Keys to the kingdom
Identity and access management is a core principle of ensuring a robust cybersecurity framework.
Any organisation that manages multiple users, all of whom need access to many types of data and applications, requires a robust set of solutions and standards to help implement access controls, to protect data from today’s complex threats. Identity and access management (IAM) systems are designed to do exactly that.
According to Sana Rejibi, IAM consultant, BT, remote working and hybrid workforces are shining the spotlight on the need for these systems. Because work has moved from being centralised in an office location to taking place across myriad locations, this is placing greater demands on access management.
Gartner says organisations are finding themselves tasked with having to support multiple options for user and device access as well as multiple generations of digital assets, all within a flexible modern identity infrastructure. “In the enterprise, identity governance and administration are essential to governing access to both on-premise and cloud resources,” she says.
Another factor spurring on IAM adoption is the need for organisations to deliver a seamless user experience, she adds. This is particularly important as user and employee experience is now a business differentiator and essential to gaining competitive advantage.
Simeon Tassev, MD and QSA, Galix, says businesses are faced with the challenge of providing their workforces with the right level of access to the right resources. “While employees are now used to being able to work from any place, and at any time, supporting user access from a wide range of locations on a slew of different devices can not only introduce new risks, but added complexity.
“The old maxim is that companies can’t protect what they don’t know and what they can’t see, and, unfortunately, the traditional cyber perimeter is evolving so fast that most businesses are battling to determine where their critical information assets reside, and who has access to them.” In addition, he says, there are today’s multicloud environments, the edge, IoT devices, an increasingly stringent regulatory environment, and an ‘everything digital’ world, and it’s easy to see why getting a grip on IAM is one of the most complex and challenging issues enterprises must deal with.
“IAM has become an essential component of security and all principles of security, including the baseline principle of security – CIA (confidentiality, integrity, availability),” he adds.
A costly threat
Debilitating cases of ransomware and malicious software attacks are rising, with the potential to cost governments, public and private sector organisations dearly in capital, time and resources, says Jeremy Matthews, CEO, Panda Security Africa. “In addition to this, insider attacks are becoming more prevalent, with the potential to expose confidential client information and resources. Bring your own device and cloud reliance are driving the adoption of IAM, as it ensures that only authorised people use assigned resources, when required.”
Approaches to authentication have evolved in that using single-factor authentication, such as a password, to protect from cyberattacks is no longer sufficient in today’s hyperconnected world, adds Rejibi. Cybercriminals are exploiting weak, stolen, or compromised credentials to take on the identity of certain individuals, and hunting for privileged accounts and credentials that can help them gain access to an organisation’s most critical infrastructure and sensitive data. “A more modern approach is to rely on multi-factor authentication (MFA), which entails using an extra method of identification in addition to a username and password when logging into an account. This enhanced method of security ensures that the person requesting access is the right person by requiring additional verification information,” she says.
MFA provides security to protect users’ identities, assets, accounts and information, adds Matthews. “Its benefits can be appreciated in sectors such as banking – powerful systems protect sensitive data and the financial assets of their users. MFA ensures that only authenticated users have access to specific resources.”
Over and above a security tool, IAM is also a business enabler. Rejibi says security is essential to cloud adoption and digital transformation. The latter is reliant upon being able to securely connect with people, applications, and devices.
“IAM is a business enabler in the sense that as a core security solution, it’s now essential that organisations adopt IAM. Without it, there is a high risk that they will leave themselves open to cybersecurity threats,” adds Matthews. “IAM, paired with MFA, should be used to protect companies’ remote networks, as well as email and administrative access. This also allows the visibility of all endpoints and will significantly minimise the threat of a breach, especially when combined with mature patching requirements, employee training and increased awareness. If implemented correctly, IAM drives business productivity and the uninterrupted functioning of digital systems. Employees can work effectively, whether in the office or remotely, through centralised management and by connecting systems to customers, contractors and suppliers, increasing efficiency and lowering costs.”
Some new frameworks are focusing more around security on the edge by identifying who needs access based on various factors such as identity, location, or devices they are connecting from. These different factors could be part of a user’s identity, comments Tassev.
More frameworks have emerged in recent years, one of which is secure access service edge (SASE), which was identified and coined by Gartner. SASE works on the principle that any access an individual requires is provided based on their identity and not where they are from. “This is the framework that every organisation is moving towards, in order to enable the workforce to do their jobs no matter what device they’re using or where they’re connecting from,” says Tassev.
In terms of where IAM fits in with the overall security posture, Matthews says it has evolved into a vital area of any organisation’s overall security strategy. Services like WatchGuard Authpoint MFA offer a strong identity framework and enable organisational productivity and the uninterrupted functioning of digital systems. In today’s business climate, employees and management teams require rapid and easy access to data and IT resources. An organisation’s security strategy should incorporate IAM with MFA and encourage safe collaboration between employees, while enabling them to work and safely share information across the organisation. IAM lays the foundation for the safe sharing of identity information across applications and tools without compromising on security. This will ultimately improve productivity, research and development and the longevity of an organisation.
Tassev concludes: “It’s difficult to have a security strategy without identifying the users, whether that’s an individual or a service account. These accounts would be automated to deal with a specific aspect of the organisation’s data, such as backing up the system. In the remote working world, IAM is important to the cybersecurity strategy as it ensures that an identity is only given access to what they need and nothing else. This decreases the chances of a cybersecurity threat, or an individual accidentally deleting data they shouldn’t. IAM and its many layers of authentication enable full accountability.”
* This feature was first published in the June edition of ITWeb's Brainstorm magazine.