
Expert Panel: What Are The Biggest Identity And Access Management Challenges In 2025?

Expert Insights spoke to 7 leading Identity And Access Management experts.

Last updated on Feb 3, 2025
Written by Joel Witts

As businesses adopt more cloud services and remote work models, Identity and Access Management (IAM) is crucial, but can be difficult to get right.

Organizations struggle with balancing user convenience against security, managing the increased volume of digital identities, and integrating IAM solutions across diverse platforms.

We asked 7 experts to identify common IAM challenges and share their insights on navigating the complex IAM landscape.


Alex Simons, Corporate Vice President, Identity & Network Access Program Management at Microsoft: The biggest challenges organizations face in the Identity and Access Management (IAM) space today stem from the rapid evolution of identity-based threats. As organizations increasingly adopt multi-factor authentication, attackers are adapting their techniques to use more sophisticated phishing attacks that leverage adversary-in-the-middle techniques that fool users into completing SMS and push-based authentication so the attacker can steal that user’s identity tokens. Microsoft observes over 600 million identity-based attacks daily, underscoring the sheer scale of this issue.

Another significant trend is the exploitation of identity infrastructure as a foothold for broader network compromise. Adversaries increasingly focus on applications that manage access to sensitive resources, leveraging them as gateways to privileged accounts and critical data. This underscores the importance of securing these applications and enforcing least privilege access controls to limit the potential impact of a breach. Read the full Q&A.


Arnab Bose, Chief Product Officer at Okta: The threat landscape is rapidly evolving and in today’s distributed workplace environment, identity is security. Threat actors are targeting identity, with 80% of breaches involving some kind of compromised credentials. Any time employees, vendors, or partners are attempting to sign in, organizations must be equipped to authenticate that log-in attempt and verify the person behind the screen is who they say they are.

Along with the rise of AI in the enterprise, bad actors are getting more creative in their endeavors to leverage the technology for credential theft and account takeover. Generative AI is being used to conduct personalized phishing schemes, powerful brute-force attacks, and automated credential stuffing. As organizations look to combat these threats, Identity and Access Management (IAM) has been pushed to the forefront of the security conversation. Read the full Q&A.


Wes Gyure, Executive Director of Security Product Management at IBM: Poor Identity and Access Management (IAM) practices continue to be a leading cause of security breaches, according to IBM research. In our 2024 X-Force Threat Intelligence Index, we found a 71% year-over-year increase in cyberattacks leveraging stolen or compromised credentials.

The underlying challenge here is often the increasing complexity of the IAM space. Fragmentation is the norm, with businesses across industries trying — often unsuccessfully — to wrangle multiple identity solutions across multiple clouds and with limited visibility. Meanwhile, IAM risks and threats are being compounded by generative AI. Large language models make it easier than ever before for bad actors to hone and then scale phishing and other identity-centric attacks. Read the full Q&A.


François Amigorena, Founder and CEO, IS Decisions: Organizations face two big challenges at the core of Identity and Access Management (IAM) security. First, identity threats are consistently smarter and easier to execute at scale. This won’t change. 

Second, identity sprawl and wider adoption of Software-as-a-Service (SaaS) platforms are expanding the digital attack surface. This introduces new risks and challenges. Attackers often exploit these weaknesses faster than security teams can mitigate them. Read the full Q&A.


Jay Reddy, Senior Technology Evangelist, ManageEngine: The identity landscape is undergoing a profound transformation that goes beyond traditional security paradigms. We’re seeing the rise of ‘quantum identity states,’ where digital identities exist simultaneously across various planes—from cloud environments to IoT ecosystems and emerging metaverse platforms. As organizations pursue ubiquitous connectivity, they’re grappling with securing identities that are in a state of continuous flux. Traditional perimeter-based models weren’t designed for a world where identity exists everywhere and nowhere at once.

The threat landscape has evolved significantly, with the rise of cognitive attack patterns—AI-driven threats that adapt to defensive measures. High-profile breaches, especially those linked to cloud misconfigurations, underscore a critical truth: security now hinges on understanding and securing the complex web of identity relationships that define digital ecosystems. Looking forward, the convergence of AI, quantum computing, and bio-behavioral authentication will reshape our approach to identity. Read the full Q&A.


Duncan Godfrey, Chief Information Security Officer, Rippling: The threat landscape is complex, with attackers employing more sophisticated methods to exploit identity-based vulnerabilities such as phishing and credential theft to impersonate individuals and gain unauthorized access. These threats are evolving at a pace that outruns the ability of manual processes to keep up, requiring the use of automated systems to manage the complexity. Also, many organizations face difficulties implementing even the most basic security controls, let alone layering advanced security measures.

When threats feel like they are coming from every direction, some IT leaders freeze instead of taking action. It’s better to get started today and do the work than it is to worry every day that you aren’t protecting your business properly. Take the basic challenges seriously and implement good old fashioned security hygiene. Read the full Q&A.


Brook Lovatt, Chief Product Officer, SecureAuth: The biggest challenge we see organizations grappling with today is balancing an experience that is acceptable to the user population with a level of security that is acceptable to the business. MFA approaches tend to vary widely between workforce and customer-facing solutions. When you’re dealing with the workforce, there is generally more control over the devices that the user is connecting from and/or has in their possession. When you’re dealing with end-users who are outside of your organization (whether they’re partners, distributors, retail customers or business users from your B2B customers) you don’t have that control.

In a workforce MFA scenario, businesses often fear that if the end user is inhibited by the requirements of a more secure authentication factor, their productivity will be affected. As a result, there’s often a fallback to standard password or less-secure MFA mechanisms such as email One-Time Password (OTP). Threat actors look specifically for organizations that have implemented such fallbacks. While they generally cannot circumvent a properly implemented FIDO2 authentication method that’s device or URL bound, if they can fall back to OTP, the attacker can use a simple man-in-the-middle approach to gain access to accounts. Read the full Q&A.
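The origin binding that Brook Lovatt and Alex Simons describe (FIDO2 surviving a relaying proxy where OTP and push approvals do not) can be shown with a small model of the relying party's WebAuthn verification checks; this is an added example, not code from any of the vendors quoted on this page. It assumes constructed origins (`bank.example`, `bank-login.example`) and, as a simplification, uses an HMAC under a per-credential secret in place of the authenticator's asymmetric signature.

```python
import hashlib
import hmac
import json
import os

RP_ID = "bank.example"                       # relying-party id (constructed)
RP_ORIGIN = "https://bank.example"           # the only origin the RP accepts
PROXY_ORIGIN = "https://bank-login.example"  # relaying proxy site (constructed)
CRED_SECRET = os.urandom(32)  # stand-in for the credential's private key (simplification)

def browser_assertion(origin: str, challenge: bytes) -> dict:
    """Model of navigator.credentials.get(): the browser, not the page, writes the origin
    into clientDataJSON and only allows an rpId that is a suffix of the page's host."""
    host = origin.split("://", 1)[1]                    # modelled here as rpId = host
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(), "origin": origin}).encode()
    auth_data = hashlib.sha256(host.encode()).digest()  # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_SECRET, signed, hashlib.sha256).digest()  # real: asymmetric signature
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def rp_verify(assertion: dict, challenge: bytes) -> bool:
    """Relying-party checks from the WebAuthn assertion verification procedure (simplified)."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False                      # wrong ceremony or replayed challenge
    if cd.get("origin") != RP_ORIGIN:
        return False                      # origin binding: a proxied ceremony is rejected
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                      # rpIdHash was computed for a different host
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CRED_SECRET, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

def fido2_direct() -> bool:
    challenge = os.urandom(32)
    return rp_verify(browser_assertion(RP_ORIGIN, challenge), challenge)     # True

def fido2_through_proxy() -> bool:
    """The RP's challenge is relayed to a victim on the proxy origin; the assertion fails."""
    challenge = os.urandom(32)
    return rp_verify(browser_assertion(PROXY_ORIGIN, challenge), challenge)  # False

def otp_through_proxy() -> bool:
    """With an email OTP fallback, the same relay succeeds: six digits carry no origin."""
    otp = f"{int.from_bytes(os.urandom(3), 'big') % 1_000_000:06d}"
    relayed = otp                         # entered on the proxy page, forwarded unchanged
    return hmac.compare_digest(relayed, otp)                                 # True
```

The defensive takeaway is the check on `cd["origin"]` and the rpIdHash: a policy that lets a FIDO2-enrolled user fall back to OTP discards exactly that binding, so the fallback path, not the FIDO2 path, sets the account's effective assurance level.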


Written By

Joel Witts is the Content Director at Expert Insights, meaning he oversees all articles published and topics covered. He is an experienced journalist and writer, specialising in identity and access management, Zero Trust, cloud business technologies, and cybersecurity. Joel is a co-host of the Expert Insights Podcast and conducts regular interviews with leading B2B tech industry experts, including directors at Microsoft and Google. Joel holds a First Class Honours degree in Journalism from Cardiff University.