We all know that Identity and Access Management is not simply an application you can download in five minutes and be ready to go. This is a major program and investment for your company. But why is it that after we go live, we tend to forget about it?
If you are implementing this solution to check a box for compliance or just to help with provisioning, then you aren’t getting the most out of your solution. Here are five things you can do to improve your IAM solution.
1. Multi-Factor Authentication
Year after year we see that the top reason for organizational breaches comes from stolen credentials. Some legacy applications (I’m looking at you, mainframe…) don’t support strong password policies. Meanwhile, other organizations are concerned about the end user experience of forcing password resets for business critical applications. It’s hard to reconcile securing your organization and not wanting to inconvenience your end users. Think about how many times you had to reset a password in the past week and then multiply that by everyone in your company -- that’s a lot of resets!
Do you have a mobile option for your team to reset their passwords themselves? If not, you’re not giving them the best user experience possible and you’re adding to help desk frustrations. Every manual reset ties up the help desk and takes valuable time away from work your team could be doing on other tasks. Manual password resets are expensive, especially considering they are the #1 source of help desk calls.
What you need is multi-factor authentication. By increasing the authentication security with additional authentication choices and devices, you’re protecting your employees and their information with an extra layer of security. Furthermore, implementing a mobile password reset option will allow your team to reset their passwords themselves, from anywhere, with options on their mobile phone.
While this won’t solve all of your stolen credential problems, it will help strengthen your IAM solution with one more layer of security and provide your users with a world-class user experience. (Want to give them something to “wow” about? Consider using biometric authentication as their second factor.)
2. Understand Real Risk vs. Regulatory Risk
Is your IAM solution just for checking off the compliance box for your organization? I get it. HIPAA, SOX, PCI: the list of regulations goes on and on, and staying compliant has become as much of a job as staying secure. When you have a team that is stretched thin (which, let’s be honest, most of us do), how can you decide between securing against your real risk and doing everything required to be compliant?
Like we said in the beginning, this isn’t a plug and play fix. It’s a solution meant to secure your organization and you should be getting the most out of it. There is more to your network than just compliance and if you are too focused on the boxes that you need to check to make HIPAA happy, then you might miss a real risk in your network.
To manage both real and regulatory risk, you need to deter inappropriate access to information and processes. Since motivated bad guys have proven that they still might find creative ways in, you need to detect when that happens. Once you do that, you can take rapid steps to remediate these breaches quickly.
3. Implement Access Certification
In previous blogs, we have talked about the issue of “rubber stamping” when it comes to provisioning access within companies. The problem is, there are so many people and so many applications that it’s hard to keep up with which ones they should have and even harder to research which ones they shouldn’t. Administrators and managers simply hit approve and hope for the best. Access certifications help mitigate this.
There are some applications that just about everyone needs access to, such as your email platform. However, there are others that should be vetted a bit closer, like your payroll system. Go a bit deeper. There are people with admin access to the payroll application who probably shouldn’t have it. Unfortunately for you, their access request was rubber stamped and they now know how much you make and could potentially give themselves that pay raise they think they deserve.
With access certifications, you will not only certify and manage employee access rights, but you will also help your compliance. When your auditors ask how many users have been added or removed since your last review, you will have a detailed list of every new or altered user’s access requests. And you can stop those inadvertent raises.
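The review the section describes (what changed since the last certification, and which entitlements need a closer look rather than a rubber stamp) can be produced from two entitlement snapshots. The script below is an added example written for this post, not code from the blog or any IAM product; the users, applications, roles, the high-risk list and the approved-role roster are all constructed, and a real campaign would pull them from the IAM system and the application owners.

```python
"""Access certification report from two entitlement snapshots (added example).

Each snapshot maps a user to the set of (application, role) pairs they hold.
All data below is constructed for illustration; names are hypothetical.
"""
from dataclasses import dataclass


# Constructed snapshot taken at the last certification review
PREVIOUS_REVIEW = {
    "alice": {("email", "user"), ("payroll", "user")},
    "bob":   {("email", "user"), ("payroll", "admin")},
    "carol": {("email", "user")},
}

# Constructed current state as exported from the IAM system today
CURRENT_STATE = {
    "alice": {("email", "user"), ("payroll", "admin")},   # escalated to admin since last review
    "bob":   {("email", "user"), ("payroll", "admin")},   # unchanged
    "dave":  {("email", "user"), ("payroll", "user")},    # new joiner
    # carol has left: no entitlements remain for her
}

# Hypothetical policy: entitlements a reviewer must examine closely rather than rubber-stamp
HIGH_RISK = {("payroll", "admin")}

# Hypothetical roster from the application owners: the roles each user's job actually requires
APPROVED_ROLES = {
    "alice": {("email", "user"), ("payroll", "user")},
    "bob":   {("email", "user"), ("payroll", "admin")},
    "dave":  {("email", "user"), ("payroll", "user")},
}


@dataclass
class CertificationReport:
    added: dict         # user -> entitlements granted since the last review
    removed: dict       # user -> entitlements revoked since the last review
    needs_review: dict  # user -> high-risk entitlements currently held
    unapproved: dict    # user -> entitlements held but not on the approved roster


def build_report(previous, current, high_risk, approved):
    """Diff two snapshots and flag what a certifier has to decide on."""
    added, removed, needs_review, unapproved = {}, {}, {}, {}
    for user in sorted(set(previous) | set(current)):
        before = previous.get(user, set())
        now = current.get(user, set())
        if now - before:
            added[user] = now - before
        if before - now:
            removed[user] = before - now
        risky = now & high_risk
        if risky:
            needs_review[user] = risky
        # Anything held beyond the owner-approved roles is the "inadvertent raise" case
        extra = now - approved.get(user, set())
        if extra:
            unapproved[user] = extra
    return CertificationReport(added, removed, needs_review, unapproved)


def format_report(report):
    """Render the report as the list an auditor asks for."""
    lines = []
    for title, section in (("Added since last review", report.added),
                           ("Removed since last review", report.removed),
                           ("High-risk, certify individually", report.needs_review),
                           ("Not approved by application owner", report.unapproved)):
        lines.append(f"== {title} ==")
        for user, ents in section.items():
            lines.append(f"  {user}: " + ", ".join(f"{app}/{role}" for app, role in sorted(ents)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(PREVIOUS_REVIEW, CURRENT_STATE, HIGH_RISK, APPROVED_ROLES)))
```

On the constructed data, alice shows up in three sections at once (added, high-risk, and unapproved), which is exactly the escalation a certifier should not approve with a single click, while dave's new-joiner entitlements appear as added but match the roster and need no further action.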
4. Know your Privileged Accounts
Do you know what it takes to be named a privileged account in your organization? Do you know how many privileged accounts you have? Do you know what each of those accounts has access to? If you can’t answer these three questions you could be in big trouble.
Every organization has elevated access to critical IT assets and these are important to get the job done. However, these accounts also require continuous monitoring and auditing. With our constrained resources, it’s not always possible to have visibility into your privileged accounts. To gain this visibility you should implement a Privileged Access Management (PAM) solution with your IAM program. A PAM solution can help you discover, control and monitor your privileged accounts and their activity on a continuous basis.
These solutions help you automatically discover which accounts in your organization are privileged so that you can verify whether each of these identities should actually have that access. This solution can be deployed in days and integrates with most IAM solutions. While this is an add-on, it’s a highly valuable addition to your organization.
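The three questions the section opens with (what counts as privileged, how many such accounts exist, and what each can reach) are answerable from a directory export plus a per-host inventory of local administrator and sudo grants. The script below is an added example written for this post, not the blog's or any PAM vendor's code; the group names, the policy mapping groups to what they reach, the accounts and the host grants are all constructed, and the 90-day staleness threshold is an assumption.

```python
"""Privileged account inventory from directory and host exports (added example).

Everything below is constructed: the privilege policy, the directory export and
the host grants are hypothetical stand-ins for what a PAM discovery would pull.
"""

# Hypothetical policy: directory groups that confer privilege, and what each one reaches
PRIVILEGED_GROUPS = {
    "Domain Admins":  "all domain-joined systems",
    "DBA":            "production databases",
    "Payroll-Admins": "payroll application (admin)",
}

# Constructed directory export: one record per account
DIRECTORY = [
    {"account": "alice",      "groups": ["Staff", "Payroll-Admins"], "owner": "alice", "days_since_logon": 3},
    {"account": "svc_backup", "groups": ["Domain Admins"],           "owner": None,    "days_since_logon": 400},
    {"account": "bob",        "groups": ["Staff"],                   "owner": "bob",   "days_since_logon": 1},
    {"account": "carol",      "groups": ["Staff", "DBA"],            "owner": "carol", "days_since_logon": 120},
]

# Constructed per-host export of local administrator and sudo grants
HOST_GRANTS = [
    {"host": "web01", "account": "bob",   "grant": "sudo ALL"},
    {"host": "db01",  "account": "carol", "grant": "local Administrators"},
]


def discover_privileged(directory, host_grants, privileged_groups, stale_days=90):
    """Return account -> {reasons, reach, findings} for every account holding privilege.

    An account is privileged if it is in a privileged group or holds an admin/sudo
    grant on any host. Findings flag the conditions a reviewer should act on.
    """
    inventory = {}
    for rec in directory:
        reasons, reach = [], set()
        for group in rec["groups"]:
            if group in privileged_groups:
                reasons.append(f"member of {group}")
                reach.add(privileged_groups[group])
        for grant in host_grants:
            if grant["account"] == rec["account"]:
                reasons.append(f"{grant['grant']} on {grant['host']}")
                reach.add(grant["host"])
        if not reasons:
            continue  # ordinary account, not part of the privileged inventory
        findings = []
        if rec["owner"] is None:
            findings.append("no accountable owner")          # nobody to certify this access
        if rec["days_since_logon"] > stale_days:
            findings.append(f"unused for {rec['days_since_logon']} days")  # candidate for removal
        inventory[rec["account"]] = {"reasons": reasons, "reach": reach, "findings": findings}
    return inventory


def summarize(inventory):
    """Answer the three questions: how many, why, and what they reach."""
    lines = [f"{len(inventory)} privileged accounts found"]
    for account, info in sorted(inventory.items()):
        lines.append(f"{account}: {'; '.join(info['reasons'])}")
        lines.append(f"  reaches: {', '.join(sorted(info['reach']))}")
        for finding in info["findings"]:
            lines.append(f"  FINDING: {finding}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(discover_privileged(DIRECTORY, HOST_GRANTS, PRIVILEGED_GROUPS)))
```

Note that bob is privileged only because of a host-level sudo grant that the directory alone would never show, which is why a discovery that stops at group membership undercounts; and svc_backup, an unowned Domain Admin that has not logged on in over a year, is the kind of account these inventories exist to surface.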
5. Implement Intelligent Analytics Tools
At the recent RSA conference in San Francisco, there were several sessions and even more conversations around security analytics and their role in the future of cyber-security. The truth is that analytics and intelligence are growing rapidly and can be used to both resolve threats and improve ongoing monitoring in your IAM solution.
The theme of this blog has been the sheer volume of data, access requests, applications and more that we see every day in our organizations, and that isn’t going to change. With an intelligent analytics tool, you can make sense of the gigantic amounts of data in your organization by continuously and comprehensively monitoring it.
Intelligence can help categorize and remediate access risks automatically in your network.
So, does your IAM solution pass the test? Do you want to know more about analytics and the effect they will have on your organization?
Download our newest Gartner article “The Fast Evolving State of Security Analytics” for more information on the future of cyber-security analytics.