AI in Cybersecurity 101: Bridging the Skills Gap

“Four million workers wanted. Immediate start. Must have knowledge, experience and an ability to be in several places at once.”

If the cybersecurity industry posted a job ad, it would sound something like this. That is the current reported size of the talent shortage, with “little optimism that the supply will catch up.”

The pool of IT security professionals might be small, but attack surfaces are growing. The continued shift toward hybrid cloud and multi-cloud environments means workers are more widely distributed beyond the traditional perimeter, further outside of traditional security and access protocols. By 2028 “most organizations will be leveraging cloud as a business necessity.” The rise in IoT means organizations often must manage insecure devices that come shipped with weak default logins, allowing past compromises such as RSOCKS to scale to “millions of devices.”

Even if there were enough identity and access management (IAM) experts to facilitate all the requests, it’s no longer simply a numbers game. It’s more about the type of tools being deployed by malicious actors. Cyber threats are continually evolving in sophistication, at velocities far greater than any human-only defense.

That’s why organizations are looking toward AI tools and automation to augment existing teams’ capabilities. These technologies offer a best-of-both-worlds solution – human and machine – for some of the challenges faced by modern IAM teams.

Facing the IAM challenges 

Managing identities and permissions at scale is hard enough when you’re dealing with thousands of employees. However, there are growing numbers of applications, machines and entities making access requests. Manually mapping these, at great volumes, can quickly lead to bottlenecks, misconfigurations, accidental granting of excessive requests and vulnerabilities from orphan accounts. 

The result can be inadequate identity and access management, which is cited by OWASP as one of the top 10 CI/CD security risks. One of the main concerns and challenges highlighted is “overly permissive identities.” This is where identities may be granted permissions beyond what’s necessary or past the time needed. The result is an insider threat in a “state where compromising nearly any user account on any system, could grant powerful capabilities to the environment, and could serve as a segue into the production environment.”
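An entitlement review that surfaces the three conditions described above (orphan accounts, grants kept past the time needed, and permissions beyond what is used) can be sketched as follows. This is an added example, not code from the article or from OWASP; the grant and usage records, the roster and the 90-day threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data for illustration only.
NOW = datetime(2024, 6, 1)
ACTIVE_OWNERS = {"alice", "bob"}  # hypothetical HR roster of current staff
GRANTS = [
    # (identity, owner, permission, expires_at or None)
    ("alice", "alice", "repo:write", None),
    ("alice", "alice", "prod:deploy", datetime(2024, 5, 1)),
    ("ci-bot", "bob", "repo:write", None),
    ("ci-bot", "bob", "prod:admin", None),
    ("old-svc", "carol", "db:read", None),
]
USAGE = [
    # (identity, permission, timestamp the permission was exercised)
    ("alice", "repo:write", datetime(2024, 5, 30)),
    ("alice", "prod:deploy", datetime(2024, 4, 20)),
    ("ci-bot", "repo:write", datetime(2024, 5, 31)),
    ("old-svc", "db:read", datetime(2023, 11, 2)),
]

def audit_grants(grants, usage, active_owners, now, unused_after_days=90):
    """Return (identity, permission, reason) findings for review."""
    last_used = {}
    for identity, perm, ts in usage:
        key = (identity, perm)
        last_used[key] = max(ts, last_used.get(key, ts))
    cutoff = now - timedelta(days=unused_after_days)
    findings = []
    for identity, owner, perm, expires in grants:
        # Orphan: the accountable owner is no longer on the roster.
        if owner not in active_owners:
            findings.append((identity, perm, "orphan"))
        # Past the time needed: the grant outlived its expiry date.
        if expires is not None and expires <= now:
            findings.append((identity, perm, "expired"))
        # Beyond what is necessary: never used, or not used since the cutoff.
        used = last_used.get((identity, perm))
        if used is None or used < cutoff:
            findings.append((identity, perm, "unused"))
    return findings

if __name__ == "__main__":
    for finding in audit_grants(GRANTS, USAGE, ACTIVE_OWNERS, NOW):
        print(finding)
```

Findings are candidates for human review rather than automatic revocation, since an unused permission may still be needed for a rare but legitimate task.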

There may also be follow-up impact from a regulatory and compliance viewpoint. NIS2, an EU directive that impacts “public and private sector entities that provide certain critical services or critical infrastructure,” takes effect from October 18, 2024. Organizations may be asked to show proof of technology and security capabilities for access control policies. Much like GDPR, any non-EU company doing business in the region should review their processes to check if they need to comply.

How AI and automation can transform IAM 

By 2025, 39% of worldwide organizations will be at an experimentation stage of Gartner’s AI adoption curve. Naturally, there are plenty of areas where IAM can benefit over the next few years, across the four pillars of authentication, authorization, administration and auditing.

Streamlined provisioning 

Few onboarding and offboarding processes take place without a checklist. Even fewer take place without a long checklist. Accounts, permissions, roles, licenses, tickets – they soon all pile up, often in the IT admin’s in-tray.  

The good news is that while many of the steps are time-consuming, they’re also routine and repeatable – in other words, they’re prime candidates for intelligent automation. Tasks can be configured to complete within specified time periods. When these are completed, managers gain an automatic audit log to support governance and compliance. There’s less risk of errors from manual inputting and greater visibility over the entire employee lifecycle.

Dynamic access control

Different access control methods have pros and cons. Role-based may be suitable when dealing with fixed rules and thresholds, but this method doesn’t scale well in enterprises where roles and responsibilities expand. Attribute-based access can offer the necessary granularity but requires lengthy setup and advanced metadata for labeling and surfacing.

These complexities and edge cases place extra demand on scarce resources when provisioned manually. However, AI-powered systems can deliver dynamic access control, allowing Just-In-Time access based on user roles, context and behaviors.

Anomaly detection 

AI’s ability to operate continuously and at scale offers potential to continuously authenticate identities, supporting Zero Trust and least privilege principles. Anomalies and behavioral deviations can also be monitored and detected with automated remediation, freeing up human resources to focus on edge cases.  

AI can also lighten the administration load of setups, by automatically generating a baseline with accepted thresholds and patterns of behavior. Any unusual activity can either be flagged, trigger extra authentication requests or suspend accounts for further investigation.

Behavioral analytics 

Insider threats remain one of the top challenges for businesses, with threat actors commonly deploying identity-based techniques. Abuse of valid credentials accounted for almost half (44.7%) of all data breaches in 2023, with PII often used for extortion and social engineering attacks. 

Machine learning algorithms have become the first line of defense for organizations and their insider risk management strategies. They first analyze historical activity to understand standard behaviors and to identify potential threats, such as logins from unrecognized locations. They then use the analytics to build risk profiles for individual users and entities to understand their access needs and requests. These can be risk-scored in real time with pattern recognition mechanisms to ensure seamless user experiences without compromising security.
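The baseline-then-respond flow described under Anomaly detection and Behavioral analytics can be sketched with a simple statistical profile in place of a trained model. This is an added example, not code from the article or any product; the login history, score weights and response thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed login history for illustration: (user, hour_of_day, country)
HISTORY = [
    ("alice", 9, "DE"), ("alice", 10, "DE"), ("alice", 8, "DE"),
    ("alice", 9, "DE"), ("alice", 11, "DE"), ("alice", 10, "FR"),
    ("bob", 22, "US"), ("bob", 23, "US"), ("bob", 21, "US"), ("bob", 22, "US"),
]

def build_baseline(history):
    """Derive a per-user profile: usual login hour spread and known countries."""
    hours, countries = defaultdict(list), defaultdict(set)
    for user, hour, country in history:
        hours[user].append(hour)
        countries[user].add(country)
    # Floor the deviation at 1 hour so very regular users are not over-flagged.
    # Simplification: hours are treated linearly, not as a 24-hour circle.
    return {u: {"mean": mean(h), "std": max(pstdev(h), 1.0),
                "countries": countries[u]} for u, h in hours.items()}

def risk_score(baseline, user, hour, country, failed_attempts=0):
    """Score one login against the baseline (weights are assumptions)."""
    profile = baseline.get(user)
    if profile is None:
        return 40  # no history yet: treat as needing extra authentication
    score = 0
    z = abs(hour - profile["mean"]) / profile["std"]
    if z > 3:
        score += 40
    elif z > 2:
        score += 20
    if country not in profile["countries"]:
        score += 40  # login from an unrecognized location
    score += min(failed_attempts, 4) * 5
    return score

def respond(score):
    """Map a score to the tiered actions named in the text."""
    if score >= 80:
        return "suspend"
    if score >= 40:
        return "step_up_auth"
    if score >= 20:
        return "flag"
    return "allow"

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for event in [("alice", 10, "DE", 0), ("alice", 12, "DE", 0),
                  ("alice", 10, "BR", 0), ("alice", 3, "BR", 2)]:
        print(event, respond(risk_score(baseline, *event)))
```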

Predictive modeling 

Combine ML algorithms with a source of enriched data, and organizations can evolve from reactive to proactive IAM. Organizations can run simulations to assess statistical probabilities of a breach using multiple variables that would take many hours to assess manually. Potential misconfigurations or vulnerabilities can be detected and remediated in advance, minimizing downtime.  

What’s more, the advance of Natural Language Processing means many functions can be triggered by users without coding expertise.

No-code and low-code solutions 

The rise in no-code and low-code platforms allows non-technical users to build all types of products, platforms and apps. Think of marketers using pre-built templates to build websites, or ecommerce owners entering product data to launch online stores.  

Naturally, the human-centric and intuitive processes can be extended to IAM frameworks. Teams can bypass skills gaps by using generated commands and prompts, a self-service model that lightens the load on existing IT professionals.

Democratizing cybersecurity 

By 2027, 50% of CISOs are expected to adopt new security behavior and culture programs (SBCP). These involve enterprises moving internal cybersecurity programs away from a focus on awareness and toward long-lasting cultural change. AI will be at the heart of this cybersecurity democratization, learning individual employees’ behaviors to identify where they need more support and education.

Organizations can then deliver more personalized security training beyond one-size-fits-all workshops or online simulation platforms. AI will also provide the necessary analytics and automation for teams to measure and optimize outcomes.

The human element 

You can have all the AI and IAM tools in the world, but without the human element, IAM-related data stays siloed. The solution is to use technology to enhance and augment existing expertise, helping to bridge the labor and skills gap.  

AI as a partner tool 

When interpreted correctly, the insights can also function as a strategic asset, indicating when and where to make decisions: for example, where there are access bottlenecks and potential risks from over- or under-provisioning. Ingested data can also help show cost savings and impact on growth metrics, such as accelerating time taken to authenticate users. Further C-suite benefits come from the ability to generate reports to satisfy auditors and regulators. 

Upskilling 

With data being collected and aggregated, the business can use this as a basis to upskill existing IAM professionals. AI can be used to power single pane dashboards that generate visualizations to help interpret results. Here’s where the need for accurate interpretation won’t just offer business benefits – it will also lay the foundation for future regulatory requirements around AI. 

Transparency 

Back on October 30, 2023, the US government issued an executive order on the safe, secure and trustworthy development and use of AI. This aligns with NIST’s statement that, “Trustworthy AI systems are those demonstrated to be valid and reliable; safe, secure and resilient; accountable and transparent; explainable and interpretable; privacy-enhanced; and fair with harmful bias managed.”  

As AI becomes more embedded in everyday processes, it’s ever more business-critical to maintain transparency, fairness and accountability for outputs. For IAM, a big advantage is that every touchpoint and action can be recorded. Any removal, approval or other action is available to be retrieved, crunched and contextually interpreted by humans. As long as this takes place within a centralized platform, IT security professionals can harness AI’s advantages for present and future demands.

The future of AI and IAM 

Identity is the new perimeter for businesses operating in today’s cybersecurity landscape. This offers advantages in terms of agility and security, as long as it’s based on intuitive systems accessible to the wider workforce. This prevents existing IT security professionals from being overloaded, while also ensuring infrastructure stays protected.  

Incorporating AI within IAM is the first step to making it happen, offering intelligent, dynamic and sustainable identity threat detection and remediation. Through automated responses, real-time data analysis and predictive technologies – supporting human decision-making, democratizing cybersecurity and optimizing productivity – it is poised to equip teams with adaptive defense systems that learn continuously, while reducing false positives that take up valuable manual approval time.

Anonymous