Workforce hybridization and changes to the centralized nature of business operations over the last few years have sparked a digital reformation in the way IT functions around the globe deliver their services, especially cybersecurity.
Securing key assets and data in a hybrid world has highlighted many challenges for CIOs and CISOs across the board. One of the largest challenges is securing identity and access management (IAM) practices. According to IBM’s 2022 Cost of a Data Breach report, almost 20 percent of breaches in 2022 stemmed from credential misuse and resulted in a $4.35 million loss on average per breach.
This trend has resulted in many organizations beginning (or reimagining) their journey toward building a mature identity program. Leveraging identity governance (IGA), privileged access management (PAM) and access management (AM) tools are necessary steps on this journey to increasing maturity; however, companies that reach this level of maturity are pushing the bar higher to establish IAM as the foundation of security for their organization. We have observed several industry-agnostic trends in the IAM space, and this series of posts will evaluate those key trends that organizations will focus on over the next few years, covering trends such as digital authorization machine identity management (MIM) and passwordless authentication. This first post highlights the increasing need for simplified IAM engineering.
Simplified IAM engineering
An emerging trend in IAM has been the desire to reduce the engineering required to deliver and maintain IAM services. Many organizations have built custom components for their identity environments and while they may satisfy one or all their necessary use cases, these components are often difficult to maintain and come with the burden of an increased manual overhead. Because most IAM teams run lean, decreasing manual overhead is often the number one reason organizations cite to justify improving their identity environment. This trend to reduce engineering is one that technology vendors have been leaning into over the past few years as traditional, on-premise technologies give way to more modern SaaS-based solutions. The transition from highly customizable solutions residing in the data center to best-practice-based SaaS solutions has forced organizations to take a hard look at their processes and policies and challenge the status quo of their identity programs.
The IAM solution space (IGA, PAM, AM, etc.) is full of mature commercial products that execute use cases efficiently and effectively. When we say organizations do not want to “re-engineer” IAM, we mean they would like to look to these tools to manage IAM instead of relying on homegrown systems. This push, along with the ever-present need to deliver cost savings, has led many companies to look to the cloud, specifically SaaS. Many companies across multiple industries are moving away from tools that allow (and often require) more customization and options such as Microfocus, Hitachi, and other cloud-based tools such as SailPoint and Saviynt.
Customization drives a shift in thinking
The trend of IAM leaders moving away from the use of highly customized tools reflects changing attitudes among many IAM professionals. Customization was once seen as a benefit, but increasingly it is seen as a burden. While having the option to do anything may, on the surface, seem to be what every customer wants, in practice too many options can muddy the waters and produce IT environments that are overly complex. Asking business stakeholders and application owners, the question “What do you want to do?” opens a Pandora’s box where teams can talk in circles about what should be deployed without thinking about the overall ROI and potential challenges such customization would produce.
In contrast to this open-ended question, the rigidity of cloud-based IGA solutions acts as a catalyst that provides organizations the opportunity to change business processes that would otherwise remain stubbornly complex. Asking the more specific question, “Should we go with option A or option B?” forces other teams within the IT organization to prioritize what capabilities they really need. Do we really need to pull all these attributes? Is this process overly complex? What is the simplest trigger we can use to drive this provisioning process? These are all questions organizations will need to ask themselves to align business processes to these cloud-based applications.
The time has come to abandon the open-ended whiteboarding sessions of “How do you want this to work?” and yield to the “How can we evolve processes to maximize the capabilities of the tool?” discussion. The simplification of business processes in this manner will ultimately present two major benefits to organizations modernizing their IAM programs.
First, major IGA tool providers are following the business trend of migrating to the cloud. Vendors such as SailPoint and Saviynt are pushing their cloud-based products over their traditional on-prem offerings with consistent and increased investment and development with a focus on closing the gap of feature parity between the two solutions. Choosing a SaaS-based application will not only offload the day-to-day maintenance tasks to the solution provider but will also ensure the organization is not relying on a tool that will receive less development over the long run.
Second, simplification of business processes will allow IAM teams to run leaner with fewer siloes and without fear of institutional knowledge being lost. Establishing sustainable business processes with clear documentation encourages communication between different teams within the organization and will reduce bottlenecks that often slow IT development. In addition, sustainable processes will reduce overhead currently used for maintenance of over-complicated business processes which are more prone to breakage due to an increased number of points of failure.
Ultimately, moving away from highly customized IAM products towards more rigid cloud models could be an effective way to create a more simplified, and more effective, IT environment and business processes.
Stay tuned for more IAM trends. The next post in our series will be Emerging Trends in IAM Part 2: Using the Sunlit Approach to Simplify Role-Based Access Controls.
Read the results of our Global Technology Executive Survey: The Innovation vs. Technical Debt Tug-of-War.