Leveraging Identity and Access Management (IAM) in Today’s Convoluted Digital World
The acceleration of digitalization, the birth of new business models and the adoption of innovative work arrangements have put tremendous pressure on organizations to evolve and transform rapidly. However, this, in turn, has multiplied the security risks faced by organizations. With these risks and challenges affecting us in various ways, the need to focus on a holistic approach to enhance organizational security posture has arisen. A key requirement is to ensure end-to-end secure access to critical assets, facilities, and infrastructure. Essentially, all access needs to be authenticated, authorized, and verified. A question facing many companies is whether this is even possible and which types of controls can be put in place to achieve this goal. What approach should organizations take to enhance their security posture in both the physical and digital realm?
Before we examine these questions, we can reasonably acknowledge that the pandemic is the black swan event of the decade and has caused extreme upheaval in the way we work and interact within the workplace. Frost & Sullivan’s research indicates that more than 90 percent of organizations will not be reverting to the pre-pandemic status quo (no surprise there) in the way we work and operate. This essentially means that organizations and service providers need to put in place protection and controls to ensure that they are able to secure their assets and their customer’s assets, regardless of where the assets, data and facilities may reside.
At the same time, an increased focus on digitalization and the need for scalability and flexibility have significantly expanded an organization’s operating perimeter. Today’s perimeter encompasses a complex array of remote access points, cloud services delivered through a hybrid environment, and a gamut of different types of users including employees, vendors, partners and even customers. This essentially increases the risks faced by organizations due to a much larger and more complex user base and architecture. With this complexity, companies face a huge task in ensuring that all access activity is secured, to protect the confidentiality and integrity of their assets and data.
Furthermore, old challenges remain and continue to exert pressure on organizations and the IT and security professionals guarding them. Survey data from a recent Frost & Sullivan research shows that “users with excessive privileges,” “dormant accounts which have not been removed” and the use of “multiple IAM solutions” with limited end-to-end coverage (leaving gaps) are some of the most common causes of security breaches. Hence, modernizing traditional IAM infrastructure with a focus on automation and scalability is essential to protect our workforce and customers from the physical and digital breaches that continue to occur.
How Does Zero Trust Come Into Play in This Context?
We can no longer assume that all entities accessing our assets and resources can be trusted. The common definition for Zero Trust is “Never Trust, Always Verify” and at the core of this is a robust and flexible IAM solution set, which is able to support your organization’s complex operating environment and expansive perimeter. Furthermore, the need for constant distrust and monitoring of entities accessing your organization’s assets has grown. This might seem like overkill but it actually mimics our own interpersonal behaviour. As humans, we are constantly assessing our acquaintances before increasing our trust level of individuals. To a certain extent, this concept is similarly applied in the context of Zero Trust — always verifying access.
Our control systems need to know who/what is accessing assets and these systems need to be able to constantly monitor the activities undertaken. Essentially, you should expect your users to be doing something from a location where you would expect them to be. From an implementation standpoint, this may seem overwhelming and that’s where a holistic IAM approach will come in to support your journey towards the goal of Zero Trust.
What Is Expected From IAM and Solution Partners?
Leading IAM solutions should ideally provide an automation-enabled system that is easy to use and allows granular control over disparate and distributed assets and facilities in your environment. This helps to reduce the risks and issues mentioned earlier, as well as support your administrators with compliance requirements through a central platform. Another consideration is the ability of the platform to connect to physical and online access controls for your users. This will help ease the challenge of operating in new hybrid work environments.
Where do we begin? Organizations need to look at a phased approach or an incremental roadmap that considers the risks posed to your assets and facilities as a first step. Working with established vendors who can bring in the skills and experience, be it bridging current technology into the future or addressing multiple needs at once, can dramatically simplify this journey.