It’s not individual products, but the approach that needs fixing
I’ve been in many conversations where customers of existing access management products - whether they deal with workforce access, privileged access, governance or compliance - express their frustration with the products. There are, of course, grades in how much dislike is expressed, but it’s a theme. This stands out in contrast to single sign-on or MFA products, which are generally well-liked by customers for their seamless and consistent delivery that leaves them feeling manageable and not time-consuming.
My colleague, a former employee of a different security technology company, told me “I was once cat-called in an airport because of the logo on my backpack and someone’s love for our product!”
The lesson here is that access management products should be business enablers and accelerators that give back time to customers, with the potential to be loved like MFA or SSO products. So what is impeding the enthusiasm for access management or authorization, PAM, IGA and other identity tools?
When you get into the details of recent identity technology product announcements, various features or integrations come up, and in general these products seem to be aiming to reduce solution complexity. Yet if you look into how these new features are built, a pattern emerges: they rely on the same relatively static, legacy models, such as RBAC, to address what are clearly dynamic access requirements that require continuous updates.
Modern access management needs to operate at the speed of a modern enterprise, which really means the technology should be built on a foundation of dynamic, automated controls for how individual access decisions are made.
This is not to say that RBAC doesn’t work or should be thrown out - it is highly effective in providing birthright access, or the general access and systems you indisputably need. But conventional controls associated with RBAC and ABAC are not expressive enough to deal with the complexity and dynamism many systems or access management scenarios require.
Despite this, RBAC is used like a hammer to strike every access management problem with, like:
Even in the most sophisticated ABAC deployments, policies need to be managed and enforced in a number of places in every application that uses it. In addition, one also needs to manage the data sources for the attributes. As a result, managing ABAC can feel like trying to use 5 RBAC hammers at once!
Both these approaches are flawed because of the limitations of the models, their dependence on manual processes, static data, and insufficient centralization leading to additional policy work in apps or other tools to control more granular access.
The challenges identity teams face are steep: protect growing, fragmented identity perimeters; juggle cloud and on-prem environments; manage access across hundreds or thousands of applications; and manage an enormous user population. These challenges cannot be met by new products that follow the same models that have been disliked by teams for over a decade, even if they have fancier user interfaces. What really needs to change is the underlying approach to how identity technology solves access management.
Any new approach to address modern access management challenges must:
SGNL was born out of frustration with the status quo, and the inability of the industry to provide more than incremental solutions. Our continuous access management approach has all of the desirable qualities described above.
To see these attributes in action, request a demo!