Identity management is a fundamental part of an effective security program. And, given the risks out there, it’s essential for protecting your organization against today’s cyber threats.
Big data breaches made headlines again last year. Of course, we all remember the Equifax breach, which impacted 145 million people. It’s a sobering reminder of what can happen when cyber thieves get access to sensitive data.
But the Equifax incident was only one of many problems reported last year. WannaCry, NotPetya, and Bad Rabbit viruses hit computers around the world. Yahoo confessed that previous breaches were dramatically larger in scope than originally reported. Uber revealed publicly that data from 57 million of their customers was stolen in 2016.
The list goes on. But the bottom line is this: data breaches were a big problem in 2017. And the trend is expected to continue.
Build a Solid Foundation
Identity and Access Management (IAM) is a complex, multi-disciplinary field. At its core, IAM is a framework: the business processes, organizational policies, and technologies required to let “the right people get access to the right resources for the right reasons” and to prevent the “wrong” people from ever accessing sensitive data.
There are over 20 sub-disciplines that make up the IAM competency. Implementing an identity program is complicated. It takes an organization-wide commitment to the endeavor, as well as skilled resources to carry it out.
But, like most things in security, an effective program starts with a solid foundation. To establish firm footing, start with these four disciplines:
Privileged Identity and Account Management (PIM/PAM)
Privileged identity management (PIM) focuses on monitoring and protecting superuser, administrator, and root accounts. These accounts have widespread authorization to systems and data. In the wrong hands, these identities can cause tremendous damage or result in the loss of sensitive or confidential data, because they carry elevated privileges.
Privileged account management (PAM) focuses on auditing account and data access by privileged users. For example, let’s say you have a user who works in marketing. It makes sense that this user would have access to the company’s marketing database, and that database may contain information that is valuable to a cyber thief. PAM monitors user access (in this case, the user’s access to the marketing database) to identify questionable or abnormal activity, which could be a sign that the user’s credentials have been compromised.
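The kind of monitoring the PAM paragraph describes, as an added illustration that is not code from the original post or from ePlus: a small baseline-and-deviation check run over constructed access-log lines for the marketing database. The log format, the user name, the business-hours window and the "bulk read" multiplier are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real data); hypothetical format:
# timestamp | user | table | rows_returned | client_ip
LOG_LINES = """\
2017-11-06T09:12:44 | jdoe | marketing.campaigns | 120 | 10.1.4.22
2017-11-06T10:03:10 | jdoe | marketing.leads | 300 | 10.1.4.22
2017-11-07T09:45:02 | jdoe | marketing.campaigns | 95 | 10.1.4.22
2017-11-07T14:20:31 | jdoe | marketing.leads | 250 | 10.1.4.22
2017-11-08T02:17:55 | jdoe | marketing.leads | 48000 | 203.0.113.7
2017-11-08T02:21:03 | jdoe | finance.payroll | 1200 | 203.0.113.7""".splitlines()
BUSINESS_HOURS = range(7, 20)  # assumed: 07:00-19:59 is normal working time
BULK_FACTOR = 10               # assumed: >10x the user's largest prior read is "bulk"

def parse(line):
    ts, user, table, rows, ip = (f.strip() for f in line.split("|"))
    return {"ts": datetime.fromisoformat(ts), "user": user, "table": table,
            "rows": int(rows), "ip": ip}

def build_baseline(events):
    # Per-user profile: tables touched, client IPs used, largest result size seen.
    base = defaultdict(lambda: {"tables": set(), "ips": set(), "max_rows": 0})
    for e in events:
        b = base[e["user"]]
        b["tables"].add(e["table"])
        b["ips"].add(e["ip"])
        b["max_rows"] = max(b["max_rows"], e["rows"])
    return base

def detect_anomalies(lines, cutoff):
    """Learn a baseline from events before `cutoff` (YYYY-MM-DD), then flag later
    events that deviate from it. Returns [(event, [reasons]), ...] in time order."""
    events = sorted((parse(ln) for ln in lines), key=lambda e: e["ts"])
    cutoff_dt = datetime.fromisoformat(cutoff)
    base = build_baseline(e for e in events if e["ts"] < cutoff_dt)
    findings = []
    for e in (x for x in events if x["ts"] >= cutoff_dt):
        b = base[e["user"]]  # an unseen user gets an empty profile, so every check fires
        reasons = []
        if e["table"] not in b["tables"]:
            reasons.append("new table %s" % e["table"])
        if e["ip"] not in b["ips"]:
            reasons.append("new client ip %s" % e["ip"])
        if e["rows"] > BULK_FACTOR * b["max_rows"]:
            reasons.append("bulk read of %d rows" % e["rows"])
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours access")
        if reasons:
            findings.append((e, reasons))
    return findings
```

Both 8 November events are flagged: the first for a new source address, an off-hours time and a result set far larger than anything the user had pulled before, the second for touching a table outside the user's history.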
Single Sign-on (SSO)
We’re all familiar with the complexity of working in today’s world. Just to perform their jobs, users are required to access many different systems and applications. And every application they use requires an ID and password.
A single sign-on (SSO) solution simplifies access to applications. It enables you to manage identities and connections to applications using an identity vault. This makes identity management easier. Users only have to remember one set of credentials, and security administrators can manage privileges from a central location.
Multifactor Authentication (MFA)
Multifactor authentication (MFA) requires a user to provide multiple credentials before access is granted. For example, a user may be required to provide a password and a token, a password and the answers to several personal questions, or a password and a code that was texted to their mobile device. There are many variations of MFA.
Every organization should be doing multifactor authentication today. If they’re not, they are taking a big risk and leaving the organization exposed. MFA makes it much more difficult for thieves to steal and reuse identities.
Lifecycle Management for Credentials
What happens when an employee leaves your organization? What happens when a person changes roles? How are their permissions, based on their role, managed and maintained throughout the lifecycle of their tenure at your company? How are their IDs commissioned and decommissioned?
Without good lifecycle management policies, user accounts can easily remain active when they shouldn’t be or have privileges that are inconsistent with the user’s role at the company. If that occurs, and the identity is compromised, an outside entity may be capable of causing more damage than you realize.
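One way to catch the conditions this section warns about (accounts that stay active after a leaver departs, entitlements that no longer match a mover's role, orphaned or dormant accounts), as an added example that is not code from the original post or from ePlus: a reconciliation of a constructed HR roster against a constructed directory export. The role-to-group model, the sample employees and accounts, the reference date and the 90-day dormancy threshold are all assumptions made for the example.

```python
from datetime import date

# Constructed sample data (not a real HR feed or directory export).
# Role-to-entitlement model: the groups each job role is allowed to hold.
ROLE_GROUPS = {
    "marketing-analyst": {"all-staff", "marketing-db-read"},
    "finance-analyst":   {"all-staff", "finance-db-read"},
    "dba":               {"all-staff", "marketing-db-admin", "finance-db-admin"},
}
HR_RECORDS = {  # employee id -> current HR status and role
    "E100": {"status": "active",     "role": "marketing-analyst"},
    "E101": {"status": "active",     "role": "finance-analyst"},  # moved from marketing
    "E102": {"status": "terminated", "role": "dba"},
}
ACCOUNTS = [  # directory export: owning employee, enabled flag, last login, groups
    {"user": "jdoe", "emp": "E100", "enabled": True, "last_login": date(2017, 11, 6),
     "groups": {"all-staff", "marketing-db-read"}},
    {"user": "asmith", "emp": "E101", "enabled": True, "last_login": date(2017, 11, 3),
     "groups": {"all-staff", "marketing-db-read", "finance-db-read"}},
    {"user": "rroot", "emp": "E102", "enabled": True, "last_login": date(2017, 7, 1),
     "groups": {"all-staff", "marketing-db-admin", "finance-db-admin"}},
    {"user": "svc-old", "emp": None, "enabled": True, "last_login": date(2017, 2, 14),
     "groups": {"all-staff"}},
]
DORMANT_DAYS = 90             # assumed policy threshold for an unused-but-enabled account
TODAY = date(2017, 11, 8)     # constructed reference date for the dormancy check

def reconcile(accounts, hr, role_groups, today):
    """Return {user: [findings]} for enabled accounts whose state disagrees with HR."""
    report = {}
    for a in accounts:
        if not a["enabled"]:
            continue  # a disabled account is already where lifecycle policy wants it
        issues = []
        rec = hr.get(a["emp"])
        if rec is None:
            issues.append("orphan: enabled account with no HR owner")
        elif rec["status"] != "active":
            issues.append("leaver: owner is %s but account still enabled" % rec["status"])
        else:
            extra = a["groups"] - role_groups[rec["role"]]
            if extra:
                issues.append("mover: groups outside role %s: %s"
                              % (rec["role"], ", ".join(sorted(extra))))
        idle = (today - a["last_login"]).days
        if idle > DORMANT_DAYS:
            issues.append("dormant: no login for %d days" % idle)
        if issues:
            report[a["user"]] = issues
    return report
```

Run against the sample data, the report leaves jdoe alone, flags asmith for a marketing entitlement carried over from the old role, flags rroot as a terminated administrator whose account is still enabled, and flags svc-old as an orphan nobody in HR owns.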
Five Keys to Success
IAM projects can be complicated. But here are five key steps that will help you have a successful implementation:
- Plan it out. Thorough planning is vital. An evaluation of the desired features and functions, up front, is a key first step. Understanding what IAM can and cannot do for your specific application landscape, and the impact it will have on your business culture, is critical.
- Start small. Don’t try to boil the ocean with a full-scale IAM implementation from day 1. The strategy should be formed, but tackle one area at a time to ease adoption and promote successes.
- Get organizational buy-in. Make sure you get support throughout your organization. Understanding and clearly communicating the usability and functional (or habitual) changes IAM will bring is important in order to overcome early dissension or resistance.
- Consider the future. The strategy you come up with today must work tomorrow and grow with your organization. Planning for scalability in terms of both head-count and applications is an important consideration and can help you avoid nasty issues later in the IAM journey.
- Quantify the value. Create a set of metrics applicable to your organization that can demonstrate the value of the implementation over time.
For information on how ePlus can help you implement IAM solutions that are right for your organization, click here to get in touch with us or contact your ePlus Account Executive.