The importance of a strategy-first approach to Identity and Access Management
Posted on August 20, 2018
Malware, ransomware and other cyber security threats dominate the headlines, while regulatory deadlines, such as the Mandatory Data Breach Reporting Scheme, are keeping CISOs up at night. So how can a CISO prioritise what to address first? The answer is different from that for most other IT projects, where technology is viewed as the first and often only answer.
The advantages of a strategy-first approach to IAM
Identity and access management (IAM) is covered under the umbrella of cybersecurity measures and “ensures the right individuals access the right resources at the right times for the right reasons.”
In its simplest terms, IAM authenticates the identity of users, authorises particular users to access resources or perform particular roles (role-based access control), and protects personal information and digital identities.
The roles which allow access are defined according to job competency, authority and responsibility within the enterprise and are commonly mission-critical, allowing system administrators to regulate access to systems and networks.
An organisation’s IAM becomes a framework for business processes which facilitates the management of digital identities. This framework includes the organisational policies for an enterprise and because it needs to be business-aligned, the development and evolution of the framework requires business skills and not simply technical competence.
Because organisations can properly manage digital identities and have greater control over user access, internal and external data breaches can be reduced, which is a particularly compelling argument in light of the new Australian legislation on mandatory reporting.
A strategy-first perspective with regard to IAM extends well beyond this framework and can actually provide an innovative communication plan. Furthermore, organisations with developed IAM capabilities can reduce their identity management costs and can be more agile in supporting new business initiatives.
What constitutes a successful IAM strategy
IAM projects tend to be quite complex with thorough planning and analysis required to ensure their success.
A cloud firewall is the first, broad step to address network-wide access. Having automated IAM systems allows businesses to operate more efficiently, freeing up limited resources to deal with specific security issues in a very fast-changing environment.
An IAM system should include the ability to capture and record user login information. It should also be capable of managing all user identities across the organisation in a centralised directory, as well as the assignment and removal of access privileges depending on role. If administrators have an overview of a centralised directory of users, they can help to avoid privilege creep, where users gradually accumulate access to areas beyond the authority of their role.
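The controls just described (a central directory, role-based assignment and removal of privileges, privilege-creep detection and a record of access decisions) as a small working model. This is an added example, not code from the original post; the role names, permission strings and the users in the directory are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed example: role definitions act as the single source of truth
# for what each role is entitled to.
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"erp:read", "reports:read"},
    "finance_manager": {"erp:read", "erp:approve", "reports:read", "reports:export"},
    "hr_officer": {"hris:read", "hris:write"},
}

@dataclass
class User:
    uid: str
    role: str
    granted: set = field(default_factory=set)   # direct grants accumulated over time

# Constructed central directory: bob moved from finance to HR but kept an old grant.
DIRECTORY = [
    User("alice", "finance_analyst", {"erp:read", "reports:read"}),
    User("bob", "hr_officer", {"hris:read", "hris:write", "erp:approve"}),
    User("carol", "finance_manager", {"erp:read", "reports:read"}),
]

AUDIT_LOG = []   # append-only record of every authorisation decision

def entitled(user):
    """Permissions the user's current role entitles them to."""
    return ROLE_ENTITLEMENTS.get(user.role, set())

def privilege_creep(user):
    """Grants the user holds beyond what their role entitles (empty set if none)."""
    return user.granted - entitled(user)

def reconcile(directory):
    """Map uid -> excess grants for every user holding more than their role allows."""
    return {u.uid: privilege_creep(u) for u in directory if privilege_creep(u)}

def change_role(user, new_role):
    """A role change resets direct grants to the new role's entitlements, so nothing carries over."""
    user.role = new_role
    user.granted = set(entitled(user))
    return user.granted

def authorize(user, permission):
    """Decide on an access request and record the decision; only role-entitled grants are honoured."""
    allowed = permission in user.granted and permission in entitled(user)
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "uid": user.uid, "perm": permission, "allowed": allowed})
    return allowed
```

Running `reconcile(DIRECTORY)` flags bob's stale `erp:approve` grant, and `authorize` refuses it even though it is still recorded against him, which is the point of checking requests against the role rather than against accumulated grants.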
A good IAM strategy balances security measures with employee and customer experience. The authentication and authorisation processes should be streamlined, balancing speed and automation with administrative control. The system should allow administrators to view and change access rights as well as being able to grant external users access to appropriate parts of the network without compromising security. This can promote increased efficiency, collaboration and productivity with decreased operating costs.
These goals should be effectively communicated to executives. Because IAM projects don’t directly impact profitability or functionality, it can be difficult to get funding.
The most effective IAM strategies require input from multiple (but manageable) stakeholders. These include cyber-security experts, HR, application developers and enterprise management across operations, budgeting and processes. The process is an iterative one, and it’s imperative that the IAM strategy can evolve with the changing business environment.
Critically, a good IAM strategy cannot disrupt essential existing services.
Inadequate IAM processes increase business risk and could also lead to regulatory noncompliance. Data breaches could be overlooked or not detected in a timely manner. If the organisation is audited, it will be difficult for management to prove that company data or captured personal information is not at risk of being misused.
IAM systems help companies better comply with government regulations and legislation. Using IAM systems, companies can also demonstrate that any data needed for auditing can be made available quickly and on demand.
In short, with a defined strategy, CISOs have a better chance of addressing a problem, rather than becoming a symptom of it.