Authored by Robin Cohan, Offering Manager, IBM Security Identity Management.

Many of today’s identity management environments were implemented many years ago, when the approach to identity management was quite different. Back then, identity management was seen as more of an IT productivity tool — used to automate account life cycle operations and provide self-service password management — than a security solution.

The Evolution of Identity Management

Back then, the goal was to ensure users had the right access to data and applications in a timely manner. Cumbersome, manual administration of user privileges led to expensive IT overhead and a system that didn’t keep up with the organization’s business needs. Identity management products were focused on IT administrator users with the goal of increased productivity, including extensive use of scripting for bulk data activities. It was assumed that the users of the solutions were technologically savvy.

Now, many of those deployments, which were built on older architectures and use product versions that may be out-of-support or based on discontinued offerings, are decaying. These systems expose organizations to security threats and need to be updated.

Furthermore, identity management as a discipline has evolved greatly, and the purpose of identity management solutions has expanded. Outdated or inappropriate access rights contribute to security and compliance issues, and compliance regulations have grown stricter over the years as well. Organizations need stringent identity and access controls if they hope to improve security and avoid regulatory sanctions.

Using Identity Tools Today

So identity management has expanded in importance, becoming a front-line tool to address enterprise access governance and compliance requirements. Tools can trace and explain user entitlements and ensure regular review and re-approval of them. Furthermore, with the large number of recently publicized identity data breaches, identity management has also become the new perimeter for securing applications against unapproved use.

Identity management enables lines of business to take an agile approach to securely providing state-of-the-art applications not just to their employees, but also to partners and customers. Beyond the traditional IT user community, privileged access rights must often be extended to external IT contractors, which presents its own set of challenges. To further complicate matters, managed applications may exist either on-premises or in the cloud.

What hasn’t changed is the ongoing need for collaboration between IT and the lines of business on the setup and review of user entitlements. Identity management today needs to address several constituent needs: IT productivity, corporate governance, end user enablement and business application agility. Yet it is often still a challenge for organizations to engage line-of-business managers in order to ensure their identity management processes, policies and architectures meet the business and security needs of the organization.

Given these trends, many organizations need to take a fresh look at their identity management deployments with an eye toward making a clean start. This means not just replacing the aging infrastructure, but also taking the opportunity to streamline policies and processes to improve their effectiveness.
