Businesses, enterprises and organizations need the expertise of identity management consultants to address the increasing challenges posed by the rapid pace of technological change. As internet of things (IoT) technology, artificial intelligence (AI) and machine learning (ML) play bigger roles in networks across industries and more services migrate to the cloud, security needs are expanding beyond the capabilities of onsite IT resources. 

Identity management consultants can offer much-needed insight and assistance by assessing risks, developing solutions and implementing better systems for identity creation, user management and access control. The job covers a range of important duties and requires a combination of education and experience to address the unique needs of businesses in a variety of industries. 

Identity Management Job Overview

Identity management consulting incorporates a wide range of duties to provide optimal security through proper access control. 

Audits and Assessments 
Access and security audits are key in identifying vulnerabilities within existing systems. It’s the job of an IAM professional to conduct these audits along with threat and risk level assessments. 

Identifying Risks and Mitigating Threats 
The best solutions are built to the specifications of individual businesses and organizations. IAM specialists understand the complexities of modern systems and work to identify potential risks unique to each situation. Using this information, they deliver appropriate solutions to prevent as many threats as possible. 

Conducting Research, Analyzing Data and Creating Reports 
Auditing and risk management both require detailed technical research and understanding of the resulting data. Many businesses lack the resources and expertise required for proper analysis and need a third party to condense the findings into accessible reports from which suitable solutions can be built. 

Choosing Appropriate Types of Access Control 
Existing systems may be operating with outdated access control protocols and require modernization to strengthen security. An identity consultant understands the difference between rule-based and role-based access control and chooses the most appropriate option to maintain a “least privilege” level of access for all users. 

Designing, Configuring and Implementing IAM Solutions 
Complex systems require robust identity and access solutions, and IAM consultants may find it necessary to incorporate a wide range of tools to create an appropriate protocol, including: 

• Onboarding and offboarding 
• User provisioning and deprovisioning 
• Modern access management options, such as single sign-on (SSO), federated identities, multi-factor authentication (MFA) and privileged account management 

This requires working with one or more of the current identity and access solutions used by modern businesses and collaborating with other professionals to reach a successful outcome. A typical team may include consultants, analysts, programmers and other IT professionals. 

Ongoing Support 
Once new protocols are in place, identity management consultants stay on board to guide companies through the early days of implementation and provide additional support, ensuring all procedures are properly followed. 

Identity Management Job Titles

Identity management consulting is often a full-time job and demands varying levels of expertise. Lower-level positions may be listed with titles like: 

• Identity and access management consultant 
• Cyber identity and access management consultant 
• IAM technical consultant 
• IAM analyst 
• IAM engineer 
• IAM solution engineer 

It’s common for these positions to require less experience and education and include identity management duties such as managing networks, applications and users. High-level positions include: 

• Cloud security specialist 
• IAM experienced consultant 
• IAM senior consultant 
• IAM specialist 
• IAM technical specialist 

Because these jobs involve creating, implementing and overseeing complete identity management systems designed to meet specific security needs and also involve complex compliance standards, additional higher education is necessary. Some employers require identity and access management certifications and numerous years of experience working with relevant protocols, software and systems. 

Importance of the Identity and Access Management Role

Statistics show the critical need for more comprehensive IAM solutions across industries:

• Only 7 percent of businesses have “good visibility of all critical data” 
• Only 20 percent of businesses maintain complete visibility of all users 
• 77 percent of IT professionals say their organizations lack solid cybersecurity incident response plans 
• 56 percent of IT professionals cite targeted phishing as the biggest threat to network security 

Add to this a growing number of users, increased device diversity and the need for many companies to onboard either temporary employees or third-party vendors, and risk levels skyrocket. More endpoints being introduced into networks create more areas of potential vulnerability, leaving IT departments to face challenges for which they’re not prepared. 

The consequences of poor identity management and other weak security practices can be staggering: 

• The average cost of a data breach in 2018 was $3.86 million 
• “Mega” breaches, in which 1 million to 50 million records are involved, can cost between $40 and $350 million 

Eighty percent of breaches involve privileged credentials, which highlights the importance of defining proper access levels, determining the appropriate scope of access for each user and maintaining boundaries across systems. Improving identity management procedures is a key component of risk reduction, and IAM consultants can provide the services businesses and organizations require to relieve their IT departments and maximize the use of existing IT resources. 

Many companies are still fighting to get a handle on the data they receive, transmit and store, especially as cloud migration becomes more common. Identity management makes both onsite and cloud network environments safer for employees and customers by providing solutions for creating, protecting and managing identities in ways designed to prevent unauthorized access. 

New access management solutions and sign-in protocols are making it harder for hackers to steal, guess or fake credentials. However, it’s still common for businesses and organizations to use outdated identification and authentication methods with loopholes even amateur hackers can exploit. Because 75 percent of breaches are the result of external threats, it’s essential to close these loopholes. 

Profile of an Identity Management Consultant

Ideal candidates for identity management consultant positions are self-driven and not afraid to take the initiative. The job requires strong leadership and management skills, a commitment to hard work, the ability to juggle diverse projects and good problem-solving and troubleshooting capabilities.

Companies frequently list the following educational and technical requirements that IAM consultants must demonstrate in their identity and access management resumes: 

• Bachelor’s or master’s degree in information technology, cybersecurity, computer science, information systems security or a related field 
• One or more IAM certifications 
• One or more years of IT consulting experience 
• Two or more years of experience implementing key elements of IAM protocols 
• Knowledge of IAM software and systems, such as Oracle, SailPoint, CA Identity Suite or IBM’s security solutions 
• Proficiency in word processing, presentation and reporting software, cloud systems, HTTPS, XML and/or Java 

Additional experience with specific aspects of identity management may also be required depending on the level of the position. Other critical skills include: 

• A solid understanding of IAM concepts and systems 
• Knowledge of key IAM standards 
• The ability to work with a variety of identity, access and privileged account management solutions 
• Aptitude in technical research and the willingness to perform necessary research 
• Ability to work with others to create, implement and teach new protocols 
• Knowledge of current compliance regulations and the solutions necessary to meet them 

Ongoing training is often an integral part of a career in identity management. Companies also prefer candidates with customer-oriented mindsets and the desire to fulfill the specific needs of clients. 

Where to Find Identity Management Jobs

The same technologies creating the high demand for IAM specialists also make it possible to perform many consulting duties remotely. Employers are increasingly offering this option, but most positions appear to involve at least some amount of travel to onsite locations. 

Companies across industries are facing similar network security challenges requiring input and guidance from consultants in the IAM field. Individuals with the proper qualifications can find positions with: 

• Educational institutions, especially colleges and universities 
• Enterprise-level companies seeking help to establish essential protocols 
• Financial institutions 
• Healthcare providers and networks 
• IT consulting firms 
• Providers of IAM products 
• Security product and service providers 
• Small- and medium-sized businesses setting up or expanding their networks 

Salaries in the field are generous and range from around $43,000 to over $123,000 per year. According to PayScale, the average annual salary for identity management consultants is just over $76,000; Glassdoor reports a higher average of $100,408. Depending on the identity management job position, responsibilities and company structure, additional income may be available in the form of commissions and bonuses. 

Challenges for Today’s Identity Management Professionals 

Identity management consultants address the challenges faced by companies in diverse industries as they seek to improve security protocols and incorporate more stringent rules for access control. Trends in technology necessitate the retirement of outdated login and authentication methods, such as single-factor or password-based logins, in favor of options incorporating factors recognized as more reliable. Protecting login credentials from theft and compromise could prevent the majority of breaches. 

To minimize the potential extent of breaches should they occur, IAM specialists must address other common challenges: 

• The accumulation of access rights beyond those needed to successfully perform a job or role 
• Lack of regulation for device access, especially in companies with BYOD policies 
• User access via unsecured connections, such as Wi-Fi hotspots 
• Increasing numbers of remote workers using devices with varying levels of security 
• The need to assign unique identities to devices and applications for smoother workflows 
• Proper user provisioning and deprovisioning 
• The need to bridge the gap between applications with different authentication protocols or security standards 

The introduction of new IoT technologies and the incorporation of the blockchain into IAM protocols will create greater complexity within systems in the future, and compliance standards are likely to continue to adapt in response. Companies are already struggling to meet existing standards, including GDPR, and face significant penalties if they fail. It’s the job of IAM consultants to provide help navigating these changes and ensure all protocols meet the required standards. 

Even as security measures improve, hackers are adapting their strategies to get around new solutions. IT professionals report an increase in targeted attacks on individuals, such as spear phishing, in an attempt to steal privileged credentials and therefore gain deeper access into networks. Companies must be prepared with the latest access management tools and the knowledge required to identify and prevent potential cyberattacks. 

Providing identity management consulting services is a demanding undertaking but opens the door to a lucrative field with many opportunities for growth. Qualified individuals enjoy good job prospects across industries. Although the position requires a significant amount of education, knowledge and experience, compensation is often generous. Those who are willing to continue learning to stay abreast of changes in regulations and standards can enjoy a dynamic work environment in which new innovations bring new challenges in need of creative solutions. 

Identity and access management certifications

The rising adoption of identity federation among businesses brings federated identity management challenges, even though federation can have particular benefits at the enterprise level. By creating one central identity to access all network applications, companies simplify workflows and remove barriers to productivity. However, a unique set of security challenges must be met when using federated identity technologies. 

Security Concerns of Identity Federation by Identity Management Institute

Why Federated Identities? 

With 83 percent of enterprise workloads expected to be handled by public, private and hybrid cloud environments by 2020, the adoption of more efficient sign-on methods is critical. The extensive number of applications, projects and use cases at the enterprise level can’t be managed adequately using a system in which employees must sign in with a different set of credentials each time they move between platforms. Doing so creates several problems: 

• Each login is a point of vulnerability 
• Repeated logins reduce productivity 
• The login process creates distractions and undermines efficiency 

A federated identity makes it possible for users to sign in to any application within the “federation” using the credentials from a single application. This centralized identity forms the basis of single sign-on and is independent of platforms and technologies. By using federation, an enterprise can integrate multiple applications into a single system without the need to create a custom authentication protocol. 

Security Concerns in Federated Identity Management Challenges

Switching to federated identities as an alternative to outdated authentication methods isn’t without its risks. Most companies adopting federation only do so for a handful of applications and find it difficult to build a network in which all programs can be accessed using a single identity. This makes some areas of the network subject to common security risks, including breaches caused by the use of weak passwords. Complicating the matter is the lack of federated identity management plans in many businesses. The rapid spread of technology has left enterprises without the capabilities to implement the level of management necessary to ensure security across the board. 

For federated identities to work, user information must be shared with the third party entrusted with authentication. The nature of this information and how it’s shared, processed, stored and protected has an impact on the safety and privacy of users. Not all providers within a federation conform to the same security standards, and the use of multiple providers creates additional points of vulnerability. Enterprises must understand the security protocols and compliance measures used by third-party providers before committing to any partnerships. 

Insider threats and identity theft, two common and troubling security concerns for modern enterprises, remain problematic even with the use of a federated system. Companies need to be completely certain of the trustworthiness of users in the network and have authentication protocols designed to ensure each user is who he or she claims to be. Employee education is necessary to minimize the risk of human error, because a single compromised set of federated credentials can grant hackers access to multiple applications and allow a breach to spread rapidly across a network. 

Improper provisioning leading to privilege creep can also leave the door open for devastating breaches. A user’s federated identity should allow only the level of access required for his or her job, and any temporary access necessary for short-term projects should be revoked as soon as it’s no longer needed. Automated solutions for granting and revoking access are becoming more common as enterprises seek to improve network security and reduce the risk of data loss or theft. 

Creating a Reliable Federation Strategy

Despite its potential drawbacks, the use of federated identities has significant advantages for enterprise-level businesses. Unifying diverse applications to eliminate bottlenecks and silos creates a smoother user experience and empowers employees to work efficiently. 

To address the security concerns of federated identity management and leverage the associated benefits: 

• Focus on applications designed for federation 
• Determine the standards required to maintain interoperability
• Establish strong security standards for proprietary and third-party applications 
• Seek a provider with minimal data sharing requirements 
• Ensure the provider is in compliance with relevant regulations 
• Automate user provisioning 
• Perform routine identity audits 
• Remove dead, abandoned or orphaned accounts 

Enterprises relying on applications with which federated identities can’t be used should consider if the same functionality can be achieved with newer applications or if the existing application can be updated for integration into a federated system. Critical programs lacking the functionality for federation require additional considerations to ensure security. 

As identity federation becomes more common, the resulting partnerships between providers and businesses are likely to drive the establishment of tighter security policies across the board. Recent changes in regulations governing data privacy require diligence on the part of all parties involved in the creation and management of federated identities, so businesses desiring to enjoy the benefits of this modern authentication method must understand the risks and take steps to mitigate as many as possible.

Privilege or access creep poses a threat to security in all networks but can be a particular problem in larger companies, where many employees share enterprise resources and inappropriate access levels often go unnoticed for a long period of time, potentially leading to devastating breaches.

Understanding Access Creep

Privilege creep occurs when employees accumulate more access rights than are required to perform the tasks associated with their positions. Also called access creep, the process occurs gradually over time and is often the result of: 

• Failure to revoke temporary access granted for special projects 
• Updated job duties or requirements 
• Promotions or changes in position within the company 

In all these cases, employees may retain access to data, applications and resources unrelated to their duties, thereby putting the system at risk in a number of ways. The most notable of these risks include: 

• Increased potential for insider threats resulting from the use of excessive access for personal gain or retaliation by disgruntled or dissatisfied employees 
• Hackers’ ability to infiltrate higher levels of the network using a single set of stolen credentials 

Accumulation of unnecessary privileges also poses a threat to compliance, especially in enterprise environments handling highly sensitive data, such as Social Security Numbers or health records. Failing to maintain compliance with privacy laws and regulations or suffering a breach in which large amounts of data are lost or compromised can have severe financial and reputational consequences.

Excessive Access in Privileged Accounts

Some users within enterprise systems, such as administrators and managers, require access to sensitive data or resources to do their jobs efficiently. Services and applications may also need a higher level of access to ensure workflows proceed without interruption and communication across the network is maintained. Alarmingly, the 2016 Verizon Data Breach Investigations Report revealed 53 percent of breaches result from the misuse of credentials associated with privileged access. It’s not uncommon to find credentials for sale on the Dark Web, and a hacker needs to purchase only one set to undermine the integrity of an entire enterprise system.

In many cases, users make it easy for hackers to obtain login information and access networks without buying credentials. About 80 percent of access breaches in enterprises result from weak or stolen privileged account credentials, and once hackers hijack these accounts, it can be difficult to determine the true extent of a breach. Privilege creep exacerbates the problem by extending hackers’ access deeper into the network. It can take IT professionals a considerable amount of time to sort through access information, pinpoint the cause of the breach and implement countermeasures to restore network security. 

Smart Strategies to Maintain Appropriate Access Levels

Proper identity and access management strategies can prevent privilege creep and reduce the risk of associated data breaches. Enterprises must focus on following best practices to establish and maintain strong identity governance policies.

Least Privilege

The principle of least privilege provides a baseline for managing all user accounts. By granting each user the lowest level of access necessary to fulfill his or her role within the company, enterprises can ensure smooth workflows while preventing unauthorized access across the network. Enterprises should also consider implementing role-based access in lieu of user-based methods to assign access levels based on the tasks a user must complete rather than associating privileged access with individual accounts.

Reduce the risk of access creep with periodic access audit and certification.

Auditing and Recertification

Routine access audits clarify access needs for enterprise users and pinpoint areas of weakness, including abandoned or orphaned accounts. Removing these accounts eliminates points of weakness hackers could otherwise exploit. Periodic recertification subjects active user accounts to scrutiny to determine if current access levels are appropriate or need to be adjusted. These processes are an essential part of access management and could benefit the 52 percent of enterprises unable to account for all privileged credentials within their networks. Clear policies for managing temporary access and processing changes in employee roles within the enterprise reduce the risk of access privileges extending beyond what’s appropriate. Identity Management Institute members include experts in access audit and certification.
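The audit and recertification pass described above, and the orphaned-account and temporary-access cleanup recommended in the federation section, can be sketched as a short script. This is an added example, not part of the original article or any Identity Management Institute tooling; the role names, entitlement strings, account records and the 90-day dormancy threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed role baseline: the least-privilege entitlement set for each role.
ROLE_BASELINE = {
    "accountant": {"erp:read", "erp:post-journal"},
    "hr-analyst": {"hris:read"},
    "sysadmin": {"erp:read", "hris:read", "servers:admin"},
}


@dataclass
class Account:
    user: str
    role: Optional[str]          # current role per HR; None means no HR record
    entitlements: set
    last_login: date
    temp_grants: dict = field(default_factory=dict)  # entitlement -> expiry date


def audit(accounts, today, dormant_days=90):
    """Return (user, finding, detail) tuples to feed a recertification review."""
    findings = []
    for acct in accounts:
        # Orphaned: the account exists but nobody in HR owns it.
        if acct.role is None:
            findings.append((acct.user, "orphaned", "no HR record"))
            continue
        baseline = ROLE_BASELINE.get(acct.role)
        if baseline is None:
            findings.append((acct.user, "unknown-role", acct.role))
            continue
        # Temporary access that outlived its expiry but was never revoked.
        expired = {e for e, exp in acct.temp_grants.items()
                   if exp < today and e in acct.entitlements}
        active_temp = {e for e, exp in acct.temp_grants.items() if exp >= today}
        for ent in sorted(expired):
            findings.append((acct.user, "expired-temp", ent))
        # Privilege creep: anything beyond the role baseline that is not
        # covered by a still-valid temporary grant.
        excess = acct.entitlements - baseline - active_temp - expired
        for ent in sorted(excess):
            findings.append((acct.user, "excess", ent))
        # Dormant accounts are candidates for disabling before removal.
        idle = (today - acct.last_login).days
        if idle > dormant_days:
            findings.append((acct.user, "dormant",
                             f"{idle} days since last login"))
    return findings


# Constructed sample accounts illustrating each finding type.
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    # Moved from HR to accounting and kept the old HR entitlement.
    Account("alice", "accountant",
            {"erp:read", "erp:post-journal", "hris:read"}, date(2024, 5, 28)),
    # Project access expired in March but was never removed.
    Account("bob", "hr-analyst", {"hris:read", "erp:read"},
            date(2024, 5, 30), {"erp:read": date(2024, 3, 31)}),
    # Privileged account that has not been used for months.
    Account("carol", "sysadmin",
            {"erp:read", "hris:read", "servers:admin"}, date(2024, 1, 10)),
    # Service account with no owner on the HR roster.
    Account("svc-legacy", None, {"servers:admin"}, date(2023, 11, 2)),
    # Temporary admin access that is still within its approved window.
    Account("dave", "accountant",
            {"erp:read", "erp:post-journal", "servers:admin"},
            date(2024, 5, 31), {"servers:admin": date(2024, 6, 30)}),
]

if __name__ == "__main__":
    for user, finding, detail in audit(ACCOUNTS, TODAY):
        print(f"{user:12} {finding:13} {detail}")
```

Each finding is a candidate for revocation or for explicit re-approval by the account owner's manager, which is the recertification step.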

Modernizing Access 

Many enterprises continue to rely on passwords and other outdated authentication methods, and a surprising 54 percent use paper or Excel spreadsheets to store details about access credentials. In situations where the use of passwords remains necessary, credentials must be managed in a secure centralized location to prevent loss or compromise. Switching to multi-factor authentication relying on stronger methods, such as the use of hard tokens, one-time PINs and geofencing, makes it more difficult for hackers to penetrate deep into networks. 

Preventing privilege creep at the enterprise level starts with clarity regarding access needs throughout the company and the establishment of sound access management strategies. With the use of intelligent identity management tools and strong authentication methods, it’s possible to manage employee access to reduce the risk of internal and external breaches resulting from the misuse or compromise of privileged credentials.
