Ever tried to fit a square peg into a round hole? Doesn’t work, does it? It is futile to even try – a logical fallacy. When something is designed with a specific intent yet used for something else without a good fit, the result may end up as a waste of time, money, effort and resources. Unfortunately, such is the state of Identity Management today.
The problem begins at the very root of intent. Cybersecurity, of which IAM is a key component, had traditionally been treated as an extra investment rather than a necessity. This attitude continues even today. The probable reason for this might be solutions that have been designed with the intent of sale rather than that of security. The entire landscape of internet-related business has been a rich money-making opportunity. It can be likened to the California Gold Rush in the 1950s; everyone wants a piece. But this can’t be the goal of the cybersecurity industry, not the primary goal at any rate.
Cybersecurity is a business opportunity made possible by cybercriminals. Strange as it may sound, those that profit from it must acknowledge that there is something tainted at the core of it all. The prime incentive of profiteering from something that is meant to protect innocent citizens is just in bad taste. The industry must first aim to provide solutions that work, at affordable prices, and that provide a robust barrier against cyberattacks. Then, and only then, can one look at the profit motive. But the current identity management landscape is in reverse.
IAM has all kinds of products and vendors try to create solutions that sell – but do they do the job well? For some vendors, the singular goal is volume and duplication – sell the same product to as many companies as possible. But not all companies are alike – companies vary in size, segment, and scope. For instance, how can a product meant to cater to the common bottom line fully protect a mid-sized business with specific needs? Take the manufacturing industry. The midmarket manufacturing industry has very unique needs. For one, they have shop floor machines that typically utilize thick-client, on-premise software. They also need password management and single sign-on for these applications – just as much as a corporate business requires them for their daily IT activity. And the midmarket demands high ROI, short implementation times, and budgetary consideration when it comes to cost. Many of the popular IAM products on the market shut out these business with their high price tags.
Smaller businesses also need to save on license costs. But nobody has developed a single sign-on feature that allows a single license to be used by different users. The reason is a lack of vision. Content with providing standard cookie cutter features that customers have been trained to expect, no one is innovating on a level that offers features that customers actually need. Instead, developers are offering what they think customers want.
When it comes to Identity Governance, businesses could save time and money if they had a solution to handle access requests intelligently. Businesses know they need this feature, yet the market has only been offering the bare minimum, just enough, to sell the product – but is it enough to get the job done well? For instance, an effective solution should enable employees to see the risk score of a requested access. This is the feature that indicates the likelihood of being approved for that access based on the employee’s role and position. So much time would be saved with this process, let alone the frustration of not knowing why the access wasn’t approved.
The approval side of access requests can also be improved. Currently, most solutions offer manager level approvals. But what happens when a manager is not confident about approving certain access for a role? What if they are simply too overburdened with access requests to ensure proper allocation? That calls for another feature – a delegation feature – to enable an appropriate person to become involved in the approval process.
The bottom line is – IAM vendors can provide far better features than they currently do. Blindsided by ‘what sells’ rather than ‘what’s best for the customer,’ products have been created that do what the customer has been conditioned to expect – from the common bottom line of what vendors offer. It is a vicious cycle. IAM customers need to be educated on what they really need in order to achieve right levels of security. Vendors need to preemptively solve their challenges, not just engineer products based on what the latest and greatest features are.
There are few products in the IAM market that cater to these needs today. It is time that companies in the IAM space start adopting a different approach that is more focused on actual customer needs that will advance the betterment of the industry. Customers should be able to choose between multiple vendors to match their exact needs, and each vendor’s product should reflect the pinnacle of their capability in understanding and catering to customer needs, rather than trying to fit square pegs into round holes.