For years, the two fundamental pillars of identity and access management (IAM) came to pretty much the same thing.
1. Identity: Is the person who is attempting to access your corporate information exactly who they say they are?
2. Access: Does the person who is attempting to access your corporate information have permission to do so?
Before the days of technology, identity and access management was all about physically stopping the wrong people from accessing the wrong filing cabinet in the corner of the office. If the wrong employee tried to retrieve a document from the cabinet labelled “sensitive — board directors only”, you’d be able to put a stop to it immediately.
When workplaces moved towards digital filing systems and corporate networks, many companies invested in IAM software to do the job that humans could no longer do because hackers and malicious employees could simply hide behind a computer screen.
>See also: The rise of the access clones
And that’s where IAM has traditionally found its niche — security. The primary reason that businesses have, to date, invested in IAM has simply been because they had to. Cybercriminals are getting smarter, networks are getting more complex, everyone’s a target, and it’s a risky world without effective IAM.
Now, though, a number of significant technology trends are shaping the future of IAM, turning it into something much more than just a security add-on. One example of that significant trend is the Internet of Things (IoT).
How the IoT is changing identity and access management
The IoT is redefining the concept of identity and access management — and the two are now inextricably linked. Saniye Burcu Alaybeyi, research director at Gartner strongly believes that “IAM will soon become, if not already, an integral part of each and every IoT solution.”
So why is the IoT having such an impact on IAM? More than 20 billion IoT devices will be in use worldwide by 2020, according to Gartner. So, while traditional IAM was designed to manage just employees, IAM in an IoT world is evolving to manage employees, customers, devices and connected ‘things’ — and the complex digital relationships between all of them.
>See also: How can the enterprise build identity-aware infrastructure?
While the number of ‘identities’ is growing, IAM systems are becoming smarter. Now, IAM systems no longer rely simply on a username and password to grant or deny access.
They use additional contextual information, like login location, time of day, browser, operating system, IP address and much more to build up a holistic profile of the person or device attempting access. Then, if an access attempt features something irregular, like a login attempt from a new device or at an unusual time of day, the IAM system automatically restricts access and mitigates any potential danger.
While using these contextual ‘signals’ to determine identity improves security (because it collates a lot of different pieces information to build up a profile), this expanded way of using IAM opens up new ways to improve digital experiences for customers:
1. Ironing out the kinks of the customer experience
IAM can now make access to data and networks a much more convenient process. “Password-less” access, for example, could remove a considerable barrier in the authentication process through recognising the location of the login and whether it’s on a pre-approved device.
2. Providing a more tailored digital experience for customers
Using contextual signals, organisations can tailor digital experiences according to different audiences or consumers. For example, an airline could provide a different authentication experience for customers in London and customers in Bangkok — adapting to the different types of consumer behaviour in different countries.
>See also: Targeting the enterprise: 4 things SaaS vendors need to get right
Organisations can tailor experiences to more than just geography — Google Chrome users could be directed to one kind of digital experience and Firefox users to another. Or mobile users to one particular digital experience and desktop users to another. The possibilities are virtually endless, depending on whatever the organisation needs.
3. Putting power back in the hands of customers
Moreover, IAM can be part of a strategy to help you solve a long-standing customer issue, which is data privacy — something organisations need to consider seriously thanks to the upcoming GDPR. Many see the GDPR as a compliance tick-box exercise, but it’s so much more than that. The GDPR an opportunity to improve the relationship you have with your customers.
So how do you go about doing that? Consumers are increasingly worried about data privacy, and want more visibility into what they’ve shared with an organisation, what the organisation is doing with that data, and with whom it’s being shared.
>See also: Top 10 security predictions for 2017
In addition, many customers want the right to be forgotten. IAM makes it easy for businesses to be able to locate and determine any device the consumer has interacted with and determine how those devices are using customer data, so if any customers ask, the organisation will have the answer at their fingertips.
4. Making everyday business operations more efficient
IAM can also improve the day-to-day operations within a business. IAM data can feed into different parts of your business for different purposes — sales and marketing can improve customer profiling to deliver on personalisation strategies, R&D departments can improve future iterations of products based on actual performance data, senior management can make better decisions based on real-time, up-to-date information.
This sort of capability is vital to achieve a competitive edge and ultimately drive customer loyalty and revenue, helping an organisation to become better at what they are already doing as a business.
5. Improving the basics — security
Finally, context-aware IAM is inherently more secure than simple username and password combinations because of the profile of information IAM collects. Putting it into practice, for example, context-aware security could’ve halted the WannaCry ransomware attack on the NHS, dead in its tracks.
>See also: Where does a business’s data live?
With automated contextual awareness, authentication systems could have detected the wrong desktops attempting to access sensitive data, and restricted access automatically to contain the damage.
What you should look for in IAM for the IoT
Businesses should ideally look out for IoT-ready “identity relationship management” (IRM), which should be scalable, flexible and high-performing while offering a single view of an entire IoT estate — whatever the level of sophistication.
With an IoT-ready identity platform, organisations can support a huge range of devices, whether they’re healthcare wearables or connected cars, or any yet-to-be-invented “thing” that organisations and their customers will use in years to come. IAM is no longer just a security tool, it’s an asset that helps you to better serve your customers.
To find out more, view this video that KCOM put together with IAM software vendor ForgeRock on how IAM is evolving to become about much more than just security
Sourced by Andy Cory, head of IAM practice, KCOM