provided they have correctly authenticated with the desired system. It does not matter when, where, or why the person is seeking the service. This is increasingly insufficient in today’s environments, as it does not allow organisations to make sound, risk-based decisions based upon the context of the request.

There are many situations where essential context can add substantial security value. For example, banks have long used the location, type, and amount of credit card purchases as strong indications of the validity and genuineness of a transaction. Context-aware authentication means that when a customer suddenly starts purchasing from a vastly different location, or on different types of merchandise beyond their typical buying patterns, the transactions may be denied until the bank can verify that the purchases are genuinely being made by the correct person. These approaches allow banks to dramatically cut fraud losses while still providing efficient service for the vast majority of customers’ transactions.

Strategically, the same types of approaches can be used in the broader context of access management. The challenge is understanding the specific risks that you as a business are trying to manage and then coming up with the right contextual data to help mitigate those risks.

Location will be one of the most widely used context attributes. There are many situations where the risk of providing a service is significantly affected by where that access is being offered. A typical example would be a company that does not want sensitive documents transferred to a laptop if that laptop is currently operating from an area known for large amounts of information theft. Alternatively, an organisation might want to disable features of a smartphone, such as the camera and microphone, when the person enters a sensitive area within a building such as a boardroom.

Notably, there are many technical and policy challenges to enabling context-based access management, but these are being solved. The technical challenges centre on the many systems that still make all their access decisions based on locally managed access policies. However, there is a strong move away from these stove-piped access management systems to externalised access decision engines that allow more complex access logic to be applied across a set of systems and services. The more difficult long-term challenges are the development and maintenance of context attribute repositories and the development of the policies that leverage these attributes to make risk-based decisions. Fortunately, many companies are already tackling these issues and are finding ways to collect vital contextual attributes and leverage them to write more flexible and powerful access policies.
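As an added example (not code from the article), here is a small externalised decision engine in Python that layers the two location policies described above (no sensitive document transfers from a high-risk region, no camera or microphone use in a sensitive area) on top of a static, provisioning-time entitlement store. The regions, areas, subjects, resources and entitlements are constructed for illustration.

```python
"""Context-aware access decisions: an added example, not from the article.

Models an externalised decision engine: each request carries context
attributes (region, building area, document sensitivity) and central
policies evaluate them on top of the static, provisioning-time entitlement.
All regions, areas, subjects, resources and entitlements are constructed.
"""
from dataclasses import dataclass, field

# Constructed context data: regions with elevated information-theft risk and
# building areas where recording features must be disabled.
HIGH_RISK_REGIONS = {"region-x"}
SENSITIVE_AREAS = {"boardroom", "secure-lab"}

# Constructed static entitlement store: what provisioning granted, with no
# notion of when, where or why the access is requested.
ENTITLEMENTS = {
    "alice": {("download", "doc:board-minutes"),
              ("use_camera", "device:phone"),
              ("use_microphone", "device:phone")},
}


@dataclass
class AccessRequest:
    subject: str
    action: str                  # "download", "use_camera", "use_microphone", ...
    resource: str                # "doc:board-minutes", "device:phone", ...
    context: dict = field(default_factory=dict)   # region, area, sensitivity, ...


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)       # why a deny happened
    obligations: list = field(default_factory=list)   # actions the enforcement point must take


def static_check(req):
    """Traditional check: does the subject hold the entitlement at all?"""
    return (req.action, req.resource) in ENTITLEMENTS.get(req.subject, set())


def policy_no_sensitive_transfer_from_high_risk_region(req):
    """Block transferring sensitive documents to a laptop operating from a high-risk region.

    Returns (deny, obligation, reason); obligation is None for a plain deny.
    """
    if (req.action == "download" and req.resource.startswith("doc:")
            and req.context.get("sensitivity") == "sensitive"
            and req.context.get("region") in HIGH_RISK_REGIONS):
        return True, None, "sensitive download from high-risk region %s" % req.context["region"]
    return False, None, None


def policy_disable_recording_in_sensitive_areas(req):
    """Deny camera/microphone use inside a sensitive area and instruct the device to disable it."""
    if req.action in ("use_camera", "use_microphone") and req.context.get("area") in SENSITIVE_AREAS:
        feature = req.action[len("use_"):]          # "camera" or "microphone"
        return True, "disable_" + feature, "%s use inside %s" % (feature, req.context["area"])
    return False, None, None


POLICIES = [policy_no_sensitive_transfer_from_high_risk_region,
            policy_disable_recording_in_sensitive_areas]


def decide(req):
    """Static entitlement first, then every context policy; any deny wins (deny-overrides).

    All policies run so that the reasons and obligations of every matching rule
    are collected, which is what an auditor or the enforcement point needs to see.
    """
    if not static_check(req):
        return Decision(False, reasons=["no entitlement for %s on %s" % (req.action, req.resource)])
    decision = Decision(True)
    for policy in POLICIES:
        deny, obligation, reason = policy(req)
        if deny:
            decision.allow = False
            decision.reasons.append(reason)
            if obligation:
                decision.obligations.append(obligation)
    return decision


if __name__ == "__main__":
    req = AccessRequest("alice", "download", "doc:board-minutes",
                        {"sensitivity": "sensitive", "region": "region-x"})
    print(decide(req))
```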

Prediction No.5: There Will Be the Emergence of an Identity Ecosystem


Identity management has largely remained stove-piped, with each service maintaining separate and distinct records of identity. This creates many important challenges. Most, if not all, of the sites an average person accesses rely upon username/password-based authentication. To maintain good security hygiene, the user should choose strong, complex passwords for every site they wish to access and should not share passwords between sites. However, it is not uncommon for users to have dozens, if not hundreds, of sites that they periodically visit. As most users can attest, the more sites they visit that require passwords, the more difficult it becomes to manage them. Maintaining distinct, high-strength passwords for each site is not reasonable. However, if a person shares passwords between sites, there is a real danger that a security breach at one site will compromise that user’s security on many sites.

It would be much better if users were able to leverage high-quality credentials for the sites they need to access. In the current stove-piped environments this would be prohibitively expensive and inconvenient. Imagine users having to carry many tokens with them to be able to access all the sites they regularly do business with. Wouldn’t it be great if users had a limited set of high-quality credentials that could be used anywhere they needed them? This is the primary argument in favour of the identity ecosystem.

The identity ecosystem proposes that a set of identity providers be established that are in a position to strongly authenticate people on behalf of organisations (referred to as relying parties) that need to grant access to their services. These identity providers would have two primary responsibilities. First, they need to make sure that the individuals they authenticate are in fact who they say they are. Second, they need to bind a high-quality credential to that user. The combination of these two functions would give the various relying parties high confidence that when a user authenticates to their systems using one of the identity providers’ credentials, they are dealing with a known and authorised user.

Admittedly, neither of these responsibilities is particularly easy, but some organisations already perform high-quality identity vetting and credentialing as part of their primary business. Banks, for example, are required to verify the identity of their customers as part of their regulatory responsibilities under Know Your Customer (KYC) rules. Cloud providers like Google now offer enhanced credentials to enable their users to log in more securely. So, these services are already being performed. The key challenge is making them available to a broader set of relying parties.

A number of crucial issues have thwarted the identity ecosystem. The initial set of technical problems has mostly been solved. More challenging are the economic and legal issues that need to be resolved. Financially, the cost of performing identity vetting and managing the credentials associated with those identities at scale is significant. Coming up with workable economic models that provide sufficient return on these investments is essential for the success of the identity ecosystem.

Another key stumbling block is the question of liability. If a fraudulent login does occur and results in an economic loss, which entity will be legally responsible? Another area of legal mire: if login fails because the identity provider’s services are temporarily down, do the relying parties have the right to sue for the loss of revenue associated with the downtime? Placing substantial legal burdens on the identity providers will create significant barriers to the emergence of the identity ecosystem.

The frank assessment is that these are sticky issues that are going to be difficult to resolve, but at the macroeconomic level there is too much at stake for us not to move in the direction of establishing identity ecosystems. Significant players in the industry need to reach a workable consensus on a framework that is win-win for all parties involved – the identity providers and the relying parties. Large-scale password breaches have become common as adversaries have pivoted to targeting password-based credential stores. For high-risk services in particular, there is a need for higher-confidence measures that users are authentic. Trying to solve this challenge individually, with every organisation duplicating investments in high-quality credentialing, is hugely inefficient.

Although the rollout of identity ecosystems has been at a snail’s pace, it is close to the tipping point where the need is clear and immediate, the solution is well articulated, and the stakeholders are emerging to participate.

Prediction No.6: Privacy Will Be Put on the Back Burner Behind Security

As a society, we expect privacy for our personal information. We want the power to limit and control the information we share, whether it is personal information to our employers, our buying habits to marketing firms, financial information to our creditors, or any information that we feel jeopardises our autonomy. Because misuse of individuals’ personal information has created privacy concerns, substantial effort has gone into creating technologies and approaches that allow people to assert partial facts about themselves while not revealing more than is needed. Using privacy-preserving techniques, a person could state a claim that he or she is over 18 years old without revealing their exact age or date of birth. Sadly, genuinely protecting the person’s right to control that information is both technically hard and at odds with the commercial interests of many of the organisations that the person does business with.

While privacy-preserving technologies are readily available and will be pushed into the marketplace, it is too easy to assemble detailed profiles of individuals by collecting and correlating small facts contained within the vast databases of personal information that exist today. These big data approaches can disambiguate partial identity data to build complete personal profiles. This is true even in situations requiring only the person’s name to be disclosed: it is easy for that one piece of information to be combined with other small pieces of data to build a complete profile of the person.

The more a business knows about its users, the more context can be created around the transactions they request from the business’s data systems. The challenge is to balance the need for this context with the collection, storage and protection of the underlying private attributes, especially where these attributes have financial value in another business context (e.g., marketing).

Even if we build systems that help users safeguard their private data, a vast amount of data is still being collected all the time. This is a policy issue, not a technical one. Businesses could spend a significant amount of effort creating technical solutions that help users control how much private data they share, which would only seem to increase the user’s privacy.

It would be foolish to ignore the availability and value of private personal data. From a business angle, if information is available that materially improves the quality of access decisions, why wouldn’t a business want to use it? That said, organisations should carefully consider what information they need, how long they need it, and what their responsibilities are in protecting it. Having a clear description of how private data enhances the person’s interactions with your organisation, and how you are protecting that information, may go a long way in protecting your organisation from claims of impropriety.

Prediction No.7: The Adoption of Federated Authentication Will Be Driven By The Increase in The Use of Cloud Services

Cloud adoption, while not happening as fast as some analysts predicted, is a significant trend in information technology that will continue to expand over time. The power and flexibility offered by on-demand computing services are compelling, but controlling access to cloud-based services remains a challenge for many organisations.

The fundamental problem is the need to make consistent authentication and access management decisions across a variety of different technical environments. This challenge is similar to the need to manage identity across the various technology stacks within an internal data centre. Since extending on-prem solutions to account for the reach of cloud environments is a long-standing challenge, significant work has already gone into solving it. Many protocols have emerged to address various aspects of this challenge (e.g., OAuth, Auth0, XACML, SAML, SCIM), but complex protocols like XACML have been slow to be adopted in cloud environments. Complexity is antithetical to the cloud environment, where most of the value comes from the commoditisation of the provided service. OAuth, however, has taken a lightweight approach that attempts to solve the most obvious and compelling federated authentication use cases. Regrettably, in many situations, this simplicity limits what can be achieved.

Eventually, the need to manage identities consistently between corporate and cloud systems will provide the impetus to solve the challenges associated with federated access management. The ensuing solutions will likely be hybrid models that make use of the best features of several combined protocols.

Prediction No.8: Entitlement Management Will Shift from Being Technology Driven to Business Driven


The management of the sets of access entitlements associated with a population of users remains a challenge, especially in environments with large numbers of users and systems. It is made more challenging by the way entitlements are typically defined. Most entitlement names are created from the developer’s perspective, not the user’s. These names often bear little relationship to the business purpose of the entitlement. To the user, they are little more than obscure labels. This makes the task of selecting which rights are necessary (or validating that the assigned set is appropriate) extremely difficult.

Even when attempts are made to document entitlements using business-language definitions, they are often still difficult to understand because they can be at too low a level to map well to the user’s understanding of the task or process they support.

To solve the entitlements issue, management needs to shift from developer-centric definitions to business-level constructs that combine entitlements into higher-level functions mapping to the business problem they solve. In short, companies need to model access to the actual business services they provide. For instance, take the need for a financial services employee to check a credit application. In the underlying systems and applications that make up this function, there may be several individual permissions that need to be assigned to the employee. However, there is no real value in exposing this to the employee or the employee’s manager. To the employee, this is one clear business function. If a manager were asked during an access review whether their employee needed to perform credit checks, the answer should be easy, based upon the work the employee is tasked to perform. However, if the raw entitlement definitions were provided instead, the task of review becomes all but impossible. This is a real problem, as the typical response to this unfathomable complexity is to rubber-stamp these reviews, which leads to excessive entitlements being retained within the environment.

There is value in migrating to business task-based entitlements, but the path forward is daunting. Moving away from system-centric definitions is made difficult by the size and complexity of existing environments. Role-based access control (RBAC) was one attempt at addressing this, but it pushed access decisions to too high a level: in the bulk of RBAC deployments it is just as hard to know whether the entitlements contained within a role are appropriate as it was to determine whether the specific entitlements assigned to a person were appropriate.
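The following is an added example, written for this edit rather than taken from the article, of what modelling access as business functions looks like in practice: a hypothetical catalogue maps each business function to the system entitlements behind it, and a routine translates a person's raw entitlements into questions a manager can actually answer, while still surfacing partially held bundles and unexplained leftovers instead of hiding them. Every system, entitlement and function name below is invented for illustration.

```python
"""Business-function view of raw entitlements for an access review.

Added example, not the article's code. The catalogue, the entitlement
names and the user's assignments are all constructed for illustration.
"""

# Hypothetical catalogue: each business function bundles the system-level
# entitlements needed to perform it (system:entitlement names are made up).
BUSINESS_FUNCTIONS = {
    "Perform credit checks": {
        "CRM:APP_CREDIT_RO",
        "BUREAU_GW:QUERY",
        "LOAN_DB:ROLE_CREDIT_VIEW",
    },
    "Approve loans under 50k": {
        "LOAN_DB:ROLE_CREDIT_VIEW",
        "LOAN_DB:ROLE_APPROVE_T1",
        "WORKFLOW:LOAN_APPROVE",
    },
    "Maintain customer records": {"CRM:CUST_RW"},
}


def explain_entitlements(assigned, catalog=BUSINESS_FUNCTIONS):
    """Translate raw entitlements into business functions.

    Returns (functions, partial, orphans):
      functions - catalogue entries the user can fully perform
      partial   - (function, missing entitlements) where only part is held
      orphans   - entitlements that no catalogue entry explains
    Partials and orphans are exactly what a business-level view would
    otherwise hide, so they are surfaced rather than dropped.
    """
    assigned = set(assigned)
    functions, partial, explained = [], [], set()
    for name, needed in catalog.items():
        held = assigned & needed
        if held == needed:
            functions.append(name)
            explained |= needed
        elif held:
            partial.append((name, needed - held))
            explained |= held
    return (sorted(functions),
            sorted(partial, key=lambda p: p[0]),
            sorted(assigned - explained))


def review_questions(assigned, catalog=BUSINESS_FUNCTIONS):
    """Render what the reviewing manager is asked, business-level first."""
    functions, partial, orphans = explain_entitlements(assigned, catalog)
    questions = [f"Does this person need to: {f}?" for f in functions]
    for name, missing in partial:
        questions.append(f"Holds part of '{name}' (missing {sorted(missing)}): intended?")
    for ent in orphans:
        questions.append(f"Unexplained entitlement {ent}: remove?")
    return questions


if __name__ == "__main__":
    # Constructed assignment: a full credit-check bundle, half of the
    # approval bundle, and one entitlement nothing in the catalogue explains.
    sample = {"CRM:APP_CREDIT_RO", "BUREAU_GW:QUERY", "LOAN_DB:ROLE_CREDIT_VIEW",
              "WORKFLOW:LOAN_APPROVE", "LEGACY:FTP_ADMIN"}
    for question in review_questions(sample):
        print(question)
```

The reason the orphans and partial bundles are listed separately is that a business-level view must not become a place for residual low-level entitlements to hide; the same routine can be run over a role's contents rather than a person's, which is the check most RBAC deployments lack.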

Prediction No.9: Access Governance Will Become Near Real-Time


The need for tighter access governance has become increasingly important. This is mainly the case in regulated environments that have specific requirements to periodically verify that an employee's access remains appropriate for their position and role within the organisation. Regrettably, the approach taken by most organisations is to perform these reviews on a fixed schedule that is not tied to any specific risk event or trigger. This approach can leave additional and potentially high-risk entitlements assigned in the environment for extended periods of time. It also wastes effort when low-risk or routine entitlements are reviewed on schedule even though nothing about the user's responsibilities or status has changed.

While this is still an emerging approach, many organisations are beginning to depart from time-based reviews and are instead moving to strategies that inspect entitlements only when specific risk-based triggers are encountered. By doing this, these organisations free up managers' time to make decisions when there are real risks to address, instead of trying to review everything, every time, on a schedule. The specific risk triggers used vary significantly by type of organisation. One very common risk-based trigger is the transfer review. When an employee is transferred to a new position within the organisation, it is likely that their responsibilities will change. It is paramount that the set of entitlements the employee needed for their old responsibilities be identified for both the manager losing the employee and the manager receiving the employee. In some business cases these entitlements may need to be retained for a transition period, but in many instances they should be removed immediately. When these reviews are not conducted, transferred employees tend to collect more and more entitlements the longer they are employed. The risk is that this missed opportunity to review entitlements often leads to combinations of entitlements that create separation-of-duties conflicts.

Further, there are other kinds of risk triggers that an organisation can define based on employee behaviour. For instance, an employee may have an entitlement that permits the transfer of files to external parties. A behavioural rule might be designed to trigger an alert if these transfers suddenly increase in size or frequency, or if they start occurring outside of the employee's regular working hours. A cautionary note here: such behaviour would not necessarily mean that the employee was conducting inappropriate activities detrimental to the organisation, but prudence dictates a prompt review of the employee's use of that entitlement.
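As an added example (written for this edit, not code from the article), the two triggers discussed above can be expressed directly: a transfer review that splits an employee's entitlements into keep, remove-or-time-box and missing sets and reports the separation-of-duties conflict that would arise if the old set were simply left in place, and a behavioural rule run over a log of outbound file transfers that raises a review on a jump in volume or frequency, or on off-hours activity. The position definitions, the toxic-combination rule, the user names and the log lines are all constructed for illustration; the thresholds are assumptions, not recommendations.

```python
"""Risk-triggered access reviews: an HR transfer event and a change in
file-transfer behaviour raise a review instead of a fixed calendar.

Added example, not the article's code. Positions, the SoD rule, the
log and the user names are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical entitlements each position needs (names are made up).
POSITION_ENTITLEMENTS = {
    "credit_analyst": {"LOAN_DB:ROLE_CREDIT_VIEW", "BUREAU_GW:QUERY"},
    "loan_officer": {"LOAN_DB:ROLE_CREDIT_VIEW", "LOAN_DB:ROLE_APPROVE_T1"},
}
# Hypothetical separation-of-duties rule: nobody should both pull
# bureau reports and approve loans.
TOXIC_COMBINATIONS = [
    ({"BUREAU_GW:QUERY", "LOAN_DB:ROLE_APPROVE_T1"}, "query bureau and approve loans"),
]


def transfer_review(current, old_position, new_position, transition_days=30):
    """Review raised when an employee moves between positions.

    Splits current entitlements into keep / remove (or retain for a bounded
    transition window) / missing, and reports any SoD conflict that exists
    if the old set is simply left in place alongside the new one.
    """
    new = POSITION_ENTITLEMENTS[new_position]
    current = set(current)
    review = {
        "from": old_position,
        "to": new_position,
        "keep": sorted(current & new),
        "remove_or_time_box": sorted(current - new),
        "missing": sorted(new - current),
        "transition_deadline_days": transition_days,
        "sod_conflicts": [],
    }
    accumulated = current | new  # what the person holds if nothing is removed
    for combo, description in TOXIC_COMBINATIONS:
        if combo <= accumulated:  # subset test
            review["sod_conflicts"].append(description)
    return review


# Constructed log of outbound file transfers: time, user, destination, bytes.
TRANSFER_LOG = """\
2024-03-04T10:12:00 alice ext-partner.example 1200000
2024-03-05T11:40:00 alice ext-partner.example 900000
2024-03-06T09:05:00 alice ext-partner.example 1500000
2024-03-07T14:30:00 alice ext-partner.example 1100000
2024-03-08T22:55:00 alice files.example.net 45000000
2024-03-08T23:10:00 alice files.example.net 48000000
2024-03-08T23:25:00 alice files.example.net 52000000
2024-03-08T23:40:00 alice files.example.net 61000000
2024-03-05T10:00:00 bob ext-partner.example 500000
2024-03-06T10:00:00 bob ext-partner.example 500000
2024-03-07T10:00:00 bob ext-partner.example 500000
2024-03-08T10:00:00 bob ext-partner.example 600000
"""


def parse_transfers(text):
    """Parse the constructed log into (timestamp, user, destination, bytes)."""
    rows = []
    for line in text.splitlines():
        ts, user, dest, size = line.split()
        rows.append((datetime.fromisoformat(ts), user, dest, int(size)))
    return rows


def behaviour_triggers(rows, window_days=1, factor=3.0, work_hours=(8, 19)):
    """Per-user review triggers for each user's most recent window.

    Flags when the latest window's volume or count exceeds `factor` times
    the per-day baseline from earlier events, or when any recent transfer
    falls outside working hours. A trigger means "review the use of this
    entitlement", not "the user is guilty".
    """
    by_user = defaultdict(list)
    for row in rows:
        by_user[row[1]].append(row)
    triggers = {}
    for user, events in by_user.items():
        events.sort()
        cutoff = events[-1][0] - timedelta(days=window_days)
        recent = [e for e in events if e[0] > cutoff]
        baseline = [e for e in events if e[0] <= cutoff]
        reasons = []
        if baseline:
            base_days = (cutoff - baseline[0][0]).days + 1
            if sum(e[3] for e in recent) > factor * sum(e[3] for e in baseline) / base_days:
                reasons.append("volume")
            if len(recent) > factor * len(baseline) / base_days:
                reasons.append("frequency")
        if any(not work_hours[0] <= e[0].hour < work_hours[1] for e in recent):
            reasons.append("off-hours")
        if reasons:
            triggers[user] = reasons
    return triggers
```

In the constructed log, alice's last night of large transfers to a new destination trips all three reasons while bob's steady daytime pattern trips none; the output is a review request for the manager, exactly the scoped decision the paragraph above argues for, rather than an automatic revocation.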

Prediction No.10: Identity Repositories Will No Longer Be in Human Resources


In most organisations, the place to look for identity data is Human Resources. Typical attributes available from HR systems include date of hire, location, job function, department, and management chain. More importantly, HR is typically among the first to know of any termination date and the reason behind it. All of these facts can be used to drive access management decisions, so using HR for this purpose makes a lot of sense.

Putting the identity data repository in the hands of HR makes sense on the surface; however, there are two significant problems with using the HR database as the primary source of identity data. The first and most obvious is that HR does not always collect data on all of the users you would like to grant access to your systems. These can include contractors, vendors, and other third parties who are essential to the operation of your organisation but do not have an employment relationship with it. Even where HR does track information for these types of individuals, the quality of the data tends to be far lower than for employees. For instance, HR would not typically know if a contractor moved to a project in a completely different department.

This relates to the second issue with HR as custodian of identity data: HR maintains its data for fundamentally different purposes than access management. This affects the content, quality, and timeliness of its records, even for employees. For instance, if a layoff is taking place, HR will know the employee's last day from a payroll perspective but may have no record of when the employee should lose access to the organisation's computer systems. HR may also rely on batch processes that guarantee the information is up to date and accurate in time for payroll, but payroll is typically a biweekly or monthly process. If the organisation has automated provisioning from an HR feed, a multi-week delay would significantly slow onboarding, especially if the onboarding processes have their own lead times. Worse still, a multi-week delay in notification of a termination could cause a severe security incident if a disgruntled employee continued to have access after their termination date.

Many organisations have put workarounds in place for these challenges, but it would be far more resilient to maintain an identity aggregation service tuned to the needs of IAM. An aggregated approach allows standard and consistent routines to be applied across the entire organisation and to all types of individuals, regardless of their relationship to the organisation. It requires that all sources of identity be mapped out and that specific steps are taken to ensure essential attributes such as employment or assignment status are as accurate and up to date as possible regardless of source. It enables all types of identity to be treated the same way, facilitating a significant reduction in the complexity of managing identities across an environment.
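The added example below (written for this edit, not code from the article) sketches the core of such an aggregation service: records from an HR feed, a vendor system and a security revocation list are merged into one record per person, descriptive attributes follow a per-population precedence policy, and the access end date deliberately does not follow precedence but is the earliest stop any source knows about. That last rule is what separates HR's "last paid day" from the day access must end, the gap the paragraphs above describe. The feeds, attribute names, precedence policy and the people in them are all constructed.

```python
"""Identity aggregation service: merge HR, vendor and security sources
into one record per person with a single access decision.

Added example, not the article's code. The feeds, attribute names,
precedence policy and the people in them are all constructed.
"""
from datetime import date

# Constructed feeds. HR sees employees through a payroll lens, the vendor
# system sees contractors, and security holds manual revocations.
HR_FEED = [
    {"id": "E100", "name": "Alice", "dept": "Lending", "status": "active", "end": None},
    {"id": "E200", "name": "Bob", "dept": "Lending", "status": "terminated", "end": "2024-03-15"},
]
VENDOR_FEED = [
    {"id": "C300", "name": "Carol", "dept": "Treasury", "status": "engaged", "end": "2024-06-30"},
]
# Security was told Bob's access must stop before his last paid day.
SECURITY_REVOCATIONS = {"E200": "2024-03-08"}

# Attribute precedence per population: a policy choice, assumed here.
PRECEDENCE = {"employee": ["hr", "security"], "contractor": ["vendor", "security"]}
STOP_STATUSES = {"terminated", "revoked", "ended"}


def aggregate(hr, vendor, revocations, today):
    """Return {id: merged record}; access_active is the only flag that
    downstream provisioning should consume."""
    identities = {}
    for rec in hr:
        identities[rec["id"]] = {"population": "employee", "sources": {"hr": rec}}
    for rec in vendor:
        entry = identities.setdefault(rec["id"], {"population": "contractor", "sources": {}})
        entry["sources"]["vendor"] = rec
    for ident, revoked_on in revocations.items():
        entry = identities.setdefault(ident, {"population": "unknown", "sources": {}})
        entry["sources"]["security"] = {"status": "revoked", "end": revoked_on}

    merged = {}
    for ident, info in identities.items():
        srcs = info["sources"]
        order = PRECEDENCE.get(info["population"], list(srcs))
        rec = {"id": ident, "population": info["population"]}
        # Descriptive attributes follow precedence: first source that has one wins.
        for attr in ("name", "dept"):
            rec[attr] = next((srcs[s][attr] for s in order if s in srcs and attr in srcs[s]), None)
        # Access end does NOT follow precedence: the earliest stop any source
        # knows about wins, and a stop status with no date means "now".
        ends = [date.fromisoformat(s["end"]) for s in srcs.values() if s.get("end")]
        if any(s.get("status") in STOP_STATUSES and not s.get("end") for s in srcs.values()):
            ends.append(today)
        rec["access_end"] = min(ends) if ends else None
        rec["access_active"] = rec["access_end"] is None or today < rec["access_end"]
        merged[ident] = rec
    return merged


if __name__ == "__main__":
    for ident, rec in aggregate(HR_FEED, VENDOR_FEED, SECURITY_REVOCATIONS, date(2024, 3, 10)).items():
        print(ident, rec["population"], rec["name"], rec["dept"], rec["access_end"], rec["access_active"])
```

Run with the security revocation in place, Bob is inactive from 8 March even though payroll carries him to the 15th; run without it, the HR date alone would have kept his access open for another week. Carol, whom HR never sees, gets the same treatment as the employees, with her department taken from the vendor system because that is the source that actually tracks her assignment.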

Conclusion

In this article, I have laid out ten predictions relating to IAM and what businesses should consider as they devise new strategies to manage business processes. While all projections are flawed, companies can look ahead to ensure they are prepared for the most likely changes and are making plans to manage them.

A well thought out and tested strategic identity and access management plan will help your organisation get the most out of today's business technology services and keep you moving in the right direction, while helping you avoid costly detours and unexpected ditches.

Do you have a view on the future of identity and access management? Please contribute to the debate by giving us your comments in the comments box below. Alternatively, if you are a business in need of strategic direction with your identity and access management, please feel free to contact the author at support@dangata.com

 

Posted by Dan K Jatau Sr. MSc, PhD, MBCS, MInstLM

Dan K Jatau is a Nottingham, UK-based information security and technology infrastructure expert and researcher who likes to write about technology subjects from both a business and a technical perspective. His current interests are business-driven security architectures, identity and access, the cloud, virtualisation security, and all aspects of security. He currently works in security program development and architecture and develops enterprise security programs for SMEs.