It has long been said, “the only constant is change.” In the world of business, the only thing changing faster than digitalization is children’s minds about which superhero or Hocus Pocus character they’re going to be for Halloween (#TeamNinjaTurtles). Digital acceleration, particularly post C-word (the pandemic, ya filthy animals), has challenged organizations to keep pace with new speeds of industry innovation and, consequently, has created new opportunities for market growth. For the companies that are poised to change and scale with agility, this means new avenues to propel success.
In order to be poised for new opportunities, companies need scalable security programs. The role of cybersecurity as a business driver, rather than merely an IT one, has come increasingly under the spotlight for its criticality not only in driving operational efficiencies, but also in sustaining compliance posture, driving sales, and keeping up with evolving consumer demands.
So, where do you start? I’m glad you asked…
Why focus on Identity and Access Management (IAM)
Let’s start with the most obvious reason: it’s the most common breach vector.
According to Verizon’s 2021 Data Breach Investigations Report, compromised identity credentials account for 61% of breaches, and the circulation of stolen usernames and passwords has increased 300% since 2018 alone.
For an organization to accelerate securely, identity management should be a foundational part of its security program. Accordingly, IAM initiatives are generally recommended early in an organization’s lifecycle, to optimize security posture and avoid establishing habits that lead to cumbersome (and expensive) work down the road. Identity management helps to mitigate risk by:
- Adding an additional layer of security to credentials through functionality like multi-factor authentication (MFA). So even if employees use less-than-ideal passwords (e.g., “Password123!” or “Rover1!”), a tangible device would still be required to gain access.
- Helping to consolidate and centralize all user information. A proper identity program eliminates duplicate data, such as multiple usernames per identity, and integrates with your HR platform so there is a single-source repository for all access changes.
- Streamlining operational efficiency to support investment and scalability. Every day a user waits to be fully provisioned to the applications they need, and every additional person required to complete processes like manual access certifications, represents opportunity cost: hours and people that could instead be invested in core business initiatives.
Why you need it & the potential risks of not having it
- Overprovisioned access: the granting of access beyond the scope of what is necessary for the user’s role in the organization. One of the greatest risks of overprovisioned access is that it dramatically broadens your risk landscape in the event of exposed credentials. Overprovisioned access can also complicate our bullet point number two…
- Role-based access provisioning: or (as I envision Merriam-Webster would say) “the act of granting access to systems and applications based on the access of other users with the same or similar roles in an organization.” More often than not, the practical application of this process is to literally copy the access of another individual in that role and allocate the same access to a new employee. If the original access was overprovisioned, it’s easy to see how this turns into an environment full of users with access they shouldn’t have.
- Controlling data sprawl: by establishing a strong foundation of security practices around your user identities, you can control the internal data that users are granted access to, and you lay the groundwork to expand functionally into data governance practices.
- Compliance obligations: we’ve already seen evolving regulatory standards around data protection and consumer privacy that involve demonstrable elements of identity management. As society continues to trend toward more expansive security standards, identity security practices will become not only more highly recommended but also required in certain markets. You can already see this in current audit frameworks: whether you’re embarking on audit initiatives for regulatory purposes, to attract new customers, or to go public, most frameworks require basic, demonstrable identity security practices. As further proof of evolving identity standards, ISO 27001 just released new requirements that expand on those related to IAM.
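To make the first two bullets concrete, here is an added example (not from the post) of the access-certification check an identity governance tool performs: actual entitlements compared against a role baseline, a peer-group anomaly check, and the two provisioning styles side by side, including how copying a colleague’s access hides the anomaly from peer comparison while the baseline comparison still flags it. The roles, users and entitlements are constructed sample data.

```python
from collections import Counter
from copy import deepcopy

# Approved entitlements per role (constructed; normally maintained in your identity governance tool).
ROLE_BASELINE = {
    "engineer": {"git", "ci", "jira", "vpn"},
    "finance": {"erp", "expenses", "jira"},
}

# Current state (constructed). 'bob' kept 'erp' from a finance stint and got an ad-hoc 'prod-db-admin'.
CURRENT_ACCESS = {
    "alice": {"role": "engineer", "entitlements": {"git", "ci", "jira", "vpn"}},
    "bob":   {"role": "engineer", "entitlements": {"git", "ci", "jira", "vpn", "erp", "prod-db-admin"}},
    "frank": {"role": "engineer", "entitlements": {"git", "ci", "jira", "vpn"}},
    "carol": {"role": "finance",  "entitlements": {"erp", "expenses", "jira"}},
}

def certification_report(access, baseline=ROLE_BASELINE):
    """Map user -> sorted entitlements beyond the role baseline; compliant users are omitted."""
    report = {}
    for user, rec in access.items():
        excess = rec["entitlements"] - baseline[rec["role"]]
        if excess:
            report[user] = sorted(excess)
    return report

def peer_outliers(access, role):
    """Entitlements held by exactly one member of a role: the baseline-free 'access anomaly' signal."""
    members = [rec["entitlements"] for rec in access.values() if rec["role"] == role]
    counts = Counter(e for ents in members for e in ents)
    return {e for e, n in counts.items() if n == 1}

def provision_by_copy(access, template_user, new_user):
    """Mirror a colleague's access, excess included: the copy-the-user anti-pattern from the post."""
    src = access[template_user]
    access[new_user] = {"role": src["role"], "entitlements": set(src["entitlements"])}
    return access[new_user]

def provision_by_role(access, role, new_user, baseline=ROLE_BASELINE):
    """Provision strictly from the approved role baseline instead."""
    access[new_user] = {"role": role, "entitlements": set(baseline[role])}
    return access[new_user]

if __name__ == "__main__":
    access = deepcopy(CURRENT_ACCESS)
    print("peer outliers before copy:", peer_outliers(access, "engineer"))
    provision_by_copy(access, "bob", "dave")       # dave inherits bob's excess
    provision_by_role(access, "engineer", "erin")  # erin gets exactly the baseline
    print("peer outliers after copy: ", peer_outliers(access, "engineer"))  # empty: the copy hid the anomaly
    print("baseline report:", certification_report(access))
```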
What you can do about it
- Audit all systems: understand what systems you have and what data, particularly sensitive data, they house. It’s critical to understand the systems that identity management practices will need to extend to.
- Conduct an asset inventory: much like the previous point, understanding your asset environment is a critical first step in establishing a comprehensive IAM program, because it tells you what your policies need to apply to.
- Establish a source of truth: create a centralized repository for your user population so you can connect to it and more easily roll out identity management policies and technology.
- Invest in software: once you understand the scope of your environment and have implemented basic organizational practices around user creation, you can capitalize on the benefits of software. The evolving school of thought is that, with infrastructure moving rapidly toward cloud-first, the software supporting it should be structured the same way for consistent speed of scale and digital acceleration. Put in layman’s terms, look for the following software with SaaS capabilities:
- Access Management software: add layers of security to user credentials using Single Sign-On (SSO) and/or Multi-Factor Authentication (MFA) technology.
- Identity Governance: put security controls around the access granted to users, make automated and actionable decisions (think provisioning, de-provisioning, change management), and have this information visible from a single view. Many software providers leverage AI/ML technology to help companies identify risks in user populations (e.g., access anomalies).
- Privileged Access Management (PAM): implements controls and monitoring around elevated access and permissions in your environment.
- Other complementary software: data access governance technologies can help identify, remediate, and control both structured and unstructured data in your environment, and then tie it to your identities for enhanced identity management. Data Loss Prevention (DLP) could be implemented to control the movement of data in and out of your environment. Similarly, cloud access management software helps consolidate visibility and controls extending into public cloud infrastructure.
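As an added example (not from the post) of what “establish a source of truth” and automated de-provisioning look like in practice, the following reconciles application accounts against HR records, the source of truth, and surfaces accounts with no HR owner, accounts still held by terminated employees, and duplicate usernames per identity. The HR records, application names and account lists are constructed sample data.

```python
from collections import defaultdict

# HR system as the source of truth (constructed). Employee ID is the identity key; status drives lifecycle.
HR_RECORDS = [
    {"emp_id": "E100", "email": "alice@example.com", "status": "active"},
    {"emp_id": "E101", "email": "bob@example.com",   "status": "terminated"},
    {"emp_id": "E102", "email": "carol@example.com", "status": "active"},
]

# Accounts exported from each application (constructed). emp_id is None when the app records no owner.
APP_ACCOUNTS = {
    "git": [
        {"username": "alice",   "emp_id": "E100"},
        {"username": "a.smith", "emp_id": "E100"},   # second username for the same identity
        {"username": "bob",     "emp_id": "E101"},   # owner left; account never de-provisioned
    ],
    "erp": [
        {"username": "carol",      "emp_id": "E102"},
        {"username": "svc-report", "emp_id": None},  # nobody in HR owns this account
    ],
}

def reconcile(hr_records, app_accounts):
    """Compare application accounts with HR; return orphaned, terminated and duplicate findings."""
    status = {rec["emp_id"]: rec["status"] for rec in hr_records}
    findings = {"orphaned": [], "terminated": [], "duplicates": {}}
    per_identity = defaultdict(list)
    for app, accounts in app_accounts.items():
        for acct in accounts:
            ref = f"{app}:{acct['username']}"
            emp = acct["emp_id"]
            if emp is None or emp not in status:
                findings["orphaned"].append(ref)        # no owner in the source of truth
            elif status[emp] != "active":
                findings["terminated"].append(ref)      # leaver still has access: de-provision
            else:
                per_identity[(app, emp)].append(acct["username"])
    for (app, emp), names in per_identity.items():
        if len(names) > 1:
            findings["duplicates"][f"{app}:{emp}"] = sorted(names)  # multiple usernames per identity
    return findings

if __name__ == "__main__":
    for kind, items in reconcile(HR_RECORDS, APP_ACCOUNTS).items():
        print(f"{kind}: {items}")
```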
So, while we can expect security standards to continue to change as a reflection of continued digitalization, one constant will always be the need to secure user identities and data.