Time to embrace a new level of IAM, says Martin Kuppinger

A new level of identity and access management is at hand, yet many businesses still rely on usernames and passwords

A new level of identity and access management (IAM) is at hand, yet many businesses still rely on usernames and passwords, according to Martin Kuppinger, principal analyst at KuppingerCole.

The new level of IAM that could enable stronger authentication is being ushered in through a combination of anomaly detection, user activity monitoring, user behavioural analytics and risk-based access.

“However, we all know from our daily life that usernames and passwords are still widely used and relied on,” said Kuppinger. “The approach has been declared dead and we need to move forward on strong authentication and risk-based access.” 

But, he said, stronger authentication methods need to be simple and intuitive for users and must not require specific kinds of hardware that could cause interoperability problems.

Risk-based access is becoming increasingly important, he said, as people access corporate IT systems from different places around the world using a growing number of different devices.

“All of these have different risks associated with them, ranging from the relatively secure corporate local area network using a desktop PC, to a mobile device over unencrypted public Wi-Fi,” said Kuppinger.

He believes it is important organisations not only understand that risk, but have the technologies in place to enable or deny access based on a corporate risk model.

“Organisations need the ability to combine as much information as possible to ensure that the person trying to access systems really is who they claim to be,” he said.

Read more about behavioural analytics

A key component of this could be behavioural analytics, such as keystroke analytics that could help confirm the identity of a user as part of a stronger authentication process.

“The bigger story behind this is that we need to move from an approach that is focused on protecting to an approach that is focused on identifying what is going on and responding appropriately,” said Kuppinger.

Detecting unusual user behaviour

Traditional IAM was based on defined access controls, he said, but it soon became clear that many users typically had more access than they really needed.

“This resulted in legislation like Sarbanes-Oxley requiring organisations to re-certify access controls on a regular basis,” said Kuppinger.

But even assuming a good entitlement process and a working re-certification process, users could potentially have inappropriate entitlements for extended periods of time between reviews.

Kuppinger also said the re-certification process does not provide any protection against entitlements being used in an inappropriate or different way.

“A user may have the right to access customer records, but could abuse that right, and therefore organisations need to be able to detect and respond to anomalous behaviour,” he said.

For example, Kuppinger said it would be useful for organisations to know if an authorised user suddenly starts accessing a large number of accounts over a short period of time.

Similarly, it would be useful for organisations such as banks to be able to detect unusual customer behaviour as this could be an indicator that the accounts have been hijacked by cyber criminals.

“If an organisation has some behavioural intelligence and knows what normal behaviour looks like, then it can more easily identify any anomalous activity,” said Kuppinger.

We need to move from an approach that is focused on protecting to an approach that is focused on identifying what is going on and responding appropriately

Martin Kuppinger, KuppingerCole

In turn this will enable organisations to take action far sooner than they have ever been able to before to block malicious activity.

While this approach of using behavioural analytics and risk-based decision-making for stronger authentication is not yet widely deployed, Kuppinger said the enabling technologies have been available for some time and are reasonably mature.

“Most of the use cases for these technologies still tend to be highly specific rather than a broad range of use cases, which means companies could do more than they are with the technologies that are available,” he said.

Kuppinger believes there a several reasons for this. First, there are challenges around integrating risk-based and behavioural analytics into existing authentication processes.

“Attempting to integrate these technologies also tends to raise other issues and questions about existing and future approaches to authentication and it can easily end up being a much bigger project or challenge than expected,” he said.

Second, suppliers of risk-based authentication back-end systems for supporting different types of authentication mechanisms to make risk-based decisions have focused almost exclusively on the banking industry.

“This means technologies are relatively unknown outside the banking industry and suppliers have not made it easy for other industries to understand the benefits or how to integrate them into non-banking industry processes and systems.

“Also, while it is relatively simple to do risk-based authentication by adding one or more factors, authorisation in applications requires applications that can consume that information, which is a challenge for many organisations because it often requires a change to the security architecture of the applications,” he said.

Time to rethink user authentication processes

Kuppinger believes the next best step is for organisations to rethink the way they authenticate and authorise users for all of their identities.

“For most organisations it is no longer just about employees, but also business partners, consumers and suppliers. We need to handle this in a more consistent, flexible and versatile way to support different types of authentication, understand the risks and make the right access decisions,” he said.

Kuppinger recommends starting with a focus pre-study to outline the bigger picture. “This will help identify where to start with specific projects and ensure organisations do not implement point solutions that will work well as part of the whole,” he said.

Organisations that fail to plan properly are likely to end up with a mix of technologies that do not work well together, resulting in a lot of wasted investment.

“It is important to formulate an approach that will satisfy all potential use cases, bring all the relevant trust elements together and optimise the technologies you have in place,” he said.


Kuppinger is to lead a panel discussion on the topic of risk-based real-time security intelligence: prime time for the next generation of IAM solutions at the European Identity & Cloud Conference in Munich from 5–8 May 2015.

Read more on Identity and access management products