With almost two decades of experience analyzing identities, data platforms, and overall application and system landscapes, Rita provided her expert insight on IAM strategies, identity hygiene, and privileged access management in this Q&A. Why is IAM so core to security?
Implementing an effective Identity and Access Management (IAM) strategy within large enterprises reduces the risk of sensitive data falling into the wrong hands, improves compliance, and increases efficiency across the organization as a whole. A lack of identity governance and administration can lead to excessive and redundant access to sensitive data, including overlooked active directory, applications, servers, and least privileged security policies.
Practicing effective “Identity Hygiene” means having the necessary visibility and remediation workflows in place to immediately reduce the risk of a breach by identifying and remediating excessive access issues and minimizing the cyber-attack surface of an organization's IT environment, keeping their most sensitive data safe and secure.
How have IAM strategies shifted over the past few years? What factors have impacted the shift?
Record-breaking increases in not only the frequency, but also the severity of data breaches and ransomware attacks over the past few years, coupled with a global pandemic that left many employees with no choice but to work remotely, has forced organizations to implement digital transformation initiatives quicker than expected as they accelerated their migration to cloud-native infrastructures. Threat actor groups have become more sophisticated and creative in their methods and tactics, and recent talent shortages in the cybersecurity industry have forced many organizations to rely on cloud and managed security services to protect their most sensitive and important data.
IAM strategies have shifted to utilize automation and cloud capabilities to reduce risk and govern environments both efficiently and effectively. Organizations are finding that making the move to the cloud and automated services can replace time-consuming manual efforts - saving valuable time and money in the process. Utilizing software-based IAM solutions with automated processes allows large enterprises to control who exactly has access to specific data, while enforcing security policies and access controls across an entire IT environment, all with one solution.
How has end-user sentiment changed over IAM? (common use of auth apps, etc. now in corp environments)
Unlike in previous years, there is an urgency and understanding that Identity and Access Management is a critical part of an IT security program. In response to high profile data breaches, such as the Okta breach or the SolarWinds attack, end-users are more aware that mitigating this risk is a priority.
98% of the organizations surveyed in an Identity Defined Security Alliance report said they experienced rapid growth in the number of their identities. Due to the shift to cloud-native infrastructures, attack surfaces areas for organizations have expanded significantly and become more complex. This study also found that 80% had fallen victim to an Identity-related breach in the past year. Identity is now the new security perimeter at the forefront of security leaders’ minds. Also, with shifting regulatory requirements across the globe, organizations are now in need of data governance and access management solutions to help stay in line with changing data protection measures.
What are some of the remaining challenges of IAM?
One of the biggest challenges companies face when implementing IAM is that they fail to fully “embrace the challenge.” IAM tools are not a one-size-fits-all solution that will fix all access governance woes. There needs to be an understanding that before anything is done, all stakeholders must be fully committed and ready for the change. A lack of strategy and understanding of IAM programs is holding back many organizations from tapping into effective and holistic Identity Hygiene. IAM programs are multi-year and multi-phase. The maturity model requires constant review and realignment on a regular basis.
Another challenge is incomplete implementation. This is where IT and security teams silo the parts of an IAM program between different attack surfaces. IAM needs to be approached holistically, where devices, applications, data, infrastructure, users, and processes are all taken into consideration. IAM is the foundation of an infosecurity program. It takes into account who has access to what, why, and when at all times. Organizations should pay special attention to the life cycle program implementation. While the IAM program achieves its maturity state, to prevent data breaches, preventing controls must be implemented. This can be a hefty and long-term undertaking, but it is absolutely worth it if done right.
Read more here