The power of IAM
Having the right access to the right resources in the right context.
The number of high-profile data breaches has skyrocketed over the past few years, too many of which have resulted from the abject failure to appropriately enforce user access. At the same time, privacy and data protection regulations have grown increasingly stringent, and are placing businesses under pressure to secure their data. It’s no surprise then that there’s a growing consciousness among businesses of the need for an identity and access strategy to not only secure, but also enhance digital services and interactions.
Justin Doo, territory manager, Middle East, Turkey and Africa at Okta, says the need for identity and access management (IAM) is driven by three key trends. “Every company is becoming a technology company. Every organisation, even those that aren’t traditional software companies, is building applications to unlock new routes to market and better engage with their customers. Customer identity solutions enable businesses to do just that.”
Next, he says people are the new perimeter. “With breach after breach, security is now (rightfully) a board-level conversation. And as every company moves to the cloud, they can be breached in ways that traditional security can’t prevent. Starting with the identity of the person, and deeply understanding their behaviour, enables organisations to protect their data in any network, application or device.”
Finally, integration is everything, says Doo. “Organisations need to use the best set of technologies to run their business and they want an identity partner that has broad and deep integrations so that they can centrally manage and secure their diverse ecosystems of apps and networks.”
According to Vernon Fryer, head of NEC XON’s Cyber Defence Operations Centre, IAM is among the top five priorities for organisations to invest in. “IAM has been necessary in any business with people and an IT system for a long time. But it was difficult to implement and maintain in the past, which made it less effective. One of the major reasons was the lack of an industry standard, but that’s steadily improved over the past eight years or so and maturity has now resolved the challenges.”
The regulatory requirement for non-repudiation around accessing privileged data is now also promoting IAM, adds Fryer. “It’s no longer simply operationally beneficial to businesses to implement IAM, for a variety of IT and business purposes, but it also takes care of a lot of legal requirements around companies being able to prove who’s accessed what information and when.”
IAM is also really powerful now thanks to advanced analytics and tight integration with other systems. It helps businesses build intelligent behaviour, analytics-based access control models, which is crucial in our era of heightened cyber security requirements, Fryer says.
The trends driving the adoption of IAM are linked to the need to stay innovative and competitive in this digital transformation age, says Alec Aronson, product manager, Cofense and RSA at Networks Unlimited Africa. “This would directly impact on the expansion of infrastructure, applications and the development thereof, as well as the acquisitions of other companies and employees, adding to complexity and divisional structures.”
Due to the large threat landscape created, Aronson says the abuse of these identities leads to sophisticated breaches involving default, weak and / or stolen passwords. “Companies are now looking for easier and less complex solutions to manage the different identities, with various access to a plethora of platforms and applications to give insight into the basic security fundamental questions – who, what and where?”
Two major trends lie behind the rapid adoption of IAM, according to Gregory Dellas, security presales, CA Southern Africa. “The first is the tidal wave of digital transformation initiatives across almost all industries. With 89% of organisations adopting digital-first strategies according to IDG, this has led to explosive growth in the number of identities under organisational management. Identities tied to natural persons, service accounts, robotic processes, access tokens and bots all keep growing. AI and machine learning built into the latest IAM solutions are required to keep pace with rapid digital transformation.”
The second major factor, says Dellas, is increasing legislative oversight due to concerns over consumer security and privacy. Regulations such as GDPR, PoPI and PCI-DSS, as well as standards such as ISO 27001, require an IAM solution for the most basic practical elements of compliance. Other trends evolving currently, specifically in IAM technology, are behavioural biometrics, continuous authentication and the zero-trust paradigm.
Given the need to comply with regulation and manage the skyrocketing number of identities, is IAM merely a ‘tickbox’ exercise, or is it a crucial business imperative? According to Doo, for any organisation that wants to thrive in a world where the rise of cyber threats continues to evolve dramatically and at unprecedented speed and sophistication, it’s the latter.
“The massive increase in adoption of cloud apps and mobile devices in the enterprise has led companies to re-evaluate their traditional approaches to security. The world is waking up to the need for a new framework for this new paradigm, commonly known as ‘zero trust’. Rather than trusting everyone behind a firewall, now IT and security leaders must trust no one, either inside or outside the organisation. IAM facilitates the adoption of this approach, making it possible through contextual access. The days of ‘trusted’ internal and ‘untrusted’ external networks are gone,” says Doo. “Instead, zero trust securely enables access for the various users, irrespective of their location, device or network. It’s all about ensuring the right people have the right level of access, to the right resources, in the right context, and that access is assessed continuously. If you’re a young company, all in the cloud, it’s easy to start building a zero trust framework today.”
Moreover, he says, the use of passwords as the only way to secure our digital identities has been an abject failure. According to Verizon’s most recent ‘Data Breach Investigations Report’, 80% of hacking-related breaches are a result of weak or compromised credentials, and 29% of all breaches involved the use of stolen credentials. The consequences of a breach can be catastrophic, with the average cost of a stolen record $148, and the total cost incurred from a data breach averaging at $3.86 million, hardly small numbers.
Fryer agrees: “The current global cyber security situation makes IAM imperative. Intelligent control is crucial and so is integration. A lot of big South African corporations have the ability to automatically manage access and control across all their business systems and peripheral systems such as the physical access locks in real-time. That’s typically the kind of function that was neglected under the previous iteration of more manual IAM systems.”
