The coronavirus changed everything. From an IT perspective, one of the most immediate changes was the abrupt closure of most workplaces, which caused massive interruptions to critical business functions.
Tens of thousands of businesses across the world were faced with two daunting choices: either convert to a remote workforce, or go out of business. Almost overnight, remote workers became commonplace and videoconferencing replaced in-person meetings. In addition to the need to hastily transition to remote work, many of these workers lacked company-managed computers and simply pressed their personal devices into service. Remote and mobile devices became the primary endpoints for the corporate world. The problem was to figure out who was trying to access internal networks and then determine what they should be allowed to do.
Couple COVID-19 with the upward trend in security and privacy compliance requirements that was already established before the pandemic, and the result is a compelling need to effectively manage the lifecycle of identities and their changing access needs. Privacy compliance requirements demand increasingly stringent protection of individual privacy, which depends on effective identity management.
Protecting identity is more important than ever. In fact, the first Identity Management Day was celebrated earlier this year to underscore the importance of protecting cyberspace identities. Cornell University signed on as a champion for the celebration and published a resource to promote the cause.
The changing privacy landscape
Awareness of online threats to privacy did not start with COVID-19. One of the earliest privacy laws in the U.S. was the Privacy Act of 1974. This law restricted how federal agencies could collect, use and distribute personally identifiable information (PII), and it set the stage for future laws worldwide. Although the Privacy Act of 1974 only applied to federal agencies, it served as a model for later laws that extended its scope and coverage.
After the Privacy Act of 1974, the U.S. federal government focused its subsequent laws on specific types of organizations, as opposed to crafting general laws to protect data. The result was the introduction of several landmark laws, including:
- Gramm-Leach-Bliley Act (GLBA): Also known as the Financial Services Modernization Act of 1999, this law includes many banking and financial institution regulations and several requirements specifically focused on personal financial data privacy and security.
- Health Insurance Portability and Accountability Act (HIPAA): This law, passed in 1996, was written to modernize how personal health information (PHI) is collected, managed and exchanged between entities.
- Children’s Online Privacy Protection Act (COPPA): COPPA, passed in 1998, restricts the collection and use of personal information about children, defined as anyone who is under the age of 13.
The general privacy law approach in the U.S. is to avoid federal laws that attempt to solve privacy issues across all domains. That is why U.S. privacy laws focus on specific market or consumer segments. However, a growing number of U.S. states have passed their own general privacy and security laws. California, New York, Maryland, Hawaii and North Dakota all have their own privacy laws.
On the other hand, the European Union (EU) follows a more comprehensive approach. In 2016 the EU passed the General Data Protection Regulation (GDPR), a sweeping privacy and security law that aims to protect EU citizens’ private data, regardless of where that data may reside.
For more information, Varonis publishes a good online overview of U.S. privacy laws.
Solutions to help protect privacy
Since the body of regulations related to privacy continues to grow, it makes sense that the market for software and services to help with compliance will grow as well. The common thread that connects all privacy laws is the notion of the individual. An individual is an entity that can be uniquely discerned using a set of characteristics that set them apart from all others. This set of unique characteristics defines an identity. Protecting an individual’s privacy boils down to protecting the data related to that individual’s identity.
All privacy controls start with an identity claim, which means that a person or process claims to be a certain identity. The authentication process challenges the claimant to provide additional information to verify the identity claim. If the claimant provides the proper authentication information, the system trusts that the identity claim is valid. From that point on, access is granted to resources based on the identity’s rights and privileges. The security of an environment’s resources — and the privacy of each individual — starts with managing identities well.
Identity and access management (IAM) is a set of policies and technology components that manage identity information throughout its lifecycle. IAM solutions can include policies, procedures, hardware and software components. These components work together from the time an entity registers a new identity through access and rights management, ongoing maintenance, use, and eventual disposal. The main purpose of an IAM system is to simplify and centralize identity management and make it easy for users to identify themselves.
Today’s IAM systems can be on-premises, cloud-based or a combination of the two. Although on-premises options work well with many legacy applications, cloud or hybrid solutions provide greater integration with decentralized applications. The point is that as more organizations face difficulties managing the increasing number of remote identities, IAM solutions are rising to the challenge.
The transition to a remote workforce has resulted in many changes, both operational and philosophical, to the IT environment. Gartner identifies “identity-first security” as one of its top security and risk management trends for 2021. The idea behind identity-first security is that protecting identities becomes the new perimeter security layer.
A traditional view of security focuses on keeping bad actors out by using perimeter controls, such as firewalls, to separate good and bad network traffic. With a large number of authorized users accessing a network from the outside, strong identity management becomes central to separating bad actors from the good guys. Consequently, IAM is necessary to support a remote workforce.
What to expect from identity and access management providers
Since IAM is fast becoming a central element of a security and privacy strategy for a remote workforce, it is not unreasonable to expect the IAM market to expand. Several organizations that study different markets agree with the IAM growth prediction. Fortune Business Insights predicts a growth in the IAM market from $9.53 billion in 2018 to $24.76 billion by the end of 2026. They attribute the growth to a combination of a growing remote workforce and continued decentralization of applications.
Similarly, Gartner reports that the IAM market will grow from $12.04 billion in 2020 to $13.92 billion by the end of 2021. Part of the Gartner report notes that the fastest-growing market is the cloud access security broker (CASB). A CASB is a part of an IAM solution that provides identification, authentication and authorization for users wanting to consume cloud-based resources. A CASB can provide a one-stop shopping solution for an application that relies on multiple distributed pieces running on different parts of the cloud.
The general theme in nearly all market predictions is that decentralization will continue, and the separation of users and services will underscore the need for flexible IAM solutions.
The takeaway is that IAM products are maturing and demand is growing. If your organization is looking for a good IAM product, take some time to do a little research. The market is dynamic, and with a little work you will likely find a product that meets your specific needs. Look at these Fortune Business Insights and GlobeNewswire articles for a starter list of IAM vendors.
As we struggle to find what our “new IT normal” is, you will likely be hearing a lot more about IAM.