Identity and Access Management as the Foundation of the Modern Enterprise

Identity and Access Management (IAM) first gained recognition as a business enabler 15-20 years ago. It is seeing a resurgence today because many people now understand that IAM can solve many of the emerging challenges facing businesses.

We hosted a roundtable that brought together a group of Cloud architects, IT, software engineers, information security, intellectual property and process & innovation professionals to take a deeper look at:

  • How IAM serves as the final perimeter, as part of the zero trust framework
  • How modern enterprises balance privacy and access for consumers
  • How organisations balance greater development velocity and increased security when releasing software to support their digital transformation goals

Rela8 Group’s Technology Leaders Club roundtables are held under the Chatham House Rule. Names, organisations and some anecdotes have been withheld to protect privacy.

About Broadcom

With its roots based in the rich technical heritage of AT&T/Bell Labs, Lucent and Hewlett-Packard/Agilent, Broadcom focuses on technologies that connect the world. Through the combination of industry leaders Broadcom, LSI, Broadcom Corporation, Brocade, CA Technologies and Symantec, the company has the size, scope and engineering talent to lead the industry into the future.

IAM

As organisations implement new technologies and go through a programme of digital transformation, they continue to rely on a modern IAM solution to serve as the foundation of this change. But companies still have to find the right balance between privacy/security and frictionless access for their customers.

Zero trust principles

Zero trust is not necessarily a single product or solution; it is more of a mindset and a way in which organisations can stay in control now that some of their personnel are working from home over public networks. Before the pandemic, staff were not allowed to log on unless they were on the corporate local network or a VPN, but the world doesn’t work like that anymore.

There are signs when a company doesn’t understand the value of identity management, for example when the answer is that they ‘have always done things this way’. This doesn’t just signify a fear of change, but also complacency.

Everyone wants the convenience of access to applications, but this goes hand-in-hand with security risk. Security has to be successful 100% of the time, because the one time it doesn’t work and a breach happens is the one time that people will remember.

One of the biggest issues is in JML (joiner, mover and leaver) processes, because access accumulates as someone moves through roles and nothing takes it away again, so there are effectively no controls. Similarly, access management can fall down if managers simply auto-approve every request for fear of taking someone’s access away – it is therefore important to look at the process itself, and not just depend on humans to make the right choice.

Supply chain risks

The security of an organisation depends on staff identities, and this is at the heart of its planning and of turning around legacy implementations. But organisations also need to identify risks in the supply chain and assess the impact those risks may have on identity management.

Many businesses rely on services to provide cyber ratings on their suppliers, which are integrated with their supply chain process as part of onboarding. As part of risk management, businesses may also assess what operational harm could be caused if a supplier should drop out of the chain or if a cyberattack should occur. Collaborative working exacerbates this problem, because a partner in one project may be a competitor in another, so creating access and sharing data has to be tightly controlled.

Identity management risks

An organisation needs to function and do business at the speed of light – furthermore, the Board challenges everyone to run the business on secure processes and identities, yet still be able to send emails without fear of being blocked. In reality, a business can fail because of a lack of trust – whether in a process, in the technology, in people, or because people get phished.

In response, a zero-trust framework goes down to basics – the Board cares about protecting the crown jewels, so build a high value assets policy around that data, using role-based access control within DLP, and tie DLP tools into the high value data.

Another risk inside the organisation is its people – employees should be educated within the context of their role, so that they understand what a threat looks like for their function. It doesn’t matter how many levels of security there are if they don’t understand how to verify who a request has come from. Additionally, employees should better understand social engineering and the principles of IAM so they can apply them in real time.

Educating staff is a better control than any technical control, because getting them to think and double check, and to interrogate what they are dealing with, means the organisation can focus on the fundamentals needed to secure an environment – and secure identities, access and authentication.

Design planning for solutions

Compiling a meaningful set of requirements can be difficult because of the scale involved. The organisation needs to look at what has to be achieved, for example for compliance or governance, and if this is not achievable through a technological solution, hire the workforce to do it. This may also be true for JML processes, which may need a manual review.

Designing one solution for such a complex environment is very difficult. If you can’t get every ‘must-have’, and only certain ‘nice-to-haves’, then the rest has to be prioritised accordingly. A number of different solutions may be needed across mainframe, AS400 and the cloud. This raises the problem of identifying a single actor doing things on different systems, and tying those things together in the SOC.

Combatting risks in IAM

Finding a balance between a secure environment and a frictionless experience is difficult. Everyone wants access to be convenient, but quite often the easier the access, the bigger the security risk – and if personnel auto-approve everything through fear of denying access, the whole system can fall down.
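The two JML failure modes described above (movers accumulating access that nobody revokes, and approvers rubber-stamping requests) can both be surfaced by a periodic access review. The following is an added illustration, not code from the roundtable or any vendor; the role baseline, the account and its approval records are constructed sample data, and the 60-second "rubber stamp" threshold is an assumed tuning value.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed role baseline: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "finance-analyst": {"erp.read", "erp.journal.post"},
    "sales-manager": {"crm.read", "crm.pipeline.edit", "quote.approve"},
}


@dataclass
class Account:
    user: str
    current_role: str
    entitlements: set
    # (entitlement, approver, requested_at, approved_at); constructed sample data
    approvals: list = field(default_factory=list)


def mover_drift(acct):
    """Entitlements the account holds that its current role does not justify.
    This is what accumulates when a mover keeps old-role access because
    the JML process never revoked it."""
    return sorted(acct.entitlements - ROLE_BASELINE.get(acct.current_role, set()))


def rubber_stamped(acct, max_seconds=60):
    """Approvals decided faster than a human could plausibly have reviewed
    them; these are candidates for re-certification rather than trust."""
    limit = timedelta(seconds=max_seconds)
    return [ent for ent, _, requested, approved in acct.approvals
            if approved - requested <= limit]


def review(acct):
    """Combined finding set a reviewer would act on for one account."""
    return {"drift": mover_drift(acct), "rubber_stamped": rubber_stamped(acct)}


# Constructed sample: jdoe moved from finance-analyst to sales-manager but kept
# the old ERP entitlements, and one of the new approvals took 12 seconds.
T0 = datetime(2024, 1, 8, 9, 0)
SAMPLE = Account(
    user="jdoe",
    current_role="sales-manager",
    entitlements={"erp.read", "erp.journal.post",
                  "crm.read", "crm.pipeline.edit", "quote.approve"},
    approvals=[
        ("quote.approve", "mgr1", T0, T0 + timedelta(seconds=12)),
        ("crm.pipeline.edit", "mgr1", T0, T0 + timedelta(hours=3)),
    ],
)
```

Running `review(SAMPLE)` flags the two ERP entitlements as mover drift and `quote.approve` as a rubber-stamped approval, which is the evidence a reviewer needs instead of relying on the approving manager.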

Companies also have to look to their supply chain when putting together risk assessments – if a supplier is hacked, it could pose a risk, or affect business continuity.

Another concern is around lack of trust within a business – systems can go down through a lack of trust in a process, the technology, other people or even as a result of an employee clicking a phishing email. So employees should know what a threat looks like for their role or department – if an employee doesn’t understand why and how to verify a user, it won’t matter how many different levels of security a business employs.

There is no one-size-fits-all solution, and design planning in such a complicated environment is difficult because a number of solutions may be needed for mainframe, AS400 and the cloud.
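The SOC problem raised in the design-planning section and repeated here, tying one actor's activity on mainframe, AS400 and cloud systems together, comes down to mapping each system's local account name onto a canonical identity before correlating events. This is an added example, not code from the roundtable or any product; the identity map, the event records and the 10-minute window are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity map: each system names the same person differently.
# Building this table (from HR data or the IAM system) is the real work.
IDENTITY_MAP = {
    ("mainframe", "JDOE01"): "jane.doe",
    ("as400", "JDOE"): "jane.doe",
    ("cloud", "jane.doe@example.com"): "jane.doe",
    ("cloud", "svc-backup@example.com"): "svc-backup",
}

# Constructed sample events: (system, system_user, ISO timestamp, action)
EVENTS = [
    ("mainframe", "JDOE01", "2024-01-08T09:01:10", "LOGON"),
    ("as400", "JDOE", "2024-01-08T09:03:42", "PROFILE_CHANGE"),
    ("cloud", "jane.doe@example.com", "2024-01-08T09:05:05", "ROLE_ASSUME"),
    ("cloud", "svc-backup@example.com", "2024-01-08T09:06:00", "OBJECT_READ"),
    ("mainframe", "UNKNOWN9", "2024-01-08T09:07:00", "LOGON"),
]


def correlate(events):
    """Group events by canonical identity. Accounts with no mapping are
    returned separately: an account nobody owns is itself a finding."""
    by_actor = defaultdict(list)
    unmapped = []
    for system, user, ts, action in events:
        actor = IDENTITY_MAP.get((system, user))
        if actor is None:
            unmapped.append((system, user))
            continue
        by_actor[actor].append((datetime.fromisoformat(ts), system, action))
    for timeline in by_actor.values():
        timeline.sort()  # chronological per actor
    return dict(by_actor), unmapped


def systems_in_window(timeline, window_minutes=10):
    """Largest set of distinct systems one actor touched within any window.
    Per-system consoles never show this; only the merged timeline does."""
    best = set()
    limit = timedelta(minutes=window_minutes)
    for i, (start, _, _) in enumerate(timeline):
        seen = {sys for t, sys, _ in timeline[i:] if t - start <= limit}
        if len(seen) > len(best):
            best = seen
    return sorted(best)
```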

If you want to get in touch, then give us a shout.