PROTECTION STARTS WITH IDENTITY
Organisations are vulnerable to a range of threats: cyberattacks, malware, ransomware, theft and device loss, compromised passwords, phishing and even malicious attacks from the inside. Breaches are widespread. No organisation is immune. Early detection is critical. With threats increasingly sophisticated, and as digital transformation and technology continue shaping how business gets done, many organisations have adopted a mindset of Zero Trust—a security discipline that holds nothing inside or outside the perimeter can be trusted and everything must be first verified before getting access.
Information security is often the unsung hero in a business. If everything is performing up to expectations, the organisation and its data remain protected another day—business as usual. If any disruption to security or a significant data breach occurs, headlines are made and the potential damages are tremendous—from tarnished reputation and distrust to even lost business and customers.
Identity is at the core of security. The need for a strong, well-thought out and continuously implemented identity access management (IAM) programme has never been greater. Organisations that can seamlessly manage and maintain user access to business information will not only decrease the likelihood of a breach—and the financial, reputation and brand equity threats that accompany compromised data—but they will also eliminate service disruption, establishing a competitive advantage over their less-protected peers.
Why is IAM so Important?
For as long as businesses have existed, identity has always been critical. But in today’s digital revolution, identity has never been more relevant and necessary for a number of reasons
- User life cycle: Every user is on a life cycle, from their first day at the company to their last. Users include full-time employees, vendors, consultants, contractors and even customers. It’s critical to keep pace with the evolution and growth of the user, as they may assume new roles or take on different projects that require access to systems and applications that may only need temporarily. Effective IAM constantly adjusts and fluctuates permissions as the user and digital experience evolve over time. This ensures that users have authorised access to only the applications, systems and programmes they need to do their jobs. It also ensures permissions are revoked when the user no longer needs access, thereby only sharing the minimum data and information that is required for business to keep moving.
- User experience: IAM is happening behind the scenes, whether the user is aware of it or not. The three main systems used for IAM—singlesign-on (SSO), multifactor authentication (MFA) and privileged access management (PAM)—have some level of automation built in. Products from companies such as Okta and Ping are designed to consolidate the number of passwords a single user has. Instead of requiring a manual sign-in when trying to access a programme or application, users have a frictionless, one-time sign-on user experience.
- Device volume: Users are those who need some level of access to systems, applications, databases, physical locations or any other platform hosting information. With an increasing number of devices—including laptops/desktops, smartphones, tablets and wearables—at their fingertips, the reality is there are progressively more connected devices to protect.
- Sophisticated attacks: While innovative technologies give organisations the ability to deliver solutions to their customers better, faster and more efficiently, this revolution comes at a price. Security breaches and attacks that take advantage of technology vulnerabilities can be more sophisticated and occur more often, underscoring the demand for tight security measures.
- Regulatory landscape: General Data Protection Regulations (GDPR) and California Consumer Privacy Act (CCPA), two of the most recent data protection and privacy regulations enacted, have also changed the way companies manage data. Compliance is a lot easier with a solid IAM programme.
Digital transformation presents unique challenges for a security-minded organisation. Companies strive to innovate and renovate, leveraging technology to improve the services they deliver and the speed at which they deliver them. While business-enabling technologies such as IoT, cloud enablement, mobility, analytics and AI present opportunities for organisations to reinvent the way they deliver value, these technologies need to be approached prudently in the business environment. An effective IAM programme is a business necessity. Critical, sensitive and proprietary data is at risk. Protection isn’t an option, rather a mandate.
Identity: The Holy Grail
Privacy and security are achievable with an IAM program that keeps people from getting access to the wrong data, systems and applications. IAM programs help organisations streamline manual identity workflows and processes, ultimately helping them be more efficient with their security. But it’s not just protecting information. It’s also about enabling employees from day one with access to what they need so they can be successful from day one.
One of the most common challenges organisations face is underestimating the complexity and scope of IAM. It needs to be thought of as a never-ending programme— not a one-time project or task. “The reason you see challenges in this space is because people don’t have a programme; they buy a product and then they try to build a programme around the product. They don’t think of it programmatically,” says TEKsystems Risk & Security Practice Manager Kory Patrick. IAM consistently strives to secure the organisation.
It’s worth noting the IAM landscape continues to evolve, and the cloud drives a lot of that change. As customers search for solutions that reduce hardware spend, an increasing number of cloud-based tools and technologies are emerging in the marketplace. “Cloud isn’t necessarily changing the way we do IAM; cloud is forcing us to do IAM—because identity is really one of the last things that an organisation still remains in control of as they move their infrastructure or platforms or even software-as-a-service to the cloud,” says Patrick. In a strictly on-prem environment, organisations could make less of an investment in identity. But once the cloud became a factor, identity became the one thing you can—and must—tightly control.
Technologies are driving transformation and innovation across the enterprise. It’s not limited to the cloud. “Digital transformation has made the security professional’s world a lot more difficult because there are more surfaces to protect,” says TEKsystems Risk & Security Practice Executive Mike Mulligan. “In theory, that’s better for the consumer, better for the customer and better for the user of said technology, but it creates a tremendous amount of technology and security challenges because that means more things need to be accessed and provisioned, more things need to be protected with IAM.”
It’s essential for organisations to create a strategy built around the security products purchased. Otherwise, organisations run the risk of an out-of-the-box technology solution that ultimately doesn’t meet the needs of their business. One of the biggest mistakes companies make is choosing a tool without knowing all the business requirements of the organisation. This could also result in stitching disparate products together—which creates a separate set of challenges. Without the right people with product-specific expertise, organisations don’t know how to support the tool they just purchased. “I’ve also seen customers trying to make the wrong tool work,” Patrick adds. “It boils down to perception. They were sold this tool that’s going to solve all their problems, but that’s just not the case. Tools are tactical, not strategic.”
TEKsystems’ Tips: A Programmatic Approach to IAM Confidence
- Align IAM goals with business outcomes. IAM deployments should be based on business priorities.
- IAM is complex and requires planning and preparation. Don't overlook the importance of data cleansing, business process reengineering and building the right team.
- IAM is a programme—align your business strategy to your tactical execution. Don’t purchase a tool without understanding the full business requirements and needs of the organisation.
- Tools are tactical, not strategic. Don’t try to force a product to fit your business needs.
- Secure buy-in from the appropriate stakeholders. Think holistically and consider the impact of your IAM programme across the enterprise—including how it impacts HR, help desk, compliance, IT and security.
Mike Mulligan, Practice Executive for Risk & Security Services, TEKsystems
Kory Patrick, Risk & Security Practice Leader, TEKsystems
The views and opinions expressed in this publication are those of the authors and do not necessarily reflect the views of TEKsystems, Inc. or its related entities.