A recent study tells us that 80% of security breaches today involve privileged credentials (Source: SecureLink). That number is staggering but not entirely surprising. Modern enterprise networks have expanded beyond traditional perimeters and outside the safety net of endpoint security and enterprise firewalls. Today’s technology and business landscape is instead rife with BYOD devices, mission-critical apps (accessed both on-premises and in the cloud), and a remote workforce that requires always-available mobile connectivity. In this environment, pre-cloud and pre-virtualization security is no longer adequate to keep security breaches at bay and hackers from uncovering corporate identities.
Identity and access management (IAM) solutions have emerged to help close the door to these security exploits and reinforce compliance by protecting users’ access in multi-perimeter environments. The trick is to select and implement an IAM solution that protects and manages digital identities while also providing identity governance, security policy enforcement, and user-based access control. Before moving forward with an IAM framework, watch out for these common missteps to avoid scope creep and cost overruns.
- Incomplete enterprise risk assessment: During the IAM planning phase, it’s imperative to identify key business objectives and perform a complete enterprise risk assessment. This includes identifying all infrastructure components as well as performing data classification, which helps determine proper access management policies. The process identifies what data should be protected (i.e., determining whether it is high risk, such as customer or financial data, or lower risk). It’s also imperative to decide who owns that data and which business units are authorized to access which data sets. Failing to account for the dynamic demands of users accessing IT assets, and identifying user access that’s not in sync with business unit leaders, will put the IAM initiative at risk.
- Failing to future-proof IAM: One of the most critical mistakes an organization can make is underestimating the impact of managing mobile devices in the enterprise. This includes evaluating how mobile access and Enterprise Mobility Management (EMM) strategies and solutions will eventually fit the overall enterprise security plan and IAM solution set. Going forward, in addition to authorizing and authenticating user identities, identity and access management will expand to include access to applications and devices. In other words, internal corporate resources will need to be accessed by managed and unmanaged hardware devices. This is an important distinction to make when evaluating IAM solutions. Today, many IAM frameworks use the user’s identity without accounting for the mobile device’s identity. Look ahead to see how IAM solutions will converge with evolving EMM tools. This is particularly important for extending identity management to applications and devices for authorized machine-to-machine (M2M) communication.
- Lack of interoperability with existing systems: A mixed-platform environment with diverse applications and infrastructure is the new norm for the modern enterprise. An IAM solution touches many of these environments, so they must work well together. Essential IAM capabilities like single sign-on (SSO), user provisioning, password management, and audit process improvement touch heterogeneous systems in the enterprise. Look for systems that offer automated provisioning of accounts, the fulfillment of access requests, and computerized policies and workflows regardless of the existing IT systems in place. It may make sense to keep IAM systems and the directory of authentication credentials on a remote server or cloud instance.
- Ignoring other users: It’s important to remember that IAM solutions go beyond authenticating and authorizing employee access to applications, data, and devices. Other legitimate users across an organization may also require access to get work done and build connections. Look for IAM solutions that can scale to address the needs of internal employees and guests, partners, and customers.
Today’s successful enterprises leverage IAM solutions to provide seamless and secure access to enterprise applications and data from various devices, platforms, and networks. Getting there requires ensuring the IAM solution is scalable and comprehensive, and most importantly, aligned with the organization’s most strategic goals. By integrating IAM into an overall enterprise security strategy, organizations can efficiently meet project milestones. In doing so, they strengthen the privacy and security of enterprise assets.