Never Trust, Always Verify – The New Identity and Access Management Paradigm

Published: July 14, 2021, 9:00am

Throughout my two-decade career in cybersecurity, I’ve come to realize that Identity and Access Management (IAM) is central to everything I’ve touched. Starting with my time in network infrastructure and security and moving into risk management, data privacy and data loss prevention work, and finally to IAM, I was exposed to the fundamentals of my clients’ infrastructure and organizational structures. If network security, DLP, and other practices are the locks we put around our Information Assets, Identity and Access Management is the key we use to access it. What makes IAM so intriguing is that it’s not a single product or solution, it’s a fundamental set of policies and standards that are enforced to achieve a set of key business objectives, including reducing operational cost, reducing risk to information assets while improving user experience and productivity.

Not too long ago, the perimeters of an organization were easily defined. Critical applications and data were maintained in on-premise data centers where access, both physical and digital, was applied at various levels, including at the perimeter. Users were generally located inside company-owned networks using company-owned infrastructure to access information assets. Of course, there were other use cases like allowing access to business partners, service providers, vendors, suppliers and customers. Along the way, various standards emerged to support these use cases, including VPN for remote network connectivity and federation standards for authentication and access management of partners and service providers. Put simply, this was the era of “trust but verify,” when organizations could mostly rely on the fact that the people accessing critical information assets were supposed to be, with approaches like adaptive authentication and multi-factor authentication to address risk associated with various user access patterns.

In recent years though, the “trust but verify” model has fallen short of the realities we face. As more and more organizations have shifted their resources to the cloud, the lines between external and internal have blurred, and the perimeter is no longer so easily defined. Compounding this shift in operations, the last year has brought on a rapid workforce diaspora, stressing the limits of the tools and policies that have been the norm for so long. In addition, the sophistication of cyber-attacks has continued to rise. These ongoing disruptions have necessitated that organizations take a new approach to cybersecurity called zero trust.  The zero trust model is based on the principle of “never trust, always verify,” and Identity and Access Management is a key piece of this approach. Identity is now the new perimeter. IAM has always evolved to address key business challenges and has always been central to conducting business in the digital world.

This is why I’m excited to be leading GuidePoint’s expanded Identity and Access Management program. GuidePoint has always been focused on helping clients across different industries build world-class cybersecurity programs, and in recent months there has been increasing demand from our customers for focused help with Identity and Access Management. While we previously offered solutions and managed services in Access Management and Privileged Access Management areas, we are now expanding our services into assessments, planning, and implementation of Identity Governance and Administration. 

Through every stage of my career, I’ve personally seen the improvements that a well-structured Identity and Access Management program can bring to a business. Automation of key business processes such as joiner, leaver and mover, as well as automated access reviews brings efficiencies to these processes, while reducing cost and risk associated with granting improper access to critical information assets. My team and I are more than prepared to work with our clients to co-develop these programs and prepare them to benefit from the changing business landscape through innovation and thought leadership.