The content of this article is taken from an interview conducted by Marc JACOB for Global Security Mag in March 2022, available here.
The obviousness of IAM, and the difficulty of the transformations it implies
Faced with growing threats and evolving use cases (mobility, teleworking, cloud computing, etc.), IAM is no longer just an option. It is now a given that an efficient and agile identity and access management capability is a major differentiator for organisations.
In essence, IAM is at the crossroads of all structuring transformations. Firstly, it is a major pillar of any move towards a zero-trust approach. Secondly, it is a “basic” that is essential for serving users effectively and giving them a consistently smooth experience during every phase of transformation. Finally, it is obviously a differentiator in building the relationship with customers.
IAM can no longer allow itself to “follow at a distance” amidst the transformations of the enterprise, i.e. by offering a minimal level of service that is often difficult to evolve. Instead, it must be efficient, agile, and able to anticipate complex situations such as M&As, the multiplication of APIs, or the shift to a “platform” economic model. These situations imply an in-depth rethink of the IAM service: its scope and ambition, policy and governance, delivery mode (on-premise vs. SaaS), service offering, economic model, etc.
Deployment of IAM services in major accounts
Market maturity: know how to evaluate your maturity in relation to the market in order to launch your transformation programme on a solid and objective basis
The vast majority of large accounts have already carried out one or more projects that led to the deployment of IAM services. However, these deployments are often partial, and their maturity can vary greatly from one entity to another. Historically, these projects have had to contend with a strongly heterogeneous existing landscape (organisations, processes, and information systems) and have lacked the legitimacy needed to make practices converge. Furthermore, IAM was often treated as a “one-shot” project, with resources that were rarely sufficient to follow and adapt to changes in the company (reorganisations, M&A, application changes, etc.). These factors could lead to a “disconnect” between an IAM that is too static and real needs that are constantly evolving.
Deploying an IAM service is not simply a matter of putting a “box” into production. To gain the most benefit, the organisation must rethink and simplify its own organisation and processes. It is therefore imperative to ask the following questions:
- How do you manage the arrival of a new employee?
- How do you manage the internalisation of a service provider?
- How do you model your business profiles, and how do you make them evolve over time?
- How do you involve managers and data owners in the IAM process?
- How do you deal with the loss of a strong authentication means?
- What standards should be imposed to simplify connecting applications to the IAM?
- How do you ensure compliance with internal rules and with regulations?
For a few years now, we have seen real awareness and a desire on the part of our clients to take hold of IAM in order to make it more efficient, streamlined, and agile. This implies being able to arbitrate and carry out an in-depth transformation. In concrete terms, over the last 3 years, two-thirds of our clients have launched such IAM transformation programmes. These multi-year initiatives have gained in ambition, structure, investment, and visibility, and now rank high in the “Top 5” of major IT transformation projects.
To launch such a programme, the first step is to assess the organisation’s real maturity, entity by entity, before defining a realistic transformation trajectory that unites the stakeholders. In a very simplified way, we can distinguish 4 levels of maturity:
- Fragmented: the organisation does not have a consolidated approach
- Rationalised: the organisation’s IAM is simplified and centrally managed on core services
- Extended: the organisation’s IAM capabilities are adapted to an evolving I.S.
- Controlled: the organisation’s IAM is efficient, agile, and reduces workload through automation
As a trend, we consider that most large companies sit at the intermediate levels of “Rationalised” and “Extended” and aim for a “Controlled” target that is based on:
- A central, unique, and optimised IAM infrastructure
- Delegated day-to-day management within each entity
5 keys to successfully operationalise your IAM strategy
IAM is a vast subject in which it is easy to get lost. Moreover, the operational reality of IAM is often poorly understood, and the complexity of the transformation is underestimated.
To mitigate these risks, we propose 5 major keys:
- Define your IAM ambition and ensure that it is consistent with the resources allocated (sponsor, ability to move the lines, human and financial resources, etc.)
- Take the time to understand the operational reality of IAM
- Organise yourself as a transformation programme capable of addressing all facets
- Prepare for an in-depth transformation by accepting to move forward in stages, with the compromises, and therefore the renunciations, needed to deal with the sum of the constraints
- Rely on real data to explain your trade-offs and to anticipate possible quality shortfalls
Relying on IAM providers: trends and risks
The IAM vendor market is becoming more structured and is moving to the Cloud
The IAM provider market, like other specialised markets, is evolving as a result of changes in information systems: the move to the Cloud, the offer of more APIs, the integration of data analysis and AI functionalities to simplify and automate decision making, etc.
In addition to these considerations, two trends specific to the IAM vendor market are emerging:
- Firstly, the leading Access Management players are looking to progressively extend their functional coverage towards Identity Management or PAM functionalities
- Secondly, more and more players cover specific functional needs, such as IAI (Identity Analytics & Intelligence), CIAM, or the desire to have a platform developed directly on ServiceNow
The move to the cloud indicates changes in the architecture of IAM solutions
A growing number of vendors are offering IAM solutions in the cloud. This movement aims to offer, in SaaS mode, the same functional coverage as on-premise applications. Depending on the services offered, these solutions are structured around two components:
- A “Cloud” part that carries all the functionalities and stores the customers’ data
- An onsite “gateway” that links to the historical system in place (for provisioning, for example). This allows better control of data exchanges and therefore contributes to securing the architecture
This two-component architecture nevertheless presents the same risks as any other Cloud service, and they must be addressed in the same way: What service levels are guaranteed? Where is my data stored? How is my data protected, and how is compliance with standards (GDPR in particular) ensured? Under what conditions can I change supplier?
The geopolitical context increases these risks and adds the possibility of a service interruption should international sanctions be applied.
And the IAM of the future: what developments?
Tomorrow, IAM will continue its transformation towards greater agility, Cloud, standards and integration, decision support, and automation, thanks to enhanced AI capabilities. As far as the authentication system is concerned, strong authentication is now a “basic”, and we expect two major developments:
- A rather technical evolution with “passwordless”, which aims to make passwords disappear. On the technical front, this extends to a passwordless world in application databases and in inter-application flows.
- An evolution in the means of authentication given to users. Smartphones have become an established authentication factor. However, not all enterprise populations are well equipped. While the “smart card” medium is losing ground, secure dongles (a hardware component that plugs into computers or televisions, generally on an input/output port) seem to be gaining traction for those populations without smartphones.
Finally, in the longer term, IAM will certainly evolve under the impetus of the “privacy-by-design” approach, which is becoming increasingly relevant and widespread. This is with good reason, especially given the growing generalisation of citizen identity (with an ad hoc level of enrolment) for commercial uses.