Identity and Access Management (IAM) may be one of the most important security programmes an organisation can implement in the fight against cybercrime. This is for the simple reason that the ultimate goal for hackers is to appear like legitimate users within the organisation. They want to log in and be undetectable whilst doing bad things, stealing data or pilfering intellectual property.
Therefore, whether they realise it or not, most organisations have some default controls in place to limit what information employees have access to, how they are authenticated and authorised to view that information and finally, a process in place to audit or prove how information is accessed.
>See also: The future of identity and access management
However, all too often, IAM projects don’t live up to expectations because they are incomplete or poorly executed. Troubles can quickly mount, either costing the organisation too much time and money; or in the worst-case scenario, a failed IAM project has the potential to break an organisation, particularly as data protection comes to the fore in new government legislation.
The biggest challenges for organisations are complexity and inconsistency due to the diverse environments and disparate systems in use in modern business, from cloud computing, on premises or legacy systems, even social media and remote working which are now every day parts of corporate life.
Due to this diversification, the margin for error has exploded – especially when it comes to managing identities in larger organisations. Furthermore, different cloud applications and every day productivity tools come with their own set of rules leading to many organisations merely trying to keep up with the change on a continuous loop.
This can manifest itself a number of ways, including the ‘death by one-off’ scenario where multiple solutions from multiple vendors provide similar functionality, but in multiple pockets of the organisation’s infrastructure.
For instance, having a manual process for provisioning Active Directory with native tools while using a highly customised provisioning framework for the rest of the business; or forging a home-grown solution for authentication to internally developed applications and another for single sign-on to legacy ones.
In addition, an organisation can limit itself by choosing a big platform vendor for an enterprise solution that, at first glance, appears to meet its IAM needs, but a few years into the project, the company finds it is still performing way too much IAM manually and buying too many point solutions with siloed functionality. Or the organisation simply attempts IAM by provisioning only in attempt to control access for standard and privileged users which is short-sighted and doesn’t achieve good governance.
While the complexities of modern organisations grow, IAM in whatever form it takes becomes more about addressing new problems and relieving the pains it brings at that moment. Companies are at risk of burying their heads in the sand when the perceived problems become too big to solve quickly.
Getting IAM right
First and foremost, companies should think of IAM as a hierarchy with governance – or the processes, mechanisms and principles put in place to guide business initiatives – at the top. And all the tactics to get there, such as access, security, control and management come underneath the governance umbrella. Tactical initiatives need to support governance – always.
So, if all you’re doing is solving a tactical issue that isn’t moving closer to governance, then it should be reconsidered. Failing to operate with governance in mind and only concentrating on tactical issues is how organisations end up wasting a lot of money and time.
Successful IAM programmes are a combination of the right technology, internal policies and people all working in tandem to achieve governance. Choosing the right technology is important – it can provide a single source of truth and can be applied to everything and everyone (either remotely or on premises) using automation.
However, when IAM is applied as a pure technology exercise, then the root issues do not get solved and instead they continue to mount. It’s not unheard for organisations to be years into IAM projects trying to manually sort processes, which proves ineffective and laborious.
>See also: The rise of the access clones
In addition, the best technology will have the flexibility and depth to touch everything in the organisation, but what needs to be sorted up front is the underlying concepts that support governance and steer the technology.
Top advice for companies embarking on or in the middle of IAM projects:
Make sure the IAM programme is eliminating complexity
Does it unify access, authorisation, administration and authentication with as little repetition as possible? Ensure that staff member roles in an organisation are simplified and that users are not associated with more than one role to reduce complexity.
Make sure you’re solving immediate problems, but also ensure that you can leverage the solution or strategy for the fix in the future. Stop fighting fires and think more about how you can prevent the fire in the first place.
Drop the island mentality
So, you’ve migrated applications to the cloud, don’t treat it as a separate entity – make sure it is encompassed in the overall IAM strategy. Technology solutions make this possible. During a merger or acquisition, make sure everything is integrated, don’t treat the new company as its own project tagged on to your existing IAM programme. Doing the legwork up front will save the company effort in the long term. It’s important not to be short-sighted when it comes to IAM.
Ultimately, companies should avoid dealing with today’s problem today, constantly customising controls to deal with one issue at a time. Doing this means they will be stuck in a vicious cycle of evaluate, test, deploy, repeat – and they will end up spending way too much money in the process.
Make no mistake about it, a successful IAM programme is not a quick fix; but the time it takes to get it right can be dramatically reduced with the right technology, partners and practices in place.
Box-out 1: A government agency utilised its whole IT department to be hands on with the manual setting up of user accounts, managing their passwords and dealing with issues that arise from users forgetting passwords, provisioning and deprovisioning. It worked out that it cost the agency an average of $250 per incident for IT to deal with problems. It decided to implement Active Directory tools that automated these administrative processes and encompassed all of its (Unix and Linux) servers to minimise IT intervention and unify identities, authentication, and authorisation. This alone saved the organisation $45 million in expenses after just one year.
Box-out 2: An offshore energy organisation had many different facilities all acting as their own entities. The company works with many different partners and each time a partner needed access to information, it had to be manually granted by a member of staff. The company implemented an access solution, backed up by the governance that clearly defined who was able to access what, so that it could be done instantly and automatically. This saved the company time, money and made the whole process more secure and easier.
Sourced by Todd Peterson, product marketing manager at One Identity