If your organization hasn’t yet made the vital connection between Identity and Access Management (IAM) and security, consider this story about a school.
At the 2016 Cloud Identity Summit in June, Alex Simons of Microsoft’s Identity and Security Services Division revealed details about a probable nation-state attack on a school. Microsoft had recently detected a huge increase in account lockouts and failed logins for the school during the implementation of a new set of algorithms for Azure Active Directory.
Simons didn’t name the school, so it’s unknown if it was a large university or a public high school, but the implication is striking regardless of the size of the facility: Hackers were trying to cudgel their way inside the network by attacking login credentials. “This is the kind of thing that happens all the time,” Simons said. “Enemies are evolving very quickly, and we need to keep evolving with them.”
Tales such as this one abound, and recently include a widely publicized May 2016 breach of personal investment accounts of Charles Schwab customers. The company won’t say how many customers were affected, but it acknowledged that account sign-on credentials were probably taken from a source other than Charles Schwab and then used to access customers’ accounts, possibly exposing names, account numbers and transaction histories.
Identity is the new security perimeter, as several CISOs told NetworkWorld’s Jon Oltsik. Employee mobile device and cloud use has all but made existing network perimeters obsolete, so security policy enforcement decisions must now be driven by identity attributes such as user identity, role, device identity and location – rather than IP packet attributes.
But IAM infrastructure, as Oltsik notes, was built organically over the last 15 years, so it depends upon a muddle of disconnected and fragile elements. This muddle greatly affects security.
A recent ESG survey found that 23 percent of IT and cybersecurity professionals believe their IAM infrastructure was actually built for user convenience and not strong security. Yet because of employees using mobile devices and cloud applications, organizations’ cybersecurity has never been more at risk – and precisely at the time when those disconnected and fragile elements make for weak IAM.
No matter the size of your company, consider what happens when your IAM program can’t meet your security needs. Excessive manual processing, coupled with irregular reviews and reports of user authorization, prevents your IT and security teams from properly making the connections between employees, devices and services and all those authorizations. Without clear, intelligent IAM, the “movers, leavers and joiners” become an even greater cyber risk as you try to sort out authorization.
Nearly two-thirds of organizations do not have well-defined and automated IAM programs, stretching their security remarkably thin. If identity is indeed the new security perimeter, organizations should stop thinking of IAM as basic IT infrastructure and instead consider it as a proven way to control authorization and ensure that identity isn’t exploited by hackers. Disconnected and fragile IAM elements just won’t do anymore.