Chris Owen, Director of Product Management at Saviynt
Enforcing a secure and reliable cyber security policy has never been more crucial: hackers reportedly need five hours or less to infiltrate enterprise environments, phishing attacks are growing at a rapid rate, and a whopping 90% of organisations reported being affected by ransomware in 2022.
In the UK, the Government’s Cyber Security Breaches survey noted that nearly four in ten UK businesses identified a cyberattack in the past 12 months, 83% of which were phishing attempts. The report also found that medium and large businesses lost an average of £19,400 last year to attacks.
So, what can organisations do to combat these ever-growing threats? This article takes you through the basics of Identity & Access Management (IAM), a key security pillar, to help UK organisations, big and small, better protect themselves, their employees and their data, now and in the future.
What is Identity & Access Management?
In simple terms, IAM solutions ensure that the right users have the right access to the right resources, at the right time, for the right reason, so they can do their job. According to the NCSC’s (National Cyber Security Centre) recommended 10 Steps to Cyber Security, IAM should be in any organisation’s security arsenal.
IAM is the who, what, where, when, how, and why of technology access. It is designed to protect personal and corporate data from theft by using ‘identity’ and ‘access’ to govern how users interact with data and applications across an organisation’s systems and networks. But what is meant by ‘identity’ and ‘access’ exactly?
Prior to the digitalisation of today’s workplaces, identity meant human users. Now, anything that interacts with an organisation’s IT systems, whether it’s human employees or a machine – a bot, code, IoT devices – can be considered an identity. Access, on the other hand, is what each of these identities can access on an IT system, what they can do with that access – what permissions and privileges they have – and how long they are granted this access. At the very minimum, each identity needs access to the resources that allow them to do their jobs.
Access cannot exist without identity, and identity is useless without providing access to resources. The catch is that all identities, and the access they have, come with their own set of risks. Especially in today’s digitalised, remote working world, it’s important to consider context and risk together. Remote workers connecting to a network outside of their organisation’s boundary are not protected by the organisation’s security perimeter, and from the organisation’s perspective, insight into the risks that could affect an employee’s security may be difficult to come by. So when identities request access, it’s important to take into consideration the context in which this access is being requested, and what subsequent risks this context may pose.
This is where IAM programmes play a crucial role. The IAM process starts by authenticating and authorising users, or identities. Then, access rights are assigned to resources with identity management (IDM) solutions to continuously monitor which identities are accessing what.
Incorporating multi-factor authentication (MFA) is also a good idea here. MFA requires users to use more than one of the following authentication methods: something you know (password), something you own (smartphone, token), or something you are (biometrics). This is something most people will be familiar with thanks to the rigorous log-in processes of the likes of online banking.
Most IAM solutions also provide enforcement of and governance over “least privilege” or “zero trust” access rights. Here, access to critical information systems is limited as much as possible, and access to privileged resources is only granted for a limited time, on the basis of need. This process enables organisations to treat identity as the security perimeter against today’s threats.
IAM in action
In today’s digital-first world, the number of applications an organisation has on its system, particularly Software-as-a-Service (SaaS) applications like Office 365, Salesforce and Hubspot, is ever increasing, meaning there’s also a growing number of tools that require authentication. The challenge is that users and identities will need access to any number of these resources and applications, even if it’s just for a short period of time. Access can therefore get complicated.
For example, within higher education institutions, a university professor may hold multiple identities that require access to different resources. First, professors need access to sensitive university information such as students’ grades and advisors. At the same time, many universities also allow faculty and staff to take classes for free. As students, professors should only have access to their own information, not their classmates’.
Indeed, there are all sorts of risks associated with this proliferation in identities if not managed effectively and securely, including security, privacy, operational, and compliance risks. For example, HR may need access to an employee’s medical history, but that employee also has the right to keep their personally identifiable information private from a manager. If organisations don’t manage access and identity effectively, they may be violating someone’s right to privacy.
From an operational standpoint, embezzlement and fraud are a real danger. For instance, a person who can access Accounts Receivable should not be able to access Accounts Payable, because if they can access both, they can create a fake vendor account and pay it from the corporate bank account without oversight. And compliance-wise, most regulations require organisations to limit access to data. For GDPR compliance, for instance, an IAM solution must track all access to the personal data collected, and update access rights based on both organisational changes and relevant customer preferences.
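The three controls described above (one identity holding several scoped roles, as with the professor who is also a student; time-limited privileged access; and a separation-of-duties rule that keeps Accounts Receivable and Accounts Payable apart) can be shown in a small access-decision engine. The following is an added, self-contained illustration written for this article; it is not Saviynt’s product code or any real IAM product’s API. The roles, permission strings, identities and the `grades:*` / `grades:self` matching convention are all constructed for the example.

```python
"""Tiny access-decision engine illustrating role scoping, time-bound
access and separation of duties (SoD). Constructed example, not product code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy: role -> set of (action, resource-pattern).
#   "grades:*"    matches any grades record (faculty view)
#   "grades:self" matches only the caller's own grades record (student view)
ROLE_PERMISSIONS = {
    "faculty": {("read", "grades:*")},
    "student": {("read", "grades:self")},
    "accounts_receivable": {("write", "invoices")},
    "accounts_payable": {("write", "vendors"), ("write", "payments")},
}

# Toxic role combinations that must never be active on one identity at once.
SOD_CONFLICTS = {frozenset({"accounts_receivable", "accounts_payable"})}


@dataclass
class Grant:
    role: str
    expires_at: Optional[datetime] = None  # None means standing access

    def is_active(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


@dataclass
class Identity:
    name: str
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # who did what, when (for IGA reporting)

    def active_roles(self, now: datetime) -> set:
        return {g.role for g in self.grants if g.is_active(now)}


def sod_violations(roles: set) -> set:
    """Return every SoD conflict fully contained in the given role set."""
    return {pair for pair in SOD_CONFLICTS if pair <= roles}


def grant_role(identity: Identity, role: str, now: datetime,
               ttl: Optional[timedelta] = None) -> bool:
    """Assign a role, optionally for a limited time; refuse if it would break SoD."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    if sod_violations(identity.active_roles(now) | {role}):
        identity.audit.append(f"{now.isoformat()} DENY grant {role}: SoD conflict")
        return False
    expires = now + ttl if ttl else None
    identity.grants.append(Grant(role, expires))
    identity.audit.append(f"{now.isoformat()} GRANT {role} until {expires}")
    return True


def _matches(identity: Identity, pattern: str, resource: str) -> bool:
    if pattern.endswith(":*"):
        return resource.startswith(pattern[:-1])
    if pattern.endswith(":self"):
        return resource == pattern[:-4] + identity.name
    return resource == pattern


def authorise(identity: Identity, acting_as: str, action: str,
              resource: str, now: datetime) -> bool:
    """Decide a request made in the context of ONE of the identity's roles."""
    allowed = acting_as in identity.active_roles(now) and any(
        a == action and _matches(identity, r, resource)
        for a, r in ROLE_PERMISSIONS[acting_as]
    )
    identity.audit.append(
        f"{now.isoformat()} {'ALLOW' if allowed else 'DENY'} "
        f"{acting_as} {action} {resource}")
    return allowed


def demo() -> dict:
    now = datetime(2022, 10, 3, 9, 0, tzinfo=timezone.utc)
    prof = Identity("alice")                      # professor who is also a student
    grant_role(prof, "faculty", now)
    grant_role(prof, "student", now)
    clerk = Identity("carol")                     # already has Accounts Receivable
    grant_role(clerk, "accounts_receivable", now)
    temp = Identity("dave")                       # two-hour privileged grant
    grant_role(temp, "accounts_payable", now, ttl=timedelta(hours=2))
    return {
        "faculty_reads_student_grade": authorise(prof, "faculty", "read", "grades:bob", now),
        "student_reads_own_grade": authorise(prof, "student", "read", "grades:alice", now),
        "student_reads_classmate_grade": authorise(prof, "student", "read", "grades:bob", now),
        "ap_grant_blocked_by_sod": not grant_role(clerk, "accounts_payable", now),
        "temp_access_active": authorise(temp, "accounts_payable", "write", "payments",
                                        now + timedelta(hours=1)),
        "temp_access_expired": authorise(temp, "accounts_payable", "write", "payments",
                                         now + timedelta(hours=3)),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Note that a request is evaluated in the context of a single role (`acting_as`), so the same person reading grades as a student is scoped to their own record even though their faculty role can read any record. Every grant and decision is appended to the identity’s audit list, which is the raw material the governance side of IAM needs for compliance reporting.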
Governing IAM with IGA
There’s one other key ingredient to an effective IAM strategy. Identity Governance and Administration (IGA) is a branch of IAM that refers to the security processes that govern and manage identities. According to Gartner, “IGA differs from IAM in that it allows organizations to not only define and enforce IAM policy, but also connect IAM functions to meet audit and compliance requirements.” In short, IGA is focused on securing digital identities through the governance and administration of IAM policies and relevant reporting for compliance. IGA also automates applications and data access so security teams can streamline processes, ensure compliance and reduce risks.
Cyber threats aren’t going anywhere, and neither are digital identities. Organisations must therefore ensure they have clear visibility and insight into who is accessing what, and set some access rules and governance so that only the right users are accessing the right thing, at the right time.