Identity and access management, or IAM, refers to a framework of policies and technologies for ensuring that people in an enterprise have access to the appropriate and authorised data and tools. In short, it enables the right individuals to access the right resources at the right times and for the right reasons.
While this might appear to be a no-brainer for anyone looking after IT systems and data, it is surprising how many user companies and resellers still pay lip service to robust IAM. In some sectors, such as financial services, compliance directives such as the Markets in Financial Instruments Directive (MiFID II) force companies to invest in IAM, while the General Data Protection Regulation (GDPR) is helping to focus minds and accelerate the pace of adoption.
But just as chief information security officers (CISOs) were getting on top of IAM, the goalposts moved. The seemingly inexorable migration to the cloud and hybrid environments means applications and users could be literally anywhere around the world, presenting a whole new set of security challenges. We are moving from protected security boundaries to a network of disparate endpoints, applications and data located in the cloud.
IAM an essential tool
In a hybrid world, IAM is not optional – if you don’t have strategies, policies and solutions in place, there is a good chance you will end up in a crisis. But in a hybrid world, even the starting point is complex. How can you manage all the access rights when you don’t know how many applications you have in the cloud and where they are? Business managers or renegade development teams may spin up an application without the IT department even knowing. If someone hacks into an unprotected cloud app, you may not know they have been there until it is too late.
And in a hybrid world, it’s difficult to keep track of people. With hiring, firing, moving and promoting, many organisations don’t have IAM built into their human resources and systems management. If someone changes office or role, they run the risk of getting lost in the system, particularly in international organisations. And when they leave, they may still retain access rights tied to their former role. And then there are contractors, suppliers and customers to worry about.
Ian Kilpatrick, Nuvias
IAM – in any environment, but particularly in a multidevice, multilocation and multi-application hybrid set-up – has to start with a policy that embraces functions such as single sign-on, authentication and session management. And an IAM strategy is not just for Christmas – it needs to be reviewed every 12-18 months.
If you can’t do the whole IAM piece, there are certain elements that should be non-negotiable. Take authentication. I can’t remember how long commentators have been claiming that passwords on their own are dead – yet they are still very much alive and kicking. Everyone should be using multifactor authentication in 2019, full stop. Single sign-on is also critical in hybrid environments. With different passwords for different apps, there is more chance of interception and compromise.
IAM has never been easy, but it has become even more difficult in a hybrid world. The fact is that few organisations have all the components in place. While SMEs can get away with using point products, larger organisations that have in excess of 5,000 people really need an integrated and automated solution.
Automation is a key element of identity protection, eliminating the complexities and time-consuming processes often required to govern identities, manage privileged accounts and control access. It is important to define a clear, strategic path to access control, privilege management and, ultimately, governance.
A role for resellers
As we move to a more complex hybrid world, the challenge of identity and access management, combined with increasing regulatory demands, is placing a heavy burden on organisations. Most companies have something in place as a starting point. It is up to resellers to instil a sense of urgency to roll out more integrated elements and build up a comprehensive, automated IAM system that is suitable for on-premises, hybrid and cloud environments.
Perhaps part of the problem with adoption is the initial approach. Resellers need to help their customers understand how IAM fits into their overall business strategy to aid core business development, rather than hampering it. To this end, proper planning is important to achieve a successful roll-out.
For example, once deployed, IAM will not live in isolation but will depend very much on the existing directory of users and accounts, which in most cases should be related to the current business structure. If that directory is not properly maintained, this could lead to a complete disconnect between the key questions of who needs what access and why.
It is therefore of prime importance that the channel works closely with vendors and customers to ensure that the underlying planning and preparation is done to create the foundation for a successful deployment of IAM.