6 signs your IAM strategy is failing, and how to fix it

Companies have been developing and executing identity and access management (IAM) strategies for decades. “It started with mainframe time sharing, so nothing is new,” says Jay Bretzmann, program director for security products at IDC. Despite that long experience, there are still opportunities for mistakes, especially when companies are upgrading their IAM platforms to those that can better deal with modern IT deployments.

Here are six ways to tell that a company’s IAM strategy is failing.

1. Users can’t access their applications, but criminals can

The primary goal of an IAM platform is to allow legitimate users to access the resources that they need, while keeping out the bad guys. If the opposite is happening, then something is wrong. According to the latest Verizon Data Breach Incident Report, stolen credentials were the most common attack method last year, involved in half of all breaches and in over 80% of web application breaches.

The first things that companies usually try to do is move away from simple username and password combinations, and add text message one-time passwords, says Bretzmann. This doesn’t help much, he says, and it aggravates users, to boot. “Done right, IAM is more than just single sign-on and multifactor authentication,” he says. “It’s about understanding the variety of users that request access to IT systems and solving their connectivity problems.”

According to Forrester analyst Andras Cser, users who fall under the purview of enterprise IAM systems include employees, business partners, and end customers. All require different approaches. For employees, enterprises often turn to identity-as-a-service providers such as Okta, or Azure Active Directory, or on-premises IAM systems, which, he says, are still more powerful and feature-rich than cloud-based options. For customers, some companies are starting to move from usernames and passwords to social logins like Google and Facebook.

A final IAM access category is machine identities. According to a survey released last fall by Pulse and KeyFactor, machine identities are a lower priority than user identities, but 95% of CIOs say that their IAM strategy can protect machine identities from attacks.

Enterprises also need to pay attention to the fact that they’re having to protect all these different types of users across a variety of environments—on-premises, cloud, SaaS, mobile, and work-from-home.

2. Siloed identity and access management platforms

Many organizations use different solutions for access management, for identity governance and administration, and for privileged access management, says Gartner analyst Henrique Teixeira. The siloes create extra work, he says. “And there are often gaps between each solution which attackers can take advantage of.”

Vendors are beginning to move toward unified systems to address this issue, Teixeira says. “Okta and Microsoft, for example, have started to offer more converged platforms.” By 2025, Gartner estimates that 70% of IAM adoption will be through those converged IAM platforms.  

Customer-facing IAM is lagging even further behind, Teixeira says. “Most organizations are using custom home-grown applications. That is problematic when addressing new regulation requirements for privacy and protecting the infrastructure against more modern types of attacks.”

3. Overly aggressive IAM rollout plan

It can be tempting to think that an IAM platform will do everything all at once. Executives can easily get over-enthusiastic about a solution, and vendors will over-promise, says Cser. “That’s problematic for a lot of organizations,” he says. “If you’re trying to install an access management solution and have to have all your 300 applications all go live in one day, that’s going to be a failure.”

Cser recommends a phased roll-out instead. Trying to do it all in one shot is unrealistic. For example, despite what vendors promise, companies typically have to do more customization and orchestration work to get their applications integrated. This is particularly true if a modern approach to IAM requires redesigning internal processes. He recommends that companies doing an IAM update use the opportunity to simplify and rationalize processes first. “And not implement the existing mess. It’s just like moving. When you move from one place to another, you want to throw things away first and not move them to the new location.”

4. Separate authentication and authorization

“IAM stands as a cornerstone for any security and IT program,” says Rohit Parchuri, CISO at Yext, a search technology company. Without it, other security controls have a diminished business value and won’t realize their full potential, he says. “You need to know what users and assets exist in your portfolio before you can start protecting them. IAM provides both the visibility of the access landscape while also enabling features to control that access.”

In previous positions, Parchuri ran into a couple of problems when deploying IAM. “When we originally ventured into the IAM execution, we missed adding a few things to our success criteria,” he says. The first issue was that authorization was treated as a separate entity from authentication. “With a separate authorization server, we had to bounce between authentication and authorization practices across two different systems.” This increased the total cost of ownership and put additional burdens on the team to manage two separate entities.

5. Authentication coverage blindspots

Another issue that Parchuri faced was that a few internal systems were not cataloged and still relied on local authentication. “Having local authentication on our internal systems, the visibility was lacking in terms of session management and user onboarding and offboarding practices,” he says. These tasks should have been taken care of by the IAM tool but weren’t.

The company spotted the mistake while doing a coverage exercise on its asset management program. “We found the applications noted in our configuration management database were not captured in the IAM tool,” Parchuri says. “Once we identified those applications, we also noted that the IAM tool outsourced the authorization validation to locally deployed on-prem systems, although they existed in the IAM tool as an entity.”

To fix the issue, the hardest part was to figure out whether the IAM tool and the internal tools could be integrated using Security Assertion Markup Language (SAML) or cross-domain identity management (SCIM). “Once we were able to get that going, the rest was execution and perpetual management,” Parchuri says.

6. Multiple IAM systems causing visibility issues

Companies sometimes have challenges integrating disparate IAM platforms, says Luke Tenery, partner at StoneTurn, a global advisory firm specializing in regulatory, risk and compliance issues. “If they have too many identity management systems, it makes it difficult to find relationships between security anomalies,” he says. “That’s where the pain is.”

Many cyberattacks, for example, involve some form of email compromise. If the same identity is also used for, say, access to a company’s Salesforce system, there could be a significant delay before that second attack vector is discovered. “If it’s the same username and password but managed in a decentralized way, they might not see the compromise taking place in Salesforce,” Tenery says. “If the dwell time is longer, there’s an increased risk of impact to the organization. The longer the cancer is in the body, the more time that threat has to do damage.”

Tenery says he saw one case where threat actors were able to get into a Salesforce database for a loyalty program of a global hospitality provider, getting access to millions of customer records. The solution is to create a holistic view of identity and access management across the enterprise. “It can be a painstaking process to bring that connective tissue together,” he says, “but there are platforms available to help organizations consolidate their IAM functions.”

If direct integration is not an option, Tenery says, there are advanced tools that leverage machine learning and artificial intelligence that can create automations to build those linkages. In the case of Salesforce and Office 365, direct integrations are available. “And there’s third-party tooling, like Obsidian Security, that we use,” he says. “It’s a platform that leverages different forms of automation and machine learning to identify identity linkages to detect security anomalies and manage identity risk.”