Identity and access management (IAM) has gone from being a largely operational function to a critical pillar of a modern security strategy. Our Information Security, Identity Management 2022 study examines the challenges, usage, growth and adoption hurdles of the current authentication and identity management landscape.
Much of the increased relevance of IAM has been driven by the ongoing evolution — or revolution — toward cloud-based computing architectures and zero-trust security frameworks. The latter helped to supplant older, perimeter-based methods that relied primarily on location to control access to resources. In a world where applications and other IT resources, devices, and users are highly distributed, identity has emerged as one of the most relevant contextual factors for access management. This is reflected, in part, by ongoing M&A activity in the IAM sector, which for the past five years has been among the most fertile ground for both strategic and financial acquirers.
Summary of Findings
User experience remains a top IAM pain point. Ensuring employees have the correct access rights, mitigating poor user experience and managing passwords are top organizational concerns when it comes to deploying IAM. Managing access rights is straightforward in theory, but it can be exceedingly complex in practice, particularly as organizations combine legacy on-premises infrastructure with cloud-based resources and applications. User experience, however, has long been a hurdle limiting broader adoption of multi-factor authentication (MFA); improving the user experience has been a driving force behind recent innovations such as passwordless authentication and adaptive or risk-based authentication.
Passwords are still everywhere. Despite the many complaints about passwords, they are still hard to get away from: 58% of respondents indicate they still use passwords, despite their well-known limitations. In fact, passwords lead by a comfortable margin over the next most chosen options, mobile push-based and SMS-based MFA. These latter methods have their own challenges, particularly the increasing awareness of each method’s potential security limitations — “push fatigue” in the case of the former, and man-in-the-middle attacks for the latter. Biometric authenticators are chosen by less than one-third of respondents, despite considerable hype over the years. Hardware-based USB keys come in last, likely reflecting their niche usage for high-risk/high-security use cases.
MFA is the most common form of authentication technology. Organizations looking to go beyond standard username and password for authentication have historically had a wide range of options. Our survey finds MFA is the number one choice by a long shot (61%), well ahead of cloud-based single sign-on (38%) and passwordless authentication (32%). Only 22% select risk-based or contextual authentication, despite growing awareness in the industry.
Trends in Application Security Testing
MFA is gaining momentum as a key security control for zero trust and ransomware. Our survey respondents also identify MFA (59%) as the most important security control for supporting a zero-trust initiative. Privileged access management (PAM) is a distant second at 35%, followed by network access control/device integrity checking (28%). With respect to privilege escalation and ransomware prevention, MFA (59%) is the top choice again, by a wide margin over second-place increased auditing and logging (41%) and third-place PAM (39%).
While MFA adoption is trending upward, several barriers remain. The number one hurdle is setup costs (28%); lack of support for legacy applications (24%) is a close second, and poor user experience (23%) rounds out the top three. Our results also show that, on average, companies are protecting roughly 53% of their applications with MFA, and the most-cited reason is lack of support for IAM protocols such as Security Assessment Markup Language, OpenID Connect or open authorization.
Want insights on information security delivered to your inbox? Join the 451 Alliance.