Is fuss-free security the holy grail for users and CISOs alike? Stepping into 2025, Identity and Access Management (IAM) is not just about technologies, but also how it is adapting to the new and constantly changing challenges of our interconnected world and users.

While Allen Moffett, in another article in this edition, shares the top 5 IAM technologies to watch out for 2025, I will take a different angle and explore how IAM has evolved and will continue to evolve, changing the way organizations operate their strategies.

The gravity of IAM

Identities are the new perimeter and permissions the new attack surface.

Today, IAM is the single most critical control of any digital business, and its policy is often defined by the permissions and workflows needed for your business. A financial controller’s role would be meaningless without access to ERP tools. Similarly, any third party that is connected by API, or any other way, to that application is, de facto, your business partner, whether you want it or not. Now, this is even more critical and prevalent when using cloud-based applications (such as Software-as-a-Service), where anyone on the Internet is just one permission away from being your business partner or your financial controller.

The gravity of this technology is well understood by CIOs, CTOs and CISOs, and results in significant growth of the IAM market. Cloud IAM, for example, is projected to reach $5.30 billion by 2025, growing at 21.1% annually. As IAM continues to influence and get influenced by other core technologies like cloud migration, IT/OT convergence, automation and orchestration, it is indeed strengthening the need for identity-based zero trust cybersecurity strategies. At centerstage, these strategies are focused on the never trust, always verify paradigm with continuous authentication and authorizations for cloud and non-cloud resources. Meanwhile, we have provided more flexibility to our users, allowing them to work from environments and devices we no longer control (BYOD, mobility, etc.), further increasing the importance of IAM.

Improving timely reviews of privileges (50%) and access to sensitive data (43%) are the top two planned investments of identity stakeholders.

IDSA 2024 trends in identity security

IAM is emerging as the digital mirror of your business operations. This is why it should be as dynamic as your organization and business. Every IT, OT, and application project, every HR change, partner change, or new customer must lead to a change (even slightly) of your role-based access control (RBAC) model. Role explosion[1] and permission creep[2] are indeed two negative consequences of static RBAC.

Controlling your IAM posture is no longer optional. Processes such as account recertification, automated provisioning and deprovisioning, and permission consistency reviews are mandatory, and tooling them with an Identity Governance and Administration (IGA) solution is critical.
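As an added illustration of the two preceding paragraphs (not code from the article or from any vendor it mentions), the following Python script runs the three hygiene checks just named over a small RBAC model: it flags duplicate roles (role explosion), direct grants and stale entitlements (permission creep), and produces a recertification worklist that also catches offboarded users who were never deprovisioned. The role, user and last-use data are constructed for the example; the 90-day staleness window is an assumption, not a standard.

```python
"""RBAC hygiene review: role explosion, permission creep and a recertification
worklist, run over a constructed access model (illustrative data only)."""
from __future__ import annotations

from collections import defaultdict
from datetime import date, timedelta

# Constructed model: roles -> permissions, users -> roles, plus direct grants
# outside any role (the usual source of permission creep).
ROLES = {
    "finance_controller": {"erp:read", "erp:approve_payment", "reports:read"},
    "finance_analyst": {"erp:read", "reports:read"},
    "finance_analyst_v2": {"erp:read", "reports:read"},   # duplicate of finance_analyst
    "erp_admin": {"erp:read", "erp:admin", "erp:approve_payment"},
}
USERS = {
    "alice": {"roles": {"finance_controller"}, "direct": set(), "status": "active"},
    "bob":   {"roles": {"finance_analyst"}, "direct": {"erp:approve_payment"}, "status": "active"},
    "carol": {"roles": {"finance_analyst_v2"}, "direct": set(), "status": "active"},
    "dave":  {"roles": {"erp_admin"}, "direct": set(), "status": "left"},  # offboarded in HR, still provisioned
}
# Constructed last-use dates per (user, permission), as an IGA tool would
# derive them from application access logs. Missing entries mean "never used".
TODAY = date(2025, 1, 15)
LAST_USED = {
    ("alice", "erp:approve_payment"): TODAY - timedelta(days=3),
    ("alice", "erp:read"): TODAY - timedelta(days=1),
    ("bob", "erp:read"): TODAY - timedelta(days=2),
    ("carol", "reports:read"): TODAY - timedelta(days=200),
}


def effective_permissions(user: str) -> set[str]:
    """All permissions a user holds, through roles plus direct grants."""
    perms = set(USERS[user]["direct"])
    for role in USERS[user]["roles"]:
        perms |= ROLES[role]
    return perms


def duplicate_roles() -> list[tuple[str, ...]]:
    """Role explosion indicator: distinct roles with identical permission sets."""
    by_perms: dict[frozenset[str], list[str]] = defaultdict(list)
    for role, perms in ROLES.items():
        by_perms[frozenset(perms)].append(role)
    return [tuple(sorted(names)) for names in by_perms.values() if len(names) > 1]


def permission_creep(user: str, stale_days: int = 90) -> dict[str, list[str]]:
    """Permission creep indicators: direct grants that bypass the role model,
    and permissions not exercised within stale_days (never used counts as stale)."""
    stale_before = TODAY - timedelta(days=stale_days)
    direct = sorted(USERS[user]["direct"])
    stale = sorted(
        p for p in effective_permissions(user)
        if LAST_USED.get((user, p), date.min) < stale_before
    )
    return {"direct_grants": direct, "stale_permissions": stale}


def recertification_worklist(stale_days: int = 90) -> list[dict]:
    """Items a reviewer must confirm or revoke. Offboarded users still holding
    access are listed first and short-circuit the finer-grained checks."""
    items = []
    for user, rec in USERS.items():
        perms = effective_permissions(user)
        if rec["status"] != "active" and perms:
            items.append({"user": user, "finding": "offboarded_still_provisioned",
                          "permissions": sorted(perms)})
            continue  # deprovision first; reviewing individual grants is moot
        creep = permission_creep(user, stale_days)
        for p in creep["direct_grants"]:
            items.append({"user": user, "finding": "direct_grant", "permissions": [p]})
        if creep["stale_permissions"]:
            items.append({"user": user, "finding": "stale_permissions",
                          "permissions": creep["stale_permissions"]})
    return items


if __name__ == "__main__":
    print("duplicate roles:", duplicate_roles())
    for item in recertification_worklist():
        print(item)
```

The same three checks are what a recertification campaign asks each manager to confirm; running them continuously, rather than once a year, is the point of tooling them in an IGA platform.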

This is why the access model of business applications is under such high scrutiny. It is also key for regulatory compliance: whether the regulation is technology-oriented or sector-specific, it requires traceability and auditability, which in turn requires logging and reporting of the actions performed by each identity.

In a nutshell, what we really need to control is “who (or what) accesses which of our resources, from where, for which reasons, when and how”.

IAM: Where the user comes first

Frictionless IAM for the employees and the business

Remember when passwords had to be long, complex, and impossible to remember?

Thankfully, those days are behind us (are they?) and we now have more diversified and friendly authentication methods.

Hackers don’t break in, they log in!

Of course, passwords are not yet totally dead and may still be useful in some cases, but we have eased their creation and management by offering our users password managers and/or email and SMS links or codes. We then further strengthened security by adding time-based one-time passwords or push notifications.

But, yes, we are moving away from passwords by making biometric technologies more fluid (first only physiological biometrics[3], now expanding into behavioural biometrics[4]) and more privacy-focused when they are used for authentication only, not for identification[5]. Last, but not least, among the authentication technologies gaining wide adoption is asymmetric cryptography, as used in certificates and FIDO2, for example. These provide stronger, phishing-proof authentication. The ways of storing the private key have also diversified, into smartcards, phones, USB/NFC tokens and TPMs, to name a few, to support convenient and flexible use cases. Our CardOS solutions focus on providing these multiple form factors through contact-based and contactless interfaces.

Attackers gain access to web applications using credentials in 98% of cases (stolen or guessable credentials).

Verizon 2024 DBIR

This diversification is vital because IAM must now manage more diverse identities than ever before. Twenty-five years ago, we only managed our employees’ identities. Today, we have to also include the following:

  • Privileged users, with more scrutiny and strengthened controls
  • Consumer identities, adding consent management features to our IAM, as well as convenient options like social network login and single sign-on
  • Non-human identities (NHIs), the fastest-growing category, which we need to bring under tighter control: application identities, system process identities, as well as machines and objects

Non-human identities outpace human ones by a 45:1 ratio.

Security boulevard, August 2024

I would like to stress the ongoing convergence of application identities and privileged users: one must realize that automation and orchestration have helped us transfer system and network administration privileges to infrastructure-as-code solutions like Terraform and Kubernetes, or to their AWS, Google Cloud and Microsoft Azure equivalents. Soon, we will also be transferring such privileges to autonomous agents enhanced by LLMs, if that is not already the case.

Autonomous agents, enhanced by LLMs, are capable of planning, orchestrating, and executing complex actions, making decisions, and acting without human intervention.

Thierry Caminel | Eviden CTO for AI and Decarbonization

Perhaps in 2026 or 2027, we should prepare ourselves for the possible rise of decentralized identifiers (DID) as a likely new technology used for providing the population with self-sovereign identities (SSI).

The European Union Commission is already laying the groundwork for this technology as part of the future EU Digital Identity Wallets (EUDIW) for EU citizens. Four EU Large Scale Pilots, involving 350 private companies and public authorities, are currently test driving the specifications of EUDIW in a wide range of use cases. On November 28, 2024, the Commission adopted rules for the core functionalities and certification of such EUDIW under the European Digital Identity Framework. In parallel, Gaia-X adopted SSI/DID to allow a decentralized verification of Data Spaces participants’ information. Large industrial players have announced their intent to leverage those Data Spaces, Airbus doing so recently.

If decentralized identities become a new standard, they could offer consumers secure, reliable, privacy-focused and self-sovereign methods to manage their identities in the digital world, improving their experience in many situations. In such a scenario, it won’t be long before these EU-vetted decentralized identities are also used in business-to-business (B2B) and business-to-consumer (B2C) scenarios. Indeed, the EUDIW holds verifiable credentials which can be used for corporate authentication to enterprise resources[6]. Our Evidian Orbion IDaaS solution already supports these SSI/DID verifiable credentials as an authentication method available to all our customers.

Simplifying IAM

Can we still afford complex IAM policies and technologies?

Yes, IAM has become a critical game-changer, but in this pursuit it has magnified the impact of even the tiniest mistake, increasing complexity and the probability of error too. It is no surprise, then, that there is a push for simpler IAM organization, processes and solutions.

A promising lever is to bring automation through Artificial Intelligence. This is not new: machine learning (AI/ML) has been used in cybersecurity for years, including in IAM, for example in User and Entity Behavior Analytics (UEBA).

Everything simple is false. Everything complex is unusable.

Paul Valéry

More recently, driven by Zero Trust architectures, AI/ML was added to support adaptive authentication: the authentication method demanded is selected from the available range according to a dynamically computed risk level, risk thresholds and risk scenarios. Generative AI (GenAI) is also an interesting technology, when properly adopted, helping IAM administrators navigate IAM documentation, configuration and alerts through a natural language interface, further addressing the complexity problem. This aspect was already documented at length, earlier this year, in an excellent article from Thierry Winter.
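To make the adaptive authentication idea concrete, here is an added Python example (not code from the article or from any product it names) that scores a login attempt from a few context signals, namely an unrecognized device, impossible travel between the previous and current locations, and a burst of recent failures, and maps the score to the authentication assurance to demand, from a plain password up to phishing-resistant MFA or an outright deny. The signal weights, thresholds and the 900 km/h travel limit are constructed, illustrative values, as are the user history and login contexts.

```python
"""Adaptive (risk-based) authentication: score a login attempt from context
signals and map the score to the assurance level to require. All weights,
thresholds and sample data are constructed for illustration."""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class LoginContext:
    user: str
    device_id: str
    lat: float
    lon: float
    timestamp: int                  # unix seconds
    failed_attempts_last_hour: int = 0


@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    last_timestamp: Optional[int] = None


# Constructed weights and thresholds (an assumption of this example).
WEIGHTS = {"unknown_device": 30, "impossible_travel": 50, "repeated_failures": 20}
MAX_PLAUSIBLE_KMH = 900.0           # faster than this between two logins is "impossible travel"
FAILURE_BURST = 3


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance (haversine) between two coordinates, in km."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def risk_score(ctx: LoginContext, hist: UserHistory) -> tuple[int, list[str]]:
    """Additive risk score in [0, 100] plus the reasons that contributed."""
    score, reasons = 0, []
    if ctx.device_id not in hist.known_devices:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown_device")
    if hist.last_lat is not None and hist.last_timestamp is not None:
        km = distance_km(hist.last_lat, hist.last_lon, ctx.lat, ctx.lon)
        hours = max((ctx.timestamp - hist.last_timestamp) / 3600, 1 / 60)  # floor at 1 minute
        if km / hours > MAX_PLAUSIBLE_KMH:
            score += WEIGHTS["impossible_travel"]
            reasons.append("impossible_travel")
    if ctx.failed_attempts_last_hour >= FAILURE_BURST:
        score += WEIGHTS["repeated_failures"]
        reasons.append("repeated_failures")
    return min(score, 100), reasons


def required_assurance(score: int) -> str:
    """Map a risk score to the minimum authentication method to demand."""
    if score >= 90:
        return "deny"                       # too risky to let any factor through
    if score >= 60:
        return "phishing_resistant_mfa"     # e.g. FIDO2 / certificate-based
    if score >= 30:
        return "mfa_totp"                   # second factor such as TOTP or push
    return "password"


def decide(ctx: LoginContext, hist: UserHistory) -> dict:
    """Policy decision record: what to require and why (for audit logging)."""
    score, reasons = risk_score(ctx, hist)
    return {"user": ctx.user, "score": score, "reasons": reasons,
            "required": required_assurance(score)}


# Constructed history: alice last logged in from Paris on a known laptop.
PARIS = (48.85, 2.35)
NEW_YORK = (40.71, -74.01)
ALICE = UserHistory(known_devices={"laptop-01"}, last_lat=PARIS[0], last_lon=PARIS[1],
                    last_timestamp=1_736_900_000)


if __name__ == "__main__":
    one_hour_later = ALICE.last_timestamp + 3600
    print(decide(LoginContext("alice", "laptop-01", *PARIS, one_hour_later), ALICE))
    print(decide(LoginContext("alice", "phone-new", *NEW_YORK, one_hour_later, 3), ALICE))
```

The decision record, including the reasons, is what you want written to the IAM audit log: it answers the "from where, when and how" part of the control question posed earlier in the article and lets an analyst explain later why a step-up was demanded.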

96% of organizations report AI will be beneficial in addressing identity related challenges

IDSA 2024 trends in identity security

The way ahead

However, it is important to note that without more flexibility and better integration, automation would fail. The strategy of piling up best-of-breed products and solutions always has negative consequences. For this reason, KuppingerCole introduced the concept of Identity Fabrics in 2019, which is gaining momentum. At a basic level, it states that every large enterprise should consider a fully integrated IAM suite providing all features — Web Access Management, Enterprise Access Management, Identity Governance and Administration, Consumer IAM and Privileged Access Management — or as many of them as make sense.

94% of organizations use more than 10 vendors for identity-related cybersecurity initiatives

CyberArk 2024 Identity Security Threat Landscape Report

Not only do such fully functional, state-of-the-art IAM solutions exist, but we can also observe a strong consolidation of the market into IAM suites. These solutions are gaining flexibility and a wider range of consumption models: traditional on-premises solutions have added as-a-service options, while cloud-native solutions are adding on-premises options. Tighter integration has become a key success factor because of the various intermediate and mixed options, such as Bring Your Own IAM (BYOIAM) deployments (on-premises licensing, but deployed by the customer on its own cloud IaaS tenant), or a SaaS IAM as the main solution coupled with an on-premises secondary for the most sensitive use cases. Indeed, customers now understand why IAM is the last IT function they should surrender control of.

Simply put, if you don’t control your IAM, you don’t control your digital business. Period.

Conclusion

The evolution of IAM represents more than just a technological shift. It is a strategic imperative for today’s digital businesses. As identities become the new perimeter and permissions the new attack surface, having solid IAM solutions in place is now crucial. The future of IAM lies in its ability to adapt to the dynamic nature of organizations, offering frictionless experiences for users while ensuring stringent security measures. The integration of AI and automation, along with the rise of decentralized identities, promises to create a more secure, efficient and user-friendly IAM landscape. To maintain control over their digital assets and ensure compliance with regulatory standards, businesses must prioritize simplified, integrated IAM solutions as they move forward. These principles are key to navigating the complexities of the digital world and safeguarding business operations.


References:

[1] Role explosion occurs when the number of roles in a role-based access control (RBAC) system grows out of control, making access management complex.

[2] Permission creep refers to the progressive accumulation of access rights or permissions that exceed the real needs of an individual or a system to accomplish its tasks.

[3] Physiological biometrics is based on unique physical characteristics, such as fingerprints and facial recognition.

[4] Behavioural biometrics analyses action patterns, such as the rhythm of keyboard typing, vocal habits or the gait.

[5] Authentication verifies that an individual is the one expected (1-to-1), without needing to know their civil identity, while identification determines which individual, among a population, is presenting (1-to-many).

[6] See https://hub.ebsi.eu/conformance/learn/verification-offering for technical descriptions.