Over the last twelve months, the world of Identity & Access Management has moved with tremendous pace. From what I have witnessed, the focus is moving toward three main areas of maturity: Cloud, Client access and Control. These are what I call the ‘triple C’s’, which I’ll outline in more detail below.

I see these three areas of maturity being at the forefront of IAM plans going forward, because discussions with senior leadership and at board level show an appetite to minimise ongoing costs and add control around processes. Moving from current levels of maturity towards cloud, client access and control will bring stability for the growth of IAM over the next 2 years, allowing the security strategy to be built on it.

(1) Cloud

Why is everything moving towards the Cloud? It removes the requirement to have physical data centres, and the costly overhead of running them, by storing data within the Cloud virtual infrastructure. It also helps to build an agile, cost-effective function with scope to grow at a faster rate than a physical ‘on-premise’ infrastructure managed within a data centre.

Managing Cloud delivery, which is moving at such a pace, for the applications and services expected to be managed within the Cloud comes at a cost for the IAM function. It raises many questions: (i) what does Cloud mean for managing access? (ii) who should manage access for Cloud accounts? and (iii) how do we monitor what’s being built and removed?

To answer these questions, the fundamental approach is firstly to make sure policies and standards are updated to provide guidance on managing access within the Cloud. As the Cloud is often regarded as a common application, there is speculation that it could fit within the current documentation and structure; however, some organisational structures will require change. Then, it is important to identify an owner who is responsible for accounts, to help drive the naming convention, attestations for access and management of privileged accounts. The final piece of the jigsaw is ‘Control’, in terms of what functionality is in place to monitor the servers and track usage. IAM is always at the forefront of Auditors’ and Regulators’ visits and evidence requests to find deficiencies, so make sure you have a strong audit trail and controlled processes.
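As an added illustration of the account-level checks listed above (naming convention, a responsible owner, and attestation of privileged accounts), the following script is example code, not the author’s; the naming pattern, the 90-day attestation window and the account inventory are constructed assumptions, and each finding it emits is intended to be kept as audit-trail evidence:

```python
"""Cloud account hygiene review (added example; pattern, window and data are assumed)."""
import re
from datetime import date, timedelta

# Assumed naming convention (placeholder, not the author's): env-team-role, lower case.
NAME_PATTERN = re.compile(r"^(prod|dev|test)-[a-z0-9]+-[a-z0-9]+$")
# Assumed attestation cadence for privileged accounts.
ATTESTATION_WINDOW = timedelta(days=90)
# Fixed review date so the sample run is reproducible.
REVIEW_DATE = date(2024, 6, 1)


def check_account(acct: dict, today: date) -> list:
    """Return (account name, deficiency) tuples for one account record."""
    findings = []
    name = acct["name"]
    if not NAME_PATTERN.match(name):
        findings.append((name, "name does not follow convention"))
    if not acct.get("owner"):
        findings.append((name, "no responsible owner assigned"))
    if acct.get("privileged"):
        last = acct.get("last_attested")
        if last is None or today - last > ATTESTATION_WINDOW:
            findings.append((name, "privileged account not attested within window"))
    return findings


def review_accounts(accounts: list, today: date) -> list:
    """Run every check over the inventory; the result is the audit-trail record."""
    findings = []
    for acct in accounts:
        findings.extend(check_account(acct, today))
    return findings


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    {"name": "prod-payments-admin", "owner": "alice", "privileged": True,
     "last_attested": date(2024, 5, 1)},
    {"name": "Prod_Temp", "owner": "", "privileged": False, "last_attested": None},
    {"name": "dev-analytics-reader", "owner": "bob", "privileged": False,
     "last_attested": None},
    {"name": "prod-core-breakglass", "owner": "carol", "privileged": True,
     "last_attested": date(2024, 1, 10)},
]

if __name__ == "__main__":
    for name, finding in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{name}: {finding}")
```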

(2) Client/Customer Identity Access Management (CIAM)

The new buzzword in IAM is CIAM, the concept of managing external third-party access to ‘in house’ applications and services. How do we manage Client/Customer access and expectations? It is not an easy task, but one that is essential to mature a company’s Information and Cyber Security strategy, and it sets an expectation for your CISO, CIO and key stakeholders.

The target is to remove the time burden on the requester of access, including the numerous forms our customers must complete to gain access to applications and services. Including security tooling such as Single Sign On (SSO) and Multi Factor Authentication (MFA) will bring a stronger policy for managing access as well as adding data protection for critical client/customer data.
The target is to have the ability to build a single user profile for all applications. This will provide controlled service level agreements that help to meet client/customer expectations. It also removes elevated and unwanted access, which reduces the risk of internal and external threats using privileged access to gain entry to company applications and services.

This now leads me on to the last of my three ‘C’s’: Controls.

(3) Controls

A ‘control’ is the identified action that sits between the key documentation (Policies and Standards) and the business processes; it provides the detail explaining the minimum level required to meet expectations of ‘best practice’ within a business. Numerous controls build a control framework. The National Institute of Standards and Technology (NIST) provides a good starting point for building a control framework.

A strong ‘signed-off’ control framework will bring stability for businesses to function, as there is a baseline of expectation to build from. Once a control framework matures over a period of time, it will also help provide business cases for budget proposals, as the evidence shows the level of maturity within the function.

It takes some time to build a control framework, and it also takes a great deal of input from the identified control owners and subject matter experts for each control during the period of workshops. The key to a good delivery is participation and open discussion; be patient but determined, as the final result will mould the IAM team.

Look at the main processes within your team, as each one will be the header for a control, e.g. Privileged Access Management (PAM), User Access Governance (UAG), Joiner, Mover and Leaver (JML) and finally Logging & Monitoring. Each of these processes forms part of the market definition of the IAM lifecycle.

Finally, work with the Compliance and Risk teams to identify which risks and deficiencies have been raised, so they can be included in the framework. There are plenty of control delivery analysts in the market who can facilitate the workshops to build a framework.

So, to summarise my take on the three current IAM focal points: (1) Cloud; be prepared, as ‘IT WILL’ be part of your IAM function if it is not already being used within your company. It will save money by moving data, ‘inhouse’ applications and services out of physical data centres. (2) CIAM; drive maturity to meet client/customer expectations and deliver a strong function that includes reducing Information and Cyber Security risk. (3) Controls; provide stability and a level of guidance to meet regulatory, audit and business ‘best practice’.

Remember, IAM is an easy process to follow. Essentially, someone wants access to a service or application at a certain time for a reason. Then you just need to dedicate your own time to educational analysis, building the knowledge that provides maturity within your estate.