Authored by Robin Cohan, Offering Manager, IBM Security Identity Management.

Many of today’s identity management environments were implemented many years ago, when the approach to identity management was quite different. Back then, identity management was seen as more of an IT productivity tool — used to automate account life cycle operations and provide self-service password management — than a security solution.

The Evolution of Identity Management

Back then, the goal was to ensure users had the right access to data and applications in a timely manner. Cumbersome, manual administration of user privileges led to expensive IT overhead and a system that didn’t keep up with the organization’s business needs. Identity management products were focused on IT administrator users with the goal of increased productivity, including extensive use of scripting for bulk data activities. It was assumed that the users of the solutions were technologically savvy.

Now, many of those deployments, which were built on older architectures and use product versions that may be out-of-support or based on discontinued offerings, are decaying. These systems expose organizations to security threats and need to be updated.

Furthermore, identity management as a discipline has evolved greatly. Over the years, the purpose of identity management solutions has expanded. Outdated or inappropriate access rights contribute to security and compliance issues, and compliance regulations have grown more strict over the years, as well. Organizations need stringent identity and access controls if they hope to improve security and avoid regulatory sanctions.

Using Identity Tools Today

So identity management has expanded in importance, becoming a front-line tool to address enterprise access governance and compliance requirements. Tools can trace and explain user entitlements and ensure regular review and re-approval of them. Furthermore, with the large number of recently publicized identity data breaches, identity management has also become the new perimeter for securing applications against unapproved use.

Identity management enables lines of business to take an agile approach to securely providing state-of-the-art applications not just to their employees, but also to partners and customers. Beyond the traditional IT user community, often privileged access rights must be extended to external IT contractors, which presents its own set of challenges. To further complicate matters, managed applications may exist either on-premises or in the cloud.

What hasn’t changed is the ongoing need for collaboration between IT and the lines of business on the setup and review of user entitlements. Identity management today needs to address several constituent needs: IT productivity, corporate governance, end user enablement and business application agility. Yet it is often still a challenge for organizations to engage line-of-business managers in order to ensure their identity management processes, policies and architectures meet the business and security needs of the organization.

Given these trends, many organizations need to take a fresh look at their identity management deployments with an eye toward making a clean start. This means not just replacing the aging infrastructure, but also taking the opportunity to streamline policies and processes to improve their effectiveness.

More from Identity & Access

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today