The Evolution of IAM
This is Part 4 of our ‘What is IAM’ blog series. Make sure to check out the beginning of the series:
- Part 1: What is IAM
- Part 2: The Definition of IAM and Its Criticality to Good Security Hygiene
- Part 3: The Components of IAM
Written by Paul Mezzera, Ravi Erukulla, and Ramesh Gupta of the CSA IAM Working Group.
IAM is not a novel solution. It has been around since the first computers were developed but became a more prominent discipline during the client/server era, when applications became more distributed and contained their own identity silos. Every user and entitlement had to be managed within the application, which greatly contributed to the proliferation of user identities and passwords required to access these applications.
Directory services were designed to address this problem by providing centralized user repositories, along with an access protocol called Lightweight Directory Access Protocol (LDAP). Directory services were used to enable single sign-on across multiple platforms, including operating systems, databases, and web servers. During this time, Microsoft’s Active Directory became the corporate standard for managing computers as well as providing an architecture to manage users, groups, and access policies. During the early days of the internet, the problem of multiple credentials and sign-ons was exacerbated, and web single sign-on (SSO) was developed to facilitate authentication and authorization of users across an organization's applications, in most cases leveraging an LDAP directory as the identity store.
In addition, the management of user lifecycles and access policies was mostly automated through custom-built applications, which eventually became productized as user provisioning and administration solutions. Governance features were also required to address regulatory requirements and eventually converged with identity administration and provisioning solutions to become what is now known as identity governance and administration (IGA) solutions.
Over the last decade, these solutions have been offered as cloud services that leverage all the benefits of the cloud, including the maintenance of IAM platforms, which in many cases required specialized resources. To further streamline identity and access management use cases and deployments, and to reduce the cost and burden of implementing a multitude of products, solutions are converging to provide a combination of IAM capabilities such as IGA, PAM, access management, and CIAM.
IAM in the Cloud
Given the proliferation of cloud-based solutions, further accelerated by the shift to remote work, many organizations are taking a more aggressive cloud-first strategy when adopting applications and security solutions. What’s more, each cloud platform implements its own IAM solution to manage users and entitlements.
Many organizations struggle to gain the right visibility into, and management of, their users and entitlements, which are now commonly spread across several cloud platforms. They must also manage cloud services that run a more ephemeral set of workloads, typically instantiated by DevOps tools. IAM solutions must include the management of access across cloud services such as containers, serverless infrastructure, and DevOps and CI/CD tools, all of which require access policies to function.
Learn about IAM stakeholders and adoption challenges in Part 5.