Identity and access management (IAM) – the provisioning and verification of employee identities and their access rights – is once again at the center of major cybersecurity programs amid global volatility and talent shortages. But why exactly is the concept of identity back in the spotlight?
IAM transformation: What are the main drivers?
IT systems built on robust and scalable identity services allow organizations to maintain a competitive speed-to-market while keeping up with increasingly complex internal and external compliance requirements. Whether it’s a new web service available to customers, a significant expansion, or a back-office merger – the need to scale IAM services quickly and efficiently is ever-present.
At Wavestone, we regularly encounter three drivers, often in combination, which demand more from IAM:
- Cybersecurity risks
- Business change
- End-user experience
Let’s dive into each of these in more detail.
Information systems are increasingly open and fragmented, fueled by cloud adoption and distributed architectures. Security practices are adapting to match this fundamental shift, and the notion of zero trust is well established. In turn, IAM is a key enabler for zero trust.
Multiple entities require access to information systems in any given organization, including third parties, customers, and employees. Identity is central to critical data exchange and confidentiality among diverse entities. Therefore, it is necessary to have a unique identity for each entity across the entire information system.
While architectures evolve, the ultimate IAM objective does not – the right person or entity, with the appropriate level of rights, must be able to access the right resource in the right context. Crucially, this principle must be met on an ongoing basis.
Each machine and user’s unique identity is also critical for traceability. An organization should be able to identify, authenticate, and authorize any user from any other entity when accessing a resource. The ability to centrally log, audit, and monitor these events from across the information system is essential.
Businesses are experiencing core transformation, which requires more agility and shorter time-to-market. For example, several retailers are seeking new digital avenues to market due to an evolving e-commerce landscape and operational challenges brought about by the pandemic. Identity services must be able to support large business initiatives and cater for innovation at scale.
Complex business change cannot be slowed down by extended security or infrastructure delivery times. Identity must be an enabler and not synonymous with delay. Any project must be able to rely on identity services that are provided as an available commodity to the business and not newly designed and deployed for each initiative.
The provision of identity services must become embedded in the organization’s operating model and practices such as Agile, DevOps, and innovation at scale – enabling IAM to be delivered as a service to the business.
Consolidation and standardization of IAM solutions and processes are critical to implementing this model. This includes consistent and robust management and is dependent on technology-agnostic methods and protocols based on the latest, secure industry standards.
The third crucial driver of IAM transformation is user experience. The onus is on organizations to provide employees with the same quality of authentication and authorization services that external customers have often enjoyed in the past. The objective is to allow end-users to prove their identity easily and effortlessly and access required services from anywhere and any device. This forms the basis for a genuine continuous experience that supports new ways of collaborating, also accelerated by remote working.
Easy and smooth registration processes and consistent authentication across different applications should be provided to customers to simplify their experience and build brand loyalty. This same principle holds for employees and third parties.
‘Passwordless’ technologies and unique application logins are examples of solutions on the rise. Innovative risk-based and contextual approaches can streamline access, which can have a significant positive impact on user experience by reducing authentication requests.
What are the steps to IAM transformation?
Understanding your current maturity is a key step toward delivering on the above. Over years of supporting IAM initiatives with clients, we’ve built our four-step IAM maturity improvement journey.
- Fragmented: The organization lacks a consolidated approach to IAM across solutions, governance, and standards.
- Rationalized: The technology landscape supporting IAM is simplified and managed centrally to aid user experience across all applications and users. Consolidation provides satisfactory oversight capabilities.
- Extended: The organizational IAM capabilities cater to an evolving information system: any user, device, or service. Many organizations currently have elements of these capabilities but are rarely deployed globally.
- Mastered: The organization has adopted next-gen solutions, which provide substantial security benefits and a smooth user experience – all while reducing the workload on IT operations thanks to intelligent automation. These are adopted on a case-by-case basis or serve as an aspirational step on IAM roadmaps.
Each of the above steps requires a profound transformation of the environment: change of governance, change of processes, and deployment or migration of supporting technologies. We believe it needs to be addressed as a dedicated IAM transformation program to be a success.
Ready to step up to the next level of IAM maturity?SCHEDULE A CONVERSATION
Florian Pouchet is Senior Manager at Wavestone with over 15 years’ experience in cybersecurity. He leads the Cybersecurity and Operational Resilience Practice for Wavestone UK, providing oversight across cybersecurity strategies, remediation programs, crisis management exercises, and recovery planning
Based in London, Toby Felton is part of Wavestone UK’s Cybersecurity and Operational Resilience team. He holds a First Class BSc in Mathematics from the University of Exeter.
Have a Question? Just Ask
Whether you're looking for practical advice or just plain curious, our experienced principals are here to help. Check back weekly as we publish the most interesting questions and answers right here.