Identity and Access Management (IAM) is bound to be increasingly an integral part of our personal and business lives as the technological and societal landscape continues to rapidly change. Although we can not fully and accurately predict anything beyond the near future, it is likely that technology will continue to change our lives in future years which will require a new approach to identity and access management.

“When considering that users’ inability to protect and manage passwords causes over 90% of cyber attacks, it is evident that our current IAM approach which mostly uses passwords for authentication can not support the security of the future state where many devices will be interconnected” says Henry Bagdasarian, Founder of Identity Management Institute and cybersecurity thought leader.

For example IAM will expand beyond humans, pets, and other living things to include identities of robots and smart devices. Anything that needs to be connected to something for data sharing and automated tasks will be connected to make human lives easier, collaborative, and more productive.

As distributed and interconnected systems increase in numbers, seamless, continuous, and accurate access to all resources with advanced authentication systems such as biometric and artificial intelligence technology will be prevalent. Password will be the thing of the past as user controlled access will be replaced by machine controlled access management. There will be no more passwords to access systems or badges to enter buildings. Smart systems will be able to recognize and greet us using some of our personal and distinct features when we use ATMs, enter stores and restaurants, visit online websites, enter office locations, drive cars, and access business systems.

Identity management and artificial intelligence will revolutionize security beyond people, places, and things that we manage today as increasing number of devices and systems will communicate with and learn from one another without human intervention. For example, household systems which will be a big part of the Internet of Things will communicate with each other to control and manage our lives. Refrigerators will order food items when the inventory goes down, fire detection systems will contact the fire department and other nearby households in case of fire, doctors will be notified when our vital signs show trouble and much more. Almost everything will have an identity which will change today’s definition of identity theft.

Form a business standpoint, distributed and trusted identity concept will be adopted by every object, service, and system.  A person may have multiple identities but still be recognized as the person and the identities of smart things will be linked to persons owning the objects. With the increasing number of highly potent identities, global identity service providers will register identities and maintain identity directories.

Biometric Authentication

Biometric authentication uses a person’s characteristics to identify and authenticate the person. Biometric technology is advancing rapidly and the market for biometric systems is estimated to increase from $10 billion in 2015 to about $40 Billion by 2022 according to various research reports. Artificial Intelligence embedded in the future IAM products will be able to learn about the user for access management and user activities will be analyzed and anomalies will be reported automatically.

The list of biometric authentication options includes:

  • Face recognition,
  • Finger print and geometry although it is easier to copy or steal a finger than other human parts,
  • Hand geometry,
  • Ear geometry by simply pressing it against the phone screen during a phone call. No two ears are alike even on the same person,
  • Eye iris or retina recognition,
  • Gait or behavioral biometric such as keystroke dynamics, mouse use, and walking patterns.
  • Heart rhythm can be used in wristbands and other devices for wireless identification to the computer, cars, house, and in stores for making payments,
  • Butt biometrics can be used to authenticate a user by the way they sit. This technology can be used in cars to start the car and adjust car preferences automatically,
  • Nose can be used to identify a person as it is a distinct human feature although it is often surgically modified and rendered useless for authentication,
  • Vein matching also uses a finger or a palm, but provides a few additional security benefits through vein analysis of only alive persons which makes it difficult to fake,
  • Sniff test although in early stages with 10% failure rate can filter out smells like hand cream or changes in odor caused by diet and disease with an artificial nose to identify a person.

Accuracy and affordability will determine which biometric technology will be the market leader. However regardless of product leadership, with increasing number of interconnected systems and devices, unauthorized parties must be kept out of systems and authorized parties must not be denied access to approved resources. Both scenarios present a big risk to the business whereby one leads to data breach with all sorts of consequences and the other leads to lost productivity and  inefficient operations. These challenges will be addressed by advanced identity and access management solutions which will shape the future of cybersecurity.

Future IAM Skills

Many of today’s identity and access management tasks will be automated whereby the work of access administrators will be handled by machines in which case robots will authorize and grant access to resources.

The rapid changes in technology and huge dump of data by robots will require future identity and access management professionals to have analytical and critical thinking skills to sort out useful data and make sense of all the machine reported  data. The work of identify and access management specialists will be to design the automated tasks performed by robots, override machine decisions, and act upon reported data.

Learn about professional IAM certifications and get certified to prepare your career for the future.

This identity and access management market analysis is made possible by existing research reports and assessments made by Identity Management Institute based on publicly available information which indicate a fast growth in the Identity and Access Management (IAM) segment of information security.

