Traditionally, IT has run within the walls of their perimeter. The IAM solutions were more monolithic and centralized. Identities were managed and stored on-premises. Local access controls were used to ensure that employees just have access to the resources that they needed through authentication, authorization, with abilities to audit user activity.
Federation extended the reach of where identity and access controls reside and allowed for the secure exchange of user information between divisions within an organization or between organizations in the same industry sector for example. Single Sign-On (SSO) systems gave users the ability to authenticate once across multiple IT systems and applications.
The need to move beyond only a single factor such as a password, due to its weak form of authentication, became strongly discouraged from use when accessing more sensitive resources. This drove the need to add a second authenticating factor, which can significantly increase the assurance that a user is who they say they are. Two-Factor Authentication (2FA) provides the Level of Assurance (LoA) for most organizations’ authentication needs.
Just as the terrain of cyber-attacks continues to change, so must the capabilities of modern-day access controls to protect against them. Modern cybersecurity products have leveraged the power of machine intelligence and data analytics. Although analytics has become a loaded term, in that it has come to mean a broad range of things. In its narrowest sense, it is the ability to perform data analysis by examining historical data and uncovering trends or pattern that can be used to improve the decision-making process. Machine intelligence gives the ability to make access decisions that can be acted upon based on the patterns and trends found through data analytics. Together, these technologies become tools to recognize abnormal user patterns that can be acted upon based on access policies.
Risk-based capabilities are being added to give access controls the ability to make access policy decisions based on the level of risk indicated by a user’s location, device, activity, behavior, etc. making it more context-aware.
As the enterprise becomes more mobile, employees are using multiple types of mobile devices from smartphones to IoT devices, which were once the exception but is now becoming the norm. External users accessing corporate systems and information has become a reality for most organization. Sometimes the devices are owned by the user’s Bring Your Own Device (BYOD), sometimes by the organization's Corporate Owned Devices (COD), or even enabled for personal use such as Corporate Owned, but Personally Enabled (COPE) device. But regardless of the model used, organizations still need to protect their corporate resources against the new security challenges in today's continually changing environment.
Another reality being realized is that most organization’s IT data, applications and services are spread across both on-premises and cloud environments. Inevitably there will still be business use cases that will ensure some IT data, applications and services remain on-premises, while other uses cases will drive the need to use cloud infrastructure and services, ensuring that this hybrid environment continues for the foreseeable future. The management of user identity and access must evolve into services that can address this new hybrid IT reality.
In short, IAM is continuing to evolve based on the growing list of IT security requirements and IBM is continually adapting to meet these changes.
IBM is a large fortune 500 company headquartered in Armonk, NY with a global presence in North America, EMEA, and APAC regions. IBM has customer deployments within many industry sectors, such as Financial and Business Services, Healthcare, Retail, Automotive, Technology, Public Sector, Distribution, Entertainment, Transportation, Utilities and Consumer Goods.