In the current age of Cyber Security, it’s easy to get lost in the wave of new threats. There are hundreds of companies specializing in each niche of Cyber Security, but the basics of Identity and Access Management (IAM) hold firm and remain a cornerstone of an effective security program. Identity and Access Management gaps are often cited as contributors to data breaches; thus, it is paramount to run an effective IAM program. In this article we’ll take a high-level look at the segment and pose a few questions for you to consider when evaluating the maturity of your current IAM program.
Critical Identity and Access Management Questions
Identity and Access Management (IAM) concepts are simple and often draw comparisons with physical security concepts. IAM asks three critical questions that apply to every environment, whether on-premises, cloud, or hybrid:
- Who has access to what?
- How is access obtained (who approves it)?
- Is access still needed?
These same questions are also at the heart of industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act (SOX), the Model Audit Rule (MAR), and the Health Insurance Portability and Accountability Act (HIPAA). Nearly every industry vertical is regulated to ensure that only the correct people have access to critical information (especially financial reporting). This means IAM should be considered critical to protecting your infrastructure. In today’s economy, privacy concerns also take a front seat. The EU General Data Protection Regulation (GDPR) has significantly raised the responsibility of organizations for how data is used, protected, and distributed. Successfully navigating the concepts of privacy and consent requires modern IAM tools that enable consumer consent, self-service capabilities, and distributed environments that store data in specific regions.
IAM has been around for a long time, so most organizations already have a sizeable investment. This could take the form of manual processes, a homegrown solution, or purchased software. If that is true, it’s easy to let IAM take a back seat when budget rounds occur. I myself have been faced with the budgeting dilemma: “Can we just pay maintenance this year?” Yes, you could, but I’m here to tell you that now might be a great time to reevaluate. If you haven’t made any changes in your IAM stack recently, there have been great advancements in efficiency, integration, and process that make this the right time to invest.
Identity and Access Management does more than satisfy audits and increase efficiency. Identity can improve your consumer and employee user experience. There have been real advancements in standards to create a password-less experience through FIDO v2 (UAF/U2F). Browsers have embraced these frameworks with WebAuthn to create a consistent experience for users across mobile devices. Omni-channel experiences are now possible and strengthen cross-collaboration between business groups (such as marketing) and security programs. In addition, APIs are growing at blistering rates, thanks in part to microservice architectures and new development methodologies that shorten release cycles. API security is a top consideration for public-facing applications, and that requires a solid integration with Identity. Even firewalls can take advantage of identity-aware policies. These examples show that a modern IAM solution can help security become a business enabler.
For existing investments, make sure to leverage the data that is already being collected. Identity Analytics can provide insight into efficiencies and into patterns that stand out as out of compliance. Analytics can provide key performance indicators as well. It is equally important to ensure that identities are created quickly for efficiency, accurately for compliance, and removed in a timely fashion for governance.
Consider these three questions as you evaluate your current IAM environment:
- Is it efficient and accurate?
- Does it meet the needs of the organization?
- Can I leverage my existing investment to gain a competitive advantage?
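The three IAM questions above, together with the lifecycle indicators (access granted with approval, unused access flagged, leavers de-provisioned on time), can be checked mechanically against an entitlement export. The following is an added example, not code from the original article; the entitlement rows, the HR leaver feed, the 90-day staleness threshold and the one-day removal SLA are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample entitlements (one row per identity/resource pair), not real data.
ENTITLEMENTS = [
    {"user": "alice", "resource": "gl-ledger", "approver": "cfo",
     "last_used": date(2024, 5, 1)},
    {"user": "bob", "resource": "gl-ledger", "approver": None,
     "last_used": date(2024, 4, 20)},
    {"user": "carol", "resource": "hr-records", "approver": "hr-director",
     "last_used": date(2023, 7, 15)},
    {"user": "dave", "resource": "crm", "approver": "sales-vp",
     "last_used": date(2024, 4, 30)},
]
# Constructed HR leaver feed: identity -> last day of employment.
LEAVERS = {"dave": date(2024, 3, 31)}
AS_OF = date(2024, 5, 2)           # constructed review date
STALE_AFTER = timedelta(days=90)   # assumed threshold for "is access still needed?"
REMOVAL_SLA = timedelta(days=1)    # assumed de-provisioning SLA after the leave date


def review_access(entitlements, leavers, today,
                  stale_after=STALE_AFTER, removal_sla=REMOVAL_SLA):
    """Answer the three IAM questions over an entitlement export.

    inventory  - who has access to what (resource -> sorted users)
    unapproved - how was it obtained? entitlements with no recorded approver
    stale      - is it still needed? entitlements unused longer than stale_after
    orphaned   - leavers still holding access past the removal SLA, with days
                 overdue and whether the account was used after the leave date
    """
    inventory, unapproved, stale, orphaned = {}, [], [], []
    for e in entitlements:
        key = (e["user"], e["resource"])
        inventory.setdefault(e["resource"], []).append(e["user"])
        if not e["approver"]:
            unapproved.append(key)
        if today - e["last_used"] > stale_after:
            stale.append(key)
        left = leavers.get(e["user"])
        if left is not None and today > left + removal_sla:
            orphaned.append({"user": e["user"], "resource": e["resource"],
                             "days_overdue": (today - left - removal_sla).days,
                             "used_after_leaving": e["last_used"] > left})
    return {"inventory": {r: sorted(u) for r, u in inventory.items()},
            "unapproved": unapproved, "stale": stale, "orphaned": orphaned}


if __name__ == "__main__":
    for section, findings in review_access(ENTITLEMENTS, LEAVERS, AS_OF).items():
        print(section, findings)
```

The `used_after_leaving` flag is the finding an auditor will ask about first: an entitlement that was not only left in place but actively exercised after the identity should have been removed.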
There are new attacks every day, and that makes a solid security foundation even more important. Ultimately, the latest and greatest protections will be ineffective without a solid IAM framework. Consider looking at the big picture of IAM and how well the components work together to meet the needs of the organization. And listen for opportunities to make security work for the business (such as improving the user experience). Check security.com for more information on how you can lay the groundwork for a security cornerstone, and for future articles on IAM.
NIST guidance for this space is covered in SP 800-63:

| Document | Title |
| --- | --- |
| SP 800-63-3 | Digital Identity Guidelines |
| SP 800-63A | Enrollment and Identity Proofing |
| SP 800-63B | Authentication and Lifecycle Management |
| SP 800-63C | Federation and Assertions |