Top Reasons to Update Your Identity and Access Management (IAM) Strategy
Articles and blogs about Identity and Access Management (IAM) can be found on just about any technology-related website. Many articles point out the benefits of the myriad tools and products that will magically give you a complete IAM system or fill some gap in your IAM posture. But for those who are a little less mature in their journey or who have not revisited their IAM Program since the iPhone 4, there’s good reason to review your IAM strategy and capabilities. While not new, over the past few years much has changed in these six areas: remote workers, contractors and partners, consumers, regulation, cloud applications, and IOT and API’s. It is imperative that every organization examine how its IAM program is currently supporting these concepts.
1. Remote Workers
Though we’ve been supporting remote and mobile workers for a long time, we’ve never done so under the circumstances we see today. Due to the COVID-19 crisis, most organizations had to send a majority of their workforce home, practically overnight. IT organizations had to scramble to support the exponential growth of their remote workforce with technologies that weren’t designed for the sheer quantity or complexity. While most IT organizations were able to quickly scale their systems to support the size of the new remote workforce, many were unable to adequately adjust to the complexity that it brought.
In terms of complexity, a few areas should be considered. First, how are the endpoints (and associated) traffic being secured? Many of our security tools and controls were built with the idea that the end user would be within the corporate walls. For the (relatively few) mobile users, we would force all traffic back to corporate to be subject to those same controls. With a majority of users remote, however, it is no longer feasible to force all traffic back through a single chokepoint. Organizations need to leverage a more distributed or cloud-based toolset to enable the same inspection and controls as before. Second, many of the group or user-based access controls we previously had in place were based on a physical presence on the office network. Now we need to provide that same level of differentiated and segmented access to remote users. Lastly, we need to think about the devices themselves. Are our employees now able to use personal devices to connect to corporate resources and, if so, how are we ensuring identity, device security, and data governance with those? With many children attending school from home, are those children occasionally using their parents’ corporate devices? If so, what security threats could that be introducing and how do we contain them?
2. Contractors and Partners
This is another area we’ve supported for a long time, but the advent of Coronavirus has changed the requirements. In some cases, we may have been providing system access to a partner via a secured site-to-site VPN. If the partner’s employees are remote, we may need to rethink this architecture. Similarly, if our partners or contractors had been coming to our location to access systems but now are forced to be remote, how do we keep providing that same secure, differentiated access to them remotely? Lastly, many organizations have a proliferating group of partners and contractors—which leads to additional questions: How are we providing provisioning and deprovisioning governance? How do we provide periodic recertification? What identity store do we use—should we mix employees, contractors, vendors, and partners into the same identity store?
While many organizations offer customer-facing applications, the pandemic has accelerated the growth and use of these apps. Customers have generally stopped interacting with us physically; but they’re interacting with our digital presence more than ever. It’s easy enough to develop these apps, but are we stopping to examine how we’re managing and storing customer identities? Here again, do we mix customer identities into our employee identity database or create a separate one? What kind of metadata will we keep with the identity and will we use it to make app-level access decisions? What password polices should we use in our customer apps? How critical is it to provide 100% identity assurance in our consumer applications?
We deal with an acronym-soup of compliance regulations on a daily basis. Over the last few years, the biggest change has been how such regulations are being enforced with stiff penalties for non-compliance. GDPR and CCPA were the first to enact such penalties. But with state and federal governments worldwide taking a more hands-on approach to their constituents’ cybersecurity, we’ll continue to see more regulations and penalties for non-compliance. Each of these regulations have provisions dealing with identity management. It’s a good time to review which regulations your company is subject to and how compliant you are in supporting the identity provisions within the regulations.
5. Cloud Applications
The move to cloud-based applications began years ago but has accelerated over the last few years and exponentially since the pandemic began. While this has alleviated a lot of strain in corporate datacenters and decreased our reliance on infrastructure operations, it has increased your need to think about Identity and Access Management. The first question is whether you’ve architected the capability to support cloud-based identity systems or is everything still on-premises? Then are you able to leverage your cloud-identity store with your SaaS apps or can you federate? If not, how will you manage the separate identity store within the SaaS app? Are you able to automate the provisioning and deprovisioning process? How do you recertify accounts? Can you provide the necessary differentiated access? What governance features do they have? Are there single-sign-on capabilities? How do you provide the same experience, not only across multiple cloud-based apps, but also in your on-premises apps?
6. IOT and APIs
In 2018, a hacker was able to take control of a family’s baby monitor and threaten to kidnap him. In 2017, it was shown that a hacker could easily take control of implantable cardiac devices and control shocks, administer incorrect pacing, and deplete the battery. In yet another event, hackers were able to break into a casino network by exploiting an internet-connected thermometer in an onsite aquarium. These examples–and many more–highlight the exponentially increasing attack surface enabled by IOT and API’s. Most organizations consider people and human-to-machine interaction in their identity and access management strategy, but many forget to also consider machine-to-machine interaction via IOT devices, API’s, and Bots. To protect the organization from arguably the largest attack surface, a complete Identity Management strategy must account for these devices and interactions. You should consider these questions: How do you authenticate control traffic to IOT devices? How do you authorize data collection? How do you limit which devices can communicate with other devices? These questions (and more) also apply to API’s and Bots.
While none of these concerns are new to the IAM world, recent changes in the macro environment are cause for additional focus on how our IAM strategies deal with them. Now is a great time to reach out to Anexinet to help craft and implement your IAM strategy and ensure you’ve considered the best approaches to effectively incorporate these concepts into your strategy.