Ian Kilpatrick, Strategic Advisor for Cybersecurity at Nuvias, explores the growing need for Identity Access Management, as migration to hybrid environments gains pace.
Identity and Access Management, or IAM, refers to a framework of policies and technologies for ensuring that people in an enterprise have access only to the data and tools they are authorised to use. In short, it enables the right individuals to access the right resources at the right times and for the right reasons.
While this might appear to be a no-brainer for anyone looking after IT systems and data, it is surprising how many companies still only pay lip service to robust IAM. In some sectors, such as financial services, compliance directives such as MiFID II force companies to invest in IAM, while GDPR is helping to focus minds and accelerate the pace of adoption.
But just as CISOs were thinking they were getting on top of IAM, the goalposts are moving. The seemingly inexorable migration to the cloud and hybrid environments means that applications and end users could be literally anywhere around the world, presenting a whole new set of security challenges. We are moving from protected security boundaries to a network of disparate endpoints, applications and data located in the cloud.
In a hybrid world, IAM is not an option and if you don’t have strategies, policies and solutions in place there is a good chance you will end up in a crisis. But in a hybrid world even the starting point is complex. How can you manage all the access rights when you don’t know how many applications you have in the cloud and where they are? Business managers or renegade development teams may spin up an application without the IT department even knowing. If someone hacks into an unprotected cloud app, you may never know they have been there until it is too late.
And in a hybrid world, it’s difficult to keep track of people. With hiring, firing, moving and promoting, many organisations don’t have IAM built into their HR and systems management. If someone changes office or role, they run the risk of getting lost in the system, particularly in international organisations. And when they leave – they may still retain access rights tied to their former role. And then there are contractors, suppliers and customers to worry about.
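The joiner/mover/leaver problems described above are exactly what a periodic reconciliation between the HR system of record and the directory is meant to catch. The following is an added example, not code from the original article or from Nuvias: it compares a constructed HR feed against a constructed directory snapshot and flags leavers whose accounts are still enabled, movers who kept entitlements from a former role, accounts with no HR record at all, and joiners who never got an account. The role-to-entitlement map, the record fields and all the sample identities are assumptions made for illustration.

```python
"""Joiner/mover/leaver reconciliation between an HR feed and a directory.

All data below is constructed for the example; the role model and the
record layouts are assumptions, not any particular product's schema.
"""
from dataclasses import dataclass

# Assumed role model: the entitlements each job role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read", "erp-post-journal"},
    "sales-rep": {"crm-read", "crm-write"},
    "contractor-dev": {"git-read", "ci-run"},
}


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str  # "active" or "left"
    role: str


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    entitlements: frozenset


# Constructed HR feed (system of record for people).
HR_FEED = [
    HrRecord("alice", "active", "finance-analyst"),
    HrRecord("bob", "active", "sales-rep"),      # moved from finance to sales
    HrRecord("carol", "left", "sales-rep"),      # left the company
    HrRecord("dave", "active", "contractor-dev"),
    HrRecord("erin", "active", "sales-rep"),     # joiner, not yet provisioned
]

# Constructed directory snapshot (what access actually exists).
DIRECTORY = [
    Account("alice", True, frozenset({"erp-read", "erp-post-journal"})),
    Account("bob", True, frozenset({"crm-read", "crm-write", "erp-post-journal"})),
    Account("carol", True, frozenset({"crm-read"})),
    Account("dave", True, frozenset({"git-read", "ci-run"})),
    Account("svc-legacy", True, frozenset({"erp-read"})),  # nobody in HR owns it
]


def reconcile(hr_feed, directory):
    """Return the findings an access review should act on.

    leaver_active      : HR says "left" but the account is still enabled
    excess_entitlement : account holds entitlements its current role does not allow
    orphan_account     : account with no HR record (service/ex-contractor/unknown)
    joiner_missing     : HR says active but no account exists
    """
    hr = {r.user_id: r for r in hr_feed}
    findings = {
        "leaver_active": [],
        "excess_entitlement": [],
        "orphan_account": [],
        "joiner_missing": [],
    }
    for acct in directory:
        rec = hr.get(acct.user_id)
        if rec is None:
            findings["orphan_account"].append(acct.user_id)
            continue
        if rec.status == "left":
            if acct.enabled:
                findings["leaver_active"].append(acct.user_id)
            continue  # a disabled leaver account is the expected state
        # Movers: anything beyond the current role's entitlements is residue
        # from a previous role and needs to be removed or re-certified.
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(rec.role, set())
        if excess:
            findings["excess_entitlement"].append((acct.user_id, sorted(excess)))

    have_account = {a.user_id for a in directory}
    for rec in hr_feed:
        if rec.status == "active" and rec.user_id not in have_account:
            findings["joiner_missing"].append(rec.user_id)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(HR_FEED, DIRECTORY).items():
        print(f"{kind}: {items}")
```

The check deliberately treats "what the role allows" as the baseline rather than "what the user had last time", so a mover's leftover entitlement shows up even if it has been there for years; in a real deployment the HR feed and directory would be pulled from their APIs on a schedule and the findings fed to an approval workflow rather than printed.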
IAM – in any environment but particularly in a multi-device, multi-location and multi-application hybrid set up – has to start with policy that should embrace functions such as single sign-on, authentication and session management. And an IAM strategy is not just for Christmas. It needs to be reviewed every 12-18 months.
If you can’t do the whole IAM piece, there are certain elements that should be non-negotiable. Take authentication. I can’t remember how long commentators have been claiming that passwords on their own are dead, yet they are still very much alive and kicking. Everyone should be using Multi-Factor Authentication in 2019, full stop. Single sign-on is also critical in hybrid environments. With a separate password for every app, users reuse or weaken them, and every app becomes one more place where credentials can be intercepted or compromised; SSO puts authentication, and therefore MFA and session policy, in one place where it can be enforced consistently.
IAM has never been easy but has become more difficult in a hybrid world. The fact is that few organisations have all the components in place. While SMEs can get away with using point products, larger organisations, in excess of 5000 people, really need an integrated and automated solution.
Automation is a key element of identity protection, eliminating the complexities and time-consuming processes often required to govern identities, manage privileged accounts and control access. It is important to define a clear, strategic path to access control, privilege management and ultimately, governance.
As we move to a more complex hybrid world, the challenge of identity and access management combined with increasing regulatory demands is placing heavy demands on organisations. Most companies have something in place as a starting point. What they need to do now, with a sense of urgency, is to roll out more integrated elements to build up a comprehensive, automated IAM system, which is suitable for on premises, hybrid and cloud environments.
Perhaps part of the problem with adoption is the initial approach. Organisations need to understand how IAM fits into their overall business strategy to aid core business development, rather than hampering it. To this end, proper planning is important to achieve a successful roll out. For example, once deployed, IAM will not live in isolation but will depend very much on the existing directory of users and accounts, which in most cases should reflect the current business structure. If that directory is not properly maintained, the answers to the key questions of who needs what access, and why, become disconnected from reality.
It is therefore of prime importance that the underlying planning and preparation is done to create the foundation for a successful deployment of IAM across an organisation.