The death of passwords has been announced many times. When my mum stops using them, I’ll be convinced that we’ve finally moved on to something better…:
Keeping track of user names and passwords sounds easy, but it is not. In a world where protected network resources are accessed by employees on mobile devices, outside contractors, web applications and internet of things (IoT) devices – passwords just don’t cut it anymore.
The stakes are high: Eighty-one percent of confirmed data breaches in 2018 involved a compromised identity, according the Verizon Data Breach Investigations Report.
Accordingly, breaches, attacks and increased complexities around these issues are spurring the emergence of a broad range of discussions around using identity- and access-management (IAM) solutions.
Earlier this week for instance, the OMB announced plans to harden its identity-, credential- and access-management policies. The move, similar to those in the private sector, is recognition that while traditional security approaches remain important, a new growing risk lies in poorly managed digital identities.
“While hardening the perimeter is important, agencies must shift from simply managing access inside and outside of the perimeter to using identity as the underpinning for managing the risk posed by attempts to access federal resources made by users and information systems,” wrote Russell Vought, director of the White House’s Office of Management and Budget (OMB) on Tuesday (PDF).
This IAM area of security is evolving fast, and sometimes hard to navigate — key players are using a mix of different definitions and acronyms to describe mostly the same thing. For example, the White House calls it Identity, Credential and Access Management (ICAM), Forrester Research calls it Identity Management and Governance (IMG), Gartner calls it Privileged Access Management (PAM) and still others refer to the area as Identity-as-a-Service (IDaaS).