Sean Deuby, Principal Technologist at Semperis, details how businesses will need to prepare for the future of identity management.

Investments in security and identity protection have reached an all-time high, with the value of the global identity and access management (IAM) market expected to reach $20.75 billion in 2023. Additionally, Gartner recently estimated that approximately 75% of all security failures are attributable to poor identity, access and privilege management.

Despite increased investment in identity threat detection and response (ITDR), organizations still struggle to implement these systems because the IT departments within them are often disconnected, defeating any possibility of promoting a sustainable identity culture. According to Denis Ontiveros Merlo, vice president of enterprise platforms at bp, this disconnect is not something companies can fix internally.

“We have built an entire ecosystem that, without realizing it, has created anti-patterns that defeat the ultimate goal of making identity frictionless, safe and secure,” explains Ontiveros Merlo. “People adopt these models because they think it’s the right thing, and we end up in a vicious cycle. We need to do a lot of training to free ourselves from this situation.”

Training on the latest identity management features is the first step towards the future. But that’s not the only challenge organizations will encounter along the way.

Adopt a new perspective on identity management

The enterprise sector is still recovering from the paradigm shift that occurred during the pandemic. Now everything is digital, distributed and federated, regardless of our will. This shift presents a significant challenge for organizations accustomed to managing centralized infrastructures and teams.

“When it comes to applying a certain sense of governance, there is no longer a single interlocutor to be accountable to,” says Ontiveros Merlo. “Whereas before everything was monolithic, now we have a multitude of small components working together.” Along with digital transformation and remote working, microservices architecture is becoming the norm.

“All of these components need to authenticate and trust each other,” he continues. “Every user, machine, application, device and sensor. It’s a significant challenge, but I believe it’s also an opportunity. We see this with Entra B2B (formerly Azure), which could be considered the beginning of decentralized identity.”

Identity management cannot be the same for everyone

While we like the idea that there is a one-size-fits-all solution for ITDR, organizations have different capabilities, constraints and requirements, so technologies and strategies that work for one company may fail completely for another.

“I’ve always found it interesting that when it comes to identity challenges like privileged access, we try to build solutions and ecosystems that tend towards configuration drift,” reflects Ontiveros Merlo. “The ideal model would instead be to push the code declaratively through continuous integration/continuous delivery (CI/CD). However, before we get to this point, we need to be more aware and attentive to the biases we may have when adopting new technology and the anti-patterns we may fall into. And we also need to be more aware of how we incorporate technology into the organization.”

Identity management isn’t just a job for administrators

Identity management has traditionally been considered an administrative issue but the truth is that identity is important to many stakeholders.

“We have to ask ourselves who the customer is in this situation,” says Ontiveros Merlo. “Because identity tends to be a shared service, it is often used as a reference point for governance. But the reality is that governance and accountability are everyone’s responsibility.”

We can’t expect identity teams to address issues like privacy or segregation of duties. When we develop and implement identity management solutions, we must also consider user experience and how our processes and policies contribute to it. Security and convenience can no longer be at odds.

Go beyond role-based access control

In the long term, role-based access control (RBAC) may not be the best fit for a distributed future, a potentially disruptive change, according to Ontiveros Merlo.

RBAC was fine in older, monolithic systems where there were no major changes. However, today the business landscape and roles are very dynamic.

“When the organization changes and the roles do not change, friction is created,” explains Ontiveros Merlo. “Users end up having too much or too little access. Policy-based access is much more dynamic, which is why we have seen an evolution in authentication standards in recent years.”

While authentication has evolved, authorization seems to be lagging behind: we are only now starting to see new technologies that externalize and standardize authorization concepts. Recertification, particularly regarding contextual assets, is another major identity management challenge that the industry must overcome.
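The friction described above can be made concrete with a small added example (not from the article or from bp): a static RBAC table is compared with a policy evaluated on current user and resource attributes after a reorganisation. Users, resources, departments and the MFA flag are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    department: str
    roles: set = field(default_factory=set)

@dataclass
class Resource:
    name: str
    owner_department: str
    sensitivity: str  # "internal" or "restricted" (constructed labels)

# RBAC: a static role -> permission table. A grant survives a reorganisation
# until an administrator remembers to change the role assignment.
ROLE_PERMISSIONS = {
    "finance-analyst": {("finance-ledger", "read")},
    "hr-admin": {("hr-records", "read"), ("hr-records", "write")},
}

def rbac_allows(user, resource, action):
    return any((resource.name, action) in ROLE_PERMISSIONS.get(r, set())
               for r in user.roles)

# Policy-based: the decision is computed from the attributes as they are at
# evaluation time, so an org change is reflected on the next request.
def policy_allows(user, resource, action, mfa_verified=False):
    same_department = user.department == resource.owner_department
    if action == "read":
        return same_department
    if action == "write":
        return same_department and (resource.sensitivity != "restricted"
                                    or mfa_verified)
    return False

def reorg_example():
    """Compare both models before and after a department transfer."""
    ledger = Resource("finance-ledger", "finance", "restricted")
    alice = User("alice", "finance", {"finance-analyst"})
    bob = User("bob", "finance")  # new finance hire, no role assigned yet
    result = {"alice_before": (rbac_allows(alice, ledger, "read"),
                               policy_allows(alice, ledger, "read"))}
    alice.department = "marketing"  # transfer; nobody touched the role
    result["alice_after"] = (rbac_allows(alice, ledger, "read"),
                             policy_allows(alice, ledger, "read"))
    result["bob"] = (rbac_allows(bob, ledger, "read"),
                     policy_allows(bob, ledger, "read"))
    return result
```

In the RBAC column Alice keeps ledger access after moving to marketing (too much access) while Bob, who is in finance, has none (too little); the attribute policy gives the opposite, current-state answer for both.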

How to avoid identity management anti-patterns

Security professionals have an unfortunate tendency to become complacent when they believe they have found the “correct” way to do something, which is dangerous behavior.

“When we shut down conversations without considering exactly what they mean, we push things into a much less safe channel,” says Ontiveros Merlo. “Especially with complex systems, we tend to slip into pre-established behaviors. We all need to be a little more aware of context, our own biases, the industry in general, and what other departments can teach us about our own.”

Ontiveros Merlo recommends applying engineering and psychological practices to identity management: embracing a broad, multidisciplinary approach that focuses on problem solving through data, customer centricity and critical thinking.

“Ultimately, treat identity as a product and be curious about your customers’ perception of it,” he says. “They could be end users, application developers, or even developers who are reinventing the registration and login journey. Whoever they are, try to reduce the cognitive load on these distributed teams, so they can focus on what they do best.”

All organizations are involved in this situation

The identity space has made great strides in recent years, but the biggest challenges are yet to come. Machine identities are merging with customer and corporate identities, as more businesses and entities work together across intricate, connected supply chains. For this reason, a company will inevitably have to grant access to identities for which it is not the authoritative source.

In this scenario, collaboration is not simply a recommendation, but represents the only way forward.

“We will use the data much more for behavioral analysis and to provide context to identities,” predicts Ontiveros Merlo. “And to manage everything from recertification to transaction security. No one will be able to solve problems like this alone. In the future we will need cross pollination. We will need partnerships and collaborations between different companies and disciplines.”

