With non-human identities outnumbering humans more than 10:1, identity management has become business-critical.
Today, as hyper innovation and rapidly evolving technologies drive organizations, mature identity programs are becoming business-critical to secure and enable digital capabilities at scale.
The identity and access management market has been projected to reach a market value of USD 11.70 billion – with 33% of its anticipated growth led by the APAC region.
With the growth of IoT devices and the coming metaverse, we can only expect more non-human identities that we need to manage in our organizations and networks. With the talent crunch we’re experiencing, can AI/ML help?
CybersecAsia discussed these aspects of business-critical identity management with Grady Summers, Executive Vice President, Product, SailPoint.
What is the significance of rising non-human identities in the APAC landscape?
Grady Summers (GS): Non-human identities are different in their quantity, behavior, and ownership. In many organizations, we’ve found that non-human identities outnumber humans more than 10:1.
In our recent survey, ‘The Horizons of Identity’, we found that machines make up 43% of all identities for the average enterprise. Additionally, non-human identities will be one of the fastest-growing categories of digital identities over the next 3-5 years. The task of managing non-human identities is just larger in scope than managing human identities.
APAC, in particular, can expect to see an explosion of non-human identities with businesses here in the deep end of their digital transformation journeys – involving a multitude of software bots, physical robots, and Internet of Things (IoT) devices within the enterprise IT ecosystem. Regulatory bodies in the region have also been key catalysts for the growth of non-human identities; in fact, spending on Smart City enablement will account for one third of the IoT market by 2026.
Notably, these accounts have a different lifecycle than human accounts in that they are not tied to a person’s employment status or job department—they persist over many years. While someone needs to own them, that ownership will change over a period of years or decades. It is clear that all identities are not created the same, and this is especially apparent when comparing human to non-human identities. Additionally, machine identities are often linked with privileged accounts, and usually have a much bigger footprint than traditional human privileged accounts within modern IT infrastructures.
Particularly for countries in the region, like Singapore, that are embracing Industry 4.0 and technologies like RPA that enable industrialization at scale – exploited digital identities can wreak extensive damage. It is no surprise then that governments in the region are ensuring high standards for security are being enforced, alongside penalties for regulatory non-compliance. For us this means that more of our customers are talking to us about non-human identity governance than perhaps anywhere else in the world.
What differentiates ‘laggards’ from the ‘leapfrogs’ in identity security maturity?
GS: We have actually done a lot of research on this lately. At a high level I can tell you that less mature organizations still tend to have a lot of manual processes, and identity management is fragmented across a lot of different departments—sometimes resulting in a single person having disparate identities across the organization.
More advanced organizations have digitized most of their identity lifecycle, meaning that a person has the access they need on Day 1, and changes to their jobs result in instant changes to their identity entitlement. The most advanced organizations employ artificial intelligence to automatically adjust access based on when and how it is needed, based on parameters that might not be apparent to a human in a manual process.
Looking closer at the APAC region, businesses here are still at a beginning stage in their identity security journeys. Based on our survey, only 14% of APAC businesses have the highest level of maturity, which reveals room for businesses to recalibrate their approach. Especially as the threat surface increases with a proliferation of digital identities in the coming years, APAC businesses – especially those in Singapore – will need to quickly move from laggards to leapfrogs.
What are the challenges faced by businesses in maturing, particularly SMEs?
GS: The most fundamental challenge is awareness – meaning that so many organizations do not realize the mess they have under the surface. They say ‘all of our employees have single sign-on, we’re in good shape’ but they don’t realize that access is the easy part—security is what is hard.
When they start to dig deeper, they see that they have rampant over-entitlement, meaning that people have access to far more resources than they should. Or they have active accounts that are tied to people who left the organization years ago. Or they have users getting access by mistake, or because they merely cloned one user’s access as new people joined the department… you name it. It is a long list, but I find that organizations can make massive improvement once they understand the security and compliance risks.
While this does not have to take a lot of money, it does need attention! After all, identity maturity does not correlate with spending. In fact, our Horizons of Identity survey shows that it is companies at the beginning of their maturity journeys that are spending the most, without realizing the full value of their investments. As a point of comparison, 71% of more mature companies spend a smaller share of their budget but get more value.
How does leveraging AI/ML identity tools help businesses realize better ROIs?
GS: Leveraging artificial intelligence and machine learning provides benefits in so many dimensions. From a security perspective, organizations can clean up the over-entitlement that I mentioned previously. They can get compliant with regulations by ensuring that the right people have access to the right resources at the right time—and with an audit trail!
And they can improve productivity by giving workers (and customers) access to everything they need to do their jobs. There are few IT projects in the world that can simultaneously reduce costs, improve security and compliance, and make life easier for users—and identity security projects are one of the few that connect all of these dots.
All in all, heightened identity security capabilities are directly tied with improved business value. Stronger security perimeters through AI and ML were found to enable businesses to detect threats 40% faster, while also improving the efficiency and innovation capacity of businesses by driving an 85% decrease in the manual processing of security tickets. On the compliance front, businesses were also found to have saved nearly three times in expenses, owing to automated practices that have cut manpower while improving threat detection and remediation capabilities.