Information security is really about IT governance, which is a multifaceted practice involving policy creation, enforcement and ongoing risk mitigation. A critical component of a security/governance program is identity and access management. is more than a decade old -- several decades if you look at the basis of what it's trying to accomplish. Yet, given the benefits of IAM, it's not quite as pervasive in the enterprise as one would expect.
One of the most important identity and access management benefits is the ability to simplify the complicated. Enterprise identities have evolved beyond standard user accounts. Take a holistic view of identities across the typical organization and you'll find there are many types of identities to be managed. Among them are the following:
- internal employees
- external partners
- applications and services
- IoT systems
- mobile devices
Where IAM can fill in the gaps
Many IT and security shops are so busy with their day-to-day work they haven't yet realized what's needed to manage these identities -- both periodically and in real time. This is one area where IAM can help fill the gaps.
Additionally, today's security requires more adaptive identity governance beyond traditional spot-check audits to eliminate blind spots. For example, consider user accounts that are either added or removed at a certain point in time. Traditional identity access audits that only take place every few months can overlook the fact that these accounts should have been modified or disabled, thus making their mapping inaccurate. This leads to the situation where ongoing audits are "passed" and checkboxes are checked. In this hypothetical case, the organization is not in compliance with its own policies or the requirements of government or industry regulations that may apply. In fact, it could be more at risk due to this lack of visibility in the IAM process.
Another benefit of IAM is how it highlights the identity and access approval process. Infosec professionals are familiar with the generic requests of so-and-so new employee or contractor needing access to the network, the ERP system and all doors within the building. This is appropriate in smaller organizations, but for larger businesses, this request fails to illuminate a number of important areas. Among them are the following:
- the actual rights that are needed on the network or enterprise applications;
- whether or not the request is unusual;
- similar access levels that other employees currently have; and
- the most common role(s) accessing such requests.
To have true IT governance, especially across various business units, all the right people need details. It's critical to ensure that identity and access decisions are made not only based on generic policies or workflows, but also because they include detailed contextual information outlining specific business needs and potential risks.
IAM might be complicated to oversee, but it's worth it
It's clear that IAM is worth the fuss. A modern IAM system is flexible and extensible enough to adapt to how an organization works, rather than forcing the business to adapt to IAM. IAM products have evolved and improved in recent years; however, the essence of IAM and how it can help enterprise security/governance programs has not changed and it can be well worth the investment.
If an information security program is to remain healthy and effective over the long term, everyone must work toward the same goal to reduce business risk. The only reasonable way to implement, manage and enforce identity- and access-related policies is to utilize an IAM system. Be it in-house or cloud-based, the more complex the network, the greater the need.
Don't yet have an IAM system or feel it is underimplemented? Take a step back and see how things can be improved. Consider whether your current processes work for or against the security goals. Think about what can be improved, which steps can be simplified and which can be eliminated altogether.
Make sure that everyone's time is used wisely -- from the business unit manager making an initial request to the IT or security team charged with approving and managing network addresses. The benefits of IAM will give the enterprise the necessary visibility and control needed to oversee network accounts as well as satisfy ongoing governance. Anything less will likely facilitate -- if not create -- risks the business can't afford to contend with.