What Has Happened to Identity and Access Management?


Those who have been in IT security for as long as I have may recall that identity and access management (IAM) was really the origin of IT security. Considering that IAM is such a historic component of a much larger security landscape, it is interesting that many of the organizations I work with are reconsidering their IAM strategy.

So, what’s happened to Identity and Access Management?

In a word: EVERYTHING…

IAM_IT_SecurityKey control?

Let’s start with a basic fact: Authentication is a key control amongst key controls. Some people may debate this idea. But, if you think about it, successful authentication unlocks preventative controls and creates a convincing audit trail for detective controls, including security event correlation and security monitoring. If you can undermine authentication, you can beat out encryption and take advantage of access. Even analytics may have a challenge depending on the behavior of someone with stolen credentials. We have to be masters of identification and authentication to protect the investments at other layers. Access Management, part of the IAM umbrella, bears large expense and also depends on the strength of Identity and Authentication. This blog will focus on identifying and describing the new challenges that Access Management must now address. Stay tuned for my next blog, which will focus on how we can change our approach to Access Management in order to address these new challenges.


I’m not going to regurgitate the news nor speculate on anything that’s happened in the past two years. Based on your experience and understanding of the trends, would you agree that there is a systemic issue in which malicious remote attackers spoof identity and then steal, or leverage, hijacked credentials?

While better threat monitoring is an important part of your security roadmap, you still have to question why these tactics are so successful. I predict we’ll spend a ton of money on analytics and catch more threats proactively, but the trends and lessons learned will still point back to, you got it, better IAM.

Regulations and Guidance

PCI and FFIEC press the topic of stronger authentication. CMS guidance from years back advised HIPAA-covered entities to implement remote two factor authentication. NIST wrote an entire framework on just electronic authentication, NIST 800-63, and it’s gone through several revisions. I met with the authors a few years back and they shared that many organizations were highly interested in this publication.

As an industry we can’t wait for regulations – they take too long and reinforce “doing the right thing” amidst changing technology and threats. I highly recommend familiarizing yourself with the NIST 800-63 document scope and appendixes, especially if you’ve had business executives ask “why can’t Facebook be a source of authentication?”

“SMAC” my head

The combination of Social, Mobile, Analytics, and Cloud computing create new exciting solutions and new areas of expansion for IAM. It shouldn’t be any surprise that a key control of key controls still matters, decades later. Social networking and social sharing create new places to authenticate and new places to be authenticated from. Have you figured out what to do with social use patterns inside, outside, and in between (prosumerism)?

Mobile is another interesting area for identification and authentication. Mobile computing is a new area of inherent risk requiring new types of controls and protocols, including authentication (consider OAUTH). Mobile is also a new opportunity to validate identity using an in-hand token. For years in IAM circles we dreamt of a day where the average person wouldn’t mind being bothered with a token they’d carry with them all the time. The first time I saw a smart phone, I stood up and said – this is a personal token! Not everyone got it. Analytics’ very nature makes “minimum necessary” a challenge. I predict Analytics will drive the principle of tokenization of identity in a big way as well.

How you tokenize identity and manage its traceability needs to be a factor in your overall IAM strategy. It’s a bit tangential to the historic scope of IAM but, like I said, this isn’t your fathers IAM anymore. The topics of determining identity and then protecting that identity are related and need to be strategized as such.

Cloud?– Talk about a game changer; if your employees and other users leverage cloud services along with other internal services (they do, check it), and leverage mobile apps to access those services directly (they do, ask them), then they are probably establishing other forms of identity and using them for business purposes. On top of that, cloud and social together drive peer to peer collaboration – have you factored that into your strategy? What assurance do those identities yield?

Access Management remains a critical control. Breaches continue to occur and highlight the need for a new approach to Access Management. Conforming to regulations does not ensure adequate protection. In addition, SMAC technologies create new areas that need new controls and offer new ways to achieve an effective Access Management program.

Next up, I will discuss old Access Management methods that are no longer working and how we can leverage ideas from National Strategy for Trusted Identities in Cyberspace (NSTIC) and Fast Identity Online (FIDO).


If you would like to talk with OpenSky about your security strategy, including your IAM program,
please contact us here.


Read more by Mark:
How’s Your GRC?
Healthcare Cybersecurity Trends and What to Do About Them