As a cybersecurity leader who has served for two decades in seven industry-leading enterprises, I’ve witnessed a total evolution in Identity & Access Management (IAM). Once described as the last stop for mediocre IT talent, IAM was often viewed as a place for repetitive administrative work that was labor-intensive and plagued by outdated legacy systems.
IAM today is not your grandpa’s Oldsmobile. It’s a beacon of technical innovation built on data science, dramatically shaping how cybersecurity controls are implemented across the enterprise. The advent of AI/ML has transformed IAM from a mundane administrative task to a cutting-edge technological function, enhancing user experiences and risk management.
In short, IAM has become cool.
Historically, an employee joining an enterprise would have to slog through tedious manual approvals for network access. At one company, we found that wait times amounted to over 300 years in just one year! We also calculated that more than 15% of a manager’s time annually was applied to access recertifications for regulatory compliance.
But in today’s enterprise, the systems provisioned for many end users are cloud-based (SaaS) and no longer attached to proprietary data centers. Thanks to data science, 80% of the approvals for provisioning entitlements can be eliminated. This represents a significant improvement in fulfillment time, improving productivity for employees.
Let’s look closer at the forces reshaping IAM, how CISOs can make the case for change—and guide their teams successfully through the transformation.
Regulatory requirements often mandate annual entitlement recertification. Most of these can be automated using AI/ML models. Behavioral profiling reduces the need for human oversight—and the long wait times for approvals. Data analysis enables enterprises to enforce the objective of least privilege, resulting in lower operating costs, better user experience, and improved risk management. This makes a compelling case to transform the IAM function using AI/ML models as a foundation.
User and Entity Behavior Analytics (UEBA) plays a significant role in the modern IAM function. The key is to cultivate IAM talent with a foundation in data science to leverage data models from your existing security investments—whether it’s a standalone UEBA tool, your DLP solution, your threat detection platform, or the IAM platform itself. The good news is, many technology choices now incorporate AI/ML functionality suitable for both on-prem and cloud-based applications.
The crux of IAM lies in defining normal user patterns. By leveraging data points and thresholds, one can automate actions (like revoking system access) based on deviations from those patterns. With today’s computing capabilities, including streaming data architectures, data lakes, and cloud computing resources, such decisions happen in milliseconds. It changes the game for IAM: behavioral models can be applied to identify when credentials are compromised.
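One concrete shape for the pattern just described (a per-user baseline, numeric thresholds, and an automated action on deviation), added here as an illustration and not code from the original article; the event fields, weights, and thresholds are constructed assumptions.

```python
"""Behavioral baseline and deviation-triggered access actions (illustrative)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample access events (not real data): user, hour of day, records pulled, country.
BASELINE_EVENTS = [
    ("alice", 9, 40, "US"), ("alice", 10, 55, "US"), ("alice", 11, 35, "US"),
    ("alice", 14, 50, "US"), ("alice", 16, 45, "US"), ("alice", 9, 60, "US"),
    ("bob", 22, 300, "DE"), ("bob", 23, 280, "DE"), ("bob", 21, 320, "DE"),
    ("bob", 22, 310, "DE"), ("bob", 0, 290, "DE"),
]


def build_baseline(events):
    """Per-user 'normal' profile: usual hours, volume mean/stddev, usual countries."""
    by_user = defaultdict(list)
    for user, hour, volume, country in events:
        by_user[user].append((hour, volume, country))
    profile = {}
    for user, rows in by_user.items():
        volumes = [v for _, v, _ in rows]
        profile[user] = {
            "hours": {h for h, _, _ in rows},
            "vol_mean": mean(volumes),
            "vol_std": pstdev(volumes) or 1.0,  # guard against a flat history
            "countries": {c for _, _, c in rows},
        }
    return profile


def score_event(profile, user, hour, volume, country):
    """Return (risk_score, reasons); each deviation adds an assumed weight."""
    p = profile.get(user)
    if p is None:
        return 100, ["no baseline for user"]  # unknown identity: treat as high risk
    score, reasons = 0, []
    z = (volume - p["vol_mean"]) / p["vol_std"]
    if z > 3:  # volume far outside the user's own history
        score += 50
        reasons.append(f"volume z-score {z:.1f}")
    if hour not in p["hours"]:
        score += 20
        reasons.append(f"unusual hour {hour}")
    if country not in p["countries"]:
        score += 40
        reasons.append(f"new country {country}")
    return score, reasons


def decide(score, step_up=20, revoke=60):
    """Map a risk score to an automated action: allow, step-up authentication, or revoke."""
    if score >= revoke:
        return "revoke"
    return "step_up" if score >= step_up else "allow"
```

A production version would feed these decisions from streaming events and log the reasons alongside the action so that every automated revocation can be reviewed afterwards.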
For decades, IAM used secrets management (passwords) for authentication. Unfortunately, passwords are not the problem today. The number of digital assets requiring passwords is the problem. Users have too many passwords to remember, so they reuse them—making it easier for cybercriminals to apply credential-stuffing techniques to obtain access to customer data.
A better way to think about advanced authentication (that does not require passwords) is to think of authentication as a continuous process and no longer an event. Continuous authentication helps determine the user’s identity, replacing the conventional Multi-Factor Authentication (MFA) models.
Behavioral models can drastically streamline access provisioning, resulting in fewer points of human approval, higher productivity, and lower operating costs.
IAM professionals need to understand how to use data analytics (behavior patterns, baseline risk scores, deviations) to design and implement IAM controls that are not dependent on the consistent use of administrative labor. But IAM staff who thrived in labor-intensive, repetitive tasks may reject retooling their analytic skills—or can’t invest in learning.
The CISO’s role is to serve employees and guide those unable to learn new skills to areas where they can contribute. The opportunity might not be in IAM anymore. This transition is difficult due to established IAM norms, but new skills and analytics are crucial. A redesigned process using models for automation requires fewer resources, fewer people, and lower costs.
CISOs should own the IAM operations and promote professional development for the IAM staff, dividing the team into Plan, Build, and Run areas. The Plan team develops the blueprint and identifies necessary platform changes, while the Build team creates new workflows and advanced analytics.
Don’t worry if your data scientists have limited cyber experience; they will likely be hungry to learn domain expertise in cybersecurity over time. IAM professionals who understand the fundamentals of applying data science (AI/ML models) to IAM transactional data represent the skillset that you should emphasize as most useful to the IAM team.
Data science and AI/ML don’t just drive more efficient controls at reduced costs, they are at the heart of IAM transformation. Top technical talent is attracted to the extensive use of AI/ML capabilities displacing older labor-intensive processes. It opens up tremendous opportunities for all IAM professionals.
Employees thrive when they actively pick skills, with leaders suggesting ways to learn. Leaders must make employees aware that they’ll need to pinpoint skills they aim to perfect and record them in a development plan.
The knowledge I’ve shared here isn’t theory—it’s based on applied practices in several enterprises. I’ve seen firsthand how the most effective leaders, especially in transformative roles, are also adept educators. Their commitment to fostering learning can shape employee response to change and boost talent development and acquisition. This equips IAM professionals for future challenges and is the key to leading a successful IAM transformation.
It’s how we make IAM cool!