A recent report by Forrester tells us that 80% of security breaches today involve privileged credentials (Source: Forrester). That number is staggering but not entirely surprising. That’s because modern enterprise networks have expanded and spilled over beyond traditional perimeters and outside the safety net of endpoint security and enterprise firewalls. Today’s technology and business landscape is instead rife with BYOD devices, mission-critical apps (accessed both on-premises and in the cloud), and a remote workforce that requires always-available mobile connectivity. In this environment, pre-cloud and pre-virtualization security is no longer adequate to keep security breaches at bay and hackers from uncovering corporate identities.
Identity and access management (IAM) solutions have emerged to help close the door to these security exploits and to reinforce compliance by protecting users’ access in multi-perimeter environments. The trick is to select and implement an IAM solution that protects and manages digital identities while also providing identity governance, security policy enforcement, and user-based access control. Before moving forward with an IAM framework, watch out for these common missteps to avoid scope creep and cost overruns.
- Incomplete enterprise risk assessment: During the IAM planning phase, it’s imperative to identify key business objectives and perform a complete enterprise risk assessment. This includes identifying all infrastructure components as well as performing data classification. This will help determine proper access management policies. The process includes identifying what data should be protected (i.e. determining if it is high risk, such as customer or financial data, or if it’s lower risk). It’s also imperative to decide who owns that data and what business units are authorized to access which data sets. Failing to account for the dynamic demands of users who are accessing IT assets, and identifying user access that’s not in sync with business unit leaders, will put the IAM initiative at risk.
- Failing to future-proof IAM: One of the most critical mistakes an organization can make is underestimating the impact of managing mobile devices in the enterprise. This includes evaluating how mobile access and Enterprise Mobility Management (EMM) strategies and solutions will eventually fit into the overall enterprise security plan and IAM solution set. Going forward, in addition to authorizing and authenticating user identities, identity and access management will expand to include access to applications and devices. In other words, internal corporate resources will need to be accessed by managed and unmanaged hardware devices. This is an important distinction to make when evaluating IAM solutions because today many IAM frameworks use the identity of the user, without accounting for the identity of the mobile device. Look ahead to see how IAM solutions will converge with evolving EMM tools. This is particularly important for extending identity management to applications and devices for authorized machine-to-machine (M2M) communication.
- Lack of interoperability with existing systems: A mixed platform environment with diverse applications, infrastructure, and apps is the new norm for the modern enterprise. An IAM solution touches many of these environments, so it’s important that they work well together. Essential IAM capabilities like single sign-on (SSO), user provisioning, password management, and audit process improvement touch heterogeneous systems in the enterprise. Look for systems that offer automated provisioning of accounts, fulfillment of access requests, and automated policies and workflows regardless of the existing IT systems in place. It may make sense to keep IAM systems and the directory of authentication credentials on an isolated server or cloud instance.
- Ignoring other users: It’s important to remember that IAM solutions go beyond authenticating and authorizing employee access to applications, data, and devices. Other legitimate users across an organization may also require access to get work done and build connections. Look for IAM solutions that can scale to address the needs of internal employees as well as guests, partners, and customers.
Today’s successful enterprises are leveraging IAM solutions to provide seamless and secure access to enterprise applications and data from an array of devices, platforms, and networks. Getting there requires ensuring the IAM solution is scalable, comprehensive, and, most importantly, aligned with the organization’s most strategic goals. By integrating IAM into an overall enterprise security strategy, organizations can efficiently meet project milestones and, in doing so, strengthen the privacy and security of enterprise assets.