IAM in the Modern Security Age

This group broke their discussion up into “Identity Management” and “Access Management/Privileged Access” as two separate pieces, and addressed Identity Management first. Back in the “good old days,” identifying users was a little easier—there were employees in one group, and the other group consisted of “everyone else.” Managing users is trickier now because that other group is much larger and consists of many different types of people and non-people: partners, statement-of-work individuals, bots, various types of accounts, and so on. All of these entities function differently within the system, and that leads to challenges on the Access Management side, because they all require different levels of access to company data and infrastructure.

The group then asked: who owns the responsibility of doling out that privileged access? In the earlier years of security, responsibility ran in a straight tiered line up the corporation. Now it is not so simple, as companies have grown so large that the structure is no longer linear. More and more, that responsibility lands directly in the lap of the CISO and the cybersecurity/IT team—and maintaining a balance of “proper privileged access” alongside “ease of system use” can be an ongoing battle for those teams. Unfortunately, that is still not an easy task. It is their job to ensure an employee’s access is revoked in areas where they do not belong, which can frustrate employees who perhaps do not understand the scope of what they are requesting, or who are impatient with the process they must follow to obtain the access they are due. However, teams must be vigilant, because privileged access to systems should not be handed out lightly. It is, as one group member noted, the kind of access that lets its holder circumvent the normal security process to obtain information directly—which is no small privilege to obtain!

Boundaries must still be built even within that access, so that no one holds a “skeleton key” to all the doors in the system. It is an ongoing, careful process, and security teams must maintain firm IAM to minimize overall risk while maximizing the efficiency of the process as best they can.
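To make the “boundaries within privileged access” point concrete, here is an added illustration (not from the discussion group) of a small access check in which privileged grants are scoped to a single system, time-limited, capped by identity category, and dropped when the principal is deactivated. The category ceilings and the 90-day re-approval window are assumed policy values, not anything the group stated.

```python
"""Scoped privileged-access check (added illustration; policy values are assumed)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Identity categories named in the discussion. Which roles each may hold is an
# assumed policy: only employees may hold the privileged "admin" role here.
PRIVILEGE_CEILING = {
    "employee": {"admin", "operator", "reader"},
    "partner": {"operator", "reader"},
    "sow": {"operator", "reader"},       # statement-of-work individuals
    "bot": {"operator", "reader"},
}
PRIVILEGED_ROLES = {"admin"}
MAX_PRIVILEGED_DAYS = 90                 # assumed re-approval window

@dataclass(frozen=True)
class Grant:
    role: str       # "admin" is privileged
    scope: str      # must name one system; "*" would be a skeleton key
    expires: date

@dataclass
class Principal:
    name: str
    kind: str       # employee | partner | sow | bot
    active: bool = True
    grants: list[Grant] = field(default_factory=list)

def validate_grant(p: Principal, g: Grant, today: date) -> list[str]:
    """Return every reason a grant is unacceptable; an empty list means it is fine."""
    problems = []
    if g.role not in PRIVILEGE_CEILING[p.kind]:
        problems.append(f"{p.kind} may not hold role {g.role}")
    if g.scope == "*" or g.scope.endswith("*"):
        problems.append("scope is a skeleton key; name a single system")
    if g.expires <= today:
        problems.append("grant already expired")
    if g.role in PRIVILEGED_ROLES and (g.expires - today).days > MAX_PRIVILEGED_DAYS:
        problems.append(f"privileged grants must be re-approved within {MAX_PRIVILEGED_DAYS} days")
    return problems

def is_allowed(p: Principal, role: str, system: str, today: date) -> bool:
    """True only for an active principal holding a valid grant for exactly this system."""
    if not p.active:                     # revocation: deactivation removes all access
        return False
    return any(g.role == role and g.scope == system and not validate_grant(p, g, today)
               for g in p.grants)

def skeleton_keys(principals: list[Principal]) -> list[str]:
    """Audit helper: grants whose scope covers every system."""
    return [f"{p.name}:{g.role}" for p in principals for g in p.grants if g.scope == "*"]
```

The `skeleton_keys` audit is the kind of periodic check a security team can run to find grants that quietly became “all the doors” over time.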