Since the EU passed the General Data Protection Regulation (GDPR), companies around the world have been scrambling to get ready for a new reality in cybersecurity compliance. Identity and Access Management (IAM) is one of the central and most critical components of any organization’s security and a prominent aspect of GDPR. Aside from GDPR and other legal requirements, the old paradigm for identity and access management is just not capable of dealing with a mobile workforce, cloud-based networks and applications, and distributed labor at scale. So whether or not your company is doing business in the EU, you need a rock-solid IAM system to protect your critical assets.
But not any IAM system will do. You should select an IAM that you can rely on to provide the right kind of protection for your company.
Almost all companies have their own security needs, but here are six key features for any modern identity and access management system.
Onboarding a new employee to the company and setting them up with access rights to the relevant assets is not a “set and forget” task. As the employee changes roles and responsibilities during their employment lifecycle at the company, they will need access rights data and applications. During this process, old permissions that are no longer required are often not revoked, mostly due to manual processes and overwhelmed IT staff. This can cause severe security issues. A Compensation Manager in the HR department should no longer have access to payroll when they move across to a Financial Analyst role in another department. When you select an IAM, make sure that employee state changes trigger automatic mechanisms that properly manage employee access. And when a user comes to the end of the lifecycle, your IAM must make it easy to offboard these users that are no longer employees.
One of the biggest problems with old-style legacy IAM systems is that identity management for account requests and creation are controlled by scripts and manual processes. In that paradigm, fulfilling authorization and authentication requests was a time consuming, inefficient, and labor intensive, often prone to inaccuracies. Modern IAM systems do away with the old method and rely on automated and scalable processes to manage large volumes of requests with high accuracy.
One of the biggest challenges for IAM today is interoperability. As an organization grows, it becomes more and more difficult to manage identities and access across dozens of different types of technologies running on the network at any one time. Often, the assets that need to be protected are proprietary or custom-made, which creates another level of complication. Most importantly, the IAM system must be able to easily interface with both on-premises applications and cloud-based networks, such as Azure and AWS, each of which has its own requirements and standards.
Furthermore, cloud-based IAM provides the flexibility to adapt to new technologies as they come along.
“...leveraging cloud identity management has benefits such as faster adoption of new capabilities , reduced burden of infrastructure and administration management, as well as improved user experiences as users and applications move outside the walls of the enterprise.”
When considering an IAM system, check that it is not bound to one type of technology and can support many types of networks and applications, including having the flexibility to be deployed on premises or on the cloud, according to your company’s changing needs.
Having an IAM system that does everything you want it to do is fantastic. But not being able to adequately query the data and manage it properly renders it inadequate. When the IAM system is not only used by IAM professionals and IT managers, but also by management teams and business leaders, effortless navigation through the data becomes crucial to understanding it. Data presented in an uncomplicated visual way ameliorates the decision making process. Make sure that the IAM system you choose has a graphical interface and data visualization that are clear, intuitive, and understandable.
As a company grows and evolves, new technologies and methodologies are adopted. IAM is no exception to this rule. Over time, policies and procedures are put into place to shore up defences and strengthen security to combat new and existing threats. The by-products of this are legacy systems that remain because, for whatever reason, they cannot be changed. This leads to a situation where you have varying IAM policies in place for different assets. For example, the financial and accounting software might require Role-Based Access Control (RBAC), but the HR network on AWS might use Policy-Based Access Control (PBAC). It is vital to you ensure that your IAM architecture can support multiple types of entitlements, policies, and roles, including Attribute-Based Access Control (ABAC), RBAC, and PBAC.
Identity and access must be properly managed, which is why you need to audit it to identify weak points and anomalies in the system. Best practices mandate periodically auditing your IAM system to ensure that it is configured correctly to meet your company’s security policies and business requirements, and any new threats that come about.
Auditing without reporting is inadequate. You need to be able to create the kinds of reports that are useful to you so that you can make sure that your company’s data is safe. Using strong analytics to understand user connections and what they can access is important for avoiding issues such as Separation of Duties (SoD) violations.
An article in Boss Equity on 5 May 2017 stated:
“...there is an increasing focus on risk management. Data leakage through unauthorised access can result in significant financial losses and damage to corporate brand.”
So to avoid massive fines and public relations failures, it is critical that the IAM system you select provides you with the auditing, reporting, and analytics features to help you keep on top of your data.
There are many considerations that you need to take into account when selecting IAM software, and much of it has to do with how your company is structured, where the people are, and what applications and services they use. However, when assessing IAM systems for your company, keep these six key features in mind and you can’t go wrong.