Modernizing identity access management with zero trust

CISOs tell VentureBeat they’re taking an increasingly pragmatic approach to modernizing identity access management (IAM) — and this starts with reducing legacy app and endpoint sprawl. The goal is a more efficient, economical, lean tech stack that’s solid enough to scale and support their enterprise-wide zero-trust frameworks. 

Identities are under siege because attackers, criminal gangs and advanced persistent threat (APT) organizations know identities are the ultimate control surface. Seventy-eight percent of enterprises say identity-based breaches have directly impacted their business operations this year. Of those companies breached, 96% now believe they could have avoided a breach if they had adopted identity-based zero-trust safeguards earlier. Forrester found that 80% of all security breaches start with privileged credential abuse.

Delinea’s survey on securing identities found that 84% of organizations experienced an identity-related breach in the last 18 months. And Gartner found that 75% of security failures are attributable to human error in managing access privileges and identities, up from 50% two years ago.  

Protecting identities is core to zero trust

Consolidating existing IAM systems into a unified cloud-based platform takes expertise in how merged legacy systems define and organize data, roles and privileged access credentials. Leading IAM providers’ professional services teams work with CISOs to preserve legacy IAM data and identify the areas of their taxonomies that make the most sense for a consolidated, enterprise-wide IAM platform. Noteworthy providers assisting organizations to modernize their IAM systems and platforms include CrowdStrike, Delinea, Ericom, ForgeRock, IBM Cloud Identity and Ivanti.

CISOs tell VentureBeat that the costs of maintaining legacy IAM systems are going up — without a corresponding rise in the value these legacy systems provide. That’s forcing IT and security teams to justify spending more on systems that deliver less real-time data on threat detection and response.

Cloud-based IAM platforms are also easier to integrate with, streamlining tech stacks further. Not surpriingly, the need for more adaptive, integrated IAMs is accelerating enterprise spending. The worldwide IAM market is forecast to increase from $15.87 billion in 2021 to $20.75 billion this year.  

The goal: Streamlining IAM to strengthen zero trust 

More IT and security teams are fighting endpoint sprawl, as legacy IAM systems require more and more patch updates on every endpoint. Add to that the siloed nature of legacy IAM systems with limited integration options and, in some cases, no APIs, and it’s easy to see why CISOs want a zero trust-based approach to IAM that can scale fast. The time and risk savings promised by legacy IAM systems aren’t keeping up with the scale, severity and speed of today’s cyberattacks.

The need to show results from consolidating tech stacks has never been greater. Under pressure to deliver more robust cyber-resilient operations at a lower cost, CISOs tell VentureBeat they are challenging their primary vendors to help them meet those dual challenges.

The pressure to deliver on both fronts — resilience and cost savings — is pushing consolidation to the top of nearly every major vendor’s sales calls with leading CISOs, VentureBeat learned. CrowdStrike, continuing to listen to enterprise customers, fast-tracked extended detection and response (XDR) to the market last year as the foundation of its consolidation strategy. Nearly all CISOs had consolidation on their roadmaps in 2022, up from 61% in 2021. 

In another survey, 96% of CISOs said they plan to consolidate their security platforms, with 63% saying extended detection and response (XDR) is their top solution choice. As they confront overlapping and often conflicting identity, role and persona definitions for the same person, as well as zombie credentials and unprotected gaps across cloud-based PAM systems, CISOs tell VentureBeat they see modernization as an opportunity to clean up IAM company-wide.

One of the many factors CISOs cite to VentureBeat for wanting to accelerate the consolidation of their IAM systems is how high-maintenance legacy systems are when it comes to endpoint management and maintenance.

Absolute Software’s 2021 Endpoint Risk Report found 11.7 security agents installed on average on a typical endpoint. It’s been proven that the more security controls per endpoint, the more frequently collisions and decay occur, leaving them more vulnerable. Six in 10 endpoints (59%) have at least one IAM installed, and 11% have two or more. Enterprises now have an average of 96 unique applications per device, including 13 mission-critical applications.

Where and how CISOs are modernizing IAM with zero trust 

Getting IAM right is the first step to ensuring that a zero-trust security framework has the contextual intelligence it needs to protect every identity and endpoint. To be effective, a zero trust network access (ZTNA) framework must have real-time contextual intelligence on every identity. CISOs tell VentureBeat that it’s ideal if they can get all Access Management (AM) tools integrated into their ZTNA framework early in their roadmaps. Doing so provides the authentication and contextual identity insights needed to protect every web app, SaaS application and endpoint. 

