The time to plan for the next generation of identity and access management (IAM) strategies is now.
Not surprisingly, that was one of the key themes of Gartner’s 2022 IAM Summit, held in Las Vegas. The event promised to share valuable insights on privileged access management (PAM), IAM programs and strategy, single sign-on, multi-factor authentication (MFA), passwordless methods, and more – and it delivered all that and then some.
I was lucky enough to attend the event and have the opportunity to speak with a variety of IAM leaders while there. Based on my discussions and the insights Gartner shared, here are the top IAM trends for the year ahead.
1) Revamping identity management to include machine identities
Many companies are in the process of revamping their approach to identity management, and one of the biggest changes they’re focusing on is including machine identities in their overarching IAM strategy.
This represents a big shift in how we’re thinking about machine identities, with conversations in this area moving away from technical and security-centric domains to the broader IAM context (think: provisioning, de-provisioning, moving, changing, and so on).
Overall, the inclusion of machine identities is a significant part of the “next generation IAM strategy,” and is even reflected in Gartner’s shift from the Hype Cycle for IAM to the Hype Cycle for Digital Identity.
2) Implementing identity-first security
Everyone knows identity is foundational to security, but the Gartner IAM Summit made clear that in a post-COVID world, identity has moved to the center of security infrastructure.
In fact, according to Erik Wahlstrom, Senior Director Analyst at Gartner, the next evolution in identity strategy is not just issuing identities, but protecting those identities and the infrastructure behind them against attacks.
Going forward, this means that we can expect even more of a focus on the entire identity lifecycle (including machine identities) to ensure protection at every step of the way.
3) Moving toward IAM convergence
As the IAM market changes, teams no longer have to decide between “best of breed” vs “all in one” solutions, and can instead take a “best in suite” approach. This shift is fueled by a significant convergence in the capabilities of different IAM tools and increasing overlap between IAM vendors.
That said, we still have progress to make. Many organizations have had to create homegrown tools to synchronize between various secrets managers, PAM tools, and IaaS-provided tools, which makes clear the need for more interoperability between platforms and continued convergence.
4) Supporting centralized decentralized security
Centralized decentralized security (CeDeSec) is the idea that security and IAM teams need to embrace the concept of centralized control and decentralized enforcement. When done right, this results in a Cybersecurity Mesh Architecture (CSMA).
CeDeSec stems from the fact that in a world in which IT is decentralized, teams need a way to maintain a single point of control while still allowing different teams to use the tools and workflows that best suit their needs.
Fortunately, CeDeSec is readily attainable: this approach lends itself well to PKI and machine identity management, areas where security teams are already well-versed in maintaining centralized visibility and management across a variety of different tools.
5) Thinking through Just in Time access brokering
Just in Time (JIT) access brokering is picking up steam. In this approach, enterprises still use certificates as a form of authentication for users, but every time users log in to a system they get a new certificate.
In this way, JIT access brokering significantly reduces the risk posed by compromised or stolen credentials, since those credentials are so short-lived and can typically only be used once. Of course, making JIT access brokering work – especially without causing headaches for users – requires a highly efficient and scalable approach to issuing and de-provisioning those identities.
6) Establishing a machine identity working group
Finally, many organizations are moving away from Crypto Centers of Excellence and instead establishing machine identity working groups.
Gartner points to two issues with the more traditional CCoE model: (1) Crypto has lost its significance as an IT security term since it’s now a currency and (2) the idea that one team (often security or IAM) could manage all things crypto for the entire organization is not realistic.
Instead, organizations are better served by creating a cross-functional working group with key stakeholders from IAM, Security, DevOps, Infrastructure & Operations, and Cloud teams that meets on a regular basis to establish ownership, make policy and tooling decisions, and create guidance. Bringing together this cross-functional group extends the responsibility for machine identities across more teams within the organization and ensures all of those teams’ viewpoints are represented in strategies.
Preparing for the next generation of IAM
Gartner’s 2022 IAM Summit made clear that the next generation of IAM is upon us, and the time to rethink strategies, solutions, and management is now.
Trends like including machine identities in IAM strategies, implementing identity-first security, and establishing a machine identity working group are just a few of the steps organizations can take to keep pace with the next generation and avoid falling behind.
Is your team prepared to make these changes? The time to have these discussions is now.