In today's modern cloud environments—all connected by a multitude of devices and networks from virtually anywhere in the world—productivity through connectivity is the only way for businesses to remain innovative and competitive. However, with that connectivity must also come a new level of due diligence where companies require an entirely new set of business intelligence mechanisms—ones designed entirely to manage access to ensure true cyber resilience is maintained.
However, as much as the need is clear, Identity and Access Management (IAM) can be one of the most difficult aspects for modern businesses to manage. After all, with so many employees, contractors, consultants, and more coming and going, the question for so many companies can simply be, “Who, exactly, has access to our network, what do they have access to, and who knows who these people are?”
The number of times that we, as cyber security solutions experts, have uncovered "rogue" access is nothing short of astonishing. And to be clear, I'm not referring to anything nefarious—in fact the opposite. In the majority of these cases, the issues stem from a lack of oversight, a lack of due diligence, and a lack of technology.
For example, one of the most common is that of contractors and consultants. At no time have any of these folks done, or planned to do, anything wrong. They complete their contracts and move on. However, long after they are gone, their access to corporate networks remains. Perhaps the manager forgot to remove the access; perhaps IT was responsible yet unaware that the access was to be removed; perhaps it was Human Resources. Whatever the case, it doesn't change the fact that people had access who shouldn't have. But it goes much further than that.
Aside from contractors and consultants—those are easy targets for access issues—there are also full-time employees. In so many instances, our professional services team discovers access issues that are beyond obvious. Lateral moves are one of the biggest culprits in organizations when it comes to access. As people move from one department to the next, the information they require to do their new job often has nothing to do with the information associated with their previous position. This means that the potential for a data breach can increase exponentially as people migrate within a company while retaining their previous access rights.
And, as a final yet almost humorous example, I’ve personally seen active access by those who have left the company. From dismissals, to people who have left for other organizations, to retirees, the lack of due diligence paired with the lack of technology can be a frightening combination.
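As an added illustration (not part of the original post), here is a reconciliation check that compares a constructed HR roster against a constructed IAM directory export and flags the three situations just described: contractor accounts still enabled after their end date, accounts of dismissed or departed employees that were never disabled, and group memberships left over from a previous department after a lateral move. The record layout, the names and the group-to-department ownership table are all assumptions.

```python
from datetime import date

# Constructed HR roster: who the organisation currently employs, in which
# department, and whether their engagement has ended. Not real data.
HR_ROSTER = {
    "alice": {"type": "employee", "status": "active", "department": "finance", "end_date": None},
    "bob": {"type": "employee", "status": "active", "department": "engineering", "end_date": None},
    "carol": {"type": "contractor", "status": "ended", "department": "marketing", "end_date": date(2023, 3, 31)},
    "dave": {"type": "employee", "status": "terminated", "department": "finance", "end_date": date(2023, 6, 15)},
}

# Constructed IAM export: enabled flag and group memberships per account.
# "erin" has no HR record at all; nobody knows who this account belongs to.
IAM_ACCOUNTS = {
    "alice": {"enabled": True, "groups": ["finance-ledger"]},
    "bob": {"enabled": True, "groups": ["eng-repos", "sales-crm"]},  # moved from sales
    "carol": {"enabled": True, "groups": ["marketing-assets"]},
    "dave": {"enabled": True, "groups": ["finance-ledger", "vpn-users"]},
    "erin": {"enabled": True, "groups": ["vpn-users"]},
}

# Assumed ownership of each group; "all" marks a company-wide group.
GROUP_OWNER = {
    "finance-ledger": "finance", "eng-repos": "engineering", "sales-crm": "sales",
    "marketing-assets": "marketing", "vpn-users": "all",
}


def find_rogue_access(hr, iam, today):
    """Return (account, category, detail) findings for enabled accounts."""
    findings = []
    for user, acct in iam.items():
        if not acct["enabled"]:
            continue  # already disabled, nothing to review
        person = hr.get(user)
        if person is None:
            findings.append((user, "orphan", "enabled account with no HR record"))
            continue
        ended = person["end_date"] is not None and person["end_date"] < today
        if person["status"] != "active" or ended:
            findings.append((user, "departed",
                             f"{person['type']} {person['status']} {person['end_date']}, account still enabled"))
            continue
        for group in acct["groups"]:
            owner = GROUP_OWNER.get(group, "unknown")
            if owner != "all" and owner != person["department"]:
                findings.append((user, "lateral-move",
                                 f"{group} is owned by {owner}; user now in {person['department']}"))
    return findings
```

Running `find_rogue_access(HR_ROSTER, IAM_ACCOUNTS, date(2023, 9, 7))` yields four findings: bob's leftover sales group, carol's ended contract, dave's terminated account, and the orphan erin.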
In many of these instances there is one major culprit: the technology that enables IAM in the first place. Many companies suffer because of the question of who owns the system and, more importantly, who has the ability to create and remove access as needed. In so many cases, IT may own the technology, but the administrative aspects of the processes may reside completely outside the IT department. And everyone from supervisors and directors to Human Resources may own (at least in part) the process of granting and removing access.
So, what's the solution? The best approach to IAM should always start with people, then process, followed by technology. After training people on effective processes and policies, I recommend solutions to automate and improve the efficiency of these processes and policies. Technology comes at the end, when we automate and improve the process of granting and removing access.
Furthermore, IAM and Privileged Access Management (PAM) are not products; they are a process. Business needs must be identified and defined before an appropriate solution can be recommended. And lastly, always concentrate on a well-defined and proven discovery process that provides the level of detail needed to select the solution that best meets your needs, budget and timeline.
The journey to IAM is one of self-discovery—both figuratively and literally. In the end, it should lead to peace of mind. In today's business environment it really is all about control and as the title says: Control your access—control your world.