Next Generation Identity and Access Management (Next Gen IAM) 



Having spent the last 17 years in the identity and access management (IAM) space, I know two things are certain: Evolution is inevitable, and change is constant. Functions, maturity, risks, trends and buying patterns all continue to evolve, mature and adjust to market conditions. One major change that has been underway is the entry point into identity management for clients.   


In our discussions with clients who are in various stages of investment and maturity, we have developed a clear set of high-level blueprints to guide those conversations. These blueprints assist clients in understanding the progression or continuous evolution of their own IAM-related investments that provide greater benefit and richer value to the organization as it grows.


Today we have four main blueprints:


  1. Considering IAM Investment
  2. IAM Implemented
  3. IAM Program Formulated
  4. Next Gen IAM Initiated and IAM Program Maturing


The focus of this post is next generation IAM. 


Identity is everywhere. It has become very clear that identity is not just a thing on its own, but it also is integrated into every other corner of an organization’s environment. 


The next generation of identity and access management (next gen IAM) is being driven by the constantly changing set of challenges associated with trying to provide an effective cyber security posture for an organization. The challenges are far greater and more complex than ever before:


  • The Internet of Things (IoT) is becoming more corporate and mainstream.
  • Security leaders are forced to demonstrate metric-driven business value.
  • Breaches are happening every day and there must be a coordinated attempt to manage and mitigate them.
  • The threat landscape is constantly changing, including an increase in insider threats.


This is causing clients to ask:


  • Can identity data do more for me?
  • Can identity enable more real time and risk-based decision making in the authentication process?
  • Can identity provide the flexibility required to manage access with an unlimited amount of touch points and device types?
  • Can identity minimize the burden of administration within the other investments we have made in cyber security? 


Our research to date has shown that IAM can provide more substantial value to your organization when integrated with any and/or all of the following cyber security areas:


  • Identity and Access Management (IAM)
  • Governance, Risk and Compliance (GRC)
  • Security Information and Event Management (SIEM)
  • Data Loss Prevention (DLP)
  • Privileged User Management (PIM)
  • Data Access Governance (DAG)
  • Cloud Access Security Brokers (CASB)
  • User Behavior Analytics (UBA)
  • Service Management 
  • Network Security (NetSec)
  • Enterprise Mobility Management (EMM)
  • Endpoint Security 


In each of these areas, IAM performs (at a high level) two major functions:


  • Provides some level of flexible authentication integration.
  • Provides the context of a user and/or attributes so that more effective management and controls can be executed.


These integrations are themselves at varying levels of maturity and functionality, and the vendors' approaches to them (and to each other) also differ:


  • Full-suite vendors are taking a more internal “look to me” approach for end-to-end integration in the various cyber security segments in which their solution focuses.
  • Vendors that focus on an individual segment are looking to each other through technical alliance programs to support integration between their products, allowing an organization to make more informed decisions about possible integrations and to get a more holistic picture of its data.


With the above in mind, an industry alliance has been created to help bring all views into one common community to participate and support. The Identity Defined Security Alliance (IDSA) is working to bring a unified platform for collaboration, conversation, community involvement and interoperability between the vendors and organizations that need this level of identity in their cyber security framework to be successful. It is an independent alliance built to be solution agnostic and foster community growth.


Identity defined security (or the next generation of IAM) will allow for intelligence-based, risk-based, adaptive decision making in all aspects of cyber security. The end goal is that threats, breaches and incidents will be managed and contained more dynamically, and CISOs will be able to report on the health and well-being of the entire cyber security framework based on metrics from these integrations.
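The two IAM functions named above (flexible authentication integration, and supplying user context so that controls can act on it) and the risk-based, adaptive decision making described here can be made concrete with a small policy engine. The following is an added example written for this post, not code from Optiv or the IDSA: it assembles a hypothetical identity context from the kinds of signals an EMM, network security, UBA and SIEM integration could supply, scores the risk, and returns an allow, step-up or deny decision together with the reasons, which is also the raw material for the metrics a CISO would report on. All field names, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from collections import Counter


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # prompt for an additional authentication factor
    DENY = "deny"


@dataclass(frozen=True)
class AuthContext:
    """Identity context assembled by the IAM layer from integrated tools.

    Every field is hypothetical; each stands in for a signal that an
    EMM, network security, UBA or SIEM integration could contribute.
    """
    user: str
    privileged: bool          # PIM / directory: identity holds elevated entitlements
    device_managed: bool      # EMM / endpoint: device is enrolled and compliant
    network_trusted: bool     # NetSec: request originates from a known corporate range
    uba_anomaly: float        # UBA: 0.0 (normal behaviour) .. 1.0 (highly anomalous)
    open_siem_alerts: int     # SIEM: unresolved alerts that reference this identity
    impossible_travel: bool   # geo-velocity check between recent logins failed


# Illustrative tuning values, not an industry standard.
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 70


def risk_score(ctx: AuthContext) -> tuple[int, list[str]]:
    """Fold the integration signals into one score and keep the contributing reasons."""
    score, reasons = 0, []
    if not ctx.device_managed:
        score += 20
        reasons.append("unmanaged device")
    if not ctx.network_trusted:
        score += 15
        reasons.append("untrusted network")
    anomaly_points = round(40 * max(0.0, min(1.0, ctx.uba_anomaly)))
    if anomaly_points:
        score += anomaly_points
        reasons.append(f"uba anomaly {ctx.uba_anomaly:.2f}")
    if ctx.open_siem_alerts:
        score += min(ctx.open_siem_alerts, 3) * 10   # cap so one noisy source cannot dominate
        reasons.append(f"{ctx.open_siem_alerts} open siem alert(s)")
    if ctx.impossible_travel:
        score += 30
        reasons.append("impossible travel")
    return score, reasons


def decide(ctx: AuthContext, resource_sensitivity: str) -> tuple[Decision, list[str]]:
    """Adaptive authentication decision for one access attempt.

    resource_sensitivity is "low", "medium" or "high" (assumed labels from a DAG/GRC tier).
    """
    score, reasons = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return Decision.DENY, reasons
    # Privileged identities and high-sensitivity resources always get a second factor,
    # even when every signal looks clean; the score only raises the bar further.
    if ctx.privileged:
        return Decision.STEP_UP, reasons + ["privileged identity"]
    if resource_sensitivity == "high":
        return Decision.STEP_UP, reasons + ["high-sensitivity resource"]
    if score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons


def summarize(decisions: list[Decision]) -> dict[str, int]:
    """Count outcomes per decision type: the kind of metric these integrations make reportable."""
    counts = Counter(d.value for d in decisions)
    return {d.value: counts.get(d.value, 0) for d in Decision}


# Constructed sample contexts (no real users or events).
SAMPLES = [
    (AuthContext("alice", False, True, True, 0.10, 0, False), "low"),     # routine login
    (AuthContext("alice", False, False, False, 0.10, 0, False), "low"),   # personal laptop, coffee shop
    (AuthContext("admin-bob", True, True, True, 0.00, 0, False), "medium"),  # clean, but privileged
    (AuthContext("carol", False, True, True, 0.90, 1, True), "low"),      # anomalous, alerted, travelling
]

if __name__ == "__main__":
    outcomes = []
    for ctx, tier in SAMPLES:
        decision, why = decide(ctx, tier)
        outcomes.append(decision)
        print(f"{ctx.user:10} -> {decision.value:8} {why}")
    print(summarize(outcomes))
```

The score is deliberately additive and capped per source so that no single integration can force a decision on its own, while the privileged-identity and sensitive-resource rules sit outside the score as hard floors; both properties are worth preserving when the weights are replaced with an organization's own tuning.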


To understand if your organization is prepared for the next generation of IAM, ask yourself these questions:


  • Have I begun to treat my IAM investment programmatically, and do I have a diverse set of advocates who believe next generation IAM is achievable?
  • Have my IAM investments been measured to be successful, enough so that I can focus on the next generation of IAM?
  • Does my organization understand the overall migration towards intelligence-driven management of risk and decision making?


If you can answer yes to these questions or desire to seek a path towards the next generation of IAM, you are on your way to successfully achieving identity defined security.

Danny Pickens
Practice Director, Enterprise Incident Management | Optiv
Danny Pickens has two decades of experience in the fields of military intelligence, counterterrorism and cyber security. Throughout his career, he has spent time at the tactical, operational and strategic level of intelligence and cyber operations within the United States military and various divisions of the Department of Defense and other U.S. Government organizations, as well as private enterprise. As the practice director of Optiv’s Enterprise Incident Management professional services team, Pickens is responsible for the direction and engagements of Optiv’s incident management services, encompassing both proactive and reactive incident management operations.