Ever since humans started communicating, there’s been a need for protecting and controlling information access — what we refer to as Identity and Access Management (IAM). Even in the earliest days, the basic components of that control were much the same as today: proving who you are when you try to access information, which is the basis of “authentication,” and determining whether you can access a specific resource or take a specific action once you are authenticated — what is now known as authorization.
Of course, in ancient times proving your identity was as simple as having someone vouch for you. Determining what you could access and what you could do with it might depend on your status in society or the preferences of the person controlling the information. As societies became more sophisticated and both populations and the amount of information grew, more formal methods of authentication and authorization were needed.
That need for more formal IAM methods became especially pronounced with the development of networked computing in the 1960s and its pervasive use in the business world over the next three decades. Fortunately, until the 1990s many companies could get by keeping information behind network firewalls.
Their means of authentication entailed requiring usernames and passwords by those who needed access. Authorization involved checking each access request against predefined access control lists (ACLs) — ACLs that didn’t necessarily consider factors that could affect current resource entitlements. The overall IAM system consisted of spreadsheets, emails and more traditional methods to keep track of user accounts, access and entitlements.
With more businesses expanding geographically and employees coming, going and changing positions, IAM quickly became more complex and those simple tools time-consuming and ineffective. Automating some of the tasks helped, but then regulatory issues entered the picture.
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was passed to provide data privacy and security provisions for safeguarding medical information. In the late 1990s and early 2000s, major corporations were busted for fraudulent account and insider trading, leading to Sarbanes-Oxley (SOX), which mandated tighter internal controls. Other regulations followed.
No longer was it enough for companies to manage information access. They had to provide proof of their methods to internal and external auditors. As if that all wasn’t enough, web applications were making access outside firewalls possible, leading to more challenges — including those involving cybercrime.
There were few vendors that offered IAM solutions at the time. Most solutions focused on automating various tasks throughout the identity lifecycle, centralizing provisioning and enforcing access controls.
That was great for freeing up internal IT resources, but didn’t do much to counter increasing cybercrime and data breach issues or deal with compliance requirements. Vendors had to start upping their game, and treating IAM as more of a business issue than simply an IT issue. That led to the development of IAM solutions that also included governance and other components to help meet the much broader business requirements for identity management.
During this time, various access control models were also emerging, including role-based access control (RBAC) and attribute-based access control (ABAC).
Each offered its own advantages and disadvantages in the scheme of IAM. Efforts were also made to develop standard policy language and open-standard identity protocols to promote interoperability between access control implementations by multiple vendors.
Like most things technology-related, IAM isn’t remaining static. The issues and challenges continue to evolve and change. Increased awareness of security governance needs, distributed systems, BYOD, the Internet of Things (IoT) and cloud-based applications are just a few of the trends driving significant growth in the current IAM market..
With that kind of growth, expect to see more innovations in authentication and authorization mechanisms. For example, the use of biometrics in authentication is increasing, ranging from iris scanning to facial recognition. Some companies are moving from two- to three-factor authentication, combining something you know, something you have, and something you are.
Technologies such as risk-based authentication (RBA) are integrating open risk scoring and machine learning into the authentication process, enabling more advanced user auditing and reporting. With more people sharing information, devices and web applications, one-time and two-factor authentication methods no longer suffice, driving the need for continuous authentication. Behavioral biometrics and behavioral profiling are among the techniques making their way into new IAM solutions.
On the authorization side, expect to see more solutions employing “context” to not only determine what can and can’t be done within an application. It may also dynamically change the features, functions and information that can be accessed based on moving a secured company network to an unknown network. Machine learning and artificial intelligence are positioned to play roles too.
Bottom line: as a business needs to evolve and technologies change, so do IAM requirements and the solutions that can meet them. Look for a future blog on some of our predictions for what’s next in IAM.