IAM Managing Identity Remains Key To Cyber Security

The document discusses how identity management remains key to cybersecurity and how organizations need to adapt their identity and access management strategies for changing IT environments. It also discusses how social engineering such as phishing remains a major attack method and how multifactor authentication and restricting access to legitimate users are important for protection. Automation is also key to keeping up with provisioning changes.

E-guide

IAM: Managing identity remains key to cyber security

In this e-guide:

• Mitigating social engineering attacks with MFA
• How to bolster IAM strategies using automation
• Passwordless enterprise already possible, says RSA
• Digital business is connected business, says KuppingerCole
• New approach to risk management needed, says Gartner
• IAM market evolves, but at a cost
• The benefits of IAM can far outweigh the costs

IT and regulatory environments are changing rapidly, driven by the EU’s GDPR and digital transformation that is seeing accelerated adoption of cloud and IoT-based technologies, and while identity remains key to cyber security, organisations need to reassess and adapt their identity and access management (IAM) strategies accordingly.

While end user awareness remains vital, a key shift needs to be to multifactor authentication, particularly as social engineering, and phishing in particular, remains a top method for attackers getting inside corporate IT environments, underlining the fact that the ability to restrict access to legitimate users based on passwordless digital identities is essential to protecting systems and data, and therefore to the associated regulatory compliance.

Another key shift needs to be to automation to keep pace with provisioning, deprovisioning and real-time updates to identity information in applications on-premise and in the cloud. In the digital era, businesses also need to build the capability to orchestrate data, identities and artificial intelligence to enable new applications and services, while keeping a firm hand on third-parties. These shifts inevitably come with a cost, but in light of the fact that IAM can boost data security and governance, it can be well worth the investment.

Warwick Ashford, security editor

Mitigating social engineering attacks with MFA

Peter Allison, guest contributor

Social engineering attacks are one of the most prevalent forms of attack against organisations. They can target any organisation, regardless of size or type.

In fact, many of us will have experience of them, such as automated calls claiming to be from your internet service provider or emails offering “unbelievable” discounts, for example. They can vary in sophistication, with some easy to spot, while others are highly convincing.

Europol’s Internet organised crime threat assessment (IOCTA) 2018 highlights the growing prevalence of social engineering attacks, stating that “criminals use social engineering to achieve a range of goals: to obtain personal data, hijack accounts, steal identities, initiate illegitimate payments, or convince the victim to proceed with any other activity against their self-interest, such as transferring money or sharing personal data”.

Phishing attacks can have a hugely damaging effect on businesses and individuals, according to the Home Office.

“That is why we have invested more than £200m since 2010 in the law enforcement response and are funding local specialist cybercrime units to ensure that cyber criminals are brought to justice,” a spokesperson tells Computer Weekly.

Social engineering attacks can be broadly broken down into three distinct types, with the first being the most frequent:

• Phishing – Email or social media based social engineering attacks.
• Vishing – Voice-based social engineering, frequently over the phone but can also be in person or VoIP (i.e. Skype).
• Smishing – Mobile phone-based text messaging (SMS) social engineering attacks.

Whaling and spear phishing

Targeted phishing attacks against senior management (whaling) and specific people/organisations (spear phishing) have also recently become a popular form of social engineering attack for criminals.

Spear phishing may act as a precursor to a much more damaging attack. For example, a spear phishing attack could be used with the intent of acquiring access to a network, with a subsequent data breach taking place once access rights have been acquired.

One of the reasons that phishing is so frequently used is that it does not rely on vulnerabilities in an organisation’s security infrastructure in order to be effective, but on the natural goodwill of people. It is for this reason that it can be so effective, as people are naturally inclined to be helpful and efficient – the same qualities that make employees good at their jobs.

Therefore, no matter the technological solutions in place (such as limiting access rights, identifying external senders or preventing users from installing software), phishing attacks can still be successful if employees are insufficiently trained to detect them. It is therefore crucial to educate employees, especially those in public facing roles, in how to detect social engineering attacks and report them.

Educating employees in this matter can provide a valuable contribution to an organisation’s network defences. This education should be non-judgemental and explain the common indicators of a phishing message that employees should be on the lookout for.

Simulated phishing scenarios are an effective tool for educating employees in how to detect social engineering attacks, by providing real-world examples of what can be expected without any genuine threat to the organisation. However, care should be taken.

While such simulations can help provide an understanding of susceptibility to specific phishing messages, they could also impact upon productivity through uncertainty of genuine emails, as well as employees feeling as if they have been tricked by their organisation.

Another option is to request that all employees complete an e-learning course, which will allow them to practise spotting phishing emails. Such courses typically conclude with a test in order to verify that the required competence has been achieved.

Providing a tool for employees to report phishing incidents, even just an email address for forwarding suspected phishing emails, can also help organisations. Not only does this allow trained professionals to review suspected phishing emails, but it can also alert security teams if the organisation is being targeted as part of a spear phishing campaign.

One technological solution that has proven successful against social engineering attacks, especially when the goal has been acquiring access details, is the implementation of two-factor authentication.

Two-factor authentication (2FA), and multifactor authentication (MFA), are access management systems that require two – or more – pieces of evidence, whether it be knowledge (such as passwords), possession (a physical token for example) or inherence (eg fingerprints) in order for access to be granted.

The reason that 2FA/MFA is so successful is that should one of its verification stages (such as a password) become compromised, a hacker will still be unable to gain access to the organisation’s network without the other pieces of authentication.

Although broadly similar, 2FA/MFA methodologies can be subdivided into the following categories:

• Email – a unique one-time password is sent to the user’s email address.
• SMS – a unique one-time password (OTP) is sent by text to the user’s mobile phone.
• Application – a unique one-time passcode is sent to an app on the user’s smart phone.
• Device – a unique one-time passcode is displayed on a separate physical device.
• Token – a physical token that can be inserted into a USB port.
• Biometrics – reading aspects of the user’s body to check they are who they claim to be.

Version of authentication

Commonly, for the authentication system to be robust, each stage of the 2FA/MFA process relies on a different channel being used.

“There are lots of different versions of authentication, but they broadly boil down to being unique every time you log on, and that is why they are so good,” says Colin Tankard, managing director of security firm Digital Pathways.

Email, SMS, device and application based 2FA/MFA systems all work on the same principle of sending the user a one-time passcode when they are attempting to log in. This passcode has a brief window in which it can be entered, otherwise it becomes invalid.

This is commonly 30-60 seconds for email, app, or device methods, but SMS commonly has a longer window of two minutes, to allow extra time for the SMS message to be received.

Some SMS-based authentication systems offer the opportunity to send multiple one-off passcodes. This allows users to have a stock of pre-generated passcodes in advance, which can be helpful in areas where there is limited coverage by mobile providers.

However, this also carries the risk that someone might be able to obtain the phone and acquire the passcodes. The lifespan of these passcodes sent in advance can vary from weeks to months or even years, and their duration is dependent upon the risk attached.

SMS is potentially the weakest method, due to the extended duration in which the code remains valid and the potential for the message being intercepted. That said, this is such a comparatively low risk that it remains a robust method of 2FA/MFA.

Application-based methods

The application-based 2FA/MFA method is comparatively recent, as well as becoming the most common, with apps like Google Authenticator and Sophos Authenticator being easily available for organisations to use.

Furthermore, this does not require the additional expense of purchasing more devices, as would be required with token and device-based 2FA methods.

“The primary issue with these is that you do need a backup method of getting in. If your phone breaks or gets lost, your account will most likely be inaccessible,” says Chris Johnson, a solutions architect.

“Many sites get around this by providing a set of rescue codes that you can print out or save somewhere in case of phone loss.”

Device-based 2FA/MFA relies on the user having a small device with them (typically credit-card sized). It may also require them to enter a PIN code in order to activate the device to receive the passcode, adding a further layer of security to the process.

One downside to this method is that the batteries can run out or the device be lost, which will necessitate a new device being sent, with the user unable to access the organisation’s network during that time.

Physical tokens

Physical tokens, such as USB keys, carry within them a second passcode. Care has to be taken with these, as there have been instances where users have kept their token in the same bag as the laptop it is designed to unlock. Users should be encouraged to carry tokens on their key rings or security lanyards; a habit that can be encouraged by adding a keyring to the token.

“I’ve used various forms; the most common was RSA Security’s one-time tokens which we've used to protect sensitive environments, as these just work and last for years,” says Johnson. “The downside is that they aren't the cheapest when you ramp up the user count.”

Token and device-based systems also have the advantage of ensuring employees cannot log in after they leave an organisation, because at the exit interview, they are typically required to return all equipment belonging to the organisation.

Biometrics has become the holy grail of 2FA/MFA because it is an authentication method that is inherently unique to the user and cannot be easily taken from them. Biometric authorisation can be performed using fingerprints, voice-print or retina-scanning, but each carries significant challenges.

Fingerprint scanning is the most commonplace, as many smart phones and laptops carry fingerprint scanners, but they are also the most unreliable and inaccurate. Rather than requiring a specific match, fingerprint scanners allow for some accuracy deviation – to compensate for dirty fingerprint readers – and thereby potential false-positives.

“It is like saying you got your password a little bit wrong, but I am going to let you in, which you do not have if you are using the token readers,” says Tankard.

Storage security

There have also been several instances of fingerprints being spoofed, and there is the additional concern of where the fingerprint is stored and how secure this storage is. This point was illustrated by the recent discovery by security researchers of a publicly accessible database of biometric information, including unencrypted fingerprint records.

Retina scanning remains the most reliable method of 2FA/MFA. However, as a vast number of people remain phobic about eye scans, and the equipment is still expensive, it remains impractical for mass-market adoption.

Voice recognition, frequently used in telephone banking (many will have had to repeat “my voice is my passport”), bridges the age gap and does not require the additional devices that apps or device-based 2FA/MFA can require.

Voice-based 2FA/MFA systems can also be combined with speech recognition systems to provide an additional layer of security, with users having to state an additional passcode. However, the sensitivity of the system is such that it may not recognise the user where there is a poor connection.

Before implementing any biometric system, it is important to ensure that any current or future employees with disabilities will not be affected adversely.

With the exception of biometrics – and especially retina scanning – the price of 2FA/MFA technology has dropped in recent years, making it a readily affordable solution for many organisations.

No unified standard

However, this recent rapid emergence of 2FA/MFA systems has meant there is no unified standard amongst security providers. For example, Google Authenticator will not work with Sophos Authenticator. That said, some platforms allow for a range of 2FA methodologies under the same system, which some industry commentators see as being key to making passwordless access to systems ubiquitous.

Organisations must carefully choose which 2FA/MFA solution to use, as each platform has its own limitations. “I do not think we will ever get to a point where there will just be one unified approach for multifactor authentication, and that is going to be the problem,” says Tankard.

Nonetheless, 2FA/MFA remains a valid solution for mitigating the effects of social engineering attacks, especially spear phishing and whale phishing attacks where the intent is to acquire access information to an organisation’s network. With a 2FA/MFA system in place, even if a name and password are acquired by a hacker, access will not be permitted unless the corresponding passcode(s) are also entered.

“We moved from manual to third-party software for driving licence and vehicle checks to meet our obligations for our grey fleet [use of an employee's private vehicle for business use] and company car drivers,” says Darren Pulsford, a finance analyst.

“To meet IT protocols, we asked them to add 2FA,” he says. “Implementation was easy enough, and by and large we have had no difficulties. The company has since moved to 2FA for remote logging on, so all our mobile or travelling users are accustomed to it.”

Given that social engineering is a key element to the majority of data breaches hitting the headlines, organisations should investigate what multifactor authentication methods would be best suited to their need to shut down a vulnerability that is routinely exploited by attackers.


How to bolster IAM strategies using automation

Nicholas Fearn, guest contributor

Identity and access management (IAM) processes, policies and technologies play an important role in the security operations of modern organisations, allowing them to manage electronic and digital identities effectively.

As technology continues to dominate the way businesses operate, and data privacy becomes a crucial part of the corporate agenda, IAM systems are gaining importance because they enable IT managers to control the information that users can access and the actions they can perform.

User actions, such as viewing or editing a file, are typically governed by the person’s role or level of responsibility within an organisation. Common IAM systems include single sign-on (SSO), multifactor authentication (MFA) and privileged access management (PAM), which not only ensure that the most relevant data is shared, but also that user data is stored securely.

While IAM systems are far from new, they are quickly evolving to help organisations meet the demands of the interconnected economy and mitigate emerging security threats. Automation capabilities, in particular, are making it easier for IT teams to create and manage identities and avoid human error.

Eradicating manual tasks

In the past, IAM processes and technologies have been largely manual and relied on input from humans. But automation promises to speed things up and help organisations protect vital data in real time.

James Litton, CEO of IAM specialist Identity Automation, says: “Provisioning, deprovisioning and real-time updates to identity information occur in on-premise and cloud applications as changes are detected in the various authoritative source systems used by an organisation. This eliminates repetitive physical tasks for IT staff, while creating valuable bandwidth for more strategic initiatives.”

Litton argues that automation is also important for protecting critical data assets. “An example of this is when an employee leaves an organisation or a technology supplier relationship ends,” he says. “Automation can ensure that their accounts do not remain in an active state, thus eliminating a potential avenue through which bad actors can access data. When implemented properly, automated IAM solutions can also identify orphan accounts automatically and alert system owners.”
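
The leaver and orphan-account checks described above come down to reconciling each application's accounts against the authoritative source. The following is an added example, not part of the original e-guide and not any vendor's product: the record layouts, field names, action labels and sample rows are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Identity:                 # one row from the authoritative source (e.g. HR)
    person_id: str
    status: str                 # "active" or "terminated"
    end_date: Optional[date] = None   # contract or supplier end date, if any


@dataclass(frozen=True)
class Account:                  # one row exported from an application
    system: str
    username: str
    owner_id: Optional[str]
    enabled: bool


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    kind: str                   # "orphan" or "leaver_active"
    action: str                 # "alert_system_owner" or "disable"


def has_left(identity: Identity, today: date) -> bool:
    """True once the person or supplier no longer has a relationship."""
    if identity.status.lower() == "terminated":
        return True
    # The end date itself is treated as the last day with access, which also
    # catches records whose status was never updated after the contract ran out.
    return identity.end_date is not None and identity.end_date < today


def reconcile(identities: List[Identity], accounts: List[Account],
              today: date) -> List[Finding]:
    by_id = {i.person_id.upper(): i for i in identities}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue            # already deprovisioned, nothing to do
        owner = by_id.get(acct.owner_id.upper()) if acct.owner_id else None
        if owner is None:
            # No traceable owner: a person has to decide, so alert, don't disable.
            findings.append(Finding(acct.system, acct.username,
                                    "orphan", "alert_system_owner"))
        elif has_left(owner, today):
            findings.append(Finding(acct.system, acct.username,
                                    "leaver_active", "disable"))
    return sorted(findings, key=lambda f: (f.system, f.username))


# Constructed sample data.
TODAY = date(2019, 4, 1)
HR = [
    Identity("E100", "active"),
    Identity("E101", "terminated", date(2019, 3, 1)),
    Identity("C200", "active", date(2019, 6, 30)),   # supplier, contract running
    Identity("C201", "active", date(2019, 1, 31)),   # supplier, contract ended
]
ACCOUNTS = [
    Account("crm", "asmith", "E100", True),
    Account("crm", "bjones", "e101", True),          # owner id in different case
    Account("vpn", "bjones", "E101", False),
    Account("fileshare", "svc-legacy", None, True),
    Account("crm", "tmp-import", "E999", True),      # owner unknown to HR
    Account("vpn", "acme-contractor", "C200", True),
    Account("vpn", "acme-old", "C201", True),
]

if __name__ == "__main__":
    for f in reconcile(HR, ACCOUNTS, TODAY):
        print(f"{f.system}/{f.username}: {f.kind} -> {f.action}")
```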


Identity management systems comprise users, applications and policies, all of which govern how people are able to use software. Litton says automated IAM systems can fully automate identity creation at scale; automatically manage user access; apply role- and attribute-driven policies; and completely remove the need for passwords, helping to improve the user experience, while decreasing the helpdesk support burden.

“Once an IAM solution has been deployed, the enforcement and management of users and their access to data assets can be automated,” he says. “And if the application of an organisation’s policies is automated, you stand a much better chance of mitigating risk from the negative consequences that result from poor policy management practices, while increasing operational efficiency and improving the user experience.”

Identity Automation has helped a number of organisations to modernise their IAM strategies, including Saint Luke’s Health System in Kansas City, US. IT manager Michael Marker says its clinicians are saving time each day. “For example, we have had physicians say they are able to see two to three more patients a day with the additional time it saves,” he tells Computer Weekly.

The firm has also been working with Charlotte County School District to implement automated identity management. Executive director Christopher Bress says: “We did an analysis of our procedures and concluded that they were ripe for automation. By having people do this work manually, we were basically building unnecessary delays into the process.

“Also, as the number of people using resources continues to go up, we were finding ourselves spending an inordinate amount of time at the beginning of the year creating and provisioning accounts.”

Matt Lock, technical director at security firm Varonis, believes automation has become a critical tool in a security team’s arsenal and agrees that it is particularly useful for managing IAM datasets.

“Organisations are great at generating huge amounts of information, but often do a terrible job of keeping track of it and making sure it’s secure,” he says. “On average, about one in five folders, some of them containing sensitive data, are open to every employee. When you are dealing with thousands of folders and millions of files, automation is the only realistic alternative.

“The size and complexity of today’s networks make watching and securing your most valuable digital assets far more than a full-time job. It is incredibly time-consuming and it must be done right or you will remove access for those who need it. And maintaining least privilege requires constant upkeep.

“Automation can take on the issue of overexposed access in days instead of months or years, and removes the grunt work that skilled IT and security pros shouldn’t be spending time on.”

A changing threat landscape

With technology evolving quickly and new threats always emerging, IT teams must stay one step ahead by developing and implementing robust security approaches. Phillimon Zongo, co-founder and director at learning provider Cyber Resilience, says rapid cloud adoption, tightening regulations and soaring cyber threats are all putting pressure on traditional identity and access management processes.

“Managing IAM manually is now untenable,” he says. “It raises both costs and business risk. When done correctly, IAM automation can materially enhance compliance, lower costs, reduce cyber risk exposure, and free up humans to work on value-creating initiatives.”

However, organisations need to consider what tools are needed to develop a sophisticated automation-driven identity and access management system. According to Zongo, IAM automation use cases are as varied as the organisations putting them to use. “Through federation and cloud-based single sign-on solutions, organisations are centralising IAM across several on-premise and cloud-based applications, eliminating dozens of unique passwords, boosting user experience, reducing cyber risk and streamlining access provisioning process,” he says.

Many organisations are relying on traditional spreadsheet-based user access reviews with automated workflows, says Zongo. “Businesses are aggregating access rights from multiple heterogeneous applications, presenting simplified dashboards for management review, automating escalations and enhancing IAM governance through comprehensive reporting.”

Facial recognition technology – perhaps more controversial – has also emerged as a popular IAM method in recent times. “Airports are verifying travellers’ identities on arrival, before issuing unique biometric tokens that travellers can use throughout the entire verification process,” says Zongo. “This removes the need for passport and boarding pass checks. Notwithstanding the privacy concerns, automating passenger verification processes can significantly uplift travel experience while lowering security risks.”

But Kushal Puri, cyber security innovation lead at London-based innovation
centre and co-working space Plexal, says there are no specific requirements or
tools to aid the introduction of automated IAM. “This is very much dependent on
the complexity and the needs of the company,” he says.

However, organisations and technologists can make use of various solutions
aimed specifically at automating aspects of an IAM framework, says Puri.
“These include single sign-on, password management and helpdesk ticket
automation,” he says. “From a security perspective, the ideal situation would be
to use a single tool that automates as much of the IAM framework as possible.
This is something we would like to see developed in future years.”

Puri says the first steps in the automation of IAM are automating processes
such as password management, identity lifecycle management and finding
orphan accounts, because doing these things will lead to significant benefits.
“Not only this, but if implemented well, automating certain aspects of helpdesk
ticket routing and app access management will also lead to huge cost and time
savings for IT staff,” he points out.

However, Puri admits that the best way of introducing automation into a
company will vary based on individual circumstances. “Typically, a company
should take a phased approach by automating low-risk processes first, such as
password management, before progressing gradually to processes that interact
with multiple systems, such as app access management,” he says.
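
One way to automate two of the steps named above, aggregating access rights from several applications for review and finding orphan accounts, shown as an added example that is not from the article or from any supplier quoted in it. The application names, column names, the 90-day stale threshold and every record are constructed assumptions.

```python
"""Aggregate access rights from several applications and flag accounts for review.

Every application name, column name and record here is constructed sample
data (an assumption for illustration), not taken from any product.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed HR export: the source of truth for who should hold access.
HR_CSV = """employee_id,email,status,manager,leave_date
1001,asha@example.org,active,mgr1@example.org,
1002,ben@example.org,active,mgr1@example.org,
1003,carla@example.org,terminated,mgr2@example.org,2019-06-30
"""

# Constructed account exports; each application uses its own column names.
APP_EXPORTS = {
    "crm": ("login,role,last_login\n"
            "asha@example.org,sales_user,2019-09-01\n"
            "carla@example.org,sales_admin,2019-06-28\n"
            "svc-report@example.org,api_reader,2019-09-02\n"),
    "payroll": ("user_email,entitlement,last_seen\n"
                "BEN@example.org,payroll_approver,2019-08-30\n"
                "asha@example.org,payroll_viewer,2019-01-15\n"),
}

# Maps each application's columns onto one common schema.
FIELD_MAP = {
    "crm": {"account": "login", "right": "role", "last_used": "last_login"},
    "payroll": {"account": "user_email", "right": "entitlement",
                "last_used": "last_seen"},
}

STALE_AFTER_DAYS = 90  # assumed review threshold


def load_hr(text):
    """Index HR records by lower-cased email address."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["email"].strip().lower(): row for row in reader}


def load_accounts(exports, field_map):
    """Normalise every application's export into common account records."""
    records = []
    for app, text in exports.items():
        cols = field_map[app]
        for row in csv.DictReader(io.StringIO(text)):
            records.append({
                "app": app,
                # Case differs between systems, so compare lower-cased.
                "account": row[cols["account"]].strip().lower(),
                "right": row[cols["right"]].strip(),
                "last_used": date.fromisoformat(row[cols["last_used"]].strip()),
            })
    return records


def review(hr, accounts, today):
    """Return (sorted findings, per-manager lists of access to certify)."""
    findings = []
    by_manager = defaultdict(list)
    for acct in accounts:
        entry = (acct["app"], acct["account"], acct["right"])
        owner = hr.get(acct["account"])
        if owner is None:
            # No matching person in HR: nobody is accountable for this account.
            findings.append(("ORPHAN",) + entry)
            continue
        if owner["status"] != "active":
            # The person has left but the account survived de-provisioning.
            findings.append(("LEAVER_NOT_DEPROVISIONED",) + entry)
            continue
        if (today - acct["last_used"]).days > STALE_AFTER_DAYS:
            findings.append(("STALE",) + entry)
        # Active owners' access goes to their manager for certification.
        by_manager[owner["manager"]].append(
            (acct["account"], acct["app"], acct["right"]))
    return sorted(findings), dict(by_manager)


if __name__ == "__main__":
    hr = load_hr(HR_CSV)
    accounts = load_accounts(APP_EXPORTS, FIELD_MAP)
    findings, reviews = review(hr, accounts, today=date(2019, 9, 10))
    for finding in findings:
        print(*finding, sep="\t")
    for manager, items in reviews.items():
        print(manager, "must certify", len(items), "access rights")
```

Orphan and leaver findings are the ones to route to de-provisioning first; the per-manager lists are the input an automated review workflow would send out in place of a spreadsheet.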

The benefits of automated IAM

When it comes to implementing any new technology, return on investment is a
major consideration for organisations. “By eliminating human error, especially
de-provisioning processes, the effectiveness of the IAM system from a security
perspective will be greatly increased,” says Puri.

Business output levels can also be significantly boosted, he adds. “For example,
manual provisioning of a new user can take up to 30 minutes, while an
automated provisioning process can be executed in under five minutes,
including ‘human in the loop’ checks. Similar to output levels, by drastically
reducing the amount of time needed to gain access to apps, reset passwords,
and even logging into various apps on a daily basis, employee productivity can
also be improved by a huge margin.”

There are also financial benefits, says Puri. “IT staff costs can be lowered by
reducing the need for IT staff intervention on IAM-related helpdesks,” he says.
“Currently, each password reset request costs an estimated £20-30 in IT time.
With automated IAM, this will no longer be the case.”

Neil Thacker, CISO of US security software company Netskope, says
automation not only improves access management, but has also become
essential to manage access in the cloud era. “The Netskope August 2019 Cloud
Report identified that businesses now use, on average, 1,295 different cloud
services – a mix of sanctioned and unsanctioned apps,” he tells Computer
Weekly.

“IAM teams struggle to stay on top of a few dozen apps. The old model simply
doesn’t work. Automation is the only way to maintain and align with security
policies without impacting productivity and innovation within a business.”

Thacker believes that as well as making full use of automation, identity and
access management must be built on a zero-trust approach. “User, device,
application, activity and location are all means of authenticating identity, so we
should no longer be completely dependent on two-factor authentication (2FA) or
basic policies relating to allowing access to services based on an IP address,”
he says.

Chris Pope, vice-president of innovation at digital workflows platform
ServiceNow, also claims there are countless benefits in managing access this
way. “Time to provision and deprovision access, consistency of provisioning,
central source of truth and management of a single identity are all benefits that
provide security with the added benefits of knowing who has access to what and
when and, more importantly, why,” he says.

“Features include time-based access lists and anomaly detection for outliers of
access. In addition, audits and controls can be managed easily and the revoking
of over-entitled users is as simple as a click of a button, shutting off access as
required to prevent data loss or loss of sensitive information.”

IAM procedures and technologies already play an important role in modern
security strategies, but as new threats emerge, it will become even harder for
organisations to manage the identities of all stakeholders.

Automation removes manual processes that could be stifling the effectiveness
of IAM strategies, but also allows security teams to handle growing datasets
and respond to more sophisticated security threats as they emerge.

Passwordless enterprise already possible, says RSA

Warwick Ashford, security editor

The security industry has long recognised the need to move away from
password-based authentication and is finally on the brink of achieving that, says
Jim Ducharme, vice-president of identity at RSA.

“We are on the cusp of some things that can really change the game and make
passwordless security ubiquitous,” Ducharme told Computer Weekly, adding
that it is already a reality for some organisations.

Enterprise users and security professionals alike are frustrated by the
inefficiency and lax security of passwords for user authentication, a recent
survey by IDG and MobileIron showed, with 90% of security professionals
reporting that they had seen unauthorised access attempts because of stolen
credentials, 86% saying they would get rid of password use as an authentication
method if they could, and 62% reporting extreme user irritation with password
lockouts.

“Most ‘passwordless’ options in the market today do not truly eliminate
passwords because, ultimately, they rely on a password for enrolment, account
resets or replacing lost credentials, with consumer market options such as the
Apple iPhone’s Touch ID and Face ID systems still requiring users to enter
passwords or passcodes from time to time,” said Ducharme.

“These and other so-called ‘passwordless’ authentication methods are simply
proxies for a password that lives underneath it. The iPhone has done a good job
of integrating a passwordless experience to unlocking your device, but there is
still a password underneath.

“So although Touch ID and Face ID have reduced the number of times that a
password is needed, they have not really eliminated it or improved security
because if I know your AppleID and password, I could establish a passwordless
biometric authenticator to unlock a device and pretend to be you.”

According to Ducharme, the way to test if an offering is truly “passwordless” is
to examine how it handles enrolment and account reset or credential recovery,
which RSA has invested in addressing.

“Most security suppliers are typically still lacking the credential enrolment and
credential recovery piece of it,” he said. “So while many suppliers have support
for passwordless authentication methods and even have them integrated into
the back end, they are still rooted in an Active Directory password.”

The key to enabling a passwordless enterprise is to solve these two challenges
and give organisations the ability to cope with a wide variety of authenticators,
including biometrics, hardware tokens and even mobile devices, said
Ducharme.

To meet these challenges, RSA access management products use SAML
(security assertion markup language) and other means to integrate a broad
spectrum of passwordless authenticators into applications on the back end, and
enable passwordless enrolment and credential recovery either by using existing
RSA SecurID or third-party hardware tokens that comply with Fido standards
or single-use QR codes that customer organisations can send to new
employees.

RSA is also working on a third option, which is based on the belief that there is
a lot of potential for enabling friends and family to vouch for each other in
building trust relationships, said Ducharme. “When you want to enrol in
something, you should be able to establish cryptographic connections to other
people who are trusted to establish a new trusted relationship,” he added. “So if
you lose your credentials, your recovery mechanism is your cryptographic
connection to your circle of friends, colleagues and family.”

Despite RSA’s successes in this area, Ducharme said that for the passwordless
enterprise to be an option for all organisations, standards such as the Fido
authentication standard and the OAuth standard need to be widely
implemented.

“For passwordless authentication to be ubiquitous, standards like Fido and
OAuth need to bridge that last mile to integrate with applications,” he said. This
would enable more suppliers in the security industry to deal with the credential
enrolment and credential recovery challenges.

But, for the first time, a ubiquitous and truly passwordless future is within reach,
said Ducharme. “Fido holds great promise and is gradually being supported by
more browsers, Microsoft’s Windows Hello biometric authentication technology
will soon start to be rolled out in enterprises as the latest versions of Windows
are deployed, and with each hardware refresh cycle, enterprises are increasing
the number of laptops with integrated fingerprint scanners and webcams,” he
said.

Looking to the future, Ducharme believes the security industry needs to be
guided by the approach and successes of the anti-fraud industry to shift the
focus from the front end to the back end and move beyond conditional access
technologies.

“Right now, the biggest area of VC [venture capital] investment in IT security is
in all new types of authentications,” he said. “The industry’s propensity is to look
at new things that the user has to do to prove that they are who they say they
are.

“But if you look at the anti-fraud market, the propensity is for new types of data
to look at during that transaction to understand if an activity is anomalous.

“Anti-fraud looks to evolve the controls on the back end of the transaction, but in
the workplace, we are constantly looking for new ways to put controls on the
front end of the transaction.”

Although there are some advancements in the market with the introduction of,
for example, conditional access based on device ID and location, Ducharme
said that does not get rid of the password and typically leads to another policy
management problem.

“Attackers can find holes in your policies and it is too easy to spoof a lot of the
conditional-based access, so while it is better than just a password on its own –
and I am not saying don’t do that – it is not sufficient to go truly passwordless,”
he said.

By focusing on back-end security controls and processes, said Ducharme,
banking institutions have been able to protect the bank accounts of customers
that are otherwise protected only by a debit card and a four-digit PIN, which is
much easier to remember than a complex, frequently-changing password.

“The IT security industry should tackle the problem in the same way by
implementing security controls and adding intelligence on the back end to detect
when there is strange behaviour, which is where artificial intelligence [AI] and
machine learning risk-based authentication technologies really come into play,
much like the anti-fraud industry has been doing for years,” he said, adding that
AI and machine learning can detect a lot of the same things as conditional
access, but they are not static, are not reliant on policy, and can identify
patterns that security teams are unaware they should be looking for.

“There are all sorts of methods that we are looking at that are largely
workflow-based and process-based that remove the need for a password
altogether, including back-end processes to support enrolment and credential
recovery using backup credentials that are not password- or knowledge-based,”
said Ducharme.

“Achieving a passwordless enterprise will make it much easier to manage a
dynamic workforce because organisations will be able to provide different
credentials for different user populations that are best suited to the way they
work and their security requirements.”

Digital business is connected business, says KuppingerCole

Warwick Ashford, security editor

Digital business is connected business, according to Martin Kuppinger, principal
analyst at KuppingerCole.

“Businesses need to build the capability to orchestrate data, identities, artificial
intelligence (AI) and services to enable new applications and services for digital
business,” he told the European Identity & Cloud Conference 2019 in Munich.

“Aim to connect to identities – not manage them yourself, orchestrate services
and don’t invent what already exists, segregate data from applications so that it
can be used and is not locked, and use AI as a service to augment your use of
data to create new services to drive digital business,” he said.

These were Kuppinger’s top recommendations in his opening keynote
presentation on navigating identity and access management (IAM) in the digital
age, where consumers, business, data and AI are all connected.

From the consumer perspective, he said, it is important to understand that
consumers want to have a few reusable identities over which they have control,
that work for every device, that are secure and do not have cumbersome “know
your customer” processes attached.

From a business perspective, Kuppinger said two big trends were towards
sharing data and AI.

“This is a fundamental change because it is about a totally different supply
chain,” he said. “Data and IT services are increasingly becoming part of the
supply chain, where businesses are consuming services based on data, which
is changing the way we are dealing with data.

“As a result, we need to be thinking more about sharing data and shared APIs
[application programming interfaces] because data is the fuel of what is
happening in the transformation of businesses.”

In the digital era, said Kuppinger, businesses need to ensure that data becomes
consumable as a service that can be monetised, shared and used for various
business purposes. “And this requires us to unlock the data,” he said, so that it
becomes accessible to services and AI-based technologies that run on data.

In light of the digital transformation of business, Kuppinger said, identity has
to change or evolve even further. In the past, identity has evolved from user
management through identity management, identity federation and consumer
identity management.

“The next step we need to do in the context of sharing data and services is to
move to public, shared, universal identity,” he said, adding that in this new
ecosystem, it was essential to segregate identities, applications and data.

“If we segregate data, we make it reusable in a variety of different business
contexts in a far more flexible manner, and what you need for that is
microservices, which deliver from an architectural perspective the required
agility and can be used in a variety of ways and orchestrated to react to
business demand.”

From an enterprise IT perspective, Kuppinger said business in the digital era is
about connecting everyone to every service. “It’s about having one consistent
identity service that helps us connect everyone (employees, partners and
customers) to all these services (cloud, federated or legacy).”

For this reason, he said, businesses need to consider rethinking their identity
and access management architectures. “We need to think about what I call an
‘identity fabric’ – something that helps us in a consistent way allows us to
connect everyone to all the services.”

Creating revenue-generating applications and services for the business, said
Kuppinger, is about bringing together the necessary data, identities and
AI. “Digital business is connected business,” he concluded.

New approach to risk management needed, says Gartner

Warwick Ashford, security editor

The majority (83%) of organisations that engage third parties to provide
business services identified third-party risks after conducting due diligence, a
Gartner study has revealed.

The survey of more than 250 legal and compliance leaders reveals that the
standard point-in-time approach to risk management is no longer effective in the
light of today’s fast-paced, rapidly changing business relationships.

With an increasing number of third parties performing “new-in-kind” and
non-core services for organisations, the Gartner report said material risks cannot
always be identified prior to the start of a business relationship.

The report’s finding is significant in light of the fact that a growing number of
cyber attacks are related to vulnerabilities in suppliers that are exploited to
target partners, highlighting the need for greater emphasis on supply chain
security.

Only 29% of business and IT executives globally know how diligently their
partners are working regarding security, with 56% relying on trust alone, a
recent survey revealed.

Modern risk management, the Gartner report said, must account for ongoing
changes in third-party relationships and mitigate risks in an “iterative way” or on
a continual basis, rather than at specified intervals.

“Legal and compliance leaders have relied on a point-in-time approach to
third-party risk management, which emphasises exhaustive upfront due diligence and
recertification for risk mitigation,” said Chris Audet, research director for
Gartner’s legal and compliance practice.

“Our research shows an iterative approach to third-party risk management is the
new imperative for meeting business demands for speed and stakeholder
demands for risk mitigation.”

According to Gartner, a number of factors have contributed to the shift in the
nature of third-party risk, including the fact that:

• Third parties provide new-in-kind technology services for 80% of
  organisations polled, including startups and business model innovators;

• Two-thirds of legal and compliance leaders find third parties are providing
  services outside of the company’s core business model;

• Third parties now have greater access to organisational data;

• There is increasing variability in the maturity of organisations’ third-party
  networks;

• Third parties are working with an increasing number of their own third
  parties.

With a point-in-time risk management approach, compliance leaders attempt to
identify potential third-party risks upfront with extensive due diligence before
contracting and again at recertification, but this fails to capture any risks that
may arise due to ongoing changes throughout the relationship.
Among survey respondents who identified risks post-due diligence, 31% of
those risks had a material impact on the business.

“Ninety-two percent of legal and compliance leaders told us that those material
risks could not have been identified through due diligence,” said Audet. “The
only way to surface those risks was through actual engagement with the third
party and through ongoing risk identification over the course of the third-party
relationship.”

The Gartner report said the survey data shows that an iterative approach to risk
management allows legal and compliance leaders to improve risk and business
outcomes in terms of speed to engage, and by remediating and identifying
third-party risks before their impacts materialise.

Organisations that applied an iterative approach experienced a doubling in
capacity to remediate risks prior to impact and 1.5 times greater ability to
identify risks prior to impact.

“An iterative approach will enable legal and compliance leaders to manage their
changing and expanding third-party networks, while also satisfying business
demands for quicker onboarding,” said Audet.

“To effectively mitigate third-party risks, compliance leaders must streamline
their current due diligence processes to focus on critical risks to eliminate
burdensome duplicative process and focus attention on the risks that have the
biggest impact on the organisation,” he said.

Nigel Ng, vice-president of international at digital risk management firm RSA
Security, said that part of the problem with gaining full visibility is the “sheer
intricacy” of today’s digital ecosystems.

“Companies are increasingly reliant on third parties to deliver core services, and
while these partners create a lot of value for businesses, they also introduce
digital risks that need to be managed and can significantly add to the complexity
of the security protocols required.

“Third parties – such as systems integrators or contractors – often need direct
access to your systems. In these instances, firms need a clear understanding of
their security protocols to determine how much trust to place in them and how
much access to grant.

“Businesses also need even stronger identity and access management [IAM]
processes to authenticate third-party users, ensure they are who they say they
are, can only access what they’re allowed to access, and that their credentials
have not been compromised.”

John Sheehy, director of strategic security services at security services and
research firm IOActive, said any organisation not protecting its own network
against basic threat actors, doing due diligence to properly patch, and holding
suppliers accountable for securing their own networks has no hope of protecting
against threat actors.

“This is where third-party testing comes in handy to trust and verify your
suppliers,” he said.

To build a supply chain security programme, Sheehy recommends that
organisations:

• Ensure they know all suppliers and take a full inventory of who they do
  business with so they can identify any weak links;

• Conduct a risk assessment of each supplier’s cyber security posture,
  including software and hardware components, to identify the risks they
  may pose;

• Use third-party testing to test internal security systems and those of
  suppliers to identify and prioritise what needs to be fixed;

• Regularly scan and patch all vulnerable systems;

• Teach employees about the importance of using strong passwords and
  not recycling them across accounts;

• Ensure staff has set up multifactor authentication everywhere possible;

• Conduct regular security awareness training to teach employees how to
  identify phishing scams, update software and become more
  security-conscious;

• Harden the security of the devices connected to your networks.

IAM market evolves, but at a cost

Jesse Scardina, guest contributor

The identity and access management market is rapidly changing.

Technological disruptions such as artificial intelligence are advancing the
capabilities of identity and access management (IAM) software, while
organizations struggle to modernize systems and manage employee identities
both in the cloud and on premises.

Attendees at Identiverse, an identity and security conference that recently took
place in Washington, D.C., were there for strategic as well as practical reasons.
They wanted to learn about what's coming to the IAM market, how to combine
identity management with the corporate security strategy, and how to deliver the
best service to employees and customers on a tight budget.

"We've been moving our identity management within our security focus," said
Jon Fondrie, senior information security analyst at TIAA, a New York-based
financial services company. "I think the industry is moving that way. Once you
start moving into this hybrid world and your network can no longer be your first
line of defense, identity becomes more of a source of security."


Maintaining ROI with IAM


Fondrie's sentiment echoed that of many conference attendees. Some were
searching for validation that what their organization was doing was correct,
while others wanted to learn how best to implement IAM while also maintaining
a good ROI.

"A lot of [these capabilities] are cool, and the more you automate and the more
you move to the cloud, the more you simplify things," said Michael Daum, tech
lead for identity and access management at State Auto, an insurance company
based in Columbus, Ohio.

Daum said that his organization is working to upgrade its IAM systems, while
also not breaking the bank.

"We're in this spot with a lot of technical debt," Daum said, adding that State
Auto is a G Suite customer and is in the cloud with AWS, but is hesitant to add
on another vendor just for identity management. "We're paying a lot of money to
a lot of different companies and we're trying to find a way to see which of those
companies can be used for identity services. No offense to Ping Identity or
Okta, but why pay them however much money if we can limit the amount of
cooks in the kitchen."

Emerging capabilities within IAM products intrigued Daum, but never bested
ROI.

"Where's the value added?" Daum said. "Everyone is talking about cloud and
password-less and zero trust. Those buzzwords sound nice, but the cost to
implement is still huge."

Zero trust is a security architecture introduced by Forrester Research that is
designed to assess threats not just from outside the network, but from within it.
It applies the principle "never trust, always verify" to anything trying to connect
to the network to ensure it remains secure.

Easing ID management for customers


New capabilities like zero trust and passwordless sign-in, which uses other
unique identifiers, including biometric or text-based verification, can be useful
for IAM, but they can also be difficult for IT admins to implement, especially if
they're trying to improve identity management for customers rather than internal
end users.

Stephanie Kesler, senior technologist at General Communication Inc. (GCI), an
Alaska-based telecom company, came away from conference sessions
feeling validated about how her company's implementation of IAM has gone,
especially with internal identification of GCI employees. She also wanted to find
ways to ease identity management for GCI customers. That's something easier
said than done, as customers have different preferences and tend to have less
patience than employees.

"One thing I've been looking at is how other people and organizations are
solving these problems," Kesler said. "It's much easier to implement some of
these things on the enterprise side first. And once you've gained that
knowledge, you can start looking at the consumer-facing side of things."

Kesler said she had been researching trends like multifactor authentication
(MFA) and zero trust, but wanted to be sure to balance those IAM features with
customer experience.

"MFA is difficult to implement for customers. We don't want to be that annoying
company that makes you do multiple things to log on," she said. "Internally, you
have a captive audience where it's easier to implement things like MFA or zero
trust. But on the customer side, it's a larger base where you don't have as much
control."

The benefits of IAM can far outweigh the costs
Kevin Beaver, guest contributor

Information security is really about IT governance, which is a multifaceted
practice involving policy creation, enforcement and ongoing risk mitigation. A
critical component of a security/governance program is identity and access
management. IAM is more than a decade old -- several decades if you look at the
basis of what it's trying to accomplish. Yet, given the benefits of IAM, it's not
quite as pervasive in the enterprise as one would expect.

One of the most important identity and access management benefits is the
ability to simplify the complicated. Enterprise identities have evolved beyond
standard user accounts. Take a holistic view of identities across the typical
organization and you'll find there are many types of identities to be managed.
Among them:

• Internal employees
• Customers
• External partners
• Contractors
• Applications and services
• IoT systems
• Mobile devices

Where IAM can fill in the gaps

Many IT and security shops are so busy with their day-to-day work they haven't
yet realized what's needed to manage these identities -- both periodically and in
real time. This is one area where IAM can help fill the gaps.

Additionally, today's security requires more adaptive identity governance
beyond traditional spot-check audits to eliminate blind spots. For example,
consider user accounts that are either added or removed at a certain point in
time. Traditional identity access audits that only take place every few months
can overlook the fact that these accounts should have been modified or
disabled, thus making their mapping inaccurate. This leads to the situation
where ongoing audits are "passed" and checkboxes are checked. In this
hypothetical case, the organization is not in compliance with its own policies or
the requirements of government or industry regulations that may apply. In fact, it
could be more at risk due to this lack of visibility in the IAM process.
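
The blind spot described above, as an added example that is not part of the original article: a spot-check audit only sees accounts that are wrongly enabled on the audit day, while a continuous reconciliation against departure dates sees every exposure window. The account names, dates and quarterly audit schedule are constructed sample data.

```python
from datetime import date

# Constructed sample data: (account, date its owner left, date it was actually disabled).
# None means the account is still enabled.
ACCOUNTS = [
    ("a.khan",  date(2019, 1, 10), date(2019, 1, 10)),  # disabled on time
    ("b.lopez", date(2019, 1, 20), date(2019, 3, 5)),   # late, fixed before the first audit
    ("svc-etl", date(2019, 2, 1),  date(2019, 4, 15)),  # still enabled on an audit day
    ("c.osei",  date(2019, 4, 10), date(2019, 6, 20)),  # late, fixed between audits
    ("d.marsh", date(2019, 5, 1),  None),               # never disabled
]
AUDIT_DAYS = [date(2019, 3, 31), date(2019, 6, 30)]     # assumed quarterly spot checks
TODAY = date(2019, 7, 15)                               # assumed reporting date

def exposure_days(departed, disabled, today=TODAY):
    """Days the account stayed enabled after its owner left."""
    end = disabled or today
    return max((end - departed).days, 0)

def seen_by_audit(departed, disabled, audit_days=AUDIT_DAYS):
    """True if the account was wrongly enabled on at least one audit day."""
    return any(departed < day and (disabled is None or day < disabled)
               for day in audit_days)

def reconcile(accounts=ACCOUNTS):
    """Continuous view: every account with a non-zero exposure window."""
    report = []
    for name, departed, disabled in accounts:
        days = exposure_days(departed, disabled)
        if days:
            report.append({"account": name, "exposed_days": days,
                           "caught_by_audit": seen_by_audit(departed, disabled)})
    return report

def missed_by_audits(accounts=ACCOUNTS):
    """Accounts that were exposed but invisible to every spot check."""
    return [r["account"] for r in reconcile(accounts) if not r["caught_by_audit"]]

if __name__ == "__main__":
    for row in reconcile():
        print(row)
    print("missed by audits:", missed_by_audits())
```

Both audits in the sample would be "passed" for b.lopez and c.osei even though each account stayed enabled for weeks after it should have been disabled.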


Another benefit of IAM is how it highlights the identity and access approval
process. Infosec professionals are familiar with the generic requests of so-and-so
new employee or contractor needing access to the network, the ERP system
and all doors within the building. This is appropriate in smaller organizations, but
for larger businesses, this request fails to illuminate a number of important
areas. Among them:

• The actual rights that are needed on the network or enterprise applications
• Whether or not the request is unusual
• Similar access levels that other employees currently have
• The most common role(s) accessing such requests

To have true IT governance, especially across various business units, all the
right people need details. It's critical to ensure that identity and access decisions
are made not only based on generic policies or workflows, but also because
they include detailed contextual information outlining specific business needs
and potential risks.
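
One way to attach the context listed above to an access request, as an added example that is not from the original article: it compares each requested entitlement with what peers in the same role already hold and marks the unusual ones. The user, role and entitlement names and the 50% threshold are assumptions, and the directory data is constructed.

```python
from collections import Counter

# Constructed sample data: current entitlements per employee, and each employee's role.
ENTITLEMENTS = {
    "alice": {"network", "erp:read", "badge:office"},
    "bob":   {"network", "erp:read", "erp:post-journal", "badge:office"},
    "carol": {"network", "erp:read", "badge:office"},
    "dave":  {"network", "erp:admin", "badge:office", "badge:datacenter"},
}
ROLES = {"alice": "accountant", "bob": "accountant",
         "carol": "accountant", "dave": "erp-admin"}

def peer_share(role, entitlement):
    """Fraction of current holders of `role` that already have `entitlement`."""
    peers = [u for u, r in ROLES.items() if r == role]
    if not peers:
        return 0.0
    return sum(entitlement in ENTITLEMENTS[u] for u in peers) / len(peers)

def usual_roles(entitlement):
    """Roles that hold `entitlement` today, most common first."""
    counts = Counter(ROLES[u] for u, ents in ENTITLEMENTS.items()
                     if entitlement in ents)
    return [role for role, _ in counts.most_common()]

def review_request(role, requested, threshold=0.5):
    """Build the context an approver needs for each requested entitlement."""
    rows = []
    for ent in sorted(requested):
        share = peer_share(role, ent)
        rows.append({"entitlement": ent,
                     "peer_share": round(share, 2),
                     "usual_roles": usual_roles(ent),
                     "unusual": share < threshold})  # assumed cut-off
    return rows

if __name__ == "__main__":
    # A generic "network, ERP and all doors" request for a new accountant.
    request = {"network", "erp:read", "erp:admin", "badge:datacenter"}
    for row in review_request("accountant", request):
        print(row)
```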

IAM might be complicated to oversee, but it's worth it

It's clear that IAM is worth the fuss. A modern IAM system is flexible and
extensible enough to adapt to how an organization works, rather than forcing
the business to adapt to IAM. IAM products have evolved and improved in
recent years; however, the essence of IAM and how it can help enterprise
security/governance programs has not changed and it can be well worth the
investment.

If an information security program is to remain healthy and effective over the
long term, everyone must work toward the same goal to reduce business risk.
The only reasonable way to implement, manage and enforce identity- and
access-related policies is to utilize an IAM system. Be it in-house or
cloud-based, the more complex the network, the greater the need.

Don't yet have an IAM system or feel it is underimplemented? Take a step back
and see how things can be improved. Consider whether your current processes
work for or against the security goals. Think about what can be improved, which
steps can be simplified and which can be eliminated altogether.

Make sure that everyone's time is used wisely -- from the business unit
manager making an initial request to the IT or security team charged with
approving and managing network addresses. The benefits of IAM will give the
enterprise the necessary visibility and control needed to oversee network
accounts as well as satisfy ongoing governance. Anything less will likely
facilitate -- if not create -- risks the business can't afford to contend with.
Getting more CW+ exclusive content

As a CW+ member, you have access to TechTarget’s entire portfolio of 140+
websites. CW+ access directs you to previously unavailable “platinum members-only
resources” that are guaranteed to save you the time and effort of having to
track such premium content down on your own, ultimately helping you to solve
your toughest IT challenges more effectively—and faster—than ever before.

Take full advantage of your membership by visiting
www.computerweekly.com/eproducts

Images; stock.adobe.com

© 2019 TechTarget. No part of this publication may be transmitted or reproduced in any form or by any means without
written permission from the publisher.