Identity and access management (IAM) should be at the heart of any organization’s cybersecurity strategy. It’s an essential component in supporting the delivery and security of digital services and assets, including access to data, applications, and other enterprise resources, such as servers, network appliances, and database systems. Getting IAM right reduces an organization’s risk of data breaches involving identities and enables increased productivity and collaboration. IAM programs also ensure that regulatory compliance is systematically managed and achieved. Getting there, however, takes deliberate planning because the implications of IAM extend well beyond the traditional enterprise corporate network. Avoiding silos requires that organizations plan carefully to incorporate an enterprise vision for access management based on authorization and role management, biometrics, and federated identity. Planning an identity and access management program that meets security, compliance, and business agility goals can be complicated, but it’s much easier when following these best practices.
Evaluating current IT architecture for IAM strategy development - With existing IT and network architecture as the base, organizations should consider what their future IT environment might look like. They need to consider these questions:
Are they adding Software-as-a-Service applications, mobile and social technologies, private or hybrid cloud infrastructures?
Are they supporting BYOD, or do they have plans for the Internet of Things (IoT)?
If the answer to either of these questions is “yes,” these technologies should be worked into an IAM plan.
Organizations should also look at their access needs, which depend on the types of users within the company (i.e., employees, partners, contractors, and customers), how much variability there is in access requirements, and where user identities are stored. Risk factors for data breaches and compliance requirements for protecting data should also be considered, taking into account the industry the company is in as well as the country, or countries, of operation. By taking these steps, organizations can identify security gaps in the architecture and determine the most pressing vulnerabilities. Identifying these areas early shows organizations where they should be focusing, rather than leaving them to address only the issues that are currently getting the most attention. In addition, security teams can uncover opportunities to bring higher value to the lines of business supported by the IAM program.
Building an IAM roadmap and tool evaluation - Once companies have a clear understanding of their IAM program goals, it’s time to design a roadmap and start evaluating the IAM tools that best meet those goals. IAM systems should be flexible and robust enough to accommodate the complexities of the computing environment and support centralized management of users in a scalable way across the enterprise. The IAM solution should automate authentication and the granting of appropriate access privileges based on the user's role. IAM systems can run in the cloud, on-premises, or as a hybrid of both, giving companies significant options when it comes to deployment. As more applications move outside the firewall and into the cloud, cloud identity management solutions are an attractive option because they bring new capabilities, reduce the burden on internal IT teams, lower the total cost of ownership, and improve the user experience. When building an IAM program, many organizations start with authentication, identity assurance, and single sign-on. Next, they move to provisioning, directory services, audit, compliance, and password management.
Laying the groundwork for a successful implementation - Once teams ensure compatibility between their current operating systems, third-party applications, web servers, and IAM tools, they can integrate access control devices, including card readers and other access hardware, with IAM solutions. IAM leaders should also designate user roles and define an individual’s or group’s access privileges and restrictions. IAM tools that verify end users’ identity using advanced authentication methods, such as biometrics, mobile-optimized push notifications, or hard tokens, can help administrators achieve good identity assurance.
In an environment where security threats have become more sophisticated and compliance pressures continue to grow, companies need to find smarter ways to make identity and access management programs more adaptive, proactive, and intelligent. Getting there means implementing an IAM roadmap that effectively manages regulatory compliance and grants authorized users seamless access to the applications and data they need - ultimately supporting a more agile and collaborative workforce.