Managing identity and access management in uncertain times


If we remember one thing from 2018, it is that we are all victims now through one breach or another. Every day, we hear more news about another data breach affecting millions of users, with significant financial and reputational consequences for its victims. With massive breaches like Equifax, Facebook, Deloitte, Quora and Yahoo, it is clear that breach notification services and multi-factor authentication (MFA) are not enough to prevent the next data breach headline from appearing in tomorrow’s newspapers.

Organizations have started thinking holistically, and rightly so, about risk and approaches to security using frameworks such as CARTA, Zero Trust, NIST SP 800 and IDSA. These frameworks offer progressive thinking and valuable approaches to modern identity strategy, but there is no one-size-fits-all answer. These frameworks are akin to buying furniture from IKEA: assembly required, but with a lot more complexity and a lot more at stake.

What’s wrong with IAM?

In 2017 I wrote about 3 ways to improve the security of identity and access management, where I identified some of the critical vulnerabilities in today’s IAM landscape. The risks posed by end-of-life IAM systems, provisioning silos, weak architecture and failure to focus on end-to-end experiences are not well understood or discussed often enough. The problem is that on-premise IAM solutions were driven by conformist and reactionary approaches to IT service management, such as single sign-on, centralized policy and log management. Cloud computing and SaaS largely disrupted on-premise IAM, and changing business models resulted in a predictable decline of benefits realized over time through atrophy of on-premise assets.

Management and operations, adjacent disciplines within IAM, come with their own set of risks. Developers can integrate and automate all the things until the cows come home, and they often do, with transformative results on business enablement and operational efficiency. However, until business leaders begin to address the underlying issues – IT being managed in stakeholders’ interests and run as a personal fiefdom – the risk of devastating data breaches will grow unabated.

Frameworks and guidelines

Modern frameworks and guidelines for IAM and security help to mitigate some of the business risks through documented best practices and fundamentals that focus on the people, process and technology aspects of an IAM program. Alliances and working groups help to accelerate the innovation lifecycle and democratize the security models and strategies that enterprises can easily adopt.

Zero Trust security

The Zero Trust security model has been with us for years but has only recently become popular in the wake of high-profile breaches. As businesses increasingly rely on third parties and contractors, Zero Trust security acknowledges that controlling access through legacy perimeter-centric models is no longer effective.
