Identity and Access Management (IAM) is not new; myriad tools can help organizations control user access and privileges. Organizations have the means available to implement mature and reliable IAM solutions to protect their data and systems. Yet costly, damaging data breaches persist, most of them starting with an identity compromise. Why?
IAM can seem daunting in today’s highly distributed environments, with data scattered across user and Internet of Things devices, private data centers and public, private and hybrid clouds. That complexity is multiplied by a growing range of IAM-related technologies, such as multi-factor authentication (MFA), privileged access management (PAM), zero trust strategies, customer IAM, Secure Access Service Edge (SASE), Cloud-Native Application Protection Platform (CNAPP) and others.
Getting control over identity management requires a comprehensive and ongoing process from risk assessment through daily management. Breaking down the IAM cycle into its key elements can demystify the process and provide organizations with a clear path to reducing risk, mitigating attacks and, ultimately, safeguarding their most important data.
The 5 Steps of the IAM Lifecycle
It has been five years since the Capital One data breach, in which attackers gained access to 100 million customer accounts and credit card applications because of inadequate IAM controls, as an MIT Sloan case study explained. It is far from an isolated incident: the pace of significant breaches continues, and since then the attack surfaces of organizations have only grown.
The identities on a network include not only human users but an exploding number of machine identities, such as services, applications, APIs, and devices ranging from smartphones to IoT sensors. Meanwhile, users with access to systems include third-party vendors, partners, and other stakeholders. All are potentially exploitable.
Organizations must take a holistic, programmatic approach to IAM, implementing an ongoing process involving policies, procedures and technology to strengthen IAM programs and security postures against evolving threats.
At the heart of IAM is the basic premise of granting authorized users the correct level of access to the right data when needed, regardless of whether they are humans or machines. A big part of effective IAM is making sure the basics of security are carried out, and carried out continuously rather than once.
You can start by understanding the five key components of an ongoing process in IAM.
1) Assess. This involves documenting the “as is.” This is accomplished by reviewing security policies and naming conventions, defining requirements, and establishing the organization’s current IAM environment. Identify any holes in the IAM processes, such as whether security teams allow exceptions to MFA policies where, for example, groups or individuals are allowed access to certain information without MFA. The information gathered during the assessment stage can help organizations understand their actual security posture, with visibility across users, applications and data.
2) Design. In this stage, you architect the solution, determine your needs, and evaluate vendor and product offerings. Based on your assessment, set your requirements and design solutions to meet them. It’s also essential at this stage to be aware of compliance requirements and design solutions according to industry standards. You should also establish an IAM maturity model.
3) Deploy. It’s best to adopt a plan for phased implementation, determining requirements for each phase and communicating with constituents during the process. Be sure to validate that the processes are working effectively. And it’s also critical to make training and education part of the deployment. Training should be enterprise-wide, including people working in IT, sales, finance and everywhere in between. Considering that identity compromise (achieved via phishing and other means) is the attackers’ primary method, failing to educate users on IAM threatens to undercut an organization’s best security efforts.
4) Test. The best way to validate an IAM solution is through testing—you don’t want to wait until an attack is underway to determine if your controls are working. You need to do proactive penetration tests, adopting the posture and tactics of an attacker, to identify security gaps, prioritize remediations and validate the effectiveness of IAM controls. This stage also allows you to review your original assessment, evaluate the solution design and identify where improvements can be made.
5) Manage. This stage includes daily tasks such as provisioning and deprovisioning users, identifying unused accounts that need to be closed, enforcing least-privilege policies and managing access controls using role-based access control (RBAC). Every human user needs a clearly defined role, including those with privileged access. PAM can help ensure you audit those roles, adjusting privileges when roles change and changing passwords frequently. Management also includes regulatory and compliance reporting.
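The assess and manage steps above both come down to questions you can ask of an account inventory: who is allowed in without MFA, which accounts have gone quiet, and who holds entitlements their role does not define. The script below is an added example, not code from the article; the role catalogue, account inventory and field names are constructed to show the checks and do not come from any real directory export.

```python
"""IAM review checks over a constructed account inventory (added example)."""
from datetime import datetime, timedelta

# Hypothetical role catalogue: the entitlements each role is meant to carry.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"ledger:read", "reports:read"},
    "it-admin": {"directory:write", "servers:admin", "ledger:read"},
    "sales-rep": {"crm:read", "crm:write"},
}

# Constructed inventory in the shape a directory export might take.
# "mfa_exception" records the justification a team gave for bypassing MFA, if any.
INVENTORY = [
    {"user": "a.lopez", "role": "finance-analyst", "mfa": True,
     "entitlements": {"ledger:read", "reports:read"}, "last_login": "2024-09-01"},
    {"user": "svc-backup", "role": "it-admin", "mfa": False, "mfa_exception": "legacy script",
     "entitlements": {"servers:admin", "directory:write", "ledger:read"}, "last_login": "2024-09-10"},
    {"user": "j.ng", "role": "sales-rep", "mfa": True,
     "entitlements": {"crm:read", "crm:write", "ledger:read"}, "last_login": "2024-03-02"},
    {"user": "contractor-7", "role": "sales-rep", "mfa": False,
     "entitlements": {"crm:read"}, "last_login": "2023-11-15"},
]


def _date(s):
    return datetime.strptime(s, "%Y-%m-%d")


def find_mfa_exceptions(inventory):
    """Assess: every account allowed in without MFA, with the recorded justification."""
    return [(a["user"], a.get("mfa_exception", "no justification recorded"))
            for a in inventory if not a["mfa"]]


def find_stale_accounts(inventory, as_of, max_idle_days=90):
    """Manage: accounts idle longer than the threshold are deprovisioning candidates."""
    cutoff = _date(as_of) - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in inventory if _date(a["last_login"]) < cutoff)


def find_role_drift(inventory, roles=ROLE_ENTITLEMENTS):
    """Manage: entitlements held beyond what the account's role defines (least-privilege gaps)."""
    drift = {}
    for a in inventory:
        extra = a["entitlements"] - roles.get(a["role"], set())
        if extra:
            drift[a["user"]] = sorted(extra)
    return drift


def audit(inventory, as_of):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "mfa_exceptions": find_mfa_exceptions(inventory),
        "stale_accounts": find_stale_accounts(inventory, as_of),
        "role_drift": find_role_drift(inventory),
    }


if __name__ == "__main__":
    for check, findings in audit(INVENTORY, "2024-09-15").items():
        print(f"{check}: {findings}")
```

Run against the constructed inventory as of 2024-09-15, the audit flags two MFA exceptions (one of them with no recorded justification), two accounts idle for more than 90 days, and one sales account holding a finance entitlement outside its role. In a real programme the same checks run on a schedule against the live directory, and each finding becomes a ticket rather than a print line.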
Best Practices and New Approaches
Despite the complexity of maintaining IAM in today’s distributed environments, effective security still involves covering the basics and following best practices.
For instance, centralized control of IAM is essential, so organizations should have a full-time security operations center (SOC) for continuous monitoring and threat detection. A dedicated SOC can enable real-time threat detection and quick response.
Overworked security teams lag on timely patch management, but unpatched systems create potentially serious vulnerabilities. Organizations must implement automated patch management and adhere to strict schedules for applying updates to software and systems.
Because IAM is an ongoing process, organizations must keep abreast of new developments and emerging technologies.
For example, organizations that haven’t adopted zero-trust principles, which have become a driving force in security, need to get started. Cloud-based and distributed networks have long since obliterated the idea of a network perimeter. Zero trust focuses on identities, no matter where they reside, relying on continuous verification and authentication.
Encryption is another essential element of protecting data, whether at rest or in transit. It’s important to encrypt as much data as you can and store encryption keys (used to decrypt data) separately in a hardware-based digital vault, which can reduce the likelihood of breaches.
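The pattern the paragraph describes is envelope encryption: each record is encrypted under its own data key, and that data key is itself wrapped by a key-encryption key that lives only inside a vault and is never handed to the application. The code below is an added example, not from the article. The `KeyVault` class is a software stand-in for a hardware vault, and because the Python standard library has no AES, the `seal`/`open_` pair uses a SHA-256 counter-mode keystream with an HMAC tag (encrypt-then-MAC) in place of AES-GCM; in production you would use a real AEAD and a real HSM or KMS, but the key-separation structure is the same.

```python
"""Envelope encryption with the key-encryption key held outside the data store (added example)."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode as a PRF keystream; a stand-in for AES-GCM, which
    # the standard library lacks. The key-separation pattern is the point, not the cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key or tampering raises."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyVault:
    """Stand-in for a hardware vault: the KEK is generated inside and never leaves.
    Callers get only wrap/unwrap operations, which is all an HSM or KMS exposes."""

    def __init__(self):
        self._kek = os.urandom(32)

    def wrap(self, data_key: bytes) -> bytes:
        return seal(self._kek, data_key)

    def unwrap(self, wrapped: bytes) -> bytes:
        return open_(self._kek, wrapped)


def encrypt_record(vault: KeyVault, plaintext: bytes) -> dict:
    """Fresh data key per record; the store keeps ciphertext and the *wrapped* key only."""
    dek = os.urandom(32)
    return {"ciphertext": seal(dek, plaintext), "wrapped_key": vault.wrap(dek)}


def decrypt_record(vault: KeyVault, record: dict) -> bytes:
    """Decryption requires the vault to unwrap the data key first."""
    dek = vault.unwrap(record["wrapped_key"])
    return open_(dek, record["ciphertext"])


def store_alone_is_useless(record: dict) -> bool:
    """Model a breach of the data store only: a different vault cannot unwrap the key,
    so the record cannot be read. Returns True when decryption is refused."""
    try:
        decrypt_record(KeyVault(), record)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    vault = KeyVault()
    rec = encrypt_record(vault, b"constructed sample: account 0000-1111")
    print(decrypt_record(vault, rec))
    print("store without vault is readable:", not store_alone_is_useless(rec))
```

The separation is what limits the blast radius: an attacker who copies the database gets ciphertext and wrapped keys, and every wrapped key is opaque without the vault. It also makes rotation tractable, since re-wrapping the data keys under a new KEK touches only the small wrapped blobs, not the bulk ciphertext.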
Organizations must also be aware of post-quantum cryptography (PQC) and the post-quantum encryption algorithms recently released by the National Institute of Standards and Technology (NIST). The arrival of quantum computers, perhaps five or 10 years away, will render current cryptography obsolete, but it will likely take organizations years to transition fully to PQC. In the meantime, harvest now, decrypt later (HNDL) has become a more common attack, in which attackers steal encrypted data in anticipation of being able to decrypt it once quantum computers arrive.
Artificial intelligence transforms IAM systems by automating critical tasks such as password management and account provisioning while enhancing security by detecting anomalous or suspicious network behavior. Additionally, monitoring the sheer volume of user activity data can overwhelm teams. AI-driven automation addresses this challenge by streamlining workflows and delivering actionable insights in near real-time, empowering organizations to respond more effectively to potential threats.
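The anomaly detection the paragraph attributes to AI-driven tooling starts from the same idea a simple baseline captures: learn what normal looks like for each identity, then flag departures. The script below is an added example, not from the article, and uses explicit rules rather than a trained model so the logic is visible: a login from a country never seen for that user, a login during quiet hours, and a success following a run of failures. The log lines, users, countries and thresholds are all constructed.

```python
"""Rule-based anomaly detection over constructed authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed log lines: <timestamp> <user> <result> <source country>
LOG_LINES = """\
2024-09-02T09:12:00 a.lopez success US
2024-09-02T17:45:00 a.lopez success US
2024-09-03T08:55:00 j.ng success SG
2024-09-04T03:10:00 a.lopez success RO
2024-09-04T03:11:00 j.ng failure SG
2024-09-04T03:11:05 j.ng failure SG
2024-09-04T03:11:09 j.ng failure SG
2024-09-04T03:11:14 j.ng failure SG
2024-09-04T03:11:20 j.ng failure SG
2024-09-04T03:11:31 j.ng success SG
""".splitlines()


def parse(lines):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in lines:
        ts, user, result, country = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "country": country})
    return events


def detect(events, baseline_until="2024-09-03T23:59:59",
           failure_threshold=5, quiet_hours=range(0, 6)):
    """Return (user, timestamp, reason) alerts.

    Events up to `baseline_until` only teach the per-user baseline (countries seen);
    later events are scored against it. Consecutive failures are tracked per user so
    a success that ends a long failure run is flagged, whatever country it comes from.
    """
    cutoff = datetime.fromisoformat(baseline_until)
    events = sorted(events, key=lambda e: e["ts"])
    seen = defaultdict(set)        # countries observed per user
    failures = defaultdict(int)    # current run of consecutive failures per user
    alerts = []
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["result"] == "failure":
            failures[user] += 1
            continue
        run = failures[user]
        failures[user] = 0
        if run >= failure_threshold:
            alerts.append((user, ts.isoformat(), f"success after {run} consecutive failures"))
        if ts > cutoff:
            if e["country"] not in seen[user]:
                alerts.append((user, ts.isoformat(), f"first login from {e['country']}"))
            if ts.hour in quiet_hours:
                alerts.append((user, ts.isoformat(), "login during quiet hours"))
        seen[user].add(e["country"])
    return alerts


if __name__ == "__main__":
    for user, when, reason in detect(parse(LOG_LINES)):
        print(f"{when} {user}: {reason}")
```

On the constructed log this raises four alerts: a.lopez logging in from a new country at 03:10, both users logging in during quiet hours, and j.ng succeeding after five straight failures, the shape a password-spray or credential-stuffing attempt leaves behind. The baseline cutoff is deliberately explicit; a production system would instead keep a rolling per-identity profile and weight the signals rather than treating each as a binary rule.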
The Core of Cybersecurity
Organizations must adopt a holistic IAM strategy as they navigate the complexities of distributed environments and an explosion of identities. IAM is not a one-time project; it is a continuous process of assessment and improvement. By committing to this cycle and staying informed about new technologies and threats, organizations can turn IAM into a powerful enabler of security and business agility, ensuring their data and systems remain protected in an increasingly digital and interconnected world.