Identity and Access Management was born out of enabling the business. We discovered that as technology systems began to proliferate throughout our companies, we needed a way to quickly and efficiently give people access to the devices and applications they needed to do their job.
Then came the auditors. We layered compliance controls into our processes to ensure that people were only getting and keeping the right level of access with the right approvals.
The next big shift coming to IAM professionals is to see ourselves as members of the cybersecurity community. We are seeing more IAM departments reporting to CISOs instead of IT Ops. There might still be a separate team responsible for IAM apart from the network security team or the vulnerability management team, but there are areas for collaboration that need to be explored in order to better protect our companies. These team boundaries need to be broken down and everyone should be viewed as cybersecurity team members. IAM will still be responsible for business enablement and making sure our end users get what they need – in a compliant manner, of course. However, this shift into security-focused IAM can’t be ignored. Why? Here are the 3 big reasons:
1. IAM is the first line of defense
Bad actors start with trying to find credentials. Once they compromise an account and gain entry into your system, they attempt to elevate the permissions on that account. That’s when they start having their fun.
If we are better able to protect our accounts – through password management, privileged account management, multi-factor authentication or tight controls on elevating permissions – we better deter bad actors from doing what they want to do.
2. Least Privilege = Securing Your Data
When setting up roles and permissions, IAM professionals attempt to follow least privilege enforcement – only giving people the bare minimum level of access they need to do their job. We’ve been doing this for years because it’s “best practice.” It’s also a great way to protect your most sensitive data.
Insider threats are limited when they can’t get to the good stuff. By making sure you’re only granting access to what each person needs – and continuously monitoring accounts that have access to sensitive data or business-critical applications – you’re focusing your attention on the riskiest identities and strengthening your organization’s security posture.
3. IAM is the last line of defense
IAM provides a lot of ways to “take action” once you’ve detected something isn’t quite right. If a vulnerable system becomes compromised, you could:
- Remove the entitlements of that system from accounts that have access
- Change the passwords for accounts that have access to that system
- Disable the accounts
- Step up authentication requirements
- Isolate the accounts to only that system (so the attack can’t spread)
All of these ways of responding to a bad actor’s game sit under IAM’s control.
IAM is a big responsibility. We continue to meet the demands of our end users to ensure we give them what they need, all while meeting the ever-growing list of requirements that auditors and regulations throw our way. And now, whether you’re ready or not, the cybersecurity world is going to start knocking on our doors and “asking” for collaboration.
How does your IAM solution stack up? Can it continuously and comprehensively monitor and alert your team to any discrepancies? Well, ours can. To see our Core Access Assurance Suite in action, download our recorded product demo hosted by me and Mike Lynch, our Solutions Engineer.