With cybercriminals constantly knocking on the front door, it is the job of identity and access management (IAM) to determine who gets in. But in a world where it is becoming harder to establish whether anyone really is who they say they are, the challenge facing modern IAM systems is becoming progressively more difficult.
Numerous techniques are emerging to strengthen these processes, but no individual tool will solve every challenge. Hence buyers are spending more on solutions, with Grand View Research estimating that the global IAM market will grow from US$15.93 billion ($24.11 billion) in 2022 to US$41.52 billion ($63.25 billion) by 2030.
One of the key trends of 2023 has been the phasing out of older methods of establishing identity, such as the use of passwords, in favour of passwordless systems including encrypted passkeys hosted on phones or other devices. Passkeys are becoming the default method for establishing identity for some online service providers, although they do not solve all of the problems of establishing robust identity. Passwords are not going away quickly either: Fortune Business Insights found the global password management market was valued at US$2.35 billion ($3.56 billion) in 2023 and is projected to reach US$9.14 billion ($13.83 billion) by 2032.
Difficulties with establishing identity have led many organisations to adopt a zero-trust approach to IAM. How this is achieved is evolving rapidly, with traditional models like multi-factor authentication being supplemented by technologies such as biometric identification, including the use of fine-resolution palm prints and facial recognition.
Another area of development is the use of behavioural monitoring, such as the tracking of work behaviours and even typing patterns, with the goal of ensuring that identity is maintained through the entirety of a user's interaction.
Security professionals are also seeking to limit the damage that can be done by a compromised identity, using techniques such as dynamic access control, which provides a granular approach to providing access to specific resources based on well-defined rules.
Furthermore, adoption of the internet of things (IoT) is increasing the number of devices seeking access to privileged systems, raising the need to ensure that every device is afforded an appropriate access level.
Yet more challenges loom for IAM, including from the rapid evolution of generative AI. Given that AI can be readily trained to mimic the voice of an individual, and the demonstrated potential for voice spoofing to defeat voice-based verification systems (and even other human beings), new protocols are needed to prevent this technology from becoming another means of gaining unauthorised access to systems.
Collectively, the increasing pressure that organisations face to maintain effective IAM is leading many to investigate the role of service providers, and specifically cloud-based managed IAM services. These can meet needs for flexibility, scalability, and cost-effectiveness while offering the latest in advanced authentication protocols and real-time monitoring, with Verified Market Research estimating that the cloud IAM market was valued at US$3.84 billion ($5.81 billion) in 2021 and is projected to reach US$19.9 billion ($30.13 billion) by 2030.
Another significant trend sees all responsibility for IAM effectively outsourced through the use of federated identity systems (a proposal undergoing active development within Australia), where credentials are established and maintained by a trusted third party, with those credentials then able to be used with multiple entities.
This is appealing to organisations that have multiple interactions with the same individuals, such as governments, but potential exists for these identification systems to apply across a wide range of service providers, allowing them to effectively forgo the need to retain identifying information on customers and users.
In this way the use of federated identities may assist organisations to meet increasingly stringent privacy requirements by alleviating the need to hold and retain customers' personally identifiable information.
But with reports suggesting that more than 80 percent of breaches are related to stolen, weak, or reused passwords, the challenge of IAM will remain prominent for cyber professionals in 2024 and beyond.
AusCERT director David Stockdale has observed the rise of new models of identity and access management but cautions that they can be challenging to apply to complex environments.
“Applying these models into your existing portfolio of systems and services is almost impossible in many organisations because of the size they are and their complexity and the legacy nature of many of them,” he said.
“I think there can be a lot of expectation that just because something exists and it's a great idea that it's easy to do and you should have had it done in a short period of time. This is just not realistic.”
Still, given the prevalence of security incidents that use stolen and/or privileged credentials in some way, Stockdale sees IAM as a key focus area for practitioners and teams. His view is that a one-size-fits-all approach to managing privileged access is challenging and likely to cause friction.
“If you've got a model where your security controls are very strict and there's a lot of them, applying that to the majority of people in your organisation is just going to lead to friction, non-compliance and workarounds.”
A more effective approach is to apply “appropriate levels of privilege” across the organisation. “I think what we’re starting to see is an appreciation that the right level of controls for the type of work that people do is the important thing. It’s not about who you are but what you do.”
South Australia’s sole electricity distributor SA Power Networks is focusing strongly on reducing cyber security risk, particularly risk connected to digital identities.
“Digital identities are the usernames and passwords that our users use to log onto services and systems within our organisation,” said head of cyber security and IT resilience Nathan Morelli.
“We really wanted to reduce the risk of those identities being used maliciously against us.”
The electricity distributor undertook a process to identify risks around managing digital identities. “That might be a compromised identity [due to] a user falling for a phishing email, or it might also be around where a user has excessive access to systems and services within our networks,” said Morelli.
“In understanding those two areas, we reduced risk around knowing when an account could potentially be compromised and put in place actions that responded automatically and immediately to those potentially malicious behaviours. We also went through a process that we called attack path analysis, so when someone does get a compromised account and they are a malicious actor, what would they do with that account when they did get into our environment?”
Morelli adds that the ability, and the opportunity, to prompt re-verification of an identity when it performs certain actions or triggers certain settings is important.
“We use multi-factor authentication (MFA) at the point in time of creation of a role or change or an uplift to privileged access to then prompt a reverification of the identity.
“We also use MFA and prompting that re-verification of an identity when we see an additional piece of risk to an account as well, so somebody might travel interstate, which isn’t normal, so we’ll reprompt for MFA in that situation just to re-verify that identity to make sure they are who they are, [that] it’s one of our end users, and not a malicious actor.” – Nathan Morelli, head of cyber security and IT resilience, SA Power Networks
The work is summarised in SA Power Networks’ cyber security annual report, a detailed account of its security posture and strategic efforts. “We take the security of our digital identities seriously, which is why we’ve established several conditional access policies within the Microsoft Identity,” the report states.
“From requiring MFA every 24 hours for personal devices, and blocking access from suspicious locations and networks to controlling access to privileged portals and applications, we’re taking proactive steps to protect our organisation’s assets. With these policies in place, we’re reducing the risk of threat actors using stolen credentials to access and exploit our systems.”
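The conditional-access behaviour described in the SA Power Networks report and in Morelli’s comments (step-up MFA when a privileged role is created or uplifted, re-verification on unusual travel, a 24-hour MFA window for personal devices, and blocking sign-ins from suspicious locations and networks), together with the rule-based dynamic access control mentioned earlier in the article, can be expressed as a small policy evaluator. The Python below is an added illustration and is not code from the article, from SA Power Networks or from any Microsoft product; the rule ordering, region codes, application names, denylist, user profiles and sample sign-in events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"
    BLOCK = "block"


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    device_managed: bool          # corporate-managed device vs personal device
    region: str                   # where the sign-in originates (constructed codes)
    anonymising_network: bool     # flagged upstream, e.g. VPN/Tor exit (assumed signal)
    privilege_change: bool        # request creates or uplifts a privileged role
    last_mfa: Optional[datetime]  # when the user last completed MFA, if ever
    now: datetime


# Constructed policy data; a real deployment would source these from the IdP.
PRIVILEGED_APPS = {"admin-portal", "iam-console"}
BLOCKED_REGIONS = {"XX"}                        # placeholder denylisted location
USUAL_REGION = {"alice": "SA", "bob": "SA"}     # expected sign-in region per user
MFA_MAX_AGE_PERSONAL = timedelta(hours=24)


def evaluate(ev: SignIn) -> tuple[Decision, str]:
    """Return the access decision and the rule that produced it.
    Rules are ordered so a hard block wins over step-up, and step-up wins over allow."""
    # 1. Hard blocks: suspicious locations and networks never reach the MFA prompt.
    if ev.region in BLOCKED_REGIONS:
        return Decision.BLOCK, "sign-in from denylisted location"
    if ev.anonymising_network:
        return Decision.BLOCK, "sign-in via anonymising network"
    # 2. Actions that always re-verify the identity.
    if ev.privilege_change:
        return Decision.REQUIRE_MFA, "privileged role created or uplifted"
    if ev.app in PRIVILEGED_APPS:
        return Decision.REQUIRE_MFA, "access to privileged portal"
    # 3. Risk signal: sign-in from outside the user's usual region (e.g. interstate).
    usual = USUAL_REGION.get(ev.user)
    if usual is not None and usual != ev.region:
        return Decision.REQUIRE_MFA, f"unusual region {ev.region}"
    # 4. Personal devices must have completed MFA within the last 24 hours.
    if not ev.device_managed:
        if ev.last_mfa is None or ev.now - ev.last_mfa > MFA_MAX_AGE_PERSONAL:
            return Decision.REQUIRE_MFA, "MFA older than 24h on personal device"
    return Decision.ALLOW, "no policy triggered"


NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock


def _ev(user, app="intranet", managed=True, region="SA", anon=False,
        priv=False, mfa_hours_ago=2):
    """Build a constructed sign-in event relative to NOW."""
    last = None if mfa_hours_ago is None else NOW - timedelta(hours=mfa_hours_ago)
    return SignIn(user, app, managed, region, anon, priv, last, NOW)


# Constructed sign-in events, one per policy branch.
SAMPLE_EVENTS = {
    "managed_device_home":       _ev("alice", mfa_hours_ago=30),
    "personal_device_fresh_mfa": _ev("bob", managed=False, mfa_hours_ago=2),
    "personal_device_stale_mfa": _ev("bob", managed=False, mfa_hours_ago=25),
    "personal_device_never_mfa": _ev("bob", managed=False, mfa_hours_ago=None),
    "interstate_travel":         _ev("alice", region="NSW"),
    "privilege_uplift":          _ev("alice", priv=True),
    "privileged_portal":         _ev("alice", app="admin-portal"),
    "anonymising_network":       _ev("bob", anon=True),
    "denylisted_location":       _ev("alice", region="XX"),
}


def run_sample() -> dict[str, str]:
    """Evaluate every sample event; returns {event name: decision}."""
    return {name: evaluate(ev)[0].value for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        decision, reason = evaluate(ev)
        print(f"{name:28} {decision.value:12} {reason}")
```

The rule order matters: a block is evaluated before any step-up so that an attacker on a denylisted network is never offered an MFA prompt to phish against, and the returned reason string is what a SOC would want logged alongside the decision so that MFA fatigue or repeated blocks on one account can be spotted.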
Australian retailer Chemist Warehouse is set to modernise both its workplace identity and customer identity access management (CIAM) practices. “We’re a unique organisation with some fairly complex requirements, so we are investing quite seriously in identity and access management to future-proof the organisation and allow it to scale,” CISO Nigel Hedges said.
“Both workplace and customer identity are going to be moved to modern IAM platforms.”
Broadly speaking, Hedges says the IAM space, at least from a technology perspective, has improved considerably over the past two decades. Where implementing IAM was once a labour-intensive endeavour, products and solutions available today mean provisioning and deprovisioning user access to business applications, and on- or off-boarding users, can be performed quickly using off-the-shelf capabilities in the tools. Some organisations have long corporate memories of drawn-out IDAM projects, however, and this may be limiting investment in more modern tools.
More companies would modernise their workplace IAM platforms if they understood that the ROI benefits of doing so extend beyond improved security to productivity, Hedges theorised. Modern IAM enables new staff to be onboarded quickly and seamlessly. It also makes the process trackable and manageable. When new staff are ready to do their jobs “as close to day one as possible, that represents a productivity gain.”
Northern Beaches Council has set an “aspirational goal” of establishing a single source of truth for customer identity.
Customer identity covers over 500,000 citizen and business users of its services across the Northern Beaches of Sydney.
“Most council services, such as council rates, development applications, childcare, library accounts, park bookings and more, require customer information,” CISO David Griffiths said. “Our aspirational goal is a single view of our customers across our platforms, which means a single source of truth for customer identity.
“Maintaining the quality of that information is a strategic challenge. Securing personal information whilst enabling the business is a key focus tied to governance, management and protection initiatives.”
The 2024 State of Security sponsors have worked tirelessly to improve the safety of enterprise and channel companies.
We are proud to present this year's State of Security champions, and showcase the work they do.