Your Go-To Guide To Identity And Access Management
Posted March 20, 2025 by Sayers

A resilient identity and access management (IAM) program ensures authenticated users and groups can access the organizational resources they need, while safeguarding credentials from those who shouldn’t have them.
However, nearly 2,000 IAM leaders attending the recent Gartner IAM Summit heard a wake-up call:
Two-thirds (66%) of organizations are not investing enough in IAM, and nearly half (47%) are understaffed in IAM.
Those stats place many companies at greater risk of data breaches from compromised credentials. According to the Verizon 2024 Data Breach Investigations Report, stolen credentials remain the number one data breach entry point and appeared in almost one-third (31%) of breaches over the past 10 years.
IBM’s Cost of a Data Breach Report 2024 expands on the identity risks:
“Breaches involving stolen or compromised credentials took the longest to identify and contain (292 days) of any attack vector. …Compromised credential attacks can also be costly for organizations, accounting for an average USD 4.81 million per breach.”
Sayers attended the recent Gartner IAM Summit and offers the following foundational identity concepts explored at the conference. Use this reference guide as part of building a resilient program to prevent identity incidents that could damage your business.
The Foundational Pillars Of Identity Security And Management
Even in the era of Zero Trust, your organization operates by ultimately extending trust to the right people and things. Knowing who they are, managing their access, and keeping out unauthorized users comes down to the following:
- Identity and access management (IAM)
- Privileged access management (PAM)
- Identity governance and administration (IGA)
- Identity threat detection and response (ITDR)
Here’s what to know about each of those pillars and related identity terms.
1. Identity And Access Management: How You Grant Access
The Gartner IAM Summit emphasized a key theme in access management:
User authentication should be easy for genuine users but difficult for attackers.
Many organizations place their IAM program under IT or with groups dedicated to providing access. Justified or not, a common concern about involving security teams is they will want to put access controls in place that can cause user friction.
Joe Schnell, Senior Cybersecurity Architect at Sayers, says:
“Part of moving your identity program forward is to consider the human side of things – people being able to do what they need to do, accessing the resources they need to do their work.”
IAM terms to know:
Customer identity and access management (CIAM). CIAM manages identity, authentication, and authorization for customers to access your online business applications and services, including self-service capabilities. CIAM identity verification becomes more important in those online relationships, especially for customer account recovery and onboarding.
Decentralized identity (DCI). With DCI, users create and control their own identity, holding verifiable credentials in a digital wallet. Using your decentralized identity, you can prove who you are to governments, public systems, and other organizations. DCI grants access to those resources without the user having to onboard and create yet another identity in systems whose data could be leaked.
Gartner predicts:
The market for decentralized identity will grow to $3.3 billion by 2031, and at least half a billion people will use verifiable credentials containing identity data by 2026.
Machine identity and access management. Increasingly, machines such as bots, servers, and applications are talking to other machines through API services. Machine IAM focuses on ensuring only authorized machines can access specific resources, in many cases using certificates for authentication.
As machine identities outnumber human identities in organizations, certificate lifecycle management becomes more important. Through automation you can rotate and renew those certificates, avoiding interruptions in functions that require machine-to-machine interactions.
Multi-factor authentication (MFA). This authentication method requires at least two separate steps to verify the user’s identity, such as a Time-based One-time Password (TOTP): a rolling six-digit code the user must type in manually.
Cybercriminals attempt to bypass MFA protection with techniques ranging from phishing and MFA fatigue attacks to malware and social engineering. Organizations are turning to phishing-resistant MFA methods supported by Fast IDentity Online (FIDO) open protocols. The Cybersecurity and Infrastructure Security Agency urges organizations to implement phishing-resistant MFA as part of applying Zero Trust principles.
Gartner predicts:
By 2027, more than 90% of MFA transactions using a token will be based on FIDO authentication.
User authentication. Organizations have long incorporated a system of passwords to authenticate users. Those same users admit to non-secure password practices for the sake of convenience, to meet a business need, or to speed things up. Meanwhile, IT service desks deal with password resets for at least 30% of the calls they receive from users.
Passwordless authentication. A range of identity solutions offer authentication methods without passwords. FIDO2 standards support passwordless with authenticators embedded into mobile devices, physical tokens such as smart cards or USB security keys, or alternatives such as PIN codes or biometric credentials (fingerprints, facial recognition). Schnell says:
“Passwordless authentication offers a good user experience for your workforce because they can get to the resources they need without having to remember and rotate passwords on a regular basis. This makes it easier after vacation absences or if they haven’t gone into a system for a while.”
2. Privileged Access Management: How You Grant Elevated Access
Organizations use privileged access management (PAM) to grant elevated access to resources of higher importance or risk. With PAM, you can reduce the risk of stolen administrator credentials, ensure all admin credentials are unique, and reduce dwell time if those credentials are stolen.
Schnell says:
“PAM is a critical security initiative to ensure privileged access is only for the people and machines that need it, when they need it. Organizations must be careful to choose the right PAM tools for the required functionalities in their environment.”
PAM terms to know:
Cloud infrastructure entitlement management (CIEM). Managing cloud permissions has become more challenging with the use of multiple clouds, each with an increasing number of cloud service offerings. Traditional PAM solutions perform well on-premises or in a single cloud. However, discovering and securing access for all identities using core PAM in a multicloud environment tends to result in blind spots.
CIEM refers to identity-centric SaaS solutions that manage identity access entitlements in those increasingly larger and more complex cloud environments. In addition to supporting and complementing PAM, CIEM can be integrated within other solutions such as Cloud Native Application Protection Platform and IGA tools.
Remote privileged access management (RPAM). Third-party breaches are up, rising 49% year-on-year over the past three years. Organizations can significantly reduce their risk exposure by implementing an RPAM solution. RPAM controls remote access to sensitive resources by privileged users including third-party vendors.
Note: Bad RPAM practices expose otherwise heavily guarded organizations. Secure Access Service Edge and Virtual Desktop Infrastructure are not replacements for RPAM.
3. Identity Governance And Administration: How You Provision And Audit Access
By provisioning and continuously auditing identity-based access throughout the organization, IGA tools ensure people have access only to what they need in their current roles. IGA limits the risk of data breaches and enables organizations to meet the increasing demand for regulatory compliance against such breaches.
Rather than an IGA Magic Quadrant, Gartner offers a Market Guide for IGA solutions. Many smaller players are challenging the entrenched traditional solutions, giving organizations a choice of:
- Full IGA with capabilities including automation of joiners/movers/leavers, separation-of-duty checks, workflows for ad hoc access, and certification campaigns. Vendors such as SailPoint, Saviynt, Zilla Security, and One Identity fall into this category.
- Light IGA with fewer capabilities, which can be enough for some customers. Solutions include those by CyberArk, Microsoft, and Okta.
- Specialized or augmentation IGA offerings that provide added resiliency and the ability to map identities across multiple directories. Among these solution vendors are Semperis and Strata Identity.
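To make the "full IGA" capabilities listed above concrete, here is an added example (not code from any of the vendors named) that models joiner/mover/leaver automation, a separation-of-duty check applied inside an ad hoc access workflow, and the items a certification campaign would surface. The role model, entitlement names and SoD rule are constructed for the example.

```python
# Constructed role model: birthright entitlements granted by each job (assumed, not a real product's model)
ROLE_MODEL = {
    "ap-clerk":   {"erp.invoice.create", "erp.vendor.read"},
    "ap-manager": {"erp.invoice.approve", "erp.payment.release", "erp.vendor.read"},
    "hr-analyst": {"hris.read"},
}
# Toxic combinations: one person holding both could create and approve their own invoices
SOD_RULES = [("erp.invoice.create", "erp.invoice.approve")]


def sod_conflicts(entitlements):
    return [(a, b) for a, b in SOD_RULES if a in entitlements and b in entitlements]


class Directory:
    def __init__(self):
        self.users = {}   # user -> {"job": str | None, "ents": set of entitlements}

    def joiner(self, user, job):
        self.users[user] = {"job": job, "ents": set(ROLE_MODEL[job])}

    def mover(self, user, new_job):
        rec = self.users[user]
        rec["ents"] -= ROLE_MODEL[rec["job"]]   # old job's birthright access is revoked, not accumulated
        rec["ents"] |= ROLE_MODEL[new_job]
        rec["job"] = new_job

    def leaver(self, user):
        self.users[user] = {"job": None, "ents": set()}   # deprovision everything, keep the record

    def request_access(self, user, entitlement):
        """Ad hoc request workflow: refuse a grant that would create a toxic combination."""
        if sod_conflicts(self.users[user]["ents"] | {entitlement}):
            return False
        self.users[user]["ents"].add(entitlement)
        return True

    def certification_items(self):
        """Certification campaign: every entitlement not explained by the holder's current job."""
        items = []
        for user, rec in self.users.items():
            for e in sorted(rec["ents"] - ROLE_MODEL.get(rec["job"], set())):
                items.append((user, e))
        return items


def demo():
    d = Directory()
    d.joiner("alice", "ap-clerk")
    refused = d.request_access("alice", "erp.invoice.approve")   # blocked by the SoD rule
    d.request_access("alice", "reporting.dashboard")             # ad hoc grant, must be re-certified
    d.mover("alice", "ap-manager")                               # clerk rights removed, manager rights added
    d.joiner("bob", "hr-analyst"); d.leaver("bob")
    return refused, sod_conflicts(d.users["alice"]["ents"]), d.certification_items(), d.users["bob"]["ents"]
```

Running `demo()` returns `(False, [], [('alice', 'reporting.dashboard')], set())`: the conflicting grant was refused, the move left no SoD violation, only the ad hoc entitlement needs attestation, and the leaver holds nothing.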
4. Identity Threat Detection And Response: How You Defend Identity Systems
Gartner introduced the term “identity threat detection and response” a few years ago to describe the tools and best practices to defend identity systems from threat actors and credential misuse. At the time, ITDR tools focused more heavily on identifying risky accounts or configurations and recommending remediation.
Gartner now views ITDR as a framework rather than a product suite or a set list of functions. Schnell explains:
“ITDR is more about being able to monitor identities, what they’re doing, and looking for differences in behavior and how to respond to those. We’re seeing continued investment in those capabilities provided by solution vendors such as CrowdStrike, SentinelOne, and Tenable.”
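The monitoring Schnell describes, as an added example rather than any vendor's logic: build a per-identity baseline from earlier sign-ins, then flag departures from it (new country, new device) and the MFA-fatigue pattern mentioned in the MFA section (a burst of push denials, and an approval right after them). The sign-in events, countries and device ids are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real logs): identity, timestamp, country, device, MFA push result
EVENTS = [
    ("alice", "2025-03-03T08:01:00", "US", "lt-a1", "approved"),
    ("alice", "2025-03-04T08:05:00", "US", "lt-a1", "approved"),
    ("alice", "2025-03-10T02:14:00", "RO", "unk-7f", "denied"),
    ("alice", "2025-03-10T02:15:00", "RO", "unk-7f", "denied"),
    ("alice", "2025-03-10T02:16:00", "RO", "unk-7f", "denied"),
    ("alice", "2025-03-10T02:17:00", "RO", "unk-7f", "approved"),
    ("bob",   "2025-03-04T09:00:00", "US", "lt-b2", "approved"),
    ("bob",   "2025-03-10T09:02:00", "US", "lt-b2", "approved"),
]
BASELINE_END = "2025-03-08"        # sign-ins before this date define each identity's "normal"
FATIGUE_THRESHOLD = 3              # push denials inside FATIGUE_WINDOW that suggest push bombing
FATIGUE_WINDOW = timedelta(minutes=10)

def build_baseline(events):
    """Countries and devices each identity used during the baseline period."""
    base = defaultdict(lambda: {"countries": set(), "devices": set()})
    for user, ts, country, device, _ in events:
        if ts < BASELINE_END:
            base[user]["countries"].add(country)
            base[user]["devices"].add(device)
    return base

def detect(events):
    """Return {(identity, reason): first timestamp} for behaviour that departs from the baseline."""
    base, denials, findings = build_baseline(events), defaultdict(list), {}
    for user, ts, country, device, mfa in events:
        if ts < BASELINE_END:
            continue
        t = datetime.fromisoformat(ts)
        if user not in base:
            findings.setdefault((user, "no baseline for identity"), ts)
        else:
            if country not in base[user]["countries"]:
                findings.setdefault((user, f"new country {country}"), ts)
            if device not in base[user]["devices"]:
                findings.setdefault((user, f"new device {device}"), ts)
        recent = [d for d in denials[user] if t - d <= FATIGUE_WINDOW]  # denials still inside the window
        if mfa == "denied":
            recent.append(t)
            if len(recent) >= FATIGUE_THRESHOLD:
                findings.setdefault((user, "repeated MFA push denials (possible MFA fatigue)"), ts)
        elif mfa == "approved" and len(recent) >= FATIGUE_THRESHOLD:
            findings.setdefault((user, "MFA approval right after repeated denials"), ts)
        denials[user] = recent
    return findings
```

`detect(EVENTS)` yields four findings for alice and none for bob; the last one, an approval following three denials inside ten minutes, is the signal worth paging on because it means the prompt was eventually accepted.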
Questions? Contact us at Sayers today to discover extensive technology solutions, services, and expertise to cover all areas of your business.