ICAM applies the concept of 'Zero Trust'
With the spread of cloud, remote work, and working from home, Zero Trust is emerging as a new trend. Zero Trust is a philosophy that doubts every access attempt, verifies and monitors it, and allows only correct behavior.
Zero Trust is popular because existing security systems cannot support environments in which employees and devices connect from outside the corporate network, using many different devices and networks. IAM (Identity and Access Management) is developing in line with access control policies that apply Zero Trust, and it is now evolving into ICAM (Identity, Credential, and Access Management), which also incorporates credential management.
The right user access, the right resources at the right time.
"Identity and access management (IAM) is the discipline that enables the right individuals to access the right resources at the right times for the right reasons," says Gartner.
Zero Trust-based IAM is the next level of IAM. It centrally controls user accounts and access rights, minimizing the information that users have to manage themselves. In addition, it does not rely on the user's “good will”: it minimizes the scope of what the user manages by issuing, revising, and revoking the credentials of authorized users according to policy.
This next-generation IAM applies a minimum privilege (least-privilege) policy to restrict the services that can be accessed with a user's privileges, so an attacker who has stolen an account's privileges is blocked from using them to access other services. It can centrally and systematically control all user accounts and access, even in decentralized environments such as cloud, remote work, and working from home, and it can meet complex compliance requirements such as privacy laws, GDPR, and HIPAA.
According to a Markets & Markets report, the global IAM market size is projected to grow from USD 12.3 billion in 2020 to USD 24.1 billion by 2025, at a Compound Annual Growth Rate (CAGR) of 14.5% during the forecast period. Increasing venture capital funding and growing investment in IAM technology are expected to drive market growth.
Identity fraud amplifies the need for Zero Trust.
The most important factor driving the growth of IAM is the loss caused by identity fraud. By using the accounts of legitimate users, attackers easily neutralize systems meant to detect abnormal log-in attempts.
Sam Cook, data journalist, privacy advocate and cord-cutting expert, said that around 10% of Americans have been a victim of identity fraud, 21% of whom have been victimized more than once. He also emphasised that those numbers indicate that if you live in the US, you have likely been a victim of ID theft or known someone who has (whether they’ve admitted to it or not).
Identity information is called a "credential"; passwords, certificates, public/private key pairs, and biometric information are widely used as credentials. Recently, credentials have also come to cover non-person entities (NPEs) such as IoT devices, RPAs, and applications. Credential protection solutions are now being integrated into IAM, which is evolving into ICAM.
Zero Trust is also being applied to credential management. In general, credentials are encrypted and protected, but passwords used as encryption keys are not secure because they are easily stolen. Passwordless authentication, which is managed centrally and eliminates the passwords that users remember and enter, has been proposed to strengthen account security.
swIDch's one-time authentication code (OTAC) further enhances account security through a random authentication code generated by the device, even in a networkless environment. Even if an attacker steals credentials, a credential generated by OTAC cannot be reused, so damage caused by a credential fraud attack can be prevented. OTAC is used to build strong cyber security infrastructure for smart cities and smart factories, e-commerce and payment, drones and IoT, as well as corporate ICAM.