Since the beginning of the COVID-19 pandemic, cybercrime activity has been on a tear (e.g. +130% for ransomware) as companies had no choice but to open up their IT networks to remote workers and devices, often struggling to secure them comprehensively in time and leaving entry points for malicious attacks. Interestingly, 50% of these security failures result from inadequate management of identities, access, and privileges according to Gartner, and this figure should keep rising to 75% by 2023 as companies continue with hybrid work and as the proliferation of IoT devices multiplies entry points for attackers.
Identity and Access Management (IAM) should therefore find itself in the spotlight over the coming years. IAM, as its name suggests, covers the technologies and frameworks surrounding connections to a company's network. It ensures that network access is granted to the right people, at the right time, for the right reason, and that they can access only the files and software they require.
The first layer of IAM, authentication/identification, onboards users and verifies their identity before they access applications or the network, and then manages the identity lifecycle. The main challenge is obvious: because users prefer the convenience of a single password across multiple accounts (both personal and professional), one set of stolen credentials can have dramatic consequences and give a malicious individual the possibility of lateral movement within a network.
Multi-factor authentication (MFA) is clearly the way to address this challenge: it aims to identify a user securely by requesting two different factors. Most often, MFA relies on an SMS message sent to a phone, but it increasingly uses dedicated hardware and biometric (fingerprint, iris) solutions. Passwordless authentication methods, which rely on the same principles as digital certificates (a cryptographic key pair with a private and a public key), are also gaining steam.
Identity vendors such as Okta also offer a platform allowing remote workers to access various online services within a company (email, CRM, HR…) through single sign-on (SSO) combined with a multi-factor process. SSO can be seen as a way to combine user convenience (a single log-in process) with high security (the various passwords for the user's email, CRM… are stored by the identity vendor).
Interestingly, the consumer segment is as large as the workforce segment (both around $30-40 billion TAM), as providing shoppers with user-friendly and secure authentication experiences is a must for customer acquisition and retention online. For example, seamless connections and re-connections to a website help build customer loyalty by eliminating burdensome login and password entry.
The second layer of IAM, access management, ensures that a user is granted access to the right files and programs given their role, responsibilities, and applicable regulatory policies. Privileged access management (PAM) monitors and controls access to highly privileged accounts, system assets and applications, protecting them more strictly than regular ones.
The first mission of access management vendors (such as CyberArk) is to detect anomalies in entitlements, such as accumulation of privileges, unnecessary entitlements, or orphaned identities (accounts of employees who have left the company), using analytics and machine learning. They also offer centralized policy management, allowing administrators to set policies for password complexity and rotation frequency, and to monitor and record sessions for audit and compliance purposes.
All in all, a combination of smart password/authentication and access management systems is the best way to prevent credential theft and misuse. The fewer opportunities threat actors have to gain access to a system, the better the company's data security.
That said, IAM is not yet widespread, or is poorly managed, as illustrated by a CloudKnox report estimating that 95% of permissions are unused, leaving major security holes in IT systems. Corporate awareness is improving fast, however, with close to 70% of global business executives planning to increase spending on identity and access management over the next 12 months, according to Ping Identity.
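As an added illustration of the entitlement checks described in the access management paragraph above and of the unused-permissions figure just cited (this is example code written for this article, not any vendor's product), the script below takes a constructed HR roster, per-identity entitlements and an access log, and flags orphaned identities, entitlements never exercised in the review window, and privileges beyond a role baseline. All names, roles and permission strings are made up.

```python
from collections import defaultdict

# Constructed sample data (not from the article); in practice this would come from
# the HR system, the identity provider's entitlement export and access logs.
ACTIVE_EMPLOYEES = {"alice", "bob", "carol"}
ROLE_OF = {"alice": "sales", "bob": "sales", "carol": "hr", "dave": "sales"}
ROLE_BASELINE = {  # entitlements each role is expected to hold
    "sales": {"crm:read", "crm:write", "email:read"},
    "hr": {"hr:read", "hr:write", "email:read"},
}
ENTITLEMENTS = {  # entitlements currently granted per identity
    "alice": {"crm:read", "crm:write", "email:read", "hr:read", "prod-db:admin"},
    "bob": {"crm:read", "email:read"},
    "carol": {"hr:read", "hr:write", "email:read"},
    "dave": {"crm:read", "prod-db:admin"},  # dave has left but still holds access
}
ACCESS_LOG = [  # (identity, entitlement) pairs exercised during the review window
    ("alice", "crm:read"), ("alice", "crm:write"), ("alice", "email:read"),
    ("bob", "email:read"), ("carol", "hr:read"), ("carol", "email:read"),
]

def orphaned_identities(entitlements, active):
    """Identities that still hold entitlements but are no longer on the HR roster."""
    return sorted(set(entitlements) - set(active))

def unused_entitlements(entitlements, access_log):
    """Granted entitlements never exercised in the window, per identity."""
    used = defaultdict(set)
    for identity, perm in access_log:
        used[identity].add(perm)
    return {i: sorted(p - used[i]) for i, p in entitlements.items() if p - used[i]}

def unused_ratio(entitlements, access_log):
    """Share of all granted entitlements that went unused (the CloudKnox-style figure)."""
    granted = sum(len(p) for p in entitlements.values())
    unused = sum(len(p) for p in unused_entitlements(entitlements, access_log).values())
    return unused / granted if granted else 0.0

def excess_privileges(entitlements, role_of, role_baseline):
    """Entitlements beyond the identity's role baseline (privilege accumulation)."""
    out = {}
    for identity, perms in entitlements.items():
        extra = perms - role_baseline.get(role_of.get(identity), set())
        if extra:
            out[identity] = sorted(extra)
    return out

if __name__ == "__main__":
    print("orphaned:", orphaned_identities(ENTITLEMENTS, ACTIVE_EMPLOYEES))
    print(f"unused ratio: {unused_ratio(ENTITLEMENTS, ACCESS_LOG):.0%}")
```

On the sample data, half of the granted entitlements were never used, one orphaned account still holds a production-database admin right, and two identities hold privileges outside their role baseline; each finding is a candidate for revocation rather than an automatic action.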
Indeed, the complexity of cloud-based user entitlements is rising exponentially due to the growth in the number of human users, non-human users (IoT devices) and cloud applications. With hybrid work set to become the norm, companies will have no choice but to find a way to balance employee productivity (by giving employees access to the apps and systems needed to perform their jobs) with corporate data security.
IAM can consequently be considered the first step in building a secure IT system and should enjoy strong growth over the coming years. We would also expect some M&A at some point, as the industry is highly fragmented between identity specialists (Okta, Ping, SailPoint…) and access & privilege specialists (CyberArk…) and needs to scale, with most companies generating less than $1 billion in revenue.