Q&A: IS Decisions CEO And Founder On Confronting Identity Sprawl And Unifying IAM Deployments
Expert Insights interviews François Amigorena, Founder and CEO of IS Decisions.
François Amigorena is the Founder and CEO of IS Decisions, a company specializing in access management and multi-factor authentication (MFA) for Microsoft Windows and Active Directory environments.
Active Directory is critical for many businesses, controlling access for all users, resources, and apps. This of course means that it’s a top target for cybercriminals—so organizations with a Windows environment must have a strong strategy to protect against identity-based attacks.
Expert Insights recently reached out to Amigorena to get his insights on the state of the identity and access management threat landscape, and how CISOs should be prioritizing their security planning for 2025 and beyond.
Q. What are the biggest challenges facing organizations in the identity and access management space today, and how are threats evolving?
Organizations face two big challenges at the core of identity and access management (IAM) security.
First, identity threats are consistently smarter and easier to execute at scale. This won’t change.
Second, identity sprawl and wider adoption of Software-as-a-Service (SaaS) platforms are expanding the digital attack surface. This introduces new risks and challenges. Attackers often exploit these weaknesses faster than security teams can mitigate them.
Solutions to these weaknesses can be tricky to implement. Take MFA and single sign-on (SSO)—in a multi-application environment, these technologies are a must. But they’re hard to implement across hybrid environments, especially those using on-premises Active Directory (AD) for identity and authentication.
On-premises AD lacks native support for security layers like MFA and SSO. This forces organizations to invest in additional infrastructure, adding cost and complexity.
Microsoft’s solution to the problem is Active Directory Federation Services (AD FS), which connects to Microsoft’s cloud-based Entra ID and a synchronization tool, Entra Connect.
In theory, this works. In the real world, it can get messy.
Plus, some organizations don’t want to take the half-in, half-out cloud route. Many highly regulated organizations have mandates to keep authentication and identity on-premises. Others want to keep on-premises networks as simple as possible, minimizing management overhead. More complexity or cost asks more of already stretched IT security teams.
Even those moving away from on-premises usually send identity to the cloud as the last step of a several-year cloud migration project. A full cloud migration can take 4-8 years, depending on company size. CISOs need to secure access to the systems they have today.
Q. How does UserLock help teams address these challenges, and how do you differentiate the solution in this competitive space?
UserLock takes a pragmatic approach to IAM. We’ve been on this access security journey with the Active Directory community for two decades now—and if we’ve gotten where we are, it’s because we focus on solving this community’s real-world access security problems.
Since 2000, our mission has been to help the Active Directory community stay ahead of tomorrow’s threats with solutions designed for today’s systems.
This is how UserLock has evolved over the years, going from concurrent session limits to contextual access management, session management, auditing and reporting, and MFA. First on Windows logins, then for remote desktop, IIS, and VPN sessions, and then for SaaS connections.
Through it all, we’ve built the closest integration with on-premises AD of any solution. UserLock syncs with AD every five minutes, a must for teams that need real-time visibility and threat detection on network and cloud access. UserLock also allows you to set MFA and access policies according to AD users, groups, and OUs. When you change AD group policies, they sync in UserLock five minutes later.
UserLock is the only IAM solution that unifies identity management for both network and cloud access using the on-premises AD identity. By combining MFA and SSO for the on-prem AD identity, UserLock delivers a simple solution to a complex hybrid identity puzzle.
With the rise in remote work, organizations also come to UserLock looking to enforce MFA and access controls in offline scenarios. They want to maintain MFA policies on devices that aren’t connected to the internet or are disconnected from the LAN, and they want it to work out of the box. Since there’s no offline mode for users to activate and no temporary setting for admins to toggle, UserLock makes this easy.
As cyber threats get smarter, niche security measures are going mainstream. Take MFA for DMZs or air-gapped environments—we used to see these use cases rarely. Now organizations across all sectors are looking to secure access to these protected environments.
You can do that easily with UserLock because it’s lightweight and simple to set up. That’s intentional. The most effective security is security your team can live with and will use.
This ease of use is one of our biggest differentiators. UserLock makes it easier for IT security teams to do their job, not harder. End users almost forget it’s even there, which tells IT they’re balancing security and productivity well.
Q. What are your top recommendations for CISOs in the process of looking for an identity and access management solution?
We’d argue most CISOs don’t look for an IAM solution, per se. The Gartner quadrant is not necessarily how IT leaders filter security needs.
They want to get compliant, meet cyber insurance requirements, and/or meet security goals.
Along the way, they often realize that the solution to one piece of the access security puzzle might require big changes elsewhere.
When selecting an IAM solution, CISOs should consider:
- Where identity sits: Evaluate solutions that integrate with your existing identity provider (IdP), unless you’ve planned major infrastructure changes. If your IdP is on-premises AD, consider if that’s where you want or need it to stay, at least for now. Start here, and you’ll quickly narrow down your search.
- Security coverage: Put access security at the heart of your environment, where identity and authentication sit today. Look for a single IAM solution that can handle MFA and access management across on-premises systems, legacy apps, and cloud resources.
- Scalability: Choose a platform that you can roll out across all end users and will easily adapt to changing numbers of users and devices.
- Will it drive end users crazy?: Opt for solutions that minimize friction for end users without sacrificing security. Look for single sign-on that doesn’t require logging into an SSO portal, and MFA policies that you can customize for different teams and contexts.
- Real-time monitoring and response: Implement solutions that deliver visibility, continuous monitoring, and automatic responses to suspicious user behavior.
- Compliance requirements: Support requirements without making security a burden, and without overlooking common security gaps such as offline and off-domain scenarios.
Q. What trends do you expect to see in the identity and access management space in 2025?
In 2025, we expect to see:
- Increased adoption of zero-trust architectures: Organizations continue to move towards zero-trust security frameworks, emphasizing continuous verification of user identities at and beyond the logon.
- Integration of AI and machine learning: AI-driven analytics will enhance threat detection and response, providing more proactive security capabilities.
- Expansion of passwordless authentication: The shift towards passwordless methods, such as biometrics and hardware tokens, will reduce reliance on traditional passwords.
- Enhanced focus on identity governance: There will be a greater emphasis on managing and auditing user identities and access rights. It’s not sexy, but it can make a big difference to prevent unauthorized access.
Q. What should organizations’ top identity and access management planning priorities be for 2025?
As mentioned above, a top priority is implementing solutions that support a zero-trust approach to minimize the risk of unauthorized access. Organizations should also prioritize:
- Strengthening MFA deployment: How MFA is implemented is the difference between effective security and security your team won’t use because it gets in the way. Ensure MFA is universally applied across all users, and that IT has control over how often and when to require it.
- Regular audits and compliance checks: Conduct continuous audits to prove you’re meeting security policies and regulatory requirements.
- User education and awareness: Invest in training programs to educate users about security best practices and the importance of IAM.
Further reading
- Learn more about UserLock by IS Decisions
- Read Expert Insights’ review of UserLock by IS Decisions
- Read our guide to the Top Identity And Access Management Solutions