Achieving maturity in the process of identity and access management takes time. There are several stages of implementation and each stage has its pain points. Survey data from the latest CyberRisk Alliance research suggests pain points shift and change, depending on how far along an organization is with its IAM deployment.
CRA’s April 2023 Cybersecurity Buyer Intelligence Report (CBIR) on IAM featured 203 Northern American security/IT leaders, executives, practitioners, administrators and compliance professionals. In their correspondence, 98% said that they have either implemented or are considering implementing an IAM strategy.
Data reveals IAM challenge areas
Those who were in the earlier stages of planning and strategy development – aka “future adopters” – most frequently cited asset visibility difficulties caused by shadow IT as a top challenge. In fact, 44% of respondents rated their shadow IT concerns as a six or seven on a seven-point severity scale. The next most commonly cited major pain points among future adopters included unaffordable IAM products (41%); strained budgets (36%); adopting a zero-trust architecture (35%); and lack of resources (35%).
Among current adopters and implementers, perspectives were different. They identified zero trust implementation as their biggest challenge (32% scored it a six or seven on the severity scale) – followed by time constraints (27%), aligning IAM to business requirements (24%), IAM complexity (24%) and lack of budgets (23%). Meanwhile, shadow IT and lack of resources placed among the bottom three concerns for current IAM adopters (out of 12 listed pain point categories).
Even after the IAM implementation is complete, organizations are often faced with a new challenge: securing buy-in from your user base, whether the users are your employers or your customers.
Security professionals have shared concerns that the sheer time it takes to ‘win users over’ and the complexity of IAM products can end up becoming ‘inversely proportional to the interest of the end-users,’ states the CBIR report.
CRA’s Identiverse conference in Las Vegas is putting a spotlight on IAM concerns. According to the report, one survey respondent said, “Who wants to spend hours in understanding a product that always requires additional expertise to handle when its objective is to provide efficiency?”
Improving the IAM process
Emerging IAM solutions designed to introduce better efficiency and user friendliness can have their own unintended consequences. For instance, Google came under scrutiny earlier this year when it was discovered that its new Authenticator app feature that syncs 2FA passwords to the cloud is not using end-to-end encryption when uploading user secrets to Google’s servers. (Google Product Manager Christiaan Brand later stated that the company does intend to add encryption in the future.)
Another example: The increased acceptance of biometrics technology – a key ingredient in certain passwordless IAM solutions – “raises important ethical questions around diversity and inclusion, access and digital exclusion, privacy and regulatory balance,” according to a recently released Identiverse trend report, which features findings compiled from presentation proposals submitted to the conference.
In addition to business survey data, the CyberRisk Alliance CBIR report provides several IAM recommendations to help security professionals overcome various IAM implementation challenges. These include developing a game plan that maps IAM policies back to business needs; keeping the user experience a top priority; implementing IAM one or two projects at a time rather than trying to solve everything all at once; making identity the perimeter based on zero-trust principles; and allying with an IAM provider.
