Access Management in a Disruptive & Digitally Transforming World

In this digitally transforming world, identity and access management have become more critical than ever before. Be it a financial system, a patient records database, or a streaming service, ensuring that the right person is getting access to the right resources is of pivotal importance. Multi-factor authentication (MFA) and one-time-passwords (OTPs) are being used to verify identities, some argue, at the cost of customer convenience. So how do you implement security controls for your customers without asking them to do too much?

The need for IAM

A CISO mentioned that they pay out 40% commission on sales to their agents, and identity plays an essential role in ensuring accurate commission calculation and processing for every agent. Moreover, they are also actively interacting with customers via smartphone apps, storing and processing photos of their faces and other sensitive information to provide individualized experiences; identity plays an important part.  

Challenges faced while implementing IAM

An executive talked about how their distributor network grew exponentially during the pandemic. As their registration was digital, they were having doubts regarding the legitimacy of the growth. Is this natural business, or is it an attempt to gamify the system, where people register new accounts to get more commissions? How do you verify this? Do you ask people to come in? Through the collaboration of their legal, security, and sales teams, they developed a frictionless user validation process that was secure and didn’t ruin the customer (distributor) experience.  

A few speakers raised usability concerns regarding MFA. Do you roll out MFA for all your customers or a particular high-risk segment? How do you ensure that it doesn’t damage the user experience too much? As pointed out by an exec, a popular strategy is to allow people to opt-in for MFA. A few other attendees echoed that MFA should be kept optional because even though it significantly improves your security posture, it can sometimes be detrimental to customer experience.

An IAM leader for a famous streaming service shared that they built most of their IAM solutions in-house during the old days when there weren’t many good third-party systems out there. Today, they face a major build-up-or-buy dilemma: Do they keep improving their in-house solutions to be on par with the market standards? Or do they just buy the more sophisticated solution? Another challenge is that they have developed some increasingly technical security controls into their in-house solution, and asking third parties to replicate those isn’t always possible.  

The motivators to implementing IAM

A solutions engineer of an identity product said that some companies realize the need for an IAM solution after experiencing a cyber-breach. They will do just about anything to prevent incurring the same magnitude of loss ever again, so an IAM solution is the perfect investment for them. Other times, companies are motivated to implement an IAM solution to offer seamless, Omni-channel customer experiences. Since IAM allows for easy and secure authentication, self-service, and MFA, it’s something that customers prefer over dated login mechanisms.  

Cyber-insurance vendors ask companies questions like, “Do you have an identity and access management solution?”, “Are you providing multi-factor authentication,” and “How do you manage risk?” Etc.  

Replacing passwords as the primary authenticator?

A participant posited that replacing passwords with fingerprint or retina scans could help prevent identity theft and/or account takeover. Since it’s easy to steal or misplace a password, but not so much a finger or an eye, however, some speakers raised concerns on the efficacies of such systems by saying that virtually anything can be faked using modern AI algorithms and engines.  

‍