March 17, 2026

The Unified Identity Imperative: Breaking the Cycle of Fragmentation

Author : Simon Moffatt

This is the first in a three-part series taking a look at modern conjoined identity and the benefits it can bring to complex hybrid, human and non-human environments.

The costs of identity fragmentation

  1. Rise of the Blind Fortress
  2. Lack of Visibility and Control

The mid-to-large-size organization is facing a growing identity and access management (IAM) crisis due to the critical fragmentation of the key pillars that make up today’s IAM capability set. Changing requirements, legacy technologies, and static operational management often result in the IAM building blocks being entirely isolated from both the business they serve and the orthogonal technologies they need to integrate against and improve. IAM capabilities were often not centralized from the start, with login and access management functionality often embedded natively within databases, mainframe systems, and early web portal platforms. The concept of unification or even federation two decades ago was not seen as a strategic imperative—even if commercial solutions existed and could support such use cases.

Instead, overlapping, competing, and duplicate capabilities emerged, and basic concepts like having a single view of identity data or using a single strong authentication login function were rare. Those early design decisions and concepts have proliferated even with the rise of commercial systems and the pattern of externalizing the key IAM components away from downstream systems and applications. We now see a range of authentication, authorization, governance, and privileged access management systems operating within their own silo. Separate budget holders and operational management teams are creating pockets of both identity data management areas and trust boundaries.

The result is what looks like a strong identity "fortress," but instead has created a plethora of visibility and control blind spots. Identity governance and administration (IGA) platforms have no knowledge of user activity or permissions usage. Strong authentication credential issuance is not linked to the identity verification (IDV) processes that occurred during employee onboarding. The policy enforcement point (PEP) that forms part of the centralized policy management system is not part of the IGA access review process. These are just a few simple examples in which each silo and fiefdom contributes to an incomplete picture of the business and threat landscape—too fragile to change and unable to identify and respond to modern cybersecurity threats.

Asset-centric focus stagnating transformation

  1. Patchwork Operation and Technical Management of IAM
  2. Post Authentication Access Complication

A system- and asset-centric approach is largely to blame for this. Sometimes that was the result of operational boundaries and an organizational and business unit design that focused on specific technical areas and use cases. If you had a “network” team, they were incentivized to manage the network. The “directory services” team had no mandate to improve the servers the directory sat upon, and so on. The end result was a set of monolithic management areas with very little incentive or ability to integrate, either technically or operationally. Productivity fell, and security decisions were often made on a pillar-by-pillar basis. Whilst this did result in incremental risk reduction through the design and implementation of specific controls, those controls focused on a subset of users, applications, or use cases.

A significant and now growing issue is seen in the post-authentication activity of both standard and high-privileged users. Whilst the upfront design of onboarding, initial access provisioning, and credential management has matured, once a user authenticates, the visibility and control plane options reduce significantly. Permissions are rarely removed—merely added to. Sessions can be long-lived with limited ability to alter runtime access and permissioning. Intent analysis that spans applications is rarely achieved, with cyber response mechanisms traditionally reliant on logs and post-incident response.

The end result is a stagnated approach to both business and technical transformation as decision-making tends to be more reactionary and isolated. Strategic movements to concepts like cloud and mobile first, being AI ready, and post-quantum prepared become slower to implement. Competitive agility and employee satisfaction also deteriorate as personalized experiences and the ability to share more and collaborate become more complex.

Moving towards IAM unification

  1. Being Holistic and Access-Centric
  2. From Static to Dynamic Visibility & Management

A more conjoined IAM model is not simply about creating a meta-platform that caters to all use cases in one product. We need to consider how we unify the dataflows between features and capabilities in order to improve assurance across entire suites of use cases. Our consideration needs to be on the entire end-to-end life cycle of the identity, and that needs to cover the B2E workforce as well as non-humans too.


The life cycle has numerous sub-life cycles, such as credential issuance and renewal, as well as access request and contextual permission removal. Each of those processes, when combined and able to integrate with other parts of the identity and access management world, becomes less isolated and more informed from a risk management and threat intelligence point of view. The context that exists across an organizational operating model that covers usage, best practices, values, and decision-making helps the underlying IAM functions operate much more effectively. Permission removal is no longer guesswork when it can be tied to usage analytics or perhaps the context surrounding ticket event closure. The counterpoint is the ability to identify hidden access pathways: seeing accounts that hold access they shouldn’t and, in turn, automatically removing it.
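As an added illustration of the point above (example code, not from the post or any product it describes), the following joins what an IGA platform knows (assigned entitlements and the role model) with runtime usage analytics, so that removal candidates are evidence-based: entitlements unused beyond a staleness window, and "hidden" entitlements held outside the role model. All users, permission names and log lines are constructed sample data.

```python
"""Added example: evidence-based permission review by joining IGA assignment
data with runtime usage analytics. All data below is constructed."""
from datetime import datetime, timedelta

# What the IGA platform knows: entitlements currently assigned to each account.
ASSIGNED = {
    "alice": {"crm:read", "crm:export", "finance:approve"},
    "bob":   {"crm:read", "hr:admin"},
}
# The role model: entitlements each account is expected to hold via its role.
ROLE_ENTITLEMENTS = {
    "alice": {"crm:read", "crm:export"},
    "bob":   {"crm:read"},
}
# What the runtime side knows: usage events, "<iso-timestamp> <user> <permission>".
USAGE_LOG = [
    "2026-03-01T09:12:00 alice crm:read",
    "2026-03-10T11:40:00 alice crm:read",
    "2026-02-01T08:00:00 alice crm:export",
    "2026-03-12T15:05:00 bob crm:read",
]

def parse_usage(lines):
    """Reduce raw usage events to the last time each (user, permission) was used."""
    last_used = {}
    for line in lines:
        ts, user, perm = line.split()
        when = datetime.fromisoformat(ts)
        if (user, perm) not in last_used or when > last_used[(user, perm)]:
            last_used[(user, perm)] = when
    return last_used

def review(assigned, role_entitlements, usage_lines, now, stale_days=30):
    """Return (stale, hidden) as sorted (user, permission) lists.
    hidden: assigned but outside the role model (a hidden access pathway).
    stale:  in the role model but unused for more than stale_days."""
    last_used = parse_usage(usage_lines)
    cutoff = datetime.fromisoformat(now) - timedelta(days=stale_days)
    stale, hidden = [], []
    for user, perms in assigned.items():
        for perm in sorted(perms):
            if perm not in role_entitlements.get(user, set()):
                hidden.append((user, perm))
            elif last_used.get((user, perm), datetime.min) < cutoff:
                stale.append((user, perm))
    return stale, hidden

if __name__ == "__main__":
    stale, hidden = review(ASSIGNED, ROLE_ENTITLEMENTS, USAGE_LOG, "2026-03-17T00:00:00")
    print("remove (unused):", stale)
    print("remove (outside role model):", hidden)
```

In a real deployment the two inputs would come from the IGA export and the access-log pipeline respectively, and the output would feed an access review or an automated revocation workflow rather than a print statement.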


A conjoining of identity data flows not only supports a more informed way of making IAM-related risk decisions, but also aligns with a more timeline-based approach to identity. Identity never operates in a vacuum and is in a constant state of flux. That flux should align consistently with both business and security objectives for maximum effectiveness, yet rarely does. Designing with unified data pipelines as the conceptual framework, and then overlaying both data and runtime analytics, supports a more flexible and continuous approach to authentication and activity as well as to access and provisioning. We can essentially move from system-centric to access-centric in nature.

Benefits it brings

  1. Support for hybrid landscape
  2. Agile and Future-Proofed

That “flux” is an ever-present and natural part of a strong and growing organizational structure. Organizations that can adapt to change, competitive pressures, and the constraints they have to operate under are typically the most successful. Delivering a more conjoined and responsive IAM transformation allows the business to achieve its core aims. There are likely multiple innovation gaps within most organizations too. Cloud adoption, AI adoption, and data sharing are all on huge trajectories for continual growth, yet the underlying IAM and security innovation pipelines (when focused on isolated pillars of development) often lag behind. A clear example is that cloud adoption journey. Over the past decade organizations have embraced the cloud in numerous ways, from specific departmental applications delivered as software as a service (SaaS) to entire technology outsourcing to cloud service providers (CSP) and global platform as a service players. Whilst delivering operational and productivity improvements, the net result from an IAM point of view is a set of disjointed user experiences, control planes, and configuration avenues, a lack of visibility, and an inability to centralize the cyber incident response process.

The hybrid landscape is here to stay, with the continued need for on-premises and private cloud containerization, often on local virtualization technologies. IAM also needs to sit as close to the integrated applications as possible, and many of those, for compliance reasons, are not cloud-deployed. To that end, a more access-centric, identity-journey point of view is a much more strategic approach to broader access governance that covers both the hybrid landscape and the increasing variety of identity types that now need support within that hybrid world. Non-human and agentic identity requirements are on the rise and require the same visibility, control, and governance capabilities as people-centric models.

A movement to a more preventative and continuous approach to identity can deliver both security and productivity benefits, as well as support more emergent identity use cases for agentic AI, such as just-in-time access that supports optimization as well as the ephemerality of credentials.

About the author

Simon Moffatt has over 25 years of experience in IAM, cyber, and identity security. He is the founder of The Cyber Hut, a specialist research and advisory firm based out of the UK. He is the author of CIAM Design Fundamentals and IAM at 2035: A Future Guide to Identity Security. He is a Fellow of the Chartered Institute of Information Security, a regular keynote speaker, and a strategic advisor to entities in the public and private sectors.
