Reflecting on 20 Years in the IAM Industry
This month marks my 20th anniversary of joining iC Consult and entering the field of Identity & Access Management – a marginal niche within IT operations or cybersecurity back in 2004. And the only real constant since then has been change – significant change. But today I don’t want to look back (that would be more interesting for me than for you); instead, I want to invite you to discuss the future of our industry.
Evolving Challenges in Identity Management
Many identity-related domains have benefited from the advancement of standard protocols over custom integrations, configuration over custom software development, and standardization over individual requirements that add no value to the business. However, this does not mean that our work is becoming easier. Over time, digital identities have emerged as the main – and sometimes hidden – access point to all vital IT assets in organizations. Their importance, their complexity due to the diversity of users and devices, and the intensity of attacks against them are reaching unprecedented levels.
Besides managing the lifecycle, assigning roles and privileges, and enforcing multi-factor authentication, modern Identity & Access Management has other duties and patterns that are essential for successfully safeguarding the most precious IT assets.
The Impact of GenAI and the Shift to Zero Trust
The IT landscape has been changing for a long time, moving from on-premise to IaaS and then to SaaS. Now we are facing the biggest transformation in IT since the birth of the Internet. GenAI is enhancing our efficiency, but it also gives attackers a huge advantage. GenAI tools that use Large Language Models (LLMs) without any constraints, such as WormGPT and DeepFake, are rendering not only passwords obsolete but also most of the MFA methods available. Static solutions like a robust role concept with clear approval processes are also reaching their limits.
We are investing heavily in user-friendly and secure MFA, so all touchpoints are well protected, and users are forced to complete MFA challenges several times per day. Why shouldn’t we put trust in their access to IT assets?
For good reasons, most MFA challenges take place out-of-band on a separate device: an authentication must be confirmed on a mobile phone after biometrics have been applied. This increases the level of security significantly, but keep in mind that the evil GenAI tools allow attackers to build excellent phishing scenarios, accurate in wording and perfectly tailored to the company and even to a specific user. In other words, very sophisticated social engineering attacks can now be performed at scale and in a cost-efficient way.
Accepting this fact justifies the Zero Trust approach – we do not consider only the authentication, but all the other context of the request as well when evaluating it.
In such an evaluation, the attacker might be stopped because the device he is using is not managed and is therefore not sufficient to access this crucial resource. So, validating device compliance before opening the VPN is a good idea, isn’t it?
Of course, the VPN is not the right place for this check. Even if some enterprises still follow the pattern of forcing all requests through a VPN, only to route them on to SaaS afterward, it is just a question of time until more and more exceptions are implemented for specific users, locations or devices, and the attacker can gain access to more critical systems in the cloud (e.g., the HR system, to onboard himself as the new, desperately sought-after IT administrator).
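To make the difference between the two enforcement models concrete, here is an added example; it is not code from the original post or from iC Consult. It models a toy policy engine with made-up users, devices and resources (all constructed, no real product API): one decision function enforces only at the VPN gateway, the other evaluates identity, MFA, device compliance and resource sensitivity per request, wherever the request arrives.

```python
"""Toy Zero Trust access decision: VPN-perimeter model vs. identity-first model.

Constructed example. Users, devices, resources and the policy itself are
hypothetical and exist only to illustrate the argument in the text.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class Sensitivity(Enum):
    LOW = 1
    HIGH = 2
    CRITICAL = 3


@dataclass(frozen=True)
class AccessRequest:
    user: str
    authenticated: bool    # primary credential verified
    mfa_passed: bool       # out-of-band MFA challenge confirmed
    device_managed: bool   # device enrolled in the fleet and compliant
    via_vpn: bool          # request arrived through the corporate VPN gateway
    resource: str
    sensitivity: Sensitivity


def vpn_perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: the VPN gateway is the only place device compliance is checked.

    Requests that reach a SaaS resource through an exception (no VPN) are
    only checked for identity and MFA, so the device signal is never seen.
    """
    if req.via_vpn:
        return req.authenticated and req.mfa_passed and req.device_managed
    return req.authenticated and req.mfa_passed   # exception path: no device check


def identity_first_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Identity-first model: every request is evaluated with its full context,
    independent of the network path it took. Returns (allowed, reason)."""
    if not req.authenticated:
        return False, "no verified credential"
    if not req.mfa_passed:
        return False, "MFA challenge not confirmed"
    if req.sensitivity is Sensitivity.LOW:
        return True, "low-sensitivity resource: identity and MFA are sufficient"
    if not req.device_managed:
        return False, (f"unmanaged device may not access {req.sensitivity.name} "
                       f"resource {req.resource}")
    return True, f"managed device, identity and MFA satisfy policy for {req.resource}"


# Constructed scenario: the attacker holds a session whose credential and
# out-of-band MFA confirmation were obtained by a tailored phishing message,
# and uses it from an unmanaged laptop against the cloud HR system, which is
# reachable directly (a SaaS exception to the VPN rule).
PHISHED_HR_REQUEST = AccessRequest(
    user="j.doe", authenticated=True, mfa_passed=True, device_managed=False,
    via_vpn=False, resource="cloud-hr", sensitivity=Sensitivity.CRITICAL)

# Same session, but routed through the VPN gateway.
PHISHED_HR_VIA_VPN = AccessRequest(
    user="j.doe", authenticated=True, mfa_passed=True, device_managed=False,
    via_vpn=True, resource="cloud-hr", sensitivity=Sensitivity.CRITICAL)

# The legitimate user on a managed, compliant device.
MANAGED_HR_REQUEST = AccessRequest(
    user="j.doe", authenticated=True, mfa_passed=True, device_managed=True,
    via_vpn=False, resource="cloud-hr", sensitivity=Sensitivity.CRITICAL)

# Low-sensitivity resource: the identity-first policy does not demand a managed device.
WIKI_REQUEST = AccessRequest(
    user="j.doe", authenticated=True, mfa_passed=True, device_managed=False,
    via_vpn=False, resource="team-wiki", sensitivity=Sensitivity.LOW)


if __name__ == "__main__":
    for req in (PHISHED_HR_REQUEST, PHISHED_HR_VIA_VPN, MANAGED_HR_REQUEST, WIKI_REQUEST):
        allowed, reason = identity_first_decision(req)
        print(f"{req.resource:10} via_vpn={req.via_vpn!s:5} managed={req.device_managed!s:5} "
              f"vpn_model={vpn_perimeter_decision(req)!s:5} identity_first={allowed!s:5} ({reason})")
```

The VPN-only model denies the phished session when it arrives through the gateway but allows the identical session once a SaaS exception bypasses the gateway; the identity-first policy reaches the same verdict on both paths because the device signal is part of every decision at the resource itself.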
Towards an Identity-First Future
The Identity-First paradigm makes the digital identities themselves the perimeter that prevents attacks – not specific points in the network.
This new situation requires rethinking former certainties, but also taking action. Over the coming months, we will zoom into the following topics:
- How are PAM, CIEM, and phishing-resistant MFA helping us build our reliable identity-first security layer?
- Prevention is good, Identity Threat Detection and Response is better! Why identities are a cornerstone of detecting and stopping attacks.
- Zero Trust – Zero Vista? Will GenAI help us in handling the complexity of authorization?
- How does the role of Decentralized Identities fit into modern identity-driven cybersecurity? Is less control more control at the end of the day?
I’m very much looking forward to your thoughts and am super excited about what 2024 might bring to all of us in the world of digital identities.
Best regards
Andre Priebe
CTO, iC Consult