Identity and Access Management Market Analysis

According to a recent study, IAM market is estimated to grow from about USD $10 Billion in 2019 to over $22 Billion by 2024. The identity and access management segments of the study included access provisioning, single sign-on, advanced authentication, audit, compliance, governance, directory services, and password management. The audit, compliance, and governance segment is expected to grow at the highest rate. The adoption of identity & access management solutions in the Asia-Pacific region is expected to grow at the fastest rate due to the significant growth in the industrial sector as well as rising demand for cloud-based solutions from manufacturing and other verticals.

Growth Drivers

Major growth drivers of the IAM market include compliance, process inefficiency and errors, increase in hacking incidents and data breach cases which concern global organizations, and, changes in technology, societal, and operating trends.

Below is a list of drivers that fuel the identity and access management growth:

  1. The identity and access management market growth is primarily driven by the increased demand in security governance, enforcement concerns, distributed systems and workforce, as well as lower quality of security services within organizations. Security policy enforcement challenges arise when  systems, people, and access management practices are distributed requiring single sign-on and federated identity management as well as older systems lacking the proper settings to be configured in accordance with the stated security policies and standards.
  2. Stolen employee access credentials is by far the leading cause of system hacking cases and data breach incidents which will cost businesses about $5 trillion by 2024. In fact, stolen employee password and human error are responsible for around 90% of data breaches according to leading industry and government reports.
  3.  Changes in technology and way of life are forcing organizations to seek identity and access management solutions. Consider the following:
    • The Internet of Things (IoT) will make almost every object connected to the Internet and each other including drones, cars, and household devices to name a few.
    • Bring Your Own Device (BYOD) policies by many organizations which slowly but increasingly allow users to use their personal devices for work purposes making security and privacy a real challenge. For example, device identification and authentication process must be effective and software installed by companies onto their employees’ personal phones or devices which can track non-business related data such as employee location, texts, photos, and almost everything else must follow policies that are well defined, communicated, and enforced.
    • Mobility and remote workforce make authentication and access management a real challenge.
    • Rise of cloud computing and storage due to lowered cost of maintaining a dedicated data center and improved system management present a new set of security risks which include reliance on third parties to maintain controls.
    • Online file sharing and collaboration for increased efficiency and productivity also present new security and privacy risks.
  4. Challenges related to on-boarding and off-boarding such as manual and slow processes for access provisioning and inappropriate approvals in decentralized environments in which system owners decide who can access which resources is also driving identity and access management market growth higher. Delayed access to resources results in lost productivity and potentially revenues, and, delayed removal of departed users from systems creates security risks.
  5. Approving and adjusting user access in accordance with their new job duties as they move across the enterprise is a real challenge to manage in larger organizations. This is another main area where IAM technology can support organizations to manage their security risks. “In the future, more important than technical skills, security professionals must have analytical and critical thinking skills to analyze data reported by security systems” says Henry Bagdasarian. “As the automated IAM systems generate reports and information about system access such as excess user access and privileged accounts, dormant or inactive accounts, system attacks, and active accounts belonging to departed users, security analysts must be able to quickly digest the data, analyze trends, and take swift actions to minimize the risks” he continues.
  6. The acknowledgement that a single-factor authentication is no longer acceptable in the expanding digital world and stronger authentication mechanisms are needed to improve security such as a multi-factor authentication or biometric authentication is another IAM growth driver.
  7. Regulatory compliance is another driver of the IAM market growth as many organizations must comply with a variety of regulations which are sometimes overlapping and can make compliance inefficient. Identity and access management solutions help compliance, measurement, and reporting more efficient as IAM solutions can eliminate redundancy and automate assessments, communication, and reporting.
  8. Fast changing, hostile, and competitive environments often force management to make quick decisions. The deployment of identity and access management solutions allow organizations to quickly identify issues and make decisions for mitigating risks.

Shortage in Cybersecurity Experts

This identity and access management market analysis also considers the global cybersecurity expert shortages and unfilled jobs to be a major risk.

Identity and Access Management certification

Professional Certifications

Identity and access management certifications are gaining popularity due to the growing IAM market and risks. Visit the certification page to learn about the IAM technology, governance, operations, and risk management certifications.

Identity and Access Management market report and predictions for 2021 and beyond.

Identity and Access Management Market Report and Predictions for 2021 and Beyond

After over four years of discussion, the EU’s General Data Protection Regulation (GDPR) was adopted on April 27, 2016 and became effective on May 25, 2018. The GDPR replaces the EU’s Data Protection Directive (95/46 EU) which has served as the main instrument of the EU for almost two decades. GDPR is directly applicable to all EU Member States without the need for implementing national legislation.

This website offers an identity management blog with hundreds of FREE and original  articles which are accessed by thousands of monthly global readers through various access points including an active newsletter called Identity Management Journal, search engine referrals, and our various social media channels. These identity and access management articles discuss the latest threats and related solutions including identity theft, system intrusions and data breach, authentication methods, identity lifecycle management, compliance and much more. Many businesses take advantage of this free service by referring their customers, employees and business partners to this blog in order to reduce their operating costs associated with education, training, and fraud prevention. This is one of the ways that we give back to the community and IAM industry.

