CIOs need to ensure that the right people get to the data they need with the appropriate tools, and they look to identity and access management (IAM) as one way to help accomplish this task. IAM can be complex though—it involves user administration and everything associated with it; governance with all of its implications spread across a multitude of systems and user types; and even the risks and opportunities associated with powerful super user/administrative access. Not done well, IAM can become a productivity black hole or a security loophole.
Here are five universal truths that can improve an organisation's IAM approach and turn IAM into an enabler of agility rather than an obstacle to it.
A unified approach to security is the basis of a stable foundation.
Anyone who has attempted to deal with security without an underlying strategy will find themselves in a losing battle, constantly running from one fire to the next with no end in sight. CIOs should base their IAM approach on a single set of controlling policies that apply to all systems. These include a single user identity that comprises everything necessary to appropriately access systems and data; a single set of parameters that control access and define users; and a single point of management that places the power in the hands of the people who know why someone should access something—not simply how to manipulate the system to grant that access.
Any single user can have dozens of individual identities across just as many systems, and each system can require different attributes or controls within those identities. These disparate factors make it a challenge for CIOs. The more unified your IAM approach, the easier it is to actually understand the rights and activities of users.
Hackers are unavoidable.
It is impossible to watch every user and entry point for suspicious activity. While the normal security measures are necessary—firewalls, good password policy, shredding documents—certain aspects of IAM can dramatically improve your chances when hackers inevitably come poking. For instance, implementing an automated, business-driven and policy-based provisioning solution can ensure that there are no instances of inappropriate access that can be exploited.
Users will write down their passwords, but will not remember their passwords.
Faced with numerous passwords to remember, employees often write them down and then leave them around their workspaces. Regardless of how thoroughly a user is monitored, and how unified and strong a company's security policy is, nothing is secure once a password falls into the wrong hands. By employing single sign-on (SSO) technologies as part of the IAM policy, CIOs can avoid a password-related breach.
Insider threats are a problem.
Many of the most damaging and high-profile security breaches of recent years were the result of insiders using privileged access to do bad things. Some steal and publicise critical data. Others set time bombs to destroy systems.
The super user account is unavoidable, but the common practices that put it at risk are avoidable.
Often, in an effort to ensure that critical IT tasks can be done in an efficient and timely manner, organisations will share the all-powerful administrative password across any and all staff who may ever need to use it. A better approach is to never give it to anyone and instead implement a privilege safe that issues it automatically, according to policy, and with complete visibility into the associated activities. In addition, where possible, it is advisable to implement a least-privilege access model, in which subsets of a full administrative credential are delegated to individual administrators, giving them just enough rights to do their jobs.
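As an added example (not from the article, and not any vendor's product), the following Python sketch shows the two practices just described: a privilege safe that issues an administrative credential only when policy allows, time-boxes the checkout and records every request whether granted or refused, and a least-privilege map that delegates only a subset of the full right set to each administrator. The credential name, roles, rights and ticket reference are constructed placeholders.

```python
"""Minimal privilege safe: policy-gated checkout of a shared administrative
credential with an audit trail, plus least-privilege delegation of subsets of
that credential's rights. Added illustration, not any vendor's product."""
import time
from dataclasses import dataclass, field

# Constructed policy: which roles may check out which credential, for how long,
# and whether a change ticket must be cited.
POLICY = {"root-prod-db": {"roles": {"dba"}, "max_seconds": 1800,
                           "needs_ticket": True}}
# Least-privilege delegation (constructed): each admin holds only a subset of
# the full administrative right set, never the whole thing.
FULL_ADMIN_RIGHTS = {"db.read", "db.backup", "db.restart", "db.drop"}
DELEGATED_RIGHTS = {"alice": {"db.backup", "db.restart"}, "bob": {"db.read"}}

@dataclass
class PrivilegeSafe:
    secrets: dict                               # credential name -> secret value
    audit: list = field(default_factory=list)   # every request, granted or not
    leases: dict = field(default_factory=dict)  # (user, cred) -> expiry epoch

    def checkout(self, user, roles, cred, ticket=None, now=None):
        """Issue the credential only when policy allows; log every attempt."""
        now = time.time() if now is None else now
        rule = POLICY.get(cred)
        granted = (rule is not None
                   and bool(set(roles) & rule["roles"])
                   and (ticket is not None or not rule["needs_ticket"]))
        self.audit.append({"ts": now, "user": user, "cred": cred,
                           "ticket": ticket, "granted": granted})
        if not granted:
            return None
        expiry = now + rule["max_seconds"]       # time-boxed lease
        self.leases[(user, cred)] = expiry
        return self.secrets[cred], expiry

    def lease_valid(self, user, cred, now=None):
        """True while the time-boxed checkout has not expired."""
        now = time.time() if now is None else now
        expiry = self.leases.get((user, cred))
        return expiry is not None and now < expiry

def can_perform(user, right):
    """Delegated-rights check: an admin may use only rights explicitly granted,
    and a delegation can never exceed the full administrative set."""
    rights = DELEGATED_RIGHTS.get(user, set())
    return rights <= FULL_ADMIN_RIGHTS and right in rights
```

The audit list is the visibility the article calls for: a refused request is as useful to a reviewer as a granted one.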