Billions of Impacted Users: The Current State of IAM Software

If the latest IAM software’s so great, how come we’re still seeing user identity breaches that impact millions – if not billions – of users? Have the supposed improvements in IAM software been illusory? Worse, have we been wasting our money on that software?

Are There Reasons for Persistent Risks and Breaches?

Despite significant advancements in IAM software, breaches and security risks persist. This is not necessarily a reflection of the software’s effectiveness but may rather be the result of a complex interplay of factors contributing to ongoing vulnerabilities.

  1. Evolving Threat Landscape: Cyber threats are constantly evolving, with new attack vectors and techniques emerging regularly. IAM software must continually adapt to address these emerging threats, which can be a challenging task. Attackers are becoming more sophisticated, using advanced techniques like phishing, social engineering, and zero-day exploits to bypass security measures.
  2. Advanced Persistent Threats (APTs): APTs involve attackers who are highly skilled, well-resourced, and patient. They might spend months or years inside a network, evading detection. Traditional IAM software isn’t usually designed to detect or respond to such sophisticated, low-and-slow attacks.
  3. Human Error: Many breaches result from human mistakes, such as weak passwords, misconfigured systems, or falling for social engineering attacks. IAM software can’t compensate for these errors if users don’t follow best practices. At best, IAM software may help mitigate their impact.
  4. Insider Threats: Not all breaches come from external hackers. Employees, contractors, or former employees with legitimate access can misuse or abuse their privileges. IAM systems might not always detect or prevent malicious insider activities, especially if the actions mimic normal behavior.
  5. Complexity and Interconnectedness: Modern systems and networks are increasingly complex and interconnected. This complexity creates more potential entry points for attackers, making it harder for IAM software to detect and prevent breaches, and harder for it to ensure that all access points are properly secured.
  6. Legacy Systems and Technical Debt: Many organizations have legacy systems that were not designed with modern security standards in mind. Integrating IAM software with these systems can be difficult, leaving gaps in security.
  7. Resource Constraints: Small to medium-sized businesses might not have the necessary resources (e.g., budget, personnel, expertise) to effectively implement and maintain IAM software, making them more vulnerable to breaches.
  8. Cloud and SaaS Adoption: The increasing adoption of cloud and Software-as-a-Service (SaaS) solutions has introduced new security challenges, such as managing access to cloud-based resources and ensuring that SaaS providers have adequate security controls in place.
  9. Lack of Integration with Other Security Measures: IAM software is just one aspect of a comprehensive security strategy. If not integrated with other security measures, such as network security, endpoint security, and incident response, its effectiveness may be limited.
  10. Limited Visibility and Monitoring: IAM software may not provide sufficient visibility into system activity, making it difficult to detect and respond to security incidents. As the number of devices, applications, and users grows, it becomes harder for organizations to maintain visibility and control over their IT environments, and harder still to detect and respond to security threats.

Is the Improvement in IAM Software an Illusion?

No, the improvement in IAM software is probably not an illusion. IAM software has made significant progress in recent years, with advancements in areas such as:

  1. Artificial Intelligence (AI) and Machine Learning (ML): Many IAM solutions now incorporate AI and ML to improve threat detection, anomaly detection, and behavioral analysis.
  2. Cloud and Hybrid Support: IAM software now supports cloud and hybrid environments, providing more flexibility and scalability. The IAM software itself has also moved to the cloud; it’s less and less common to find on-prem IAM software these days.
  3. Identity Governance and Administration (IGA): IGA capabilities have improved, enabling better management of identity life cycles, access requests, and certification processes.
  4. Multi-Factor Authentication (MFA) and Passwordless Authentication: MFA and passwordless authentication have become more prevalent, reducing the risk of password-related breaches.

It’s probably good to remember that IAM software alone cannot prevent breaches – it’s one layer of a well-architected security program involving people, processes and technologies working together effectively. Gaps will still exist.

Risk is also multi-dimensional – IAM may lower risk in some areas (e.g. credential theft), but digital transformations, cloud migrations, and expanded attack surfaces introduce new risks and new challenges. Rapid innovation means new risks – the pace of change brings opportunities for misconfiguration and unseen vulnerabilities during platform shifts.

IAM advancements over the last few years have probably lowered broad categories of risk and resulted in marginally better user experience, but that’s only when they’ve been deployed knowledgeably.

Are We Wasting Our Money on IAM Software?

While IAM software improvements have undoubtedly brought benefits, it’s reasonable to question whether the promised advances have materialized as expected. Moreover, it’s essential to acknowledge that IAM is just one aspect of a comprehensive security strategy. It remains essential to:

  1. Properly Implement and Configure the Software: Ensure that the software is correctly configured and integrated with other security measures.
  2. Monitor and Analyze System Activity: Regularly review system logs and analytics to detect potential security incidents.
  3. Continuously Update and Patch the Software: Keep the software up to date with the latest security patches and updates.
  4. Use IAM Software as Part of a Broader Security Strategy: Integrate IAM software with other security measures, such as network security, endpoint security, and incident response.

It’s still reasonable to question whether investments have matched expectations in some cases. But remember, returns on security spend are difficult to measure directly, unlike most business initiatives. And a lack of breaches isn’t the sole metric of success.

Declaring the investment a complete waste is probably an oversimplification. While IAM software has advanced, the threat landscape has also evolved dramatically, creating a moving target. And breaches of user identities in the millions or billions of impacted users often result from a combination of factors, not solely from IAM weaknesses. The usual suspects are listed above, some of which have nothing to do with the IAM software itself.

There’s an old joke in advertising that’s equally applicable to IAM software: Half the money you spend on it is wasted; the trouble is you don’t know which half.

