The rise of identity-based attacks is fuelling investments in identity and access management (IAM) tools. We examine the key capabilities of IAM, discuss implementation best practices, and explore the future of this technology
The growing number of stolen credentials being used by cyber attackers to compromise IT systems and exfiltrate data is shining the spotlight on the importance of identity and access management (IAM) in Asia-Pacific (APAC).
According to Mandana Javaheri, general manager of Microsoft’s security business in Asia, identity-based attacks are one of the most common types of cyber security attacks targeting organisations and individuals.
“With over 40,000 permissions that can be granted to identities, of which over 50% are high risk, it is becoming increasingly difficult for organisations to know who has access to what data and across which cloud platforms,” she says.
Coupled with the roll-out of national digital identity systems across the region, and a consumer base that has become more aware of data breaches and privacy risks, organisations can no longer afford to leave anything to chance when securing access to critical systems.
“In the APAC region, the privacy-personalisation paradox is particularly relevant due to its diverse cultural, legal and regulatory landscape,” says Ben Goodman, senior vice-president and general manager for Asia-Pacific and Japan at Okta. “Organisations recognise the importance of securing their digital assets and sensitive data as well, and IAM solutions offer a way to implement robust security measures to protect against unauthorised access.”
Christopher Hockings, chief technology officer for Asia-Pacific at IBM Security, notes that in some countries, the adoption of strong standards-based authentication could reduce the risk of 40% of data breaches, adding that maturing regulatory standards will continue to put identity governance and privileged access management (PAM) at the centre of controls to help organisations protect themselves.
Broadly, IAM refers to processes, policies and technologies that facilitate the management of digital identities, including the identities of an organisation’s employees, customers, partners and suppliers. IAM systems typically deliver capabilities such as single sign-on, enabling users to log on to multiple systems using one set of credentials; two-factor or multifactor authentication (MFA); and PAM which focuses on securing the digital identities of privileged users like IT administrators to manage insider threats.
Goodman advises organisations to consider an IAM solution that supports various MFA methods including biometric authentication, as this will enhance security by requiring multiple forms of verification. Another aspect to consider is adaptive authentication, which dynamically adjusts authentication requirements based on risk factors like user behaviour, location and device, providing higher security for risky scenarios.
From a privacy perspective, stronger regulatory expectations will usher in a new wave of integration between IAM and data security programmes. Connecting users with their data and demonstrating trusted management and use of that data will become mainstream
Christopher Hockings, IBM Security
IAM systems also include capabilities to manage user identities during their lifecycle through policies and access certificates. Goodman says an effective IAM solution should automate the provisioning (granting access) and deprovisioning (revoking access) of users as they join, move within, or leave the organisation. Additionally, for sensitive access requests, an IAM solution should support customisable approval workflows to ensure proper authorisation.
For policy and governance, Goodman suggests IAM solutions that offer role-based access control, fine-grained access control, as well as comprehensive logging, auditing, and reporting capabilities in order to help track and analyse user access and activity, aiding in compliance and security assessments.
IAM systems can be deployed on-premise, consumed through the cloud, or deployed in a hybrid cloud environment. Although cloud IAM offerings are gaining traction due to their scalability, ease of management and accessibility, some organisations in regulated industries like financial services and healthcare may prefer to run IAM systems on-premise.
Goodman also points out the importance of having a versatile IAM solution that can handle both business-to-business (B2B) and business-to-consumer (B2C) use cases as organisations might need to manage not only employee identities, but also customer and partner identities.
However, these need not always come from a single supplier. IBM’s Hockings notes that IAM capabilities, including automated onboarding, passwordless access with multi-factor authentication and secrets management, may be blended together from multiple suppliers, supported by open standards and interoperability.
The Fido Alliance, for example, has been driving industry standards around passkeys, a replacement for passwords that provides faster, easier and more secure sign-ins to websites and apps across a user’s devices.
Microsoft already employs a passwordless authentication method which removes the need for a password and replaces it with something the user has or something that only they know, says Javaheri.
“Our Microsoft Authenticator application turns any iOS or Android phone into a strong, passwordless credential where users can sign into any platform by getting a notification on their phone, matching a number displayed on the screen to the one on their phone, and then using their biometrics or PIN to confirm.”
IAM best practices
Implementing IAM initiatives starts with defining your organisation’s IAM goals, taking into account your organisation's security needs, compliance requirements, and user experience expectations, Goodman says.
At the same time, involve and engage with stakeholders from various departments, including IT, security, compliance and business units to ensure that the IAM implementation aligns with the organisation's overall objectives.
“In addition, evaluate your organisation’s current IAM processes, technologies, and challenges to identify the key areas of improvement and to understand the scope of the IAM implementation,” Goodman adds.
IBM’s Hockings stresses the importance of treating IAM as a strategic programme, rather than a singular project, to secure executive sponsorship. He notes that the most prevalent issue with IAM projects is the lack of executive buy-in, which results in deploying too many tools within an organisation to address the same set of challenges, creating security blind spots.
Hockings advises organisations to identify areas where they can achieve the highest impact with the least effort to drive short-term wins and gain sponsorship for further investment. “There will be a blend of innovation advances (such as passwordless authentication and digital wallet adoption) that result in better security and higher customer adoption and satisfaction,” he says.
As with any technology implementation that involves multiple stakeholders, change management can be costly and complex. Microsoft’s Javaheri says both technical and business leaders need to be onboard and supportive of the IAM initiative.
“For successful system integration, it’s important that stakeholders reassess the strategy and plan after each phase given that risks could change over time and unexpected challenges may arise. Organisations also need to provide proper end-user guidance. By educating their employees about the benefits of IAM and how to adopt it, organisations can improve user acceptance for a smoother transition.”
The future of IAM
IAM’s primary function is to enhance security, and this focus is likely to persist, Goodman says. And as cyber threats evolve, it will likely incorporate advanced security measures, adaptive authentication, and risk-based access controls to better protect against unauthorised access and data breaches.
“The zero-trust model, which treats all users and devices as potentially untrusted until proven otherwise, is likely to shape the future of IAM. Organisations will implement access controls based on real-time user context and continuous monitoring, minimising the attack surface.”
With AI already aiding with threat detection and incident response, IAM solutions, too, will increasingly leverage AI and machine learning to detect anomalies in user behaviour and predict potential security threats. “These technologies can also assist in adaptive authentication, identifying high-risk scenarios and adapting authentication methods accordingly,” Goodman says.
IBM’s Hockings notes that developments in open standards that deliver vendor-agnostic interoperability will lead to the introduction of the identity fabric or mesh architectures, and the adoption of user-centric verifiable credentials, or digital wallets.
“From a privacy perspective, stronger regulatory expectations will usher in a new wave of integration between IAM and data security programmes. Connecting users with their data and demonstrating trusted management and use of that data will become mainstream,” he adds.
Read more about identity and access management in APAC
ForgeRock CEO Fran Rosch has set the IAM software supplier on a path to deliver a frictionless identity experience without compromising security or privacy.
Organisations should find a way to gain full visibility into their digital identities and leverage automation to tame the identify sprawl, says SailPoint’s senior vice-president for Asia-Pacific.
Read more on Identity and access management products
