More Organizations Need a Mature IAM Program as a Security Strategy

Bart Allan

December 16, 2021

A widening gap exists between aspiration and achievement for organizations attempting to modernize their identity-based security strategy. Many organizations have recognized that more sophisticated identity and access management (IAM) and privileged access management (PAM) processes and policies offer more secure user access to data, applications, and systems. Yet only 16% of organizations have a fully realized and mature IAM program, according to a recent survey conducted by Pulse on behalf of Hitachi ID.

The Zero Trust maturity model describes a gradient of implementations across distinct stages, where incremental advances move an organization toward optimization and operational Zero Trust (ZT) maturity. It is a path to support organizations as they transition to Zero Trust. With this four-stage ZT maturity model, you can bridge the gap between vision and attainment. The blueprint will also help you identify your organization's stage on the journey toward operational Zero Trust alignment and understand why that stage matters to a modern identity-centric security strategy.


Stage 1 - Fragmented Identity

Your organization is just waking up to complex security demands and takes a reactive or sporadic approach to security. Fourteen percent of organizations, according to the same survey, are at this level, focused on establishing identity information quality. It is usually characterized by:

  • High reliance on the perimeter
  • Active Directory on-premises
  • No cloud integration
  • Passwords everywhere


Stage 2 - Unified IAM

IT and security decision makers realize the need to centralize security systems and adopt a consistent approach to audit and compliance. Over half of organizations are focused on establishing a central identity management concept at the Unified IAM level, which is commonly defined by:

  • Single sign-on across employees, contractors, and partners
  • Contemporary MFA
  • Cooperative policies across applications and servers
  • Vaulting and randomizing of privileged accounts


Stage 3 - Contextual Access

Your organization has reached the later stages of identity and access management adoption and is looking ahead to other security operations advancements. One in four organizations have reached this stage and are working to separate identity storage from applications and systems. The contextual access level typically includes:

  • Context-based access policies
  • Automated joiner/mover/leaver processes that deprovision those who leave
  • Group management
  • Multiple factors deployed across users
  • Secure access to APIs
  • Safeguarding services, non-human accounts, and containers


Stage 4 - Adaptive Access

Your security-first organization has already embraced Zero Trust principles and adopted most identity and access management best practices. Only 10% of organizations have attained this stage; they are concentrating on integrating identity-driven business systems. This final adaptive access level is usually marked by:

  • Risk-based access guidelines
  • Adaptive and continuous authorization and authentication
  • Frictionless access
  • Diminished emphasis on the perimeter
  • Centralized provisioning
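To make the difference between the Stage 3 and Stage 4 controls concrete, here is an added example (not code from Hitachi ID or the survey) of a small access decision function: a static, context-based rule set (Stage 3) followed by a risk score that adapts the outcome to allow, step-up, or deny (Stage 4). The resource names, group names, risk weights and thresholds are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    group: str           # group membership from the central directory
    resource: str
    device_managed: bool
    network: str         # "corp", "vpn" or "internet"
    mfa_factors: int     # distinct factors presented in this session
    country: str
    new_device: bool

# Stage 3: static, context-based policy per resource (constructed rules).
CONTEXT_POLICY = {
    "payroll-db": {"groups": {"finance"}, "managed_only": True, "min_factors": 2},
    "wiki": {"groups": {"finance", "eng"}, "managed_only": False, "min_factors": 1},
}

def contextual_decision(req: AccessRequest) -> str:
    """Allow only when every required condition in the resource's rule holds."""
    rule = CONTEXT_POLICY.get(req.resource)
    if rule is None or req.group not in rule["groups"]:
        return "deny"
    if rule["managed_only"] and not req.device_managed:
        return "deny"
    if req.mfa_factors < rule["min_factors"]:
        return "deny"
    return "allow"

# Stage 4: a risk score from session context, re-evaluated on every request.
def risk_score(req: AccessRequest) -> int:
    score = 0 if req.device_managed else 30
    score += {"corp": 0, "vpn": 10, "internet": 25}.get(req.network, 40)
    score += 20 if req.new_device else 0
    score += 25 if req.country != "US" else 0   # assumed home country
    return score

def adaptive_decision(req: AccessRequest) -> str:
    """Static policy first, then adapt: allow, require step-up MFA, or deny."""
    if contextual_decision(req) == "deny":
        return "deny"
    score = risk_score(req)
    if score >= 60:
        return "deny"
    if score >= 30 and req.mfa_factors < 2:
        return "step-up"   # grant only after an additional factor is presented
    return "allow"
```

The same request that a Stage 3 policy would simply allow can, under the Stage 4 evaluation, require a second factor or be refused once the session context looks risky.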


The Problem With Falling Short

With 65% of organizations currently at level one or two of their identity management roadmap, it is no surprise that the overall average identity and privileged access management maturity of the companies surveyed is 2.12 out of 4. This score leaves many identity programs underpowered against an evolving landscape of threats.

Less advanced IAM and PAM programs often have inconsistent user validation capabilities, fall short of regulatory compliance mandates, and sometimes omit privileged access management entirely. On the other hand, mature IAM and PAM programs built on Zero Trust principles are an excellent way to prevent attackers and ransomware from gaining control of data and infrastructure across a slew of cybersecurity challenges.

Zero Trust treats all traffic, including traffic already inside the perimeter, as hostile. This type of identity-based security policy results in stronger security that travels with the user and their tasks wherever they are — in the cloud, a hybrid environment, a container, or an on-premises network. In this way, Zero Trust reduces the attack surface and the effect — that is, the impact and severity — of a cyberattack, which in turn diminishes the time and cost of responding to and cleaning up after a data breach.


The Road Ahead

Organizations are accelerating their digital transformations, but the rising sophistication, speed, and volume of cyberattacks is a substantial concern. Almost half of organizations can adequately manage access at several levels (web, application, server, and more), but only 9% of respondents have evolved their program into a consistent access management system or a Zero Trust security strategy.

Evolving network landscapes have demonstrated that perimeter-based security architectures lack the finesse and control needed to defend against the new normal, and a methodology like Zero Trust is necessary. Determine your Zero Trust roadmap, discover how to make it happen in achievable strides, and more with our eBook: Zero Trust Security: A Journey, Not a Destination.

See the full results of our survey and learn more about IAM automation aspiration, achievement, and benefits for modern organizations with our infographic: Despite Being Vital to an Organization’s Security Strategy, Only 16% of Organizations Have a Fully Realized and Mature Identity and Access Management Program.
