Posted: 18 Mar. 2021 10 min. read

Beyond passwords

The future of identity and access management

Identity and access management (IAM) is a cornerstone of cyber security and a key element of digital delivery for any organisation. Establishing who a user is, and ensuring they hold access rights to only the resources they need, is a central requirement of any system. It sounds simple enough, but it is a complex task.

Cyber criminals commonly target user identities as a way to gain initial access. Why? It’s easy pickings. Unauthorised access is among the highest-ranked attack vectors for cyber criminals [1].

Passwords have traditionally been the mainstay of authentication controls but are both difficult to use and often ineffective. Most people know they should use a different password for each system, but without a password manager that is virtually impossible. It’s little wonder so many people reuse passwords despite knowing better [2].

But innovation is emerging as the answer. Moving forward, passwords won’t be our default means of protection. New technology is both challenging legacy identity and access management protections and providing new ways to address them.

The Australian Government’s recently launched Cyber Security Strategy focuses on the need for better identity and access management to prepare businesses for a technologically enabled future. But there are still numerous, practical moves businesses can make today to get on the front foot.

What can Australian businesses do today?

The Australian Government’s Cyber Security Strategy lists actions that should be taken by all businesses to manage security. Unsurprisingly, identity management is a key focus. Here we suggest some focus areas to help guide identity investments for Australian organisations.

  1. Improve and uplift baseline security

    Have standing agenda items at board level to track key identity metrics, mapped to the risks they address. Organisations need to understand their identity management maturity and be able to provide assurance, often directly to the board, on how the lifecycle of each identity is managed. We’ve created a template to help you assess how far along the digital identity transition journey you are against your competitors and disruptors across the seven key transition areas. Organisations would be well served to have their identity maturity verified periodically by an appropriately qualified, independent organisation, and to map deficiencies to a properly maintained risk register with clear ownership and treatment plans. Every organisation also needs to make effective use of privileged access management solutions to protect the organisation’s “crown jewels”.

  2. Uplift the cyber security of SMEs

    Leadership needs to ensure SMEs have ongoing access to best-practice identity management software, training and resources. Identity teams need to understand where their skills gaps are and where the key focus areas will lie in future, so they can address them and ensure the right people within the organisation take part in relevant identity working groups and forums. Managers should also provide regular support and training to all staff to foster a culture of cyber awareness.

  3. Create a more secure Internet of Things

    Maintain a current, accurate inventory of all IoT devices within your organisation and apply identity management principles to them: each device should have an identity of its own, with its access requirements understood and enforced. Use your identity management systems and processes to identify, secure and manage IoT devices from deployment through to decommissioning.

  4. Block threats automatically

    Use emerging access control standards and technologies to keep attackers out, and use identity management as part of a zero-trust toolset, so that access decisions rest on verified identity, device and context rather than on network location. This reduces reliance on perimeter defences and helps prevent a data breach. A trusted, centralised record should be maintained of who did what, where, when and why at every point within your organisation.

  5. Centralised identity schemes

    We recommend the Government continue to support the Trusted Digital Identity Framework (TDIF) as a mechanism for providing trusted digital identities for citizens and for minimising cybercrime and fraud in the services that rely on them. In November 2017, the Federal Government announced the introduction of the Consumer Data Right (CDR). The intent of the CDR is to give people greater control over their personal data, including how it is used. Initiatives such as this should continue to be regularly monitored and enforced by the OAIC. We also recommend that government and the private sector collaborate via working groups to implement and improve trusted identity-sharing frameworks.
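To make focus area 4 concrete, the following is an added example (not code from the original post or its authors) of the two ideas it names: a zero-trust access decision that ignores network location, and a centralised record of who did what, where, when and why that can be checked for tampering. The roles, resources, subjects, IP addresses and ticket numbers are all constructed for illustration; the hash-chained log is a minimal stand-in for a real SIEM or audit store.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy data for the example (hypothetical roles and resources).
ROLE_ACCESS = {
    "analyst": {"reports"},
    "admin": {"reports", "payroll", "iam-console"},
}
# Resources sensitive enough that a verified second factor is mandatory.
MFA_REQUIRED = {"payroll", "iam-console"}


@dataclass
class Request:
    subject: str          # who
    role: str
    resource: str         # what
    action: str
    source_ip: str        # where (recorded, never used to grant access)
    reason: str           # why: ticket number or justification from the caller
    mfa_verified: bool
    device_trusted: bool


class AuditLog:
    """Append-only, hash-chained record of every access decision.

    Each entry commits to the previous entry's hash, so editing or deleting a
    past entry makes verify() fail. Persistent storage is out of scope here.
    """

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, req: Request, allowed: bool, rule: str) -> dict:
        entry = {
            "who": req.subject,
            "what": f"{req.action}:{req.resource}",
            "where": req.source_ip,
            "when": datetime.now(timezone.utc).isoformat(),
            "why": req.reason,
            "decision": "allow" if allowed else "deny",
            "rule": rule,
            "prev": self._prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def decide(req: Request, log: AuditLog) -> bool:
    """Evaluate one request with no implicit trust; default is deny.

    A request from an internal address is held to exactly the same checks as
    one from the internet. Every outcome is written to the log with its rule.
    """
    if req.resource not in ROLE_ACCESS.get(req.role, set()):
        allowed, rule = False, "role-not-entitled"
    elif not req.device_trusted:
        allowed, rule = False, "device-not-trusted"
    elif req.resource in MFA_REQUIRED and not req.mfa_verified:
        allowed, rule = False, "mfa-required"
    else:
        allowed, rule = True, "role-entitled"
    log.record(req, allowed, rule)
    return allowed


def demo() -> tuple[list[bool], bool]:
    """Run constructed requests; return the decisions and the log's integrity."""
    log = AuditLog()
    requests = [
        Request("alice", "analyst", "reports", "read", "10.0.0.5", "INC-1001", False, True),
        Request("alice", "analyst", "payroll", "read", "10.0.0.5", "curiosity", True, True),
        # Internal address, no MFA: still denied. Location buys nothing.
        Request("bob", "admin", "payroll", "update", "10.0.0.9", "CHG-2002", False, True),
        # External address, MFA verified on a trusted device: allowed.
        Request("bob", "admin", "payroll", "update", "203.0.113.7", "CHG-2002", True, True),
    ]
    results = [decide(r, log) for r in requests]
    return results, log.verify()


if __name__ == "__main__":
    print(demo())
```

The point of the `source_ip` field is that it is captured for the record but never consulted by `decide()`: the third request comes from a private address and is still refused because the second factor is missing, while the fourth, from a public address, succeeds because identity, device and MFA all check out. `verify()` is the cheap integrity check an auditor would run before trusting the record.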

This blog is authored by Andrew Hayes, Richard Alleman, Anthony Treyvaud and David Loone.

1. ForgeRock Consumer Identity Breach Report: https://www.forgerock.com/about-us/press-releases/forgerock-consumer-identity-breach-report-us-breaches-cost-over-18-trillion
2. 8 Scary Statistics about the Password Reuse Problem: https://securityboulevard.com/2020/04/8-scary-statistics-about-the-password-reuse-problem/

More about our authors

Andrew Hayes

Partner, Risk Advisory

Andrew is a leader in enterprise architecture, identity and access management and service oriented architecture, communications, and mobile application development. Andrew possesses an extraordinary depth and breadth of skills, from developing low-level code to making boardroom presentations focused on enterprise-wide strategy. His focus is on leveraging his prodigious expertise to lead projects to deliver the very best solutions for his customers.