How to Select an Identity and Access Management Solution
Posted by: Kevin Converse
Published 1/21/22, 10:00am
Just how important is identity and access management when looking at the bigger picture of cybersecurity? To answer this question, think about network infiltration using hacked passwords. Though it may sound like an overused plot twist from every Hollywood action flick of the last thirty years, this is in fact one area where Hollywood probably gets some of it right. Password reuse, inadequately managed permissions, and misconfigurations—and the subsequent threats and attacks associated with these issues—all feature heavily in the real-world list of “why businesses need a good identity and access management solution.”
The lesson in these Hollywood hacker flicks is clear. Control your users and the access they have to systems or suffer the consequences.
To avoid the consequences of letting your CEO keep using passwords like “qwerty123” or “footballrocks,” choosing IAM technologies that fit today’s business environments (on-premises, cloud, and hybrid) is crucial, as is selecting a solution that supports every device and platform your users rely on and can be deployed at scale and at reasonable cost.
Why are IAM solutions important?
Before we answer the above question, let’s first quickly cover some fundamentals. To start, what is identity and access management (IAM) and why do organizations need it to improve their cybersecurity posture?
IAM is a framework that ensures the right people have the right access levels to sensitive resources. IAM first verifies that a user is who they claim to be (authentication) and then uses predefined roles and policies to grant the appropriate level of access (authorization), allowing organizations to improve their cybersecurity posture by giving only legitimate users access to critical assets.
Identity and access management (IAM) solutions are important for three reasons: (1) They ensure your users have access to the right assets within the right context; (2) They secure and protect your enterprise assets—including on-premises or cloud-based systems, data, networks, and software applications—from both external and internal threats; and (3) They help ensure compliance with corporate policies and government regulations.
5 Key Identity and Access Management Things to Consider
All IAM solutions should be scalable and easy to deploy, manage, and use. To select an appropriate IAM approach, businesses need to focus on five key areas:
- Determine what the IAM solution needs to protect—everything connected to the network, including users, systems, data, and devices—or just a specific system or network.
- Establish whether the business has the personnel, skill sets, and budgets in place to implement and manage IAM technologies independently or if it makes more sense to work with a managed IAM services provider that has an established and trustworthy IAM framework and governance model supported by industry best practices.
- Identify the current and future environment, e.g., on-premises, cloud-based, or hybrid.
- Identify and document all applications, including any cloud-based software as a service (SaaS) that should integrate with the IAM solution.
- Determine current business trends and potential future growth to ensure IAM solution scalability.
Key IAM Strategies, Processes, Tools, and Features
With clarity around these five key decision factors, a business then needs to make sure that its chosen IAM technology includes the following strategies, processes, tools, and features:
Identity Governance & Administration (IGA): The policies, processes, and tooling that define who should have which access and prove it: identity lifecycle management, role and entitlement modeling, access requests and approvals, periodic access certification by managers or resource owners, and separation-of-duties enforcement, together with the audit trail that compliance reviews require. An IGA program should start from a blueprint and roadmap that identifies gaps in the current state and prioritizes remediation in phases throughout the initiative.
Access Management: The runtime side of IAM: authenticating users and enforcing, at each login or request, the access that governance has approved. This covers single sign-on, multi-factor authentication, session management, and policy enforcement for web, API, and legacy applications. Access management implementation services support an enterprise’s efforts to plan, design, build, test, and roll out these tools, technologies, and policies, starting from a blueprint of the current state and a gap-driven roadmap with tool recommendations.
Privileged Access Management (PAM): Privileged access management (PAM) helps organizations securely administer access rights and permissions for privileged account users. Privileged access is the unique or special access given to a user that goes above and beyond the access granted to a standard user. Organizations apply the principles of privileged access to secure their systems, data, applications, and infrastructure. Privileged access management includes:
- Granting and revoking access, preferably just-in-time and time-bound rather than as standing privilege
- Vaulting and rotating privileged credentials so that administrators check out access instead of holding shared passwords
- Giving privileged users the access their workflows require without blocking productivity
- Creating policies and expectations for intended use
- Behavior and user/identity activity monitoring
- Anomaly detection
- Session isolation and recording
- Risk remediation
Single Sign-on (SSO): An authentication process in which a user signs in once to a central identity provider and is then granted access to multiple systems, networks, or applications without re-entering credentials. Modern SSO is usually implemented with federation protocols such as SAML or OpenID Connect, where the application trusts a signed assertion from the identity provider rather than ever seeing the user’s password. Because SSO concentrates trust in that one identity provider, its login must itself be protected with strong multi-factor authentication.
Multi-Factor Authentication (MFA): Multi-factor authentication limits the damage of a stolen or guessed password by requiring two or more independent factors to log in to a system, device, network, or application: something the user knows (a password or PIN; the username is an identifier, not a factor), something the user has (a hardware security key, a phone-based authenticator, or a smart card), and something the user is (fingerprint, face, or voice). Not all second factors are equal: SMS codes and push notifications can be phished or approved under push fatigue, whereas FIDO2/WebAuthn security keys bind the login to the genuine site and resist phishing.
Password Management: A password management tool or policy establishes and enforces password standards across devices, systems, and platforms: length and character-type requirements, screening of new passwords against lists of known-compromised passwords, lockout or rate limiting on failed attempts, and secure storage of passwords as salted, deliberately slow hashes (scrypt, bcrypt, or Argon2) rather than reversible encryption, so that a stolen credential database does not yield the plaintext passwords. Generally, password management is part of Identity Governance and Administration solutions.
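Worked example added here (not from the original post): a password policy checker with a constructed blocklist, plus storage of the password as a salted scrypt hash and constant-time verification. The blocklist entries, the minimum length of 12, and the three-character-class rule are assumptions for the demo; the scrypt parameters are ones commonly used for interactive logins.

```python
import hashlib
import hmac
import os
from typing import List, Optional

MIN_LENGTH = 12
# Constructed deny list for the demo. In production, screen against a
# breached-password corpus (e.g. a Have I Been Pwned export) as NIST SP 800-63B recommends.
BLOCKLIST = {"qwerty123", "footballrocks", "password1", "welcome2022"}


def check_policy(password: str) -> List[str]:
    """Return the policy violations for a candidate password (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if password.lower() in BLOCKLIST:
        problems.append("appears on the known-compromised password list")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted scrypt hash, never the password itself or a reversible encryption.
    The record is self-describing so the cost parameters can be raised later."""
    salt = salt or os.urandom(16)
    n, r, p = 2 ** 14, 8, 1  # ~16 MiB of memory per hash; tune upward over time
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(check_policy("qwerty123"))
    record = hash_password("Tr0ub4dor&3-horse-stapl3")
    print(record.split("$")[0], verify_password("Tr0ub4dor&3-horse-stapl3", record))
```

Because the hash is salted and slow, two users with the same password get different records and an attacker with the database must pay the scrypt cost for every guess; an encrypted password store, by contrast, falls with the single key that protects it.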
Role-based Access Control (RBAC): Role-based access control manages the authorization side of IAM. Users are assigned one or more roles, and each role carries a set of privileges; a user’s effective access is the union of the privileges of the roles held, so access is changed by changing role membership rather than by editing individual accounts. RBAC also handles role hierarchies (a role inherits the privileges of its parent roles) and mutually exclusive roles (separation of duties, e.g. the same person may not both create and approve invoices). Because a user receives only what the assigned roles carry, RBAC lets administrators limit user privileges and enforce a ‘least-privilege’ approach. Most modern IGA solutions support RBAC and role mining, which derives candidate roles bottom-up from the entitlements users already hold; newer products apply AI/machine learning to that analysis to recommend role compositions proactively.
Provisioning: Automated provisioning lets IT and security teams grant account privileges to new users, adjust them when a user’s role changes, and remove them when the user is terminated (the “joiner,” “mover,” and “leaver” user lifecycle). The mover step matters as much as the leaver step: if old entitlements are not revoked on transfer, privileges accumulate over a career. Lifecycle processes are supported by IGA solutions.
Application Programming Interface (API) Security: Today it isn’t just people signing in; services, scripts, and Internet of Things (IoT) devices authenticate to one another through APIs to conduct operations or share data. These machine identities need the same lifecycle discipline as human ones: each workload or device should hold its own credential (API key, OAuth client, or certificate) rather than a shared one, the credential should be scoped to the minimum permissions it needs, rotated, and revocable, and its use should be logged so that a leaked key can be traced and cut off. Any device or service with API components therefore falls within the scope of identity and access management.
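The RBAC and provisioning entries above, as an added example that is not part of the original post: a small role model with inheritance and one separation-of-duties rule, and a reconcile step that turns an HR record into exactly the grants and revocations a joiner, mover, or leaver event requires. The roles, permissions, and job-title mapping are constructed for the demo.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed role model (not from the page): a role carries permissions,
# and a child role inherits everything its parent roles carry.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "employee": {"email:read", "intranet:read"},
    "engineer": {"repo:read", "repo:write"},
    "finance-clerk": {"ledger:read", "invoice:create"},
    "finance-approver": {"ledger:read", "invoice:approve"},
    "iam-admin": {"iam:manage"},
}
ROLE_PARENTS: Dict[str, Set[str]] = {
    "engineer": {"employee"},
    "finance-clerk": {"employee"},
    "finance-approver": {"employee"},
    "iam-admin": {"engineer"},
}
# Separation of duties: no identity may hold both roles of a pair, directly or by inheritance.
SOD_CONFLICTS: Set[FrozenSet[str]] = {frozenset({"finance-clerk", "finance-approver"})}
# Assumed HR job title -> roles it entitles (the "birthright" mapping provisioning uses).
JOB_ROLES: Dict[str, Set[str]] = {
    "Software Engineer": {"engineer"},
    "AP Clerk": {"finance-clerk"},
    "AP Manager": {"finance-approver"},
    "IAM Engineer": {"iam-admin"},
}


def effective_roles(assigned: Set[str]) -> Set[str]:
    """Expand assigned roles through the hierarchy (transitive closure over parents)."""
    seen: Set[str] = set()
    stack = list(assigned)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_PARENTS.get(role, set()))
    return seen


def permissions_for(assigned: Set[str]) -> Set[str]:
    """Union of the permissions carried by every role the identity effectively holds."""
    perms: Set[str] = set()
    for role in effective_roles(assigned):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(assigned: Set[str], permission: str) -> bool:
    """Least privilege: deny unless some held role explicitly carries the permission."""
    return permission in permissions_for(assigned)


def sod_violations(assigned: Set[str]) -> List[Tuple[str, ...]]:
    """Conflicting role pairs the identity would hold, including via inheritance."""
    held = effective_roles(assigned)
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held)


def reconcile(current: Set[str], hr_record: Dict[str, str]) -> Tuple[Set[str], Set[str]]:
    """Joiner/mover/leaver: return (grant, revoke) so the identity ends up with
    exactly the roles its HR record entitles. Leavers lose everything; movers
    lose the roles of the old job instead of accumulating them."""
    if hr_record.get("status") != "active":
        return set(), set(current)
    desired = JOB_ROLES.get(hr_record["job"], set())
    conflicts = sod_violations(desired)
    if conflicts:
        raise ValueError(f"job mapping violates separation of duties: {conflicts}")
    return desired - current, current - desired


if __name__ == "__main__":
    clerk = {"finance-clerk"}
    # Mover: the clerk is promoted to approver. Granting without revoking would
    # leave both roles and an SoD violation; reconcile removes the old one.
    grant, revoke = reconcile(clerk, {"job": "AP Manager", "status": "active"})
    print(grant, revoke)                      # {'finance-approver'} {'finance-clerk'}
    print(sod_violations(clerk | grant))      # [('finance-approver', 'finance-clerk')]
    print(is_authorized({"iam-admin"}, "repo:write"))  # True, inherited via engineer
```

The `is_authorized` check is the enforcement point an access-management layer would call; `reconcile` is what an IGA connector would run on each HR event, and the SoD check runs on the hierarchy-expanded role set so an inherited conflict is caught as well as a direct one.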
Monitoring, Auditing, and Reporting: IAM best practices, as well as regulations, often require that IAM staff observe, track, manage, and report on user activities. IAM monitoring, auditing, and reporting capabilities are common components of identity and access management solutions and strategy.
Know Your IAM Vendor
When selecting an IAM solution, one of the most important components is the reliability of the IAM vendor.
- Examine the IAM vendor’s experience and track record. Have they implemented IAM projects of similar scope and scale before?
- Compare vendor claims and promises to their technology. Will their promises stand up or is there a disconnect between the technology they offer and what they claim they can provide?
- Consider the costs. Are the vendor’s fees consistent with other IAM vendors? What do the costs include?
- Determine how the vendor’s solution will impact both users and the business. Are the policies proposed by the vendor too complex or too simplistic for users and the business model?
- Is the vendor experienced with industry compliance and regulatory issues that affect IAM?
- Does the vendor take risk management seriously? Do they have experience managing a security incident? What is their risk management process?
This is Not Your Grandpa’s Password
Today, IAM is central to the way an organization conducts business. The right IAM solution lets an organization improve operations, comply with regulations, and reduce operating costs; striking the balance between access, security, compliance, and cost-effective operations depends on choosing it well. A well-constructed identity and access management program integrates identity into day-to-day operations and reduces both risk and cost while meeting regulatory obligations.
Kevin Converse
Practice Lead, Identity & Access Management,
GuidePoint Security
Kevin Converse is the Identity & Access Management Practice Lead at GuidePoint Security. He has over 20 years of experience in the IT and cybersecurity domains. In his career, Kevin spent several years working for a large financial organization and a higher education institution, where he oversaw projects ranging from end-user deployment and remote workforce enablement to infrastructure automation. He has a decade's worth of experience across multiple cybersecurity domains, including vulnerability management, SIEM integration, security architecture, and identity management. He has spent the last 5 years in the consulting space deploying identity and access management programs across multiple verticals.