IAM - An Information Security Enabler
Identity and Access Management has become a key security program for enabling new and ever-changing business and technology needs with the right amount of security. As each organization defines its appetite for risk and how much it is willing to pay for it, it must ensure that the foundational security processes and technology are in place to deliver. As our organizations develop and deliver new and creative solutions, they can inadvertently create new blind spots within our security and IAM programs. If your security team lacks visibility or awareness of these solutions, unacceptable or unknown risk is likely being introduced to your organization. There are new technology standards, tools, and architectures needed that many traditional IAM programs may not have. If your organization has not recently done an IAM strategy and gap analysis for your IAM program, now is the time.
Common IAM Blind-Spots
Applications and infrastructure are moving to the cloud. Maybe a little at a time, perhaps all at once, and perhaps even without Information Security knowing about it. Workforce and customer identities, as well as data access control, need to extend to the cloud environments to support this. Many traditional tools may not be up to the task.
• Integrating workforce and customer identity lifecycle with and across various cloud services, applications, and platforms.
• Technical identity standards support (SCIM, SAML, OAuth, OpenID, FIDO, etc.)
• Data security and data loss prevention
• Authentication and privileged account management
Customer identities are managed in a very different way than workforce identities, and many organizations don’t consider this to be a part of the IAM program. Businesses increasingly want to give their customers more control over the security and use of their information, access, and authentication methods. Make CIAM a part of your IAM program to limit risk to the organization by providing secure solutions that support your business's customer security objectives. Customer identity is focused on customer choices rather than prescriptive control.
• Data access and release authorization
• Social login – using your Gmail account for authentication
• Multi-factor authentication
• Password-less authentication and authentication tokens
• Self-service and profile management
• Risk-based authentication
With increasingly mobile workforces, BYOD and IoT, third-party service providers, offshore contractors, and cloud computing, our corporate networks are starting to look a lot more like the internet. Which side of the firewall your users are on is much less important than who they are and what they should have access to. A new paradigm is gaining momentum, and it is based on leveraging user identities to establish the security perimeter of your systems.
• Verify everything, trust nothing
• Automated identity lifecycle management for internal and external users
• Role-based access control and attribute-based access control
• Multi-factor authentication enforcement for privileged accounts
• Risk-based authentication and user behaviour analytics
• Network micro-segmentation
With all these factors playing a significant role in organizations, enterprises should strive to raise their security standards and treat their IAM programs as an extra layer of protection against unknown security vulnerabilities and cybersecurity breaches. Only with a robust IAM infrastructure can we ensure consistent and standard access rules and policies across organizations.