How IAM powers cyber resilience: 5 best practices

Rob MacDonald Security Evangelist, Micro Focus
 

Here’s a hard truth: You can have the best application security tools, the best encryption technology, and, in general, the sharpest, most advanced cybersecurity stack, but that will amount to little without solid identity and access management (IAM).

To put it simply, IAM is the foundation upon which your cybersecurity infrastructure must be built. You must have a comprehensive handle and an unimpeded, always updated view of the identities flowing across your IT environment.

With IAM, you ensure that only the right people, devices, and services get the right access to the right applications and data at the right time. Anything less and your organization faces a considerable risk of suffering a catastrophic security breach.

By having tight control over identities, you boost your cyber resilience. Strong IAM makes your organization able to absorb the constant, inevitable changes, big and small, that businesses experience: mergers and acquisitions, new technology adoptions, continuous staff changes, pandemics and the like.

Here are five key best practices for boosting your cyber resilience through IAM.

1. Choose IAM technology that’s flexible and extensible

By choosing flexible, extensible tech based on open standards such as OpenID Connect and OAuth, you can leverage industry-standard REST APIs and connect to modern cloud platforms and applications for authentication and provisioning. Otherwise, you’ll end up locked into proprietary, legacy IAM technology that, instead of facilitating your adoption of IT innovations, will hinder it, slowing down your digital transformation, providing inferior identity and access protections, and weakening your cyber resilience.

2. Manage your IAM infrastructure centrally

Make sure your IAM infrastructure can ingest all identities, regardless of type, from ID stores wherever they’re located (on premises or in the cloud) and manage them centrally. That way, when changes happen, such as someone leaving or joining the company or changing roles, you can sync and consolidate the identity types in real time, without lags in status updates that cyber attackers are always ready to pounce on.
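A reconciliation check of the kind this practice implies, as an added example (not code from the article or from any IAM product): it compares enabled accounts in several ID stores against one authoritative record and reports leavers that are still enabled, accounts with no owner, and role drift. The store names, field names, and the choice of HR data as the authoritative source are assumptions, and all data is constructed.

```python
from datetime import date

# Constructed sample data. HR is treated as the authoritative source (assumption).
HR = {
    "e100": {"status": "active", "role": "sales-engineer", "end": None},
    "e101": {"status": "terminated", "role": "finance-analyst", "end": date(2020, 9, 1)},
    "e102": {"status": "active", "role": "marketing", "end": None},
}
# Accounts as exported from each identity store (constructed, hypothetical names).
STORES = {
    "on-prem-ad": [
        {"emp": "e100", "enabled": True, "role": "sales-engineer"},
        {"emp": "e101", "enabled": True, "role": "finance-analyst"},
    ],
    "cloud-idp": [
        {"emp": "e101", "enabled": False, "role": "finance-analyst"},
        {"emp": "e102", "enabled": True, "role": "sales-engineer"},
        {"emp": "e999", "enabled": True, "role": "contractor"},
    ],
}
AS_OF = date(2020, 9, 15)  # constructed "today" so the lag is reproducible

def reconcile(hr, stores, today):
    """Return sorted (store, emp, finding) tuples where a store disagrees with HR."""
    findings = []
    for store, accounts in stores.items():
        for acct in accounts:
            if not acct["enabled"]:
                continue  # already disabled in this store, nothing to report
            person = hr.get(acct["emp"])
            if person is None:
                findings.append((store, acct["emp"], "orphan: no HR record"))
            elif person["status"] == "terminated":
                lag = (today - person["end"]).days
                findings.append((store, acct["emp"], f"leaver still enabled, {lag}d lag"))
            elif person["role"] != acct["role"]:
                findings.append((store, acct["emp"],
                                 f"role drift: {acct['role']} != {person['role']}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in reconcile(HR, STORES, AS_OF):
        print(*finding, sep=" | ")
```

Note that the leaver was disabled in one store but not the other, which is the gap that per-store management leaves open.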

3. Consolidate and unify IAM technology

Your finance and marketing departments shouldn’t have their own IAM systems. With a single IAM platform, you’ll be able to create company-wide policies that apply to every one of your enterprise end users, and you can address customer IAM (CIAM) at a later date. It will also give you the end-to-end visibility to adjust access rights granularly across the organization according to types of employees, applications, devices, and so on. All of this will contribute to a more cyber-resilient organization.

4. Ease of use is key for effective execution

Strive to provide an IAM service that’s intuitive and easy to use. If your end users find it cumbersome and inconvenient, they will cut corners or find ways to bypass it. For example, if you require that all users change their passwords too frequently, many end users will resort to things such as changing only one letter or digit and leaving the rest of the password untouched. If required to use more than one password for different systems, they might simply modify the same password slightly. End users can be your weakest security link, so being mindful about providing security that is easy and that they want to adopt is critical.

5. Pay attention to emerging technologies

Become acquainted with emerging technologies in the IAM space. For example, machine learning (ML), artificial intelligence (AI), and user behavior analytics (UBA) are starting to make their way into IAM products and deployments, with substantial benefits, such as being able to detect anomalous behavior from an otherwise properly authenticated identity.

By learning the expected and normal behavior of, say, a typical sales engineer, an IAM platform that uses ML, AI, and UBA can, in real time, flag unusual behavior as a suspicious action—for example, if a sales engineer were to access financial data that’s normally not used by such employees. This could signal that the employee’s credentials have been stolen or the employee is up to something. Such a capability elevates the precision and effectiveness of IAM and of the security pros involved, because it’s going beyond simply assigning employees a level of access privilege and stopping there. AI, ML, and UBA make IAM much more intelligent and nuanced.
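The peer-group idea in the sales engineer scenario, reduced to its simplest form as an added example (not code from the article or from any IAM product): a per-role frequency baseline stands in for the ML model, and an already authenticated access is flagged when its resource category is rare for that role. The role and category names, the 2% threshold, and the access history are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed history of (user, role, resource_category) access events.
HISTORY = (
    [("alice", "sales-engineer", "crm")] * 40
    + [("alice", "sales-engineer", "demo-lab")] * 25
    + [("bob", "sales-engineer", "crm")] * 35
    + [("bob", "sales-engineer", "demo-lab")] * 30
    + [("bob", "sales-engineer", "finance")] * 1
    + [("carol", "finance-analyst", "finance")] * 60
    + [("carol", "finance-analyst", "crm")] * 5
)

def build_baseline(history):
    """Per role, the share of past accesses that went to each resource category."""
    counts = defaultdict(Counter)
    for _user, role, category in history:
        counts[role][category] += 1
    return {role: {c: n / sum(ctr.values()) for c, n in ctr.items()}
            for role, ctr in counts.items()}

def score_event(baseline, role, category, threshold=0.02):
    """Flag an access whose category is rare for the user's peer group.

    threshold is an assumed cut-off: categories below this share of the
    role's historical accesses are treated as unusual and sent for review.
    """
    peers = baseline.get(role)
    if peers is None:
        return {"flag": True, "share": 0.0, "reason": "no baseline for role"}
    share = peers.get(category, 0.0)
    reason = "rare for peer group" if share < threshold else "within baseline"
    return {"flag": share < threshold, "share": round(share, 4), "reason": reason}

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for role, category in [("sales-engineer", "crm"),
                           ("sales-engineer", "finance"),
                           ("finance-analyst", "finance")]:
        print(role, category, score_event(baseline, role, category))
```

The same finance access scores as normal for a finance analyst and as rare for a sales engineer, so the signal comes from the peer group rather than from the resource itself.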

When these advanced algorithms and behavior analytics are embedded into the IAM platform, it’s not necessary for security pros to have data science or advanced math skills to leverage these capabilities. It’s a democratization of emerging, advanced IAM technology that until now was too costly and complex to deploy, and thus outside of the scope of most IT teams.

Key trends driving the need for IAM

The sudden shift to telework we’ve experienced this year as a result of the global pandemic is a good example of why IAM is needed more than ever. With a strong IAM system and process, an organization can minimize the risks from such an abrupt and disruptive change. Throw in a different authentication method to validate users working from home, and you’re good to go, because the identity information is always current and centrally managed, regardless of employees’ geographic location. It’s a little oversimplified, I know, but it’s true.

Likewise, if your company acquires another firm, the event shouldn’t throw your identity management for a loop when hundreds or thousands of new employees have to be incorporated into your corporate structure in one fell swoop. With a solid IAM system and process in place, you just point your ID management infrastructure at the acquired company’s ID store, ingest all its employee IDs, and add them to your unified ID infrastructure. Again, I know it is oversimplified, but at a high level, it’s true.

And the importance of IAM will keep growing, as IT environments become more hybrid, distributed, and dynamic and as business processes continue getting digitized. Without strong IAM, modern IT technologies such as cloud computing, mobility, containers, and microservices won’t be as efficient or as secure as you’d like them to be. That’s because identities will become increasingly fragmented and siloed, making their management complex, erratic, and insecure.

Identity powers cyber resilience, and acts as the basis for the secure adoption of modern IT innovations, and for the pursuit of digital transformation initiatives that are essential for business competitiveness.
