7 Reasons To Fear Identity and Access Management by Vince Portis, Core Security
According to a study in CBROnline, 79.7% of organizations are investing, in one way or another, in an Identity and Access Management (IAM) solution. By now, we all know that user credentials are hackers' favorite tools to breach your network. Yet, these numbers show a full 20% of organizations haven't even begun to implement IAM solutions. Why not?
No, these solutions are not cheap or plug and play. Identity and Access Management is scary and I don't mean the size or price tag. These solutions show us things we don't want to know are there, they open up our mess of entitlements and show us how vulnerable we are. But let's tackle our IAM fears one by one.
Big Scary #1: Death by Big Data
Between the number of applications and devices assigned to each user you can quickly reach over a million access relationships in your first day. When you add in multiple locations for those users, part time users and contractors, the "big data monster" can quickly eat you alive.
IAM makes sense of all the data and tells you what you need to know. You can identify all users and the applications, devices, and more that they have access to. Furthermore, you can tell when those users have more access than they should or when they are behaving unusually. IAM can break down the mess of data and show you what you need to see in order to secure access.
Big Scary #2: Fear of the Unknown
"Do you delete security groups?" I will never forget the looks on people’s faces when this question was first asked at a conference last year. You might as well have asked them if they lived on the moon. Most people don’t know what is there and are too afraid that if they delete something then they will inadvertently break something.
Can you imagine deleting your CEO's access to his email or the CFO's access to the financial data? With IAM, you can have more visibility into your security groups and would know what those relationships mean and what the consequences will be for any action.
Big Scary #3: Fear of Excess Privilege
What does "privileged data" mean in your organization? What data is actually privileged? Where does it live and who has access to it? How many levels it would take someone before they could breach your network and get to it? How they would worm their way in if they came in through a phishing email or a downloaded piece of malware?
While most IAM solutions will give you the visibility to see your privilege data and who has access to it, you can take that one step further with the addition of a Privilege Access Management (PAM) tool.
PAM tools can not only help you manage your privileged information, it can help you find it. Through auto-discovery and encryption, PAM helps secure your privileged credentials by automating credential access and usage and allows you to rotate credentials on demand or by schedule. You can view, control and manage your privileged access to corporate applications all at once.
Big Scary #4: It Never Looks the Same
Everyone has different challenges in their organization and even your closest competitor’s infrastructure, and therefore security, will look completely different from yours. Not only will your solution look different from anyone else’s, it will look different day to day and sometimes even hour to hour based on the employee and organizational changes.
Just because the solution is always changing doesn’t mean that you can’t learn and get the most out of it. In fact, a solution that is continuously and comprehensively monitoring your network should not only look different but it should be able to alert you when things are different. The things that stand out most that are probably the ones that shouldn't be there.
Big Scary #5: Plausible Deniability
Ignorance is bliss, isn't it? Until you have to answer to your board, an auditor, or worse, the authorities, when something happens.
Claiming ignorance is not going to save you or your company when there is a breach. Knowing what is going on and taking steps to correct it can sometimes be proof enough to your team and your auditors that you know about the issue and are taking the required steps to correct it as soon as possible.
Big Scary #6: Don't Want To Rock the Boat
Security versus usability -- why can't they just get along? How do you balance adding security without reducing employee efficiency or annoying the customer enough to leave?
Security is not here to rock the boat. The issue here is both communication and visibility. Make sure you are communicating with your employees and customers about the importance of your security measures and the benefits, and any changes will be better received.
Big Scary #7: Don't Know Where To Start
What goes into an Identity and Access Management solution and where do you even start looking IAM solutions involve provisioning, compliance, password management, password resets, multi-factor authentication, access requests, single sign-on, and more, so this is a valid question that only you, your team and sometimes a consultant can answer. The most important thing is to talk to multiple stakeholders internally, really listen to their needs, and then find a solution that can be tailored to your organization.
Vince Portis, a Sr. Customer Support Engineer with Core Security, has over 18 years of application support in call center, retail and correctional environments. He gets gratification by providing application support to customers using Core's solution to provide insight to their infrastructure. Vince is working to certify on Core's products. In his leisure time, his extreme hobby is racquetball and he enjoys camping with his wife and two daughters.