In prioritizing which steps to take in modernizing IAM for zero trust, CISOs tell VentureBeat these are the most effective: 

First, do an immediate audit of every identity and its privileged access credentials. 

Before importing any identities, audit them to see which are no longer needed. Ivanti’s chief product officer Srinivas Mukkamala says that “large organizations often fail to account for the huge ecosystem of apps, platforms and third-party services that grant access well past an employee’s termination. We call these zombie credentials, and a shockingly large number of security professionals — and even leadership-level executives — still have access to former employers’ systems and data.”

Modernizing IAM needs to start by verifying that every identity is who it says it is before providing access to any service. Attackers target legacy IAM systems because identities are the most valuable control surface any business has — and once they have it under control, they run the infrastructure.

Next, thoroughly review how new accounts are created, and audit accounts with admin privileges.

Attackers look to get control of new account creation first, especially for admin privileges, because that gives them the control surface they need to take over the entire infrastructure. Many of the longest-dwelling breaches happened because attackers were able to use admin privileges to disable entire systems’ accounts and detection workflows, so they could repel attempts to discover a breach.

“Adversaries will leverage local accounts and create new domain accounts to achieve persistence. By providing new accounts with elevated privileges, the adversary gains further capabilities and another means of operating covertly,” said Param Singh, vice president of Falcon OverWatch at CrowdStrike.

“Service account activity should be audited, restricted to only permit access to necessary resources, and should have regular password resets to limit the attack surface for adversaries looking for a means to operate beneath,” he said.

Enable multifactor authentication (MFA) early to minimize disrupting user experience.

CISOs tell VentureBeat that their goal is to get a baseline of protection on identities immediately. That starts with integrating MFA into workflows to reduce its impact on users’ productivity. The goal is to get a quick win for a zero-trust strategy and show results.

While getting adoption to ramp up fast can be challenging, CIOs driving identity-based security awareness see MFA as part of a broader authentication roadmap — one that includes passwordless authentication technologies and techniques. Leading passwordless authentication providers include Ivanti’s Zero Sign-On (ZSO), a solution that combines passwordless authentication, zero trust and a streamlined user experience on its unified endpoint management (UEM) platform. Other vendors include Microsoft Azure Active Directory (Azure AD), OneLogin Workforce Identity, Thales SafeNet Trusted Access and Windows Hello for Business.

Early on, replace legacy IAM systems that can’t monitor identities, roles and privileged access credential activity.

VentureBeat has learned from CISOs that now is the breaking point for legacy IAM systems. It’s too risky to rely on an IAM that can only track some identity activity across roles, privileged access credential use and endpoint use in real time.

Attackers are exploiting the gaps in legacy IAM systems — offering bounties on the dark web for privileged access credentials to financial services’ central accounting and finance systems, for example. Intrusions and breaches have grown more multifaceted and nuanced, making constant monitoring — a core tenet of zero trust — a must. For those reasons alone, legacy IAM systems are turning into a liability.

Get IAM right in a multicloud: Select a platform that can provide IAM and PAM across multiple hyperscalers — without requiring a new identity infrastructure.

Every hyperscaler has its own IAM and PAM system optimized for its specific platform. Don’t rely on IAM or PAM systems that haven’t proven effective in closing the gaps between multiple hyperscalers and public cloud platforms.

Instead, take advantage of the current market consolidation to find a unified cloud platform that can deliver IAM, PAM and other core elements of an effective identity management strategy. The cloud has won the PAM market and is the fastest-growing platform for IAM. The majority, 70%, of new access management, governance, administration and privileged access deployments will be on converged IAM and PAM platforms by 2025. 

Making IAM a strength in zero-trust strategies 

CISOs tell VentureBeat it’s time to start looking at IAM and ZTNA as cores of any zero-trust framework. In the past, IAM and core infrastructure security may have been managed by different groups with different leaders. Under zero trust, IAM and ZTNA must share the same roadmap, goals and leadership team. 

Legacy IAM systems are a liability to many organizations. They’re being attacked for access credentials by attackers who want to take over the creation of admin rights. Implementing IAM as a core part of zero trust can avert a costly breach that compromises every identity in a business. For ZTNA frameworks to deliver their full potential, identity data and real-time monitoring of all activities are needed.

It’s time for organizations to focus on identities as a core part of zero trust, and modernize this critical area of their infrastructure.