“When you look at IAM solutions, you will find that organisations are enabled to grow and scale quickly as per their business needs, and no longer have regulation and compliance obstacles around security,” adds Aronson. “With IAM solutions in place, you would have the functionality, security and access for users for future deployment of applications to accommodate the business’ growth, and not only for regulatory circumstances.”
Over and above a critical business imperative, IAM is being seen as a business enabler too, continues Aronson. “With most organisations having siloed identities, it makes sense to invest in an IAM solution, as this would streamline the management of movers and leavers, including the risk of knowing who has access to what. Imagine users having a pleasurable experience in accessing resources needed to do their jobs or for business transactions, which would internally add to job satisfaction and employee retention because the company would be seen as innovative and at the cutting edge of technology. IT departments would have more control and visibility on all access points, as well as maintaining the necessary security.”
A business enabler
Dellas agrees: “Consider the following research statement from Accenture: 75% of consumers are more likely to purchase from a company that knows their name and purchase history and recommends products based on their preferences. Security is key here and effective IAM is a hard requirement to enable this level of data collection tied to a protected consumer identity. Further business value is also derived from the analytics and insight garnered from IAM. More than any other technology, IAM can define user interaction with the ability to shape and control user behaviour.”
“IAM is a business enabler because it’s an automated process,” says Fryer. “I no longer need to get any number of IT technicians, line managers, and managers from other divisions to authorise a new employee’s access to various business systems. So it clears their plates from that perspective. But it also enables business in another way. It ensures that access privileges are kept up to date, which maintains system and business integrity, eliminating interruptions. Plus, it fosters trust. Business people can rely on the fact that they’ll be able to intelligently access the right stuff to get their jobs done and not have to worry that unauthorised people mess with their business applications and data.”
So what, if any, effect can IAM have on an organisation’s culture and business processes? “In the early stages of adoption, IAM usually has a major effect,” says Fryer. “This is because you essentially limit user freedom across the network. Some of the people who are used to having carte blanche into all the systems and data across the network will invariably complain that they’ve been restricted. People also get upset when the new IAM system forces them to create a password that contains more alpha-numeric and special characters than they previously had to. Another challenge for some is that the system may force them periodically to update their passwords. Biometrics is one technology that helps ease the pain and, used as part of a two-factor authentication system, also helps to beef up security. I know of a company that uses a password typed in on a given machine that accesses that machine’s built-in camera to confirm the user’s facial recognition data for non-repudiation purposes.”
Aronson believes that streamlining the onboarding and exiting of users within an organisation improves the culture and perception of a company. “Generation Zs want access to resources instantly, as they need them, to conclude their tasks faster than previously. If you’re not able to keep up with the times, this generation will move on to an organisation that can assist them to perform efficiently.”
“Let’s take an organisation that promotes a culture of frictionless digital experiences for customers and employees,” adds Dellas. “With this objective in mind, requiring users to log into separate applications with separate interfaces to perform their desired functions will introduce friction. Delayed provisioning of services will introduce friction. Inflexible role permissions introduce friction. IAM removes friction in all these examples. Technical challenges affect culture in a big way and these challenges can be addressed with a commitment to effective IAM by top management.”
IAM responsibility tends to fall to IT by default, says Dellas. There’s also a case to be made for HR being responsible for IAM, with strong proponents of this approach. “I believe that joint responsibility should be shared between IT and HR. All non-technical aspects of IAM should be allocated to HR personnel who can perform the day-to-day administrative tasks of provisioning accounts, reviewing and approving rights and permissions and decommissioning users upon their termination. IT is best placed to manage machine identities, automated accounts and privileged accounts. IT staff must always be involved to maintain IAM from a technical perspective.”
Fryer believes that HR is the true owner of IAM. “IT only provides services. HR obviously isn’t in a position to own the technical aspects of running an IT system. But you no longer need an engineering degree or specialist training to maintain these systems. And, in fact, they hook into other systems so tidily, such as standalone HR systems and modules, that the IAM software does a lot of the lifting itself. HR personnel are simply responsible for records maintenance and oversight.”
That may simply mean changing a person’s employment status to having left if they leave to work for another company. That one change replicates throughout all the business systems, revoking the former employee’s access and use privileges without waiting for an IT administrator. “At the opposite end of the scale, it could mean flagging a senior executive, a business unit owner, product owner, direct manager, and also a cyber security person should an employee suddenly access and copy a highly sensitive SharePoint folder to a thumb drive.”
We’re seeing an evolution from a top-down, IT-driven approach to technology deployment, to an employee-driven, groundswell effort, says Doo. “It used to be IT making all the decisions about technology adoption, but now employees are empowered to do their best work using the apps they need or think are the best, which can be unique to different departments and functions.”
He says Okta’s recent ‘2019 Businesses at Work’ report revealed that today, large firms deploy an average of 129 apps per company. “Employees are driving organisational software choices, so if IT doesn’t provide employees with the best solutions to meet their needs, they will find the solutions themselves. It’s clear that user demand is a major driver for best-of-breed adoption. Along with building systems that don’t make security a significant roadblock, it’s important to develop a culture of ownership. It’s not just the security team’s job to secure our data. It’s not just the security team being hacked; it’s everyone. So building security technology that works alongside people while building a culture that celebrates good security etiquette and postures usually creates a solid foundation to protect workers and the workplace.”