Hybrid IAM: Securing Asia’s distributed IT future

Recent trends in the digital economy have accelerated the transition to a distributed IT infrastructure. In response to these changes and the increasing demands of an interconnected world, there has been a shift in how IT systems are managed, moving from a centralised hub to a decentralised model.

One of the major drivers behind this shift is an ongoing global transition towards hybrid work that has been accelerated by the pandemic. This has solidified a distributed workforce as part of the new economic reality. In addition, the rise of bring-your-own-device (BYOD) policies and growing adoption of the Internet of Things (IoT) have led to a significant increase in devices connecting to enterprise networks. This trend is set to continue in Asia-Pacific, where IoT spending is estimated to reach US$435 billion by 2027, according to IDC.

Distributed IT infrastructure has become a cornerstone of digital-first markets, particularly in rapidly digitising regions like Southeast Asia. In economies like Malaysia, a majority of IT leaders are adopting a multi-cloud approach to support business needs. A distributed model consists of multiple cloud and on-premises environments working alongside legacy systems, which may still be essential to run critical workflows. This approach enables enterprises to benefit from a combination of systems while reducing risks related to single-vendor reliance.

However, these competitive advantages could come at the cost of increased cybersecurity risk if the proper safeguards are not implemented.

The growing case for identity and access management

An enterprise’s risk posture is today reliant on the ability of its cybersecurity team to accurately verify the identity of a user or device seeking access to the network, and then apply controls to ensure the right level of access to applications and resources. These capabilities are grounded in effective use of identity and access management (IAM) technologies, making them the foundation of modern enterprise cybersecurity.

Where traditional cybersecurity focused solely on perimeter protection, optimising security within a distributed work dynamic requires a vastly different approach. Working across varied, typically disjointed systems can create data and identity silos that impact an enterprise’s ability to effectively monitor user access or suspicious activity across the network. After all, security teams can’t protect what they can’t see.

In a volatile threat landscape, lapses can lead to data and network breaches that often result in significant financial losses and damage to brand reputation for enterprises. Multiple disjointed systems also hinder the flow of data throughout the enterprise, affecting the ability to provide seamless user experiences, innovate, and adapt to rapidly changing market conditions.

While IAM can help bridge disparate platforms and eliminate siloed systems and identities, it is vital to recognise that not all IAM solutions are created equal.

Securing distributed IT environments with hybrid IAM

The first step towards maximising cybersecurity in modern connected enterprises is to understand the differences between the various IAM architectures available today and select the best solution for distributed IT environments.

Legacy IAM systems were largely designed to function solely within on-premises IT infrastructure. As a result, these systems generally lack the capabilities to secure newer IT systems such as cloud platforms. With cloud adoption increasing across Asia-Pacific, the gaps and blind spots created by the missing functionality of legacy IAM solutions can become costly to overcome. Conversely, increasing use of cloud also led to the rise of IAM systems designed exclusively for cloud platforms; these often lack support for on-premises applications and business processes, leaving enterprises open to attacks.

Combining the best of both worlds, hybrid IAM systems are purpose-built for distributed IT infrastructure. These systems are capable of unifying, authenticating, and securing all digital identities across multiple platforms. To achieve the best outcomes, enterprises should also customise their IAM systems to the unique needs of the industry they operate within.

For example, highly regulated industries such as financial services will likely require an IAM solution that can coexist with on-premises solutions, offer true data isolation, enable fine-grained transactional authorisation, and integrate with anti-fraud solutions. In contrast, IAM systems in healthcare organisations will need to manage identity relationships between parent and child or doctor and patient, and factor contextual information on these relationships into the decision-making process.

Modernising IAM for the hybrid world

According to ForgeRock’s 2023 Breach Report, unauthorised access remains one of the leading threats to businesses today. In the Southeast Asian technology hub of Singapore, unauthorised access was the second most popular attack method, with more than 3,700 incidents reported in 2022. Indeed, it takes just a single compromised credential for threat actors to breach an enterprise’s network, enabling cybercriminals to either launch further attacks or exfiltrate data.

To further optimise cybersecurity outcomes, enterprises can integrate other security strategies with hybrid IAM deployments. These include zero-trust policies, which ensure that no person or device, inside or outside an enterprise's network, can access enterprise systems until authenticated, and that each is continuously verified and monitored for any anomalies or malicious behaviour.

Enterprises tend to underestimate the risks associated with weak passwords. A better approach adds passwordless authentication and applies safer authentication when critical resources are being accessed and thresholds are crossed. Practices like single sign-on (SSO) and passwordless authentication can replace traditional passwords with a more user-friendly, secure method of authentication, such as tokens, certificates, authenticator apps, or biometrics.

Integrating these practices into hybrid IAM models can provide enterprises with a higher level of security and improved user experiences.

The future of hybrid IAM

The continued adoption of cloud, IoT, and remote working models will inevitably widen the gaps and blind spots created by legacy IAM solutions. In the coming years, artificial intelligence (AI) is likely to play a central role in strengthening hybrid IAM capabilities.

An AI-augmented approach to IAM can help enterprises quickly identify and neutralise threats at massive scale, reducing the risk of unauthorised access. AI-driven threat detection, contextual authentication, and authorisation capabilities will equip security teams to make intelligent decisions more quickly and with greater confidence and precision. This can also lead to lower deployment costs and simpler integration.

While organisations must transition to the cloud quickly, they also need to support business-critical applications running on-premises. Securing all these vital applications is not an option but a mission-critical imperative. Overlooking the importance of hybrid IAM solutions for long-term success and growth would be a grave mistake for modern enterprises.