Identity and Access Management 2023

proudly sponsored by
Okta

Cyber security professionals work hard to keep sensitive data under lock and key. But in an era where seemingly everything can be faked – including identity – the chances of bad actors getting past access protocols are very real.

For security professionals, that means investing in solutions that provide access that is both seamless and trustworthy, and it has driven rapid growth in the market for identity and access management (IAM) solutions and related technologies. Numerous concepts have come to the fore, such as zero trust network access (ZTNA) and privileged access management systems that serve to minimise damage when that trust is broken.

Forrester's 2022 report The State Of Workforce Identity And Access Management places IAM within leaders' top four strategic information security priorities, while Gartner's latest forecast for IAM solutions suggests the global market will grow from US$15.87 billion in 2021 to US$32.42 billion in 2027. Gartner also reports that ZTNA has become the fastest-growing segment in network security, with expected growth of 31 percent in 2023 thanks to increased demand for protection for remote workers and organisations reducing their dependence on VPNs for secure access.

Effortless trust

One of the key challenges when implementing access management is the need to balance the requirement for security and trust against the needs of users for frictionless access.

Locking down access too tightly risks impeding their productivity and driving them to seek workarounds that undermine the IAM solution's effectiveness, while making access too easy risks opening the front door for cyber criminals. This challenge is compounded when users are accessing multiple systems – often from multiple providers.

Verizon's 2023 Data Breach Investigations Report found the use of stolen credentials in breaches increased from 41.6 percent to 44.7 percent over the previous year.

Finding the right balance has also taken on a greater degree of urgency for those organisations that are bound by prescribed requirements. According to Forrester, regulatory compliance with frameworks such as PCI DSS and HIPAA is the number one driver of IAM purchases. In both cases, protecting sensitive data – patient data for HIPAA and card payment data for PCI DSS – requires user access controls and role-based rules to be implemented, and IAM is an accepted way to do that.

All of this means the need for reliable and effective IAM has never been greater. But there is yet another factor complicating the equation – that being the large assemblage of stakeholders who often seek a say in the implementation of IAM.

Building stakeholder engagement

By its very nature, IAM impacts everyone who uses it, which may include an organisation's entire workforce. Forrester has found that stakeholders such as operations teams, marketing, and HR can have different priorities from those of security professionals, which makes stakeholder engagement and collaboration a critical aspect of successful IAM implementations.

Few organisations demonstrate these competing requirements as clearly as universities.

For Anna Aquilina, chief information security officer at the University of Technology Sydney, providing secure access means satisfying the needs of a user community that includes students, staff, researchers, and more, as well as individuals who represent a combination of these personas.

“People always say identity is a journey, and it is a huge part of our overall security strategy,” Aquilina said.

"You can't have good cyber security without really good identity and access management."

While concepts such as zero trust and least-privilege are guiding Aquilina's thinking, they can be hard to deliver within an organisation that is culturally disposed towards providing broad access. For example, Aquilina said the university is often required to provide email access to students and some staff groups even after they have ceased their formal engagement – something that is not easily accommodated by many tools.

The complex nuances of university life led Aquilina to develop an overall security strategy that starts with uplifting the cyber knowledge of key stakeholders, to help them understand what is required to both protect data and provide appropriate access levels.

She credits this as being one of the reasons why the university was able to smoothly implement multi-factor authentication (MFA) for both staff and students – an imposition that can sometimes be rejected when users don't understand the need for it.

Gartner advises that one of the most effective tools for building stakeholder engagement is to meet the needs of different stakeholders using terms they readily understand.

One of the approaches it recommends is to set aside the standard metrics used by security professionals and instead express benefits in measures that business users can appreciate, such as those that demonstrate the business value of IAM implementations.

Beyond identity management

One of the clearest ways to improve user experience is to remove 'friction' in access processes, such as that created by usernames and passwords, and which can often be exacerbated through the introduction of MFA.

This need is driving many security professionals to investigate passwordless solutions that use other forms of identification, such as biometrics or registered devices or tokens, and possibly supported by geolocation, network address, or behavioural patterns and gestures – in fact, anything other than memorised information.

According to Statista, the market for passwordless technology will grow in value from US$18.5 billion in 2023 to US$53.6 billion by 2030, as organisations come to rely more on techniques such as security tokens, personal identification numbers, and an individual's unique biological characteristics such as fingerprint recognition, iris recognition, face recognition, and voice analysis, for identity and authentication.

While these technologies may go a long way towards creating frictionless IAM, their success requires numerous hurdles to be overcome first.

For instance, while Aquilina hopes to eliminate passwords altogether, the university's legacy infrastructure provides a significant barrier.

"I really want to get to the stage where we can remove passwords from the user experience, but currently our environment is too mixed and varied to allow this," she said.

The path to frictionless identity

The need to find the right balance between secure and effortless access becomes absolutely critical for those organisations that are consumer facing, that operate in highly regulated sectors, or that represent high-value targets for cybercriminals.

The financial technology and payments company PayPal ticks all three boxes.

Its head of information security for Australia, Daniela Fernandez, said IAM plays a cornerstone role in the company's overall security strategy, by ensuring appropriate access to information and resources is provided based on secure access management and the least privilege principle.

"As a global financial services company, PayPal is in the business of security and trust – trust that our customers’ information and accounts are secure," Fernandez said.

PayPal has taken a multilayered approach to IAM, investing in governance capabilities as well as access management and authentication capabilities including role-based access control (RBAC), strict controls for privileged access, MFA and passwordless solutions, and leveraging analytics capabilities for continuous monitoring and anomaly detection.

The use of passkeys, which allow users to log in to PayPal using the same biometrics or device password they use to unlock their device, is proving particularly effective.

"PayPal is one of the first financial services companies to begin making passkeys authentication available to customers around the globe..."

"We are continuing to ramp availability to eligible users on eligible platforms in order to closely monitor platform performance and ensure using a passkey is simple, easy and highly secure."

- Daniela Fernandez, head of information security for Australia, PayPal

Fernandez said PayPal is constantly looking for ways to streamline its branded payments experience by removing friction while keeping its customers' security a top priority.

"Security by design and defence in depth are key principles we use to protect our assets," Fernandez said.

"We implement multiple layers of security controls for all technology stacks to ensure we keep our systems secure and mitigate security risks adequately."

The artificial identity challenge

Such tactics may prove essential for all organisations as the techniques used by cyber criminals evolve.

One specific area of concern is the use of AI to enhance phishing attacks, and the potential for this technology to accurately impersonate authenticated users.

However, Forrester believes AI is also poised to lift some of the burden from cyber professionals, through its application in tasks such as identifying anomalous activity or permissions for workforce identities, simplifying approvals and tasks, and feeding entitlement and access details into existing role-based models.

According to Fernandez, AI is not a new concept for PayPal, which already takes proactive measures to protect customers using data analytics, AI, and machine learning to detect new threats and prevent fraud.

"The majority of the potential threats we encounter are handled through automation, which helps us address security incidents faster," Fernandez said.

"In the future, we think generative AI technologies can help us simplify processes, improve our security services, and play a more active role in defensive strategies."
