June 24, 2021
The Identity and Access Management Journey
Breaking IAM down into three stages: assessing foundational elements, putting in place essential controls and operationalizing the IAM program.
Identity and access management (IAM) is a cornerstone in every organization’s cybersecurity program, specifically for those looking to adopt a zero-trust security model. IAM ensures that the right individuals get access to the right resources at the right time for the right reasons. These efforts share the common guideline of “never trust, always verify” and continuously monitor and validate that a user and the device used have appropriate access.
Building an IAM program can be broken down into three stages: assessing foundational elements, putting in place essential controls and, finally, operationalizing the IAM program. Let’s take a moment to explore each of these in more detail.
Foundational Security Concepts
As organizations get started with formal IAM programs, the best place to begin is with an assessment. Every organization already has some IAM elements in place, and an IAM program maturity assessment will look at existing controls and processes and identify areas for improvement moving forward. The assessment provides a roadmap for the IAM program, helping move the organization toward a fully operational IAM effort.
The IAM program maturity assessment will identify gaps in core enterprise security controls (e.g., directory services, firewall architecture, remote access), identity governance, access management and privilege account management (PAM). Ensuring that the organization has foundational enterprise security controls is the first building block in the IAM program journey.
Essential IAM Controls
Once an organization has foundational security controls in place, it can move on to building out the core elements of an IAM program (PAM, single sign-on and adaptive authentication). PAM is often seen as the most critical in reducing cyber risk and achieving high security ROI. Building in more granular visibility, control and auditing capabilities over privileged identities and activities is essential in the IAM program journey.
Establishing a single sign-on (SSO) service provides identification, authentication and authorization services for the enterprise. Modernizing applications to leverage SSO is a crucial step in the IAM journey. Moving legacy applications to SSO not only gains the benefits of centralized authentication, it also improves the user experience and adds the protection of adaptive authentication, selecting the right authentication factors based on a user’s risk profile.
Operationalizing the IAM Program
Organizations with mature IAM programs can then turn to an IAM program maturity model to adopt continuous improvement over time. They can then adopt a zero-trust security model, introduce identity governance controls, apply least-privilege and role-based access and advance to continuous adaptative authentication. This continuous improvement phase also introduces new opportunities for automation efforts around identity governance and privileged account management.
Strong IAM programs draw on the talents of many different technology professionals, so it’s important to take a full-stack approach to this work. Identity and access management specialists should leverage a full roster of cross-IT subject matter experts (network security, endpoint, application architecture and cloud computing).