Future IAM will need to be broader, says Martin Kuppinger
Identity and access management systems need to look at all forms of identity, not just employees or users, says KuppingerCole analyst
Future identity and access management (IAM) systems will need to look at all forms of identity, not just employees or users, according to Martin Kuppinger, principal analyst at KuppingerCole.
“IAM will have to include identities not only of employees, but also business partners, customers, services, user devices and things in the internet of things (IoT),” he told the 2015 European Identity & Cloud (EIC) conference in Munich.
Kuppinger said organisations should plan for a future in which all identities are treated in the same, consistent way.
“There should not be multiple IAM systems, but a single system to provide a homogenous view of identity, which means organisations need to merge and integrate,” he said.
Currently, many organisations have different IAM systems for different groups of identity, which is “just wrong”, according to Kuppinger.
He also advises organisations to rethink all their IT silos and apply consistent identity, security and governance policies and controls across the whole organisation.
“In this way, IAM is part of identity, and security will automatically become part of a central entity,” he said.
Read more on identity and access management
- Identity and access management (IAM) is increasingly important, but it is also increasingly complex and is set to get worse.
- Identity and access management (IAM) is set to move to the fore in 2015.
- A risk-based approach is the most successful strategy for identity and access management in the modern enterprise.
This streamlined, central, non-silo approach, Kuppinger believes, is essential to enabling organisations to move from prevention and detection to better detection and timely response.
“There is a need to integrate response technologies to ensure organisations can take appropriate actions when intrusions or anomalies are detected,” he said.
For example, systems need to be able to detect and respond to changes in risk as context changes or potential anomalies in behaviour are identified by asking for additional authentication factors or by limiting access or functions based on user device and location.
“Because we want to protect information at the core, it is not only essential that all documents be encrypted on creation, but also that access controls are put around them from the start,” said Kuppinger.
This will ensure that organisations are always able to monitor who or what is accessing documents or other corporate resources and to make access control decisions based on context.
“In security, everything we do should be in context: identity, firewalls, endpoint security – all these things need to understand who the actor is and act in concert,” said Kuppinger.