For years, identity and access management (IAM) was that painful necessity that businesses knew they had to spend time and resources on, but it was always done kind of grudgingly. Oh, how times have changed! CIOs and CISOs alike have recognized the critical role that identity plays in an overall digital transformation and security program centered around Zero Trust. Businesses are evaluating how they can modernize IAM to address today’s hybrid multicloud challenges.

IAM is all about providing secure, frictionless access for any user to any resource. In the context of identity, “user” represents a very broad category of people and things. People include privileged users, the workforce at large including employees and contractors, and consumers. Things include servers, service accounts, application programming interfaces (APIs), and even internet of things (IoT) devices. To enjoy a consistently secure and frictionless environment, these users need a common experience regardless of whether the resource they are accessing resides on-premises or across various public and private clouds.

Organizations understand that this can’t be accomplished with a hodge-podge of identity solutions that only work in specific silos: one solution for access management, another one for governance, another one for privileged users, another one for customers, and so on. At the same time, ripping and replacing all existing IAM solutions is rarely an option that organizations are willing to explore. What if there were a smart, modernized and modular platform that could integrate into the existing environment and provide a consistent, secure experience and the ability to adopt new use cases over time? What would the three key pillars of this solution look like?

Tap Into Contextual Insights

The more an organization can tap into deep contextual insights such as behavioral biometrics, device attributes, user behavior patterns, environmental attributes, and user activity, the less need there is for the friction associated with authentication. A central tenet of Zero Trust approaches is to never trust and to always verify, but a smart identity solution leverages adaptive access that uses artificial intelligence (AI) technology to perform this “always verify” step in the background. AI can be used to help build risk scores, or, as I prefer to call them, “trust scores,” determining the level of trust associated with each user at any particular time.

When these AI capabilities are combined with an access policy engine, they allow the organization to make dynamic decisions based on that trust level. Low-risk accesses can be given a streamlined or even passwordless experience, while high-risk accesses can be challenged with multifactor authentication (MFA) or denied access. Contextual insights allow the verification process to occur continuously and transparently so that the friction associated with MFA is minimized without sacrificing security.

Context in the form of identity analytics can be used to help decision makers make better decisions. Gone are the days of rubber-stamp approvals that are fine for checkbox compliance but actually do nothing to reduce risk in the business. Analytics can be used to get a 360-degree view of access risks and then recommend actions based on those risk insights.

Finally, context is a critical part of a modernized threat management program. The telemetry that identity solutions provide must be integrated for consumption by Security Information and Event Management (SIEM) solutions. If adaptive access indicates risk is high, incident response cases should be automatically created for follow-up. But the context needs to be bi-directional too, so that if remediation is needed, IAM can become a control point. Automated response playbooks should be able to perform remediation tasks such as password resets and account suspension without human intervention.
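The adaptive-access flow described in this section (contextual signals feed a trust score, a policy engine turns the score into allow, MFA or deny, and a high-risk result produces an event for the SIEM) can be sketched as follows. This is an added example, not code from the original article or from any IBM product; the signal names, penalties, thresholds and event fields are all hypothetical.

```python
import json
from dataclasses import dataclass

# Hypothetical penalties: trust removed when a contextual risk signal is seen.
PENALTIES = {
    "new_device": 30,
    "impossible_travel": 45,
    "unusual_hours": 10,
    "behavior_mismatch": 25,  # e.g. behavioral-biometrics deviation
}
# Hypothetical policy: (allow at or above, MFA at or above) per sensitivity.
THRESHOLDS = {"low": (50, 20), "high": (80, 50)}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    sensitivity: str      # "low" or "high"
    signals: frozenset    # contextual risk signals observed for this request


def trust_score(req):
    """Start at full trust (100) and subtract a penalty per observed signal."""
    unknown = set(req.signals) - set(PENALTIES)
    if unknown:
        # Fail closed: an unrecognised signal must not silently count as safe.
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    return max(0, 100 - sum(PENALTIES[s] for s in req.signals))


def decide(req):
    """Return (decision, score, siem_event); the event is None unless denied."""
    score = trust_score(req)
    allow_at, mfa_at = THRESHOLDS[req.sensitivity]
    decision = "allow" if score >= allow_at else "mfa" if score >= mfa_at else "deny"
    event = None
    if decision == "deny":
        # JSON line for SIEM ingestion; open_case asks incident response to open a case.
        event = json.dumps({"user": req.user, "resource": req.resource,
                            "trust_score": score, "signals": sorted(req.signals),
                            "decision": decision, "open_case": True},
                           sort_keys=True)
    return decision, score, event


# Constructed sample request: unfamiliar device plus impossible travel.
SAMPLE = AccessRequest("alice", "payroll-db", "high",
                       frozenset({"new_device", "impossible_travel"}))
```

The same signals give a different outcome on a low-sensitivity resource, which is the point of evaluating trust per request rather than once at login.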

Make Identity Consumable

Developers need a way to infuse identity capabilities into their applications without being IAM experts. Open source communities provide the ability to easily add authentication to applications and secure services across any cloud. Smart options include alternatives to passwords for strong authentication, such as customizable authentication flows for mobile push, QR code, and FIDO registration and authentication.

Smaller, growing organizations need to be able to easily consume IAM capabilities. This means having options for microservices-based capabilities delivered through identity as a service (IDaaS) and being able to leverage a variety of identity capabilities via a modular approach. Organizations can benefit from a variety of use cases such as single sign-on, advanced authentication, and identity governance over time via a common platform with a common user experience and workflow.

Comprehensive Capabilities from the Cloud

Supporting the rapid shift of workloads to the cloud necessitates a cloud-based approach to IAM. In order for organizations to truly modernize their identity environments, they need comprehensive capabilities that include access management, identity governance, and privileged access management. The benefits of IDaaS are clear, but too often solutions focus on one aspect of identity or another, rather than delivering holistic capabilities. Another key Zero Trust concept is enforcing the principle of least privilege. Cloud-based access certification enables organizations to stay ahead of compliance requirements by periodically recertifying who should have access to what resources. So, it’s not just about facilitating the access, but ensuring that it is the right access.

Introducing IBM Security Verify – Smart Identity for a Hybrid Multicloud World

IBM is introducing the industry’s most comprehensive identity solution to infuse identity as a key pillar of any Zero Trust strategy.

IBM Security Verify delivers a modernized IAM platform for any organization to:

  • Leverage unparalleled context for decisions about who should be able to access what, and combine identity with threat management and incident response.
  • Secure applications across any cloud through a common stellar developer experience without requiring IAM expertise.
  • Incorporate broad identity workflows, including access management, identity governance, and privileged access management.

IBM empowers organizations to give the right people the right access at the right time, with the design, implementation, and integration expertise to help them at each step of their journey to cloud.
