For this week’s Discussion, consider that you want senior management to support a new Access Management program at your organization. While this may involve technology-based solutions, your budget may be limited and it is therefore essential that senior management provide support and encourage efficient use of the resources that the organization already has.
- Why is access management critical to today’s enterprise?
- What benefits does an enterprise gain from proper access management?
Krish Damany says
Access management is incredibly crucial in an organization’s enterprise. This allows users and groups to be assigned specific privileges within the company based on their employment type or status. Certain access to areas of the company (both physical and virtual) should be given to those who need it and not more than that. This helps the overall security of the company as fewer people will have confidential credentials that could be exploited. In the Target breach, the third-party HVAC company that was attacked had too much access to Target’s internal network, allowing the attackers to do more damage than thought possible. Having proper access management would mitigate these types of attacks.
Vanessa Marin says
I think organizations are faced with this issue now more than ever considering our new world of remote working. You would think that IAM would be one of the very first things addressed and monitored and controlled for an IT Security team. IAM is probably the most targeted and attacked area in our cybsec landscape. Would you agree?
Rudraduttsinh says
Access and Identity Management (IAM) goes hand-in-hand when defining the organization’s security. IAM defines and manages the roles and access privileges of the individual network to various cloud or on-premises applications. With numerous types of devices, applications, and persons interacting with the organization’s database or important resources, it becomes paramount to define who has access and who does not. If the access is not managed properly, this can create many logs for the security personnel to administer and manage. Centralized IAM can address this problem, where IAM provides one digital identity per individual or item. Once the digital identity has been established, it must be maintained and monitored throughout each user’s or device’s access lifecycle. IAM also helps in maintaining the organization’s corporate policies, compliance, and regulations.
References
Storm, D. (2021). IAM products provide IT managers, with tools and technologies for controlling user access to critical information within an organization. Retrieved from https://www.csoonline.com/article/2120384/what-is-iam-identity-and-access-management-explained.html
Krish Damany says
Hi Rushi,
The one-digital-identity IAM process is certainly the way to go in an enterprise. It’s much easier to manage an account than to manage every single device that account is signed into. Especially in the event that a device is lost or stolen, the admin can easily wipe the device of any account credentials and issue a new device to the employee, and all they have to do is log in.
Vincent Piacentino says
Identity and Access Management (IAM) is all about making sure that the identity of a user is authenticated to a high assurance level and that their role is authorized to access just the resources they need to get their job done. IAM also includes hardware and applications a user needs to access.
I feel like I touch on the Zero Trust model in every post, but this is the core concept: “Verify Explicitly!” You must be able to prove your identity at every access point, and the IAM system must be able to create a behavioral baseline. It must always authenticate/authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies such as: if you do not normally log in from Russia at 2:00 A.M., the access attempt is treated as suspicious.
The benefits of IAM are: improved security, enhanced user experience (SSO), fostering of business goals, and increased practicality of mobile devices, remote working and cloud solutions. A key element of an IAM system is the ability to audit user actions/access for investigations and compliance purposes.
Mei X Wang says
Hi Vincent, I agree the Zero Trust Model is the best way to go to assure no one is getting access to what they aren’t authorized for.
Having a properly configured IAM can indeed help mitigate risks that employees may face by offering SSO (e.g. the fewer times the employee enters their password, the less chance of a man-in-the-middle attack), a centralized overview of applications and access (transparency throughout the organization), and recognizing heuristic behavior of users (unusual behavior becomes easily recognizable).
Vincent Piacentino says
Hello Mei,
Heuristic behavior detection was R&D’d to overcome the main disadvantages of both signature- and behavior-based methods in attacks and is also important in IAM. I agree with you that understanding deviations from normal employee behavior, employing SSO, and a “single pane of glass” for IAM adds layers of defense. All are very important to mitigating risks.
Jerry Butler says
Vincent,
I like your perspective on I&AM; you talk about its “ability to audit user actions/access for investigations and compliance purposes.” This is a key aspect because, as a security professional, you want to be able to keep track of who is accessing the system and what they are authorized to do.
Amelia Safirstein says
Great point, Jerry. This information would also be vital in an investigation if an employee or a hacked account were to do something malicious.
Jerry Butler says
Vincent, that’s a great insight. I would also consider adding some of these aspects to I&AM during authentication, for instance:
1. What you know
2. Who you are
3. What you have
4. Location (Location is now more important than ever as an additional security measure.)
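Added illustration (not part of Vincent’s or Jerry’s posts): a small “verify explicitly” policy check that ties the two posts together. Each request is scored against the factor categories Jerry lists (what you know / who you are / what you have), with location and time of day compared against the user’s behavioral baseline as Vincent describes, plus device health, and every decision is appended to an audit list. The users, baselines, factor mapping, thresholds and the `make_request` helper are all constructed assumptions, not any product’s logic.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Category of each presented authenticator (assumed mapping of the factors above)
FACTOR_CATEGORY = {
    "password": "know",       # what you know
    "otp": "have",            # what you have
    "hardware_key": "have",
    "fingerprint": "are",     # who you are
}


@dataclass
class Baseline:
    """Constructed behavioral baseline for one user."""
    usual_countries: set
    usual_hours: range          # UTC hours at which the user normally works


@dataclass
class AccessRequest:
    user: str
    resource: str
    classification: str         # "public", "internal" or "confidential"
    factors: set                # authenticators presented, e.g. {"password", "otp"}
    country: str
    device_healthy: bool
    timestamp: datetime


# Constructed baselines for two sample users
BASELINES = {
    "alice": Baseline({"US"}, range(7, 20)),
    "bob": Baseline({"DE", "FR"}, range(8, 18)),
}


def evaluate(req, baselines=BASELINES, audit=None):
    """Decide 'allow', 'step_up' (fresh re-authentication) or 'deny' and
    return (decision, reasons). Each decision is appended to `audit` so that
    access can later be reviewed or investigated."""
    reasons, anomalies = [], []
    base = baselines.get(req.user)
    if base is None:
        reasons.append("unknown identity")
        decision = "deny"
    else:
        categories = {FACTOR_CATEGORY[f] for f in req.factors if f in FACTOR_CATEGORY}
        hard_fail = False
        if len(categories) < 2:           # need two distinct factor categories
            reasons.append("fewer than two factor categories presented")
            hard_fail = True
        if not req.device_healthy and req.classification != "public":
            reasons.append("device failed health check")
            hard_fail = True
        if req.country not in base.usual_countries:
            anomalies.append(f"unusual location {req.country}")
        if req.timestamp.hour not in base.usual_hours:
            anomalies.append(f"unusual hour {req.timestamp.hour:02d}:00 UTC")
        reasons.extend(anomalies)
        if hard_fail:
            decision = "deny"
        elif len(anomalies) >= 2 and req.classification == "confidential":
            decision = "deny"             # e.g. Russia at 2 A.M. against payroll data
        elif anomalies:
            decision = "step_up"          # suspicious: ask the user to prove identity again
        else:
            decision = "allow"
    if audit is not None:
        audit.append({
            "time": req.timestamp.isoformat(),
            "user": req.user,
            "resource": req.resource,
            "decision": decision,
            "reasons": list(reasons),
        })
    return decision, reasons


def make_request(user, classification, factors, country, hour, device_healthy=True):
    """Build a constructed request to a sample resource at `hour` UTC on 2021-03-01."""
    return AccessRequest(user, "payroll-db", classification, set(factors), country,
                         device_healthy, datetime(2021, 3, 1, hour, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    log = []
    print(evaluate(make_request("alice", "confidential", ["password", "otp"], "RU", 2), audit=log))
    print(log)
```

The audit record is what turns the decision into evidence: a reviewer can later see not only that a request was denied but which data points drove it.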
Vanessa Marin says
Why is access management critical to today’s enterprise?
What benefits does an enterprise gain from proper access management?
Identity Access Management (IAM) is a framework that lets system administrators manage electronic and/or digital identities using business processes, policies and technologies. It essentially enables administrators to divvy up access to critical data amongst its user base. IAM focuses on protecting data use by enacting privacy policies that limit access to resources, thus preventing unauthorized access to data or applications. This can be accomplished by using role-based access controls within an organization. There are also tools in the framework such as SSO, Two-Factor Auth, MFA, and PAM/PIM. A combined use of these tools helps store data and perform governance functions to ensure that only the minimum required data is accessed.
These days a company is judged by its management of data. One key way data can be compromised is by faulty practices in access management. Breaches due to a lapse in these types of controls can result in a serious loss of trust from the consumer, regulatory fines, costs associated with recovery of data or a compromised system, loss of life, etc. One breach can cost your organization… the entire organization. It is wiser to make an up-front investment in tools that mitigate this risk significantly by just implementing some best practices. Benefits of having a robust IAM:
– Enhanced Data Security – mitigate the risks to identity theft, data breaches and illegal access to sensitive information. Preventing unauthorized logins or a compromise of credentials is a preventive measure to protect against hacking, ransomware, phishing and many other cyberattacks.
– Increased Efficiency – streamlining processes from the policy level that trickle down throughout the enterprise can be done in one fell swoop. If you can update policy and have your authorization and directory services pre-configured then user management and authentication services can be updated.
– Increased Compliance – Preconfiguration of IAM can be done such that it complies with HIPAA, SOX, PCI-DSS, etc.
– Increased Confidentiality – Restricted use secures sensitive data and helps managers have a clearer view of the users that are associated with projects.
All these will have an overall positive impact on your organization.
Vanessa
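Added example, not part of Vanessa’s post: the role-based access control she mentions, written as a default-deny permission check, together with a PAM/PIM-style just-in-time elevation so that a privileged role is held only for a bounded time and only after a second person approves. Roles, permissions, users, the 8-hour cap and all function names are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Each role carries only the permissions that job needs (constructed sample)
ROLE_PERMISSIONS = {
    "analyst":  {"reports:read"},
    "engineer": {"reports:read", "repo:write", "ci:run"},
    "finance":  {"reports:read", "ledger:read", "ledger:write"},
    "dba":      {"db:read", "db:write", "db:admin"},   # privileged; granted only on request
}

# Standing role assignments (constructed)
USER_ROLES = {
    "alice": {"engineer"},
    "bob":   {"analyst"},
    "carol": {"finance"},
}

NOW = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock for the demo
ONE_HOUR = timedelta(hours=1)


def effective_permissions(user, now, user_roles=USER_ROLES, elevations=None):
    """Union of the user's standing roles and any unexpired just-in-time elevation.
    Unknown users and unknown roles contribute nothing, so the default is deny."""
    roles = set(user_roles.get(user, set()))
    for (who, role), expires in (elevations or {}).items():
        if who == user and now < expires:
            roles.add(role)
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user, permission, now, **kw):
    """Least-privilege check: allowed only if some held role grants the permission."""
    return permission in effective_permissions(user, now, **kw)


def request_elevation(user, role, duration, now, approver, elevations):
    """Time-bound grant of a privileged role. A second person must approve,
    the duration is capped, and the grant expires on its own."""
    if approver == user:
        raise PermissionError("a user cannot approve their own elevation")
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role {role}")
    if duration > 8 * ONE_HOUR:
        raise ValueError("elevations are capped at 8 hours")
    elevations[(user, role)] = now + duration
    return elevations[(user, role)]


if __name__ == "__main__":
    active = {}
    print(is_authorized("alice", "db:admin", NOW, elevations=active))                 # False
    request_elevation("alice", "dba", ONE_HOUR, NOW, "security-lead", active)
    print(is_authorized("alice", "db:admin", NOW, elevations=active))                 # True
    print(is_authorized("alice", "db:admin", NOW + 2 * ONE_HOUR, elevations=active))  # False
```

Because nothing is granted unless a role explicitly carries it, adding a new user or a typo in a role name fails closed rather than open, which is the property an auditor asks about first.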
Vincent Piacentino says
Great post, Vanessa!
I agree: organizations that do not take a best-practices, layered-defense approach seriously are doomed to fail. Like you said, “One breach can cost your organization… the entire organization”. I also agree it is of paramount importance to mitigate these risks significantly. Only let pass who/what is allowed to pass. Seeing an uptick these days with ransomware should really have organizations on their toes and their backups fresh!
Mei X Wang says
One of the biggest security problems organizations deal with is controlling access. How can organizations provide efficient access to perform business needs while also protecting their own confidential information? We learn about concepts of least privilege, segregation of duties, and access controls but the looming issue is bigger than just what IT/IS can provide.
For organizations to effectively deploy a technology-based solution such as an Identity Access Management tool, there has to be a large amount of support from stakeholders/top-level management. IAM tools are not cheap, and if the budget/business priorities don’t support a standalone tool, one option our organization may have to explore is cloud-based IAMs. This means we have to standardize our employee data and applications and make them fit off-the-shelf solutions. It’s crucial we do have top-level management support because implementing these solutions requires resources, cooperation, and communication from all departments feeding into the solution, i.e. on the IT side, they must create workflows and standardize data to be put into the tool. On the IS side, we have to figure out how access control is defined in our policies and procedures and how we can build our solution around it.
Access controls are a big part of most audits, so if the company is publicly traded, SOX/SOC2 audits will fail if access isn’t properly controlled, monitored, and reviewed on a scheduled basis. Not supporting access control solutions means financial loss, potential data leakage, potential reputational loss, and may even result in the business shutting down. Having a progressive IAM solution can lead to many benefits for the organization: there will be less chance of corporate espionage and less impact from human-based attacks (employee theft, phishing attacks, …). If the industry argument is “humans are the weakest link”, having an IAM controls what access the employees have on a real-time basis, reducing the risk of human-based attacks. Overall, access is still an issue organizations struggle with; supporting an IAM tool can help provide transparency on how access is granted, revoked, controlled, and monitored on a real-time basis.
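Added example, not from Mei’s post: the scheduled access review that auditors look for, run over a constructed extract of an identity store. It flags three things a SOX/SOC2 reviewer asks about: departed staff who still hold roles, active accounts that have gone dormant, and segregation-of-duties conflicts. The account records, role names, the 90-day threshold and the toxic-combination table are all assumptions for the demonstration.

```python
from datetime import date, timedelta

# Pairs of roles one person should not hold at the same time (assumed examples)
TOXIC_COMBINATIONS = [
    ({"ap_clerk", "ap_approver"}, "can create and approve the same payment"),
    ({"developer", "prod_deployer"}, "can deploy own code to production without review"),
]
DORMANT_AFTER = timedelta(days=90)      # assumed review threshold
AS_OF = date(2021, 3, 15)               # constructed review date

# Constructed extract of an identity store at the review date
ACCOUNTS = [
    {"user": "alice", "status": "active", "roles": {"developer"}, "last_login": date(2021, 3, 10)},
    {"user": "bob", "status": "terminated", "roles": {"ap_clerk"}, "last_login": date(2020, 11, 2)},
    {"user": "carol", "status": "active", "roles": {"ap_clerk", "ap_approver"}, "last_login": date(2021, 3, 12)},
    {"user": "dave", "status": "active", "roles": {"developer"}, "last_login": date(2020, 10, 1)},
    {"user": "svc_backup", "status": "active", "roles": set(), "last_login": None},
]


def review_access(accounts, as_of):
    """Return a list of (user, finding_type, detail) for a manager to act on."""
    findings = []
    for acct in accounts:
        user, roles, last = acct["user"], acct["roles"], acct["last_login"]
        # 1. Orphaned access: the person left but the roles were never revoked
        if acct["status"] != "active" and roles:
            findings.append((user, "orphaned",
                             "departed user still holds: " + ", ".join(sorted(roles))))
        # 2. Dormant account: still enabled but unused beyond the threshold
        if acct["status"] == "active" and (last is None or as_of - last > DORMANT_AFTER):
            findings.append((user, "dormant",
                             "never logged in" if last is None
                             else f"no login for {(as_of - last).days} days"))
        # 3. Segregation of duties: a single person holds a toxic role pair
        for combo, why in TOXIC_COMBINATIONS:
            if combo <= roles:
                findings.append((user, "sod_conflict", why))
    return findings


def summarize(findings):
    """Count findings by type, e.g. for the review sign-off sheet."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, AS_OF):
        print(*finding, sep=" | ")
    print(summarize(review_access(ACCOUNTS, AS_OF)))
```

Running this on a schedule and keeping the output is the evidence that access is “reviewed on a scheduled basis”; the findings themselves become revocation tickets, which is the follow-through the rest of the thread is about.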
Vanessa Marin says
Great post, Mei!
You’re definitely on point with the implementation of cloud-based IAMs and having the right policies/training. That’s one half of the battle. The other half is follow-through. Once these things are established, you have to have all parties follow through with what is set in the policies. All the way from revisiting and analyzing the technological space and everything contained in it for relevance to the organization, to ensuring that policies are up to date, to doing periodic audits to ensure compliance, everything should be kept relevant. The investment is not restricted to implementation of IAMs. It’s the culture and mentality of the organization that has to be impacted greatly so all levels of staff follow through with the vision.
Would you agree?
Vanessa
Mei X Wang says
Hi Vanessa, I strongly agree with your point. It doesn’t matter how high-tech the tool may be if the organization doesn’t follow through on what is defined in their policies AND progressively try to better their access controls to maintain this level of security.
When new technologies such as cloud computing are introduced, attackers may still be able to infiltrate the systems. Having the right tools in place is equally as important as users following up with the upkeep.
Vincent Piacentino says
Great post, Mei!
So many factors to consider when it comes to IAM, right?! Like you said, stakeholders need to buy into this (wholeheartedly) because of the criticality. As you point out, these solutions are $$$, but the benefit definitely outweighs that, depending on the size of the organization.
Jerry Butler says
Access management is very critical because it determines who has authorized access to the system. And with today’s environment, where more people are working remotely, hacks/breaches through remote access have increased; hence, it’s more critical today for companies to manage access since it’s the gateway to the core system.
Proper access management improves user experience, for instance SSO enables users to sign into several accounts using the same credentials. In addition, it reduces password issues, enhances security, and reduces IT operational costs.
Amelia Safirstein says
Access management is critical in today’s enterprise because it limits the possibility of employees/insiders acting maliciously with data or systems or making mistakes that affect more critical systems/data. Additionally, access management limits the attack surface of an organization. Without access management, an attacker could simply gain access to any employee’s account and have full access to all systems and stored data. Lastly, many companies have to implement access management to secure stored PII and keep compliant with laws and regulations.
This mitigation can save companies money from losses, fines, and lawsuits in the long run.