Identity and access management (IAM) is a major challenge for businesses today. Companies must secure and manage identities while also ensuring that employees, customers, and suppliers find the system easy to use. Adding too many layers of access controls can create friction—processes that slow down employees and make their jobs harder.
Scott Swalling from PA Consulting points out that many organizations start with short-term goals, poor identity data, and immature systems. If IAM processes are cumbersome, users may find ways to bypass them, leading to security gaps and potential breaches. Despite advancements like multifactor authentication (MFA) and biometrics, access is still a weak link in enterprise security. The move to flexible work arrangements and cloud applications has made effective IAM essential.
The statistics are alarming. Verizon’s 2024 Data Breach Investigations Report shows that stolen credentials were behind 77% of attacks on basic web applications. Google’s 2023 Threat Horizons Report found a similar trend, with 86% of breaches involving stolen credentials.
Akif Khan, a vice-president analyst at Gartner, stresses the need for an identity-first security culture. “If you don’t know who is accessing your systems, how can you ensure they’re authorized to do so?” With the rise of remote work, the old notion of a secure perimeter is outdated. Recent breaches at Ticketmaster and Santander highlight the risks of relying solely on perimeter security.
Management of privileged accounts must go hand in hand with strong identity controls and initiatives like zero trust. While zero trust requires long-term investment, it’s crucial for CIOs and CISOs to improve existing security measures now. This includes adopting policy-based and risk-adaptive access controls that can trigger MFA for high-risk actions or block them outright. A clear IAM strategy is key to these efforts.
“Start with the basics to ensure you know who’s accessing your resources,” advises Swalling. “Make sure your identity data is solid, and combine it with strong privileged access management.” Incorporating automation and machine learning can help streamline administrative tasks and reduce user frustration.
Mustafa Mustafa from Cisco notes that frustrated users are more susceptible to security risks. Cisco supports a zero-trust approach but acknowledges that few organizations have fully implemented it. Research shows that 86% of enterprises have started their zero-trust journey, but only 2% have reached maturity. The zero-trust model emphasizes continuous verification for everyone, including users and devices.
Zero trust is worth the effort, according to Mustafa, as it bolsters security while simplifying operations. However, enterprises still need to invest in MFA, identity governance, and privileged access management. This creates a dual focus for CIOs: advancing current security measures while planning for a future with zero trust.
In coming years, AI will increasingly help identify unusual user behavior that might indicate a breach. This could lead to IAM models that assess risk as much as identity—also known as adaptive authentication. Real-time risk assessments will allow organizations to grant access based on context rather than just identity.
Cunningham highlights the importance of addressing fragmented systems in the pursuit of effective IAM. Global identity wallets (GIWs) could streamline verification processes. While they’re often connected to government initiatives, they can also be used when onboarding staff or customers and can help minimize fraud.
According to Gartner, over 500 million people are projected to use phone-based digital identity wallets by 2026. “In principle, you could have an identity wallet on your phone, similar to an authenticator app,” says Khan. Open standards and interoperability will likely drive wider adoption of GIWs, making it easier for businesses to onboard users efficiently.
While GIWs will not replace internal identity management systems, they will become an integral part of the IAM landscape. Organizations will need to verify the details stored in these wallets against their own identity frameworks. As enterprises seek solutions that enhance security and user convenience, digital wallets can play a substantial role in daily authentication processes.
Cunningham envisions broad adoption for GIWs in sectors like healthcare, government, and border control. Digital wallets can also enhance MFA and provide extra support for security teams as they transition toward zero trust. If utilized well, these wallets could bolster security and ease user experience, reducing support costs along the way.