Tackle IAM with a risk-based approach, says KPMG

A risk-based approach is the best way to tackle identity and access management, says KPMG

A risk-based approach is the most successful strategy for identity and access management in the modern enterprise, according to consultancy KPMG.

This means identifying the most critical applications and systems for business operations, said Martijn Verbree, director at KPMG's information protection and business resilience practice.

"Rather than trying to boil the ocean by trying to cover everything at once, organisations that are doing identity and access management (IAM) well are tackling it based on risk," Verbree told Computer Weekly.

Successful organisations are recognising the importance of using access governance tools to find out what permissions exist for current and former employees.

"This enables organisations to clean up all the excessive and inappropriate access permissions that have been built up over the years," said Verbree.

This exercise also helps organisations to get a better understanding of what systems are used for, and who in the organisation has access to them.

"Once a clean-up has been done for the highest risk applications, it is easier to move towards prevention of granting inappropriate permissions in the first place based on that better understanding," said Verbree.

Why businesses struggle with IAM

Even though the need for identity and access management has been around for years, many organisations still struggle to get it right, he said.

Verbree ascribes this in part to the fact that the problem was initially tackled by IT department engineers, whose aim was to make setting up accounts or account provisioning easier and faster.

"This approach started in the late 1990s and continues in some companies even today, but has often resulted in a lot of money being wasted," he said.

The problem with this approach, said Verbree, is that it is aimed at automating a poorly understood process.

"This usually meant they were automating the bad stuff and simply doing the bad stuff a bit more efficiently, which often had a huge negative impact on the business," he said.

Focus on access governance

The challenge of access and identity management has become progressively bigger as the number of regulatory requirements has increased.

"This has resulted in a second wave of tools and initiatives that are much more focused on what we call 'access governance'," said Verbree.

This approach, he said, generally works better because usually the chief information security officer (CISO) or equivalent drives the project, and not just the IT department trying to figure out what should be done.

While the old-fashioned approach of deploying provisioning tools is aimed at making things easier for the IT department, Verbree said the access governance approach is focused on the controls required to address access-related risks.

"The tools are typically much more orientated towards users; they are slicker, have user-friendly interfaces and require a lot less technical configuration to deploy," he said.

CISOs' audit challenge

But despite these advances, Verbree said many organisations are struggling because departments do not understand well enough what type of access the business needs.

"They are also struggling with what can be termed 'IAM debt' that has been built up over decades because no-one really looked into fixing this problem.

"And as new systems were introduced they were poorly documented, so no-one has really bitten the bullet to look into that and find the best way of going forward," he said.

Consequently, this is now a huge challenge for CISOs faced with audit issues and questions from the board about whether they are vulnerable to attacks they read about in the media.

Read more about identity and access management

  • Achieve better SQS access control using Amazon IAM
  • Best practices for using AWS IAM groups and roles
  • UK companies use IAM for business not security, study shows
  • AWS IAM tools essential to secure cloud services
  • Identity and access management (IAM) in the cloud: Challenges galore
  • McAfee jumps into IAM with one-time password, cloud SSO products
  • Strategic vision should head up IAM goals for 2012
  • IAM solution implementation: Challenges & resolution
  • New SaaS identity access management tools emerge, outdo legacy IAM
  • Cloud IAM catching on in the enterprise

"But many CISOs will not have the answer because they are unable to determine where the critical data sits in their company's IT systems or how access to that data has been allocated," said Verbree.

"As a result, they are unsure of how to protect those data assets and who really needs access to it to do their job," he said.

Verbree said that, while this is a common problem in many organisations, the ones that are tackling it effectively, are doing so by adopting a risk-based approach.

IAM issues in cloud computing

However, he said few are managing to extend identity and access management to third-party services as organisations turn to cloud computing to cut costs and improve mobility.

"For most companies it is difficult enough to get it right for the vanilla case of managing internal employees and maybe contractors accessing internally managed systems," said Verbree.

Investment banking is one area where organisations are engaged in tackling the problem of access management for cloud-based applications.

"But it is much tougher to do because organisations do not always have control over these applications and you do not always know who is accessing those applications," said Verbree.

A common problem is that there is often nothing to prevent employees from signing up for cloud-based applications without the IT, security or compliance teams knowing about it.

"With cloud-based systems there is the huge risk that employees will still have access to systems they used on behalf of the company long after they have left," said Verbree.  

This is the largely unsolved problem facing every organisation where employees are using cloud-based systems to do their jobs, he said.

"For this reason, any organisation using web-based systems must ensure that all requests and approvals for access to such systems go through the company in the same way as internal systems," said Verbree.

"Make sure you know which of your users are accessing external systems and that you understand what they can do with access so you can disable those accounts as soon as they leave," he said.

Company policy and shadow IT

From a technology point of view, Verbree said there are some "clever things" organisations need to do to remove access to externally hosted business applications automatically when employees leave.

There are also things that can be done at a technical level to see who in the organisation is accessing external systems.

However, he said it is important to raise awareness of the risk posed by "shadow IT" and ensure that business and IT have a "mature discussion" to define company policy.

Verbree believes raising awareness of the risks and having dialogue between business and IT is a better approach than monitoring users and blocking access to external systems.

"Moving to cloud-based services should be encouraged, but at the same time you want to make sure that it is being controlled and that someone can be held accountable for it," he said.

Verbree emphasised that CIOs and CISOs should also ensure there is an open discussion between the business and IT to ensure many of the typical problems do not arise in the first place.

Read more on Identity and access management products

Data Center
Data Management