In today's cloud environments, connected by a multitude of devices and networks from virtually anywhere in the world, productivity through connectivity is how businesses stay innovative and competitive. That connectivity, however, demands a new level of due diligence: companies need controls designed specifically to manage who can access what, so that true cyber resilience is maintained.
As clear as the need is, Identity and Access Management (IAM) can be one of the most difficult aspects of security for modern businesses to manage. With so many employees, contractors, consultants and others coming and going, the question for many companies is simply: "Who, exactly, has access to our network, what do they have access to, and who actually knows who these people are?"
The number of times that we, as cyber security solutions experts, have uncovered "rogue" access is nothing short of astonishing. To be clear, I'm not referring to anything nefarious; in fact, the opposite. In the majority of these cases, it is a lack of oversight, a lack of due diligence and a lack of technology that lead to the issues.
One of the most common examples involves contractors and consultants. These people have done nothing wrong and have no intention of doing so; they complete their contracts and move on. Long after they are gone, however, their access to corporate networks remains. Perhaps the manager forgot to request its removal, perhaps IT was responsible yet was never told the access had to go, perhaps it was Human Resources. Whatever the case, people had access who should not have. And it goes much further than that.
Contractors and consultants are the easy targets for access issues, but full-time employees are just as much a part of the problem. In many instances, our professional services team discovers access issues that are beyond obvious. Lateral moves are one of the biggest culprits. As people move from one department to the next, the information they need for the new job often has nothing to do with the information associated with their previous position, yet the old entitlements are rarely revoked. Every internal move that keeps previous access rights widens the set of data a single compromised or misused account can reach, and with it the potential for a data breach.
And, as a final yet almost humorous example, I have personally seen active access held by people who have left the company. From dismissals, to people who have moved to other organizations, to retirees, the lack of due diligence paired with the lack of technology can be a frightening combination.
In many of these instances there is one major culprit: ownership of the technology that enables IAM. Companies suffer because it is unclear who owns the system and, more importantly, who has the authority to create and remove access as needed. In many cases IT owns the technology, but the administrative side of the process resides entirely outside the IT department, and everyone from supervisors and directors to Human Resources owns (at least in part) the process of granting and removing access.
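The three stories above (departed contractors, lateral moves, people who have left) are all found by the same check: reconcile every enabled directory account against the HR roster and a per-department role model, and flag what does not line up. The script below is a constructed example added to this post; it is not Calian's tooling or anything from the original article. The HR records, account list, group names and the 90-day dormancy threshold are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Role model (assumption for this example): the groups each department
# legitimately needs. In a real review this comes from the business owner.
ROLE_MODEL = {
    "Finance": {"fin-ledger-rw", "vpn"},
    "Marketing": {"mkt-cms", "vpn"},
    "Engineering (contract)": {"git-ro", "vpn"},
}

DORMANT_AFTER = timedelta(days=90)  # assumed threshold for "unused" accounts


@dataclass
class Person:
    """One HR roster record (constructed for the example)."""
    hr_id: str
    department: str
    status: str  # "active" or "terminated"


@dataclass
class Account:
    """One directory account (constructed); owner_id links to Person.hr_id."""
    username: str
    owner_id: str
    enabled: bool
    groups: set
    last_login: Optional[date]


def review_access(people, accounts, today):
    """Reconcile directory accounts against the HR roster and role model.

    Returns a list of (finding, username, detail) tuples:
      no_owner           - enabled account with no HR record behind it
      orphaned           - owner has left, but the account is still enabled
      excess_entitlement - groups the owner's current department does not need
      dormant            - enabled account unused for longer than DORMANT_AFTER
    """
    roster = {p.hr_id: p for p in people}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: nothing to revoke
        owner = roster.get(acct.owner_id)
        if owner is None:
            findings.append(("no_owner", acct.username, "no HR record for owner"))
            continue
        if owner.status != "active":
            findings.append(("orphaned", acct.username,
                             f"owner {owner.hr_id} is {owner.status}"))
            continue
        # Lateral-move check: anything beyond the current department's needs.
        excess = acct.groups - ROLE_MODEL.get(owner.department, set())
        if excess:
            findings.append(("excess_entitlement", acct.username, sorted(excess)))
        # Dormancy check: never used, or not used within the threshold.
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings.append(("dormant", acct.username, f"last login {acct.last_login}"))
    return findings


# Constructed sample data for the review.
REVIEW_DATE = date(2020, 11, 30)

PEOPLE = [
    Person("E100", "Finance", "active"),
    Person("E101", "Marketing", "active"),  # moved here from Finance
    Person("C200", "Engineering (contract)", "terminated"),  # contract ended
    Person("E102", "Finance", "terminated"),  # left; account was disabled
    Person("E103", "Marketing", "active"),
]

ACCOUNTS = [
    Account("alice.a", "E100", True, {"fin-ledger-rw", "vpn"}, date(2020, 11, 27)),
    Account("bob.b", "E101", True, {"fin-ledger-rw", "mkt-cms", "vpn"}, date(2020, 11, 28)),
    Account("carol.c", "C200", True, {"git-ro", "vpn"}, date(2020, 6, 29)),
    Account("dave.d", "E102", False, {"fin-ledger-rw", "vpn"}, date(2020, 3, 2)),
    Account("svc-legacy", "X999", True, {"vpn"}, None),
    Account("erin.e", "E103", True, {"mkt-cms", "vpn"}, date(2020, 5, 1)),
]

if __name__ == "__main__":
    for kind, user, detail in review_access(PEOPLE, ACCOUNTS, REVIEW_DATE):
        print(f"{kind:20} {user:12} {detail}")
```

Run against the sample data, the review flags bob.b for keeping the Finance ledger group after his move to Marketing, carol.c as an orphaned contractor account, svc-legacy as an account nobody in HR owns, and erin.e as dormant; alice.a is clean and dave.d is skipped because his account was already disabled. Each finding maps directly to one of the ownership questions in the text: who should have removed it, and who is accountable for it now.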
So, what is the solution? The best approach to IAM always starts with people, then process, and only then technology. Once people have been trained on effective processes and policies, I recommend solutions that automate those processes and make them more efficient. Technology comes last, when we automate and improve the process of granting and removing access.
Furthermore, IAM and Privileged Access Management (PAM) are not products; they are processes. Business needs must be identified and defined before an appropriate solution can be recommended. And lastly, always concentrate on a well-defined and proven discovery process that provides the level of detail needed to select the solution that best meets your needs, budget and timeline.
The journey to IAM is one of self-discovery, both figuratively and literally. In the end, it should lead to peace of mind. In today's business environment it really is all about control, and as the title says: Control your access—control your world.