Sergey Nivens - Fotolia

Picking the right IAM tools is based on more than today’s needs

With remote working now normal, it is important to take proactive steps in managing credentials across platforms that can be subject to multiple data protection regulations. IAM services can streamline this process, but care must be taken to ensure the correct one is chosen

This article can also be found in the Premium Editorial Download: MicroScope: MicroScope – February 2021: The forecast on channel security

Cloud networking has become a critical aspect of modern business practices, due to the need to manage access to information stored in the cloud, and therefore ensure it remains secure. Identity and access management (IAM) enables the management of multiple levels of credentials across an organisation’s various networks and platforms. 

The cloud is a comparatively recent element of modern business practice, so a certain level of conservativeness is expected. New technologies need to have a proven track record in reliability and robustness before they are utilised for sensitive information.

“If you look at the past three or four major technological shifts that have hit in the broader application market, security is typically five to 10 years behind all of them,” says Steve Van Till, president of Brivo.

Many people are now working from home, and it is likely that they will continue to do so once the pandemic has passed. A consequence of this is that there are now more businesses relying on remote working than ever before.

“The clear thing is that Covid-19 accelerated the future,” says Van Till. “It is going to accelerate the transition to cloud-based services.”

Ensure different levels of access

It is not just employees that need access to an organisation’s network. Partners, contractors, suppliers, some clients and other third parties need to be considered too. All of these will require access and need different levels of permissions granted to them.

If access is required only for a single network, the solution can be comparatively straightforward. However, in the cases where an organisation is based in multiple offices, across diverse regions, and uses a variety of online platforms and cloud services, managing credentials can become challenging. 

“If you’ve got 10 buildings around the world and you’ve got a population of 10,000 people, they will all need access privileges,” says Van Till. “The cloud is aware of the identity of all those people because you’ve either typed in their names and their credentials or synchronised them with an identity service.”

This rapid and fundamental shift in our working paradigms has proven to be a challenge for some organisations, especially those that were unprepared for these levels of credential management.

It is possible to simply select and purchase IAM tools, then install and manage these in-house, but using an IAM service provider could save time and resources

Such organisations have found themselves juggling the credentials of internal and external stakeholders, across multiple platforms, as well as trying to ensure that they meet all the applicable data protection requirements.

Export control regulations, for controlled items – including information and software – that are restricted from being sent to certain destinations, may need to be considered as well. This is especially the case for multinational organisations, which could have employees from multiple countries accessing information based in another country.

IAM essentially streamlines the whole process of access management, allowing organisations to have a single point of contact for managing all identities across their cloud networks. It is possible to simply select and purchase IAM tools, then install and manage these in-house, but using an IAM service provider could save time and resources.

“From an operational perspective, IAM as a service can be beneficial, allowing an organisation to focus on the business and security aspects, not the technical operations,” says Martin Kuppinger, a board member at KuppingerCole Analysts.

“This could be done in a range of ways, from full Identity-as-a-service [IDaaS] solutions that deliver IAM services as security-as-a-service [SaaS] platforms, to IAM solutions managed and operated by managed service providers [MSPs]. The latter also might allow for a lift and shift approach of already implemented IAM solutions to a managed service.”

Choosing an IAM service is not a simple procedure. While they all offer a broadly similar service functionality, it is not a case of one size fits all. In choosing the correct service provider, there is a need to first carefully consider the scope of the services offered by each provider.

Without fully understanding an IAM service’s coverage, it could lead to a particular facet of a cloud network being inadvertently exposed. Taking the time to negotiate with the IAM provider, with each party’s responsibilities being recorded in a contract, provides a common understanding of what is expected by both parties.

“A thorough evaluation of service levels and a clear definition of services is required. It is specifically important not to have the tail wagging the dog, such as the MSP selecting the IAM tool or pushing the customer into certain types of lock-in,” says Kuppinger. “The MSP is the provider; decisions must be made by the customer.”

Many organisations will only have a broad understanding of where they will be in 10 years’ time. However, they should understand their expected and target growth, and what services they will require to achieve these goals. As such, not only should there be consideration as to whether the service is the correct one for their cloud network as it is currently set up, but also whether it will be the right one for them in the future.

Compliance with global regulations

In addition to the technical considerations, organisations also need to be aware of regulatory requirements that will be expected of them in regard to their user data.

Due to the global nature of modern business, it is entirely possible for the resident of one country to be working for an organisation that is based in another country, with their identity information stored in a third country. In such a scenario, the organisation would become subject to multiple data protection regulations.

The potential for conflicting data protection regulations is much lower than it once was, mostly due to the General Data Protection Regulation (GDPR) becoming a template for modern data protection legislation. For example, the California Consumer Privacy Act (CCPA) shares many similarities with the GDPR. Nonetheless, while the various data protection laws are broadly similar, they can have differing regulatory requirements.

To ensure compliance with regional data protection laws, organisations need to ensure that the IAM service selected has the appropriate measures in place to meet the requirements for storing personally identifiable information (PII).

IAM services can also enable the auditing of who has accessed certain types of restricted or personal information, and when this took place. The ability to record such data is a requirement of certain data protection regulations.

It is important to be aware of the risks that come with being locked into a contract with an IAM service that no longer provides adequate security. As such, early negotiations with IAM service providers should clarify the duration of contracts. In the case of extended or rolling contracts, discussions should include negotiating cut-off periods or annual contract evaluations, thus allowing contracts to be ended without penalty.

“The most common error is underestimating the fact that the IAM tool might have a longer lifecycle than the MSP relationship,” says Kuppinger. “If the MSP controls and decides too much, this might lead to a lock-in with the MSP.”

Seek professional advice

Due to the complex nature of IAM and its service providers, there may be a need for personnel with the appropriate skills or understanding of IAM technologies.

If recruitment is not an option, security consultants can be approached for advice and security reviews. While contracting consultants can be an additional expenditure, it is one worth considering as their skills may be particularly valuable at the time of startup and reviews, as well as for any issues that occur.

“With people doing more work remotely from home, due to Covid-19, remote management has become a premium. We’ve seen a rush of people coming in, saying they wish that they had been on the cloud before this”
Steve Van Till, Brivo

The time it takes to install IAM services depends entirely on the extent of the work. A comparatively simple cloud network should take less than an hour to integrate with an IAM service. However, the more complex and extensive the cloud networks and platforms, the longer it will take.

If required, IAM can incorporate physical security as well. This can allow organisations to apply access credentials in both the cloud and at their premises. The appropriate electronic security locks would need to be put in place, but it then enables the audit of staff movements, such as into restricted areas.

Ultimately, choosing the appropriate IAM provider is all about understanding your requirements, running a thorough tools choice assessment and evaluating MSPs. There are also specialists that can provide support, as neutral third parties.

“With people doing more work remotely from home, due to Covid-19, remote management has become a premium,” says Van Till. “We’ve seen a rush of people coming in, saying they wish that they had been on the cloud before this.”

Read more about IAM

Read more on Identity and access management products

Data Center
Data Management