You may think you have a solid identity and access management (IAM) strategy. After all, the capability has been...
around for decades. But emerging technologies -- in particular, cloud, software-defined everything, the Internet of Things and mobility -- are placing stress on traditional approaches to IAM. Herewith, the top five steps for security professionals to take in revising their IAM strategy.
Know what your roles and policies are
Start by revisiting your roles and policies. Of course, if you don't already have a defined set of roles and policies, now is an excellent time to construct one. If they do exist, chances are that they were developed years ago, and things have changed. Are your current policies consistent across cloud services and mobile devices? Do they cover non-human users, such as devices on the Internet of Things, which may be requesting access to sensitive resources?
Keep up with the new tech on the block
Second, reassess your IAM tool suites in light of the requirement to integrate with emerging technologies. Many companies have homegrown code that's based on directories such as Microsoft's AD. That may have worked until now, but if you're moving to Office 365, is your code moving with you? Or should you consider third-party suites and services such as IAM Cloud?
And if you're using Amazon Web Services (AWS), you'll surely want to take advantage of Amazon IAM -- but what will it take to integrate Amazon IAM into the rest of your tools? Similarly, if you're using mobile device management like Good, Airwatch or MobileIron, is it tied into your existing IAM strategy?
Once again, if you haven't yet deployed IAM, consider integration with cloud and mobile technologies one of the most important selection criteria. There are a host of vendors and technologies in the IAM space. In addition to the aforementioned IAM Cloud, you'll want to look at vendors like Avatier, Aveksa, Courion, Evidian, GlobalSign, SailPoint and Varonis. And that's just the tip of the iceberg: vendors of systems, applications and cloud services like Amazon, CA, Dell, IBM, Microsoft, Oracle and SAP offer their own IAM solutions.
Be aware of software-defining everything
Third, take a close look specifically at software-defined everything (SDE). If you're like most companies, the majority of your workloads are already virtual. Now you're virtualizing everything that's left, including network and storage functions. Most likely, there's a handful of users within your organization with privileged access to these devices. You'll want to translate that access to virtual functions, which means you need to assess and select SDE tools that support your existing access policies. As you assess SDE offerings from vendors like BigSwitch, Cisco, Dell/Force10, F5, VMware and others, make sure you understand how they fit into your IAM strategy.
Give multifactor authentication another look
Fourth, plan to deploy multifactor authentication for highly sensitive access. Many companies have given up on MFA because of concerns about user overhead -- now's the time to take a second look. For one thing, MFA has gotten more user-friendly over the years -- for instance, instead of carrying a token, you might use a mobile phone app. Also, the stakes have risen sharply: With the high-profile breaches at Target, Sony, JPMorgan and others, many companies are willing to slightly increase the overhead to users in order to dramatically increase security.
Automate your analysis
Finally, consider deploying advanced security analytics (ASA) -- specifically user behavioral analytics -- to refine and fine-tune your user access policies. Many solutions in this space will alert managers to users who have too much access, either in comparison to their peers or based on their job functions. The real value to ASA is that it automates this kind of analysis, so you don't have to manually scan through logs and lists to see who has access to what.
The bottom line? A new era is dawning, and it's time to update your IAM strategy.
Learn how user behavioral analytics can improve your environment's security
Find out why enterprises view IAM as central to managing data security
Uncover how IAM can address the risks of enterprise unstructured content