From IDM to IAM to ITDR

A history of Identity and Access Management


Identity and Access Management (IAM) has evolved to become a critical component of any organization’s security strategy. It manages users’ access to applications, data, and other resources. IAM solutions provide organizations with tools for managing user identities, authentication, authorization, roles, and privileges across multiple systems. In addition to providing secure access control through single sign-on (SSO), IAM also enables organizations to monitor user activity to detect suspicious behavior or potential threats. Companies can ensure that only authorized personnel can access their sensitive information by leveraging powerful identity management technologies such as multi-factor authentication (MFA), biometrics, and privileged access management (PAM).

But this wasn't always the case; the IAM market has come a long way in the last two decades. Identity Management (IM) has a long and varied history, with its roots stretching back to the early days of computing. As organizations began using computers for more than just data processing, they started looking for ways to control access to their systems and protect sensitive information. This led to the development of IM solutions that would provide users with secure access through authentication methods such as passwords or tokens.

The first IM solutions were limited in scope and did not address other important aspects, such as authorization or user roles. Access Management (AM) was introduced to address this limitation, providing additional controls over who had access to which resources on a system. AM also enabled administrators to assign different levels of permissions and privileges based on user roles within an organization. With the emergence of web-based applications, Single Sign-On (SSO) became popular, allowing users to authenticate once for multiple services without remembering multiple passwords.

As applications grew in number, so did the users who needed to access them. Even more pressing were the functions those applications represented. Organizations needed to keep accurate track of which users had access to which applications. But it wasn't until the introduction of regulations such as Sarbanes-Oxley that the IAM industry was pushed into its next phase of evolution: the creation of the Identity Governance and Administration (IGA) market, driven by the need for organizations to better manage their user identities and access controls and to provide auditable proof that controls were in place to restrict users from having too much access. Identity starts to become a rising topic among executives, and organizations begin to raise their investment in technologies to help them manage it.

IAM was now a growing collection of technologies and use cases organizations had to have. However, this wasn't an easy or cheap problem to solve. IAM was scattered into separate but related categories:

Identity Management

Access Management

Privileged Access Management

Identity Governance and Administration

Each of these areas represents an important set of use cases that organizations need to solve; all of them together represent a complete IAM architecture. Organizations begin to pour millions into not only the purchase of these technologies but also their implementation. At this point, organizations are still deploying these applications on-premises, as the cloud is still known as the fluffy white things in the sky that take funny shapes. But of course, as we know, that would change.

Two technological changes would push the IAM market into its next phase: cloud computing and API-driven application development. Combined, these two advancements would increase the number of applications within an organization, which in turn increases the number of identities for an organization to manage. Additionally, sharing data across applications created an environment in which access to applications was indirectly tied to data access, increasing the need to control which users can access which application and which data.

With this, we also see the rise of standardization within the IAM space. Industry standards such as OAuth, OIDC, SCIM, and SAML created an integration pathway for the disparate IAM technologies, bringing us to where we are today.

IAM platforms sit on a treasure trove of data, rich with context about users and what they have access to. As security teams face an uphill battle to protect sensitive information, privileged accounts, and data, the IAM industry looks to become more security-like in its approach. We see the rise of concepts like Identity Threat Detection and Response (ITDR), a security-like approach to protecting identities and the IAM platforms within an organization. Although I would say it goes further than that, ITDR is the first wave of IAM becoming a central part of the security landscape in the effort to protect an organization's systems and data. That means detecting threats against identities by combining context from identity platforms and security platforms, and responding to those threats by orchestrating actions in both IAM and security platforms.

We are also seeing a consolidation of these technologies into one platform. IGA, AM, IM, and PAM tools are combined into integrated platforms that give organizations one place to manage all use cases. Meanwhile, off on the horizon, shimmering silhouettes can be seen approaching us. The onset of concepts like decentralized identity and verified credentials brings with it the next evolution of how we manage identity. Their mere existence forces us to question assumptions we made decades ago and presents opportunities to drastically change how we interact with identity data.

Exciting times ahead
