In today's modern cloud environments—all connected by a multitude of devices and networks from virtually anywhere in the world—productivity through connectivity is the only way for businesses to remain innovative and competitive. However, with that connectivity must also come a new level of due diligence where companies require an entirely new set of business intelligence mechanisms—ones designed entirely to manage access to ensure true cyber resilience is maintained.
However, as much as the need is clear, Identity and Access Management (IAM) can be one of the most difficult aspects for modern businesses to manage. After all, with so many employees, contractors, consultants, and more coming and going, the question for so many companies can simply be, “Who, exactly, has access to our network, what do they have access to, and who knows who these people are?”
The countless times that we as cyber security solutions experts have uncovered "rogue" access is nothing short of astonishing. And to be clear, I'm not referring to anything nefarious—in fact the opposite. In the majority of these cases, it's more about a lack of oversight, due diligence, and a lack of technology that leads to the issues.
For example, one of the most common cases is that of contractors and consultants. At no time have any of these folks done or planned to do anything wrong. They complete their contracts and move on. However, long after they are gone, their access to corporate networks remains. Perhaps the manager forgot to remove the access, perhaps it was IT that was responsible yet unaware that access was to be removed, perhaps it was Human Resources. Whatever the case, it doesn't change the fact that people had access who shouldn't have. But it goes much further than that.
Aside from contractors and consultants (those are easy targets for access issues), there are also full-time employees. In so many instances, our professional services team discovers access issues that are beyond obvious. Lateral moves are one of the biggest culprits in organizations as it pertains to access. As people move from one department to the next, the information that they require to do their new job often has nothing to do with the information associated with their previous position. This means that the potential for a data breach can increase exponentially as people migrate within a company while retaining their previous access rights.
And, as a final yet almost humorous example, I’ve personally seen active access by those who have left the company. From dismissals, to people who have left for other organizations, to retirees, the lack of due diligence paired with the lack of technology can be a frightening combination.
In many of these instances there is one major culprit: the technology that enables IAM in the first place. Many companies suffer because of the question of who owns the system and, more importantly, who has the ability to create and remove access as needed. In so many cases, IT may own the technology, but the administrative aspects of the processes may reside completely outside the IT department. And everyone from supervisors and directors to Human Resources may own (at least in part) the process of granting and removing access.
So, what's the solution? The best approach to IAM should always start with people, then process, followed by technology. After training people on effective processes and policies, I recommend solutions to automate and improve the efficiencies of these processes and policies. Technology comes at the end when we automate and improve the process of granting and removing access.
Furthermore, IAM and Privileged Access Management (PAM) are not products; they are a process. Business needs must be identified and defined to recommend an appropriate solution. And lastly, always concentrate on a well-defined and proven discovery process that provides the level of detail needed to consider the best solution that will meet your needs, budget and timeline.
The journey to IAM is one of self-discovery—both figuratively and literally. In the end, it should lead to peace of mind. In today's business environment it really is all about control and as the title says: Control your access—control your world.