IAM is the future for managing data security
Why identity and access management is taking centre stage in companies’ access policies
With the availability of high-performance computer resources, hackers can crack even the most complex passwords, making them completely inadequate to protect application login and data access.
There are a number of trends driving the adoption of identity and access management (IAM) tools to counter this threat.
You can plug your password into How secure is my password.net and find that a password consisting of four lower-case characters and two digits currently takes 0.5 seconds to crack. In three to five years, biometric and behavioural authentication will eliminate the need for passwords for high-risk transactions.
Protecting corporate information and applications on mobile devices, such as smartphones and tablets, is only possible with a good, reliable identity context.
Bring your own device (BYOD) further amplifies the need to address not just identity on-boarding, transfer and off-boarding processes, but also device (personally owned laptop, tablet, and so on) hardware and manufacturer limitations.
Workload integration and security
Also, cloud workload integration and security is impossible without IAM. Integrating on-premise workloads (app and data) with cloud-based workloads is not just difficult, but outright impossible if user information (attributes, permissions, groups and group memberships) is not shared reliably and securely with cloud platforms such as Amazon Web Services (AWS) and Microsoft Azure.
That is why these cloud providers and identity as a service (IDaaS) suppliers are now providing cloud-based user repositories. IAM helps with corralling users into a single authentication scheme and centrally controlling how users log into software as a service (SaaS) applications.
IAM has always sought the answers to the questions “Who has access to what and why?” and “How do I enforce access policies?”
You might think every organisation should be able to answer these questions quickly and correctly, but, unfortunately, you would be wrong. Historically, implementing a mature, commercial IAM system has been complex and expensive, with services-to-licences cost ratios often exceeding 2:1 or even 3:1.
Identity governance
The advent of IDaaS offerings alleviates much of the complexity traditionally associated with implementing IAM, but today they do not offer the same level of identity governance and mobility security capabilities as can be found in on-premise IAM tools.
IT security professionals must still integrate many other IAM-related solutions that provide two-factor authentication (2FA), privileged identity management (PIM) and other capabilities. But despite this complexity, demand for IAM systems remains strong.
They mitigate data breaches, which can be very costly. Since its data breach in September 2014, US retailer Home Depot has incurred a reported $232m in related costs, with a net expense of $132m after a $100m cyber insurance payout.
IAM systems prevent hackers from escalating privileges and gaining access to sensitive applications and data once they have compromised an employee’s credentials. They can also mitigate the reach of malicious insiders.
IAM also helps to achieve regulatory compliance. Auditors are getting smarter about enforcing regulatory compliance. IAM helps to satisfy compliance mandates around separation of duties, enforcing and auditing access policies to sensitive accounts and data, and making sure users do not have excessive privileges.
It can also improve employee productivity and reduce helpdesk costs. Good IAM processes and tools alleviate employee and customer frustration by letting users log in faster, such as by using single sign-on (SSO).
Good processes and tools also help users to be more effective by offering self-service for resetting passwords and updating user profiles – phone numbers, email addresses and other preferences. Automated self-service also reduces the cost of fielding IAM-related calls at the helpdesk.
IAM also provides invaluable information about how employees and customers have accessed applications – who logged in when and what data they accessed. Firms can use this information not only for security and forensics purposes, but also to understand typical patterns of interaction: How employees work and how customers buy products and conduct transactions on the company’s website and mobile apps.
This understanding is key to simplifying, improving and optimising employee and customer experiences, leading to better business agility and a greater competitive edge for the company.
Identity is getting more complex
Data breaches, compliance requirements and the need to increase and support business agility won’t go away. In fact, these requirements not only apply to on-premise workloads but also to mobile, cloud and internet of things (IoT) environments.
Zero-trust networks require identity because the identity context drives how users gain or are denied access to resources. If you can’t log into a website, can’t reset your password easily or are declined too often in your payment transactions, it will have an immediate, negative effect on your digital experience (DX).
Forrester’s inquiries and interviews with clients show customer IAM (CIAM) and the potential impact on DX is a major concern for business-to-consumer (B2C) firms. Solutions such as risk-based authentication help with forcing 2FA for risky customer login attempts while leaving the other 99% of well-behaved customers alone. This shows how advanced IAM solutions can help balance DX with security.
Connected gadgets, cars, household appliances, electrical devices and meters all have their own identity, and IT security professionals must tie them to a human being who manages or owns these devices. For example, deregistering a used car’s IoT devices from the previous owner and registering them to the new owner’s fleet of devices poses security challenges related to device and human identity verification, enrolment, credential management and data protection. IT security professionals need IAM tools to control access to IoT devices and protect the data they generate.
IAM needs to take centre stage in a world where the network perimeter is all but gone and identity is the new perimeter. With network and organisational boundaries disappearing and people working from hotel rooms and cafés, IAM has become the primary factor for ensuring that only authorised people from authorised locations access authorised resources.
As a result, identity is a key factor in the context that defines today’s access policies.
This article is an extract from Forrester’s TechRadar: Identity and access management (IAM), Q1 2016, by security and risk analysts Andras Cser and Merritt Maxim.