The challenge is to grant access to the enterprise assets that users and devices have rights to in each context, and to keep up with changes in these contexts as computing needs evolve. That includes onboarding users and systems, permission authorizations, and the offboarding of users and devices in a timely manner. One example of these changes was what happened in our post-Covid world, as users migrated to more remote work that required modifications to maintain access to their internal systems. This put stresses on IAM systems and policies, to be sure.

But even without the changes from the pandemic, the IAM fabric construct places new demands on existing security software. Take privilege access managers as an example. In the past, this software focused on ensuring that users had the correct basket of access rights to local resources, and that administrators’ rights were assigned sparingly. As the collection of cloud apps has grown, this means ensuring that these apps are setup properly, with the philosophy that Gartner calls “no privileged account is left behind” as the number of machine identities outstrip those assigned to humans. “An average midsize to large organization uses hundreds of SaaS applications. Managing access separately for each application simply doesn’t scale,” Gartner said.

The move to the cloud has brought other complications. Many companies have evolved their access control policies over time, and the result is that they have overlapping rules and role definitions that are usually outdated and, in some cases, provisioned incorrectly. “You have to clean up your identities and revoke all the extra privileges that users don’t need so that you don’t migrate a mess,” Forrester’s Andras Cser tells CSO. “This means spending more time on upfront design.”

Part of the problem is that vendors too often treat machine identities in tools that were originally designed for just human identities. The two use cases are different: machines require careful API access that leverages automated routines, with potential exploits that can be quickly identified and stopped. “It is time to prepare for a world in which more customers are bots, which may require redesigning existing services,” says Gartner. Authenticating non-human entities such as application keys, APIs, and secrets, agents and containers is a lot more difficult, just because of the different contexts that these entities operate. For example, application keys may be hard coded inside a particular cloud application, placed there temporarily by a developer who has since moved on and forgotten about them. These are low-hanging fruits for attackers to leverage their way into your enterprise.

In the past, many IAM vendors segregated their products into those that focused either on customer identities or workforce identities. The former was used to manage external users and devices while the latter was used for internal users and devices. That distinction is disappearing, thankfully, and now many vendors combine the approaches.

Another problem is that workflows have grown and gotten convoluted and complex, requiring customized IAM protection policies for their protection. As zero trust moves from “nice to have” to a prerequisite for compliance, this places a bigger responsibility on IAM to manage everything. It also means migrating away from manual integration of new apps to a more automated way of delivering appropriate security. “You need to make sure any IAM solution is usable, secure, easy to automate and cost-effective,“ Okta stated in a blog from last fall.