The original identity management articles for this progressive and unique identity management blog are written by experts and writers at Identity Management Institute. These identity management articles specifically raise awareness of the risks, and discuss strategies for managing identity and access management risks.

Click below to access the identity management blog and read the latest articles.

Identity Management Blog by Identity Management Institute




The KAGE data protection framework is developed by Identity Management Institute to propose a simple data protection roadmap.

KAGE™ is an information security framework proposed by Henry Bagdasarian, Founder of Identity Management Institute to simplify the information protection risk management process and offer a roadmap that management and security professionals can use to develop a data protection strategy which addresses information protection risks. KAGE simplifies the data security risk management process to effectively protect all business information assets and is incorporated into the Certified in Data Protection (CDP) certification course.

The KAGE security framework is so simple that its unique acronym makes it easy for management to remember the main objectives and steps when building the information security strategy. The KAGE data security framework can be used by companies and their executives responsible for corporate information protection to create and maintain a continuous information risk management and safeguard process. This security framework is necessary to ensure continued protection of business confidential information including personal information of clients and employees.

Information protection directives must always be based on current risks facing the companies and individuals. “It would be naïve and risky to assume that an information protection plan is static and does not have to be updated to reflect the current risk landscape” says Henry Bagdasarian. Many companies make the mistake of developing information security policies without any regard for continuous risk assessments, updates, communication, and monitoring. An information security policy is only effective when it is developed and revised based on current risks and communicated to all employees who must be aware of such policies in order to follow management directives for protecting confidential information.

For an information security program to be effective, there are 4 main focus areas which must be addressed. The KAGE acronym stands for Know, Articulate, Guide, and Enforce. Each area is described below:

KNOW – In order to implement an effective information protection strategy and program, professionals must first identify and know what information they want to protect for their companies. For each company, confidential information types may be different. For example, confidential data may include various trade secrets and employee or consumer personal information. Depending on type, format or amount of information available, management must decide what information is important or rather vital to the success of their business. Each type of business information may provide a varying type and amount of risk to the company. For example, a consumer personal information breach may lead to identity theft, identity fraud, and potential lawsuits. Or, a loss of trade secret or intellectual property may result in loss of competitive advantage and revenue. Therefore, for each organization, management must decide what information is important to their businesses based on the risks that they might present.

Next, management must also decide and know how they intend to protect the information based on internal and external needs or requirements. In order to develop an appropriate information protection strategy, risk assessments are required to identify risks associated with confidential information as well as the required countermeasures to be included in policies, procedures, standards, and guidelines. Risks may be derived from the unnecessary collection and sharing of data, lengthy retention of data, unsecured storage location, inappropriate disposal and handling of information, as well as unauthorized disclosure and edits. Once data protection professionals know what information to protect and how they want to protect them, they formally document their information protection scope and vision through security strategies, policies and standards.

ARTICULATE – Once the relevant data security scope is established, policies and procedures are documented, and responsibilities are defined, the data protection strategy and requirements must be effectively and clearly articulated or communicated to the appropriate staff and other parties to make sure everyone understands how the company intends to protect its information and how others may contribute to achieve the overall data protection goals.

GUIDE – Sometimes, employees have a hard time understanding and interpreting the security requirements and purpose and therefore management must make an effort to guide and help employees to understand what is expected of them to help the company better secure its confidential information. As part of the communication, security guidelines can be provided to help employees implement and follow the strategy and policies. Information security guidelines are meant to provide direction for employees to follow and reach the desired security protection goals. Information security awareness training can also be developed and provided periodically to educate employees, reinforce the requirements, and confirm employees’ understanding of those requirements. Employees who are assigned data protection tasks or can unknowingly introduce risks for the company, must be provided periodic awareness and training to be guided in the right direction and be reminded of their responsibilities and capabilities for helping the company achieve its goals.

ENFORCE – Finally, the information protection program and its underlying polices and procedures must be enforced to be effective. Without monitoring and enforcement, violations may not be detected and management directives may be ignored.

Following the creation and communication of the information protection program and all relevant polices and procedures, management must enforce compliance with its security directives through continuous monitoring. Enforcement and monitoring can be automated in some areas or manual in other areas. The principle goal of enforcement is to ensure employees are following management directives and supporting the strategy for protecting confidential information and keeping the security risk exposure to the minimum at all times.

The KAGE data protection framework is addressed in more detail within the Certified in Data Protection (CDP) certification course. The overall concept and the acronym is created to simplify the data protection process. Click below to visit the Certified in Data Protection page to register and become certified.