End-users are becoming increasingly mobile, and relying on more applications than ever before. With the growth of cloud and mobile services, traditional Identity and Access Management (IAM) solutions are less effective at managing access.
It’s easy to let the complexity of cloud, mobile, hybrid, and all the panoply of new options make your head spin. But there are three things you can focus on that will keep your Identity and Access Management program on track, regardless of what they throw at you.
Granting the Access Users Need, But Only What They Need
First, remember that in the end, this is all about making sure users can access the information they need for their jobs. That may seem like it just says “build SSO”, but it’s far from it. Everything from the provisioning that sets up access, to the governance that ensures access is valid, to the review that ensures access is in line with regulations is implied.
What this is really about is asking yourself one guiding question: what is needed to ensure that users get access when they require it and have that access restricted when the organization requires it? With all the fancy tricks IAM can perform, this basic idea often gets lost in the shuffle. As the systems move outside of organizational control at their lowest layers into the cloud, and at their highest layer onto mobile devices, ensuring this basic question about identity and access is well answered will be your first line of defense.
Don’t Forget About Privileged Access
Second, it’s important to understand that not all identities and not all access are created equal. Traditional, on-premises vendors made it easy for you to see end-user access and administrative user access as two distinct fields. Often there were wholly different interfaces and methods of authentication for each. Increasingly, those differences are disappearing as the cloud-led application world simply serves up different options, depending on what identity you use when you enter the applications.
This means that it will be up to you to ensure that the privileged “god level” access that is so crucial to protect and control is being given proper attention. All other identity in your world is mapped to people, and the policy and regulations that apply to it are derived from that person and their role. But privileged identities are not tied directly to humans, and the policy and regulations that apply to them are extremely different. So you must have a focused practice to manage all aspects of these privileged IDs, which may leverage much of the same plumbing as the end users, but will have extra layers of protection, monitoring and control. This is corporate password management, as opposed to traditional user password management.
Identity is the New Perimeter
Finally, Identity and Access Management must become a primary – not a secondary – security defense. Identity has long been driven by compliance, operations and end-user convenience. Everyone knew it was partially about security, but the real security game was the perimeter. That’s all changed. You have to make decisions about IAM in which you see it as the primary source of security.
Identity is the new perimeter. You don’t VPN into your systems and then log into applications. Instead, you go to the SaaS provider’s site and log right in. You don’t go to a special kiosk and access your corporate system. Instead, you whip out your smart phone and get access right where you stand on whatever network you happen to be connected to. It is the identity you log in with and the access you’re granted that acts as the primary security in these cases.
So IAM must now be security before anything else. As you make choices about it, make sure you take into account all the things IAM is, but put the security piece at the top of the list.
If you can build your Identity and Access Management program around ensuring proper and efficient end-user access, keeping privileged access in check, and treating IAM as the organization’s perimeter defense, then you will get all the other details right along the way.