The digital technology wave has simplified and streamlined the way that we do business, but it has also put corporations at risk. Data is currency and hacking is profitable. The target of many security breaches is not just financial data; it includes customer data, employee data, and engineering designs. Essentially any digital record can be stolen and sold. Security administrators in many office environments are faced with the challenge of protecting and securing their corporation's sensitive information while balancing usability and access for users. Our market research shows that more organizations are turning to identity and access management (IAM) solutions to address these challenges as the user becomes the new IT perimeter.
Gartner defines IAM as “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.” But there are many things to consider when you are looking for the best solution to address all of the needs of a corporation. When thinking about the right IAM solution for your business, you need to understand all of the moving pieces.
Whenever faced with a project of this scope and scale it is always best to go back to one of the first lessons we all learn in grade school – the 5 W’s (and an H). By using this methodology let’s take a look at some of the key points to consider to ensure that your organization is implementing a solution that will address all of your needs.
I am going to break this out into a couple of posts. These posts are informed by discussions with decision makers at various organizations and the questions that they are asking as they consider the different IAM solutions that are in the market. Let’s start by considering WHY your organization needs an access management solution.
Some of the questions that are raised around WHY an organization needs access management are: What regulatory compliance requirements on data do you have? Have you been breached or are you at risk of a breach? Are you looking to protect a hybrid environment? Has the C-level mandated stricter controls? Are you expanding access to entities outside of your corporation? Do you want to implement a single sign-on (SSO) solution?
Your organization may have industry-driven regulatory compliance requirements that you need to adhere to, whether NIST, GDPR, PCI-DSS, HIPAA, FCA, or another. Many of these regulations require that organizations audit and report on access to sensitive applications and information. A strong IAM solution will have appropriate tracking and reporting, giving complete visibility into your entire infrastructure through a single pane of glass. Many of these guidelines have strict timelines, which we will examine further when we look at the questions of WHEN.
Another strong motivator behind adoption of IAM solutions is the risk of a security breach. This is something that is top of mind and companies globally are making moves to increase security to protect themselves from costly data loss. The cost of a breach exceeds the initial investment of deploying an IAM solution.
Our breach level index report for 2017 revealed that 1.9 million records were exposed as a result of users. Users are regarded as the weakest link in the security chain of an organization. As you consider IAM solutions your organization should look for one that focuses on authorization and authentication of users. We’ll explore this a little further when we consider the questions around WHO and HOW.
Our recent global cloud data security study, conducted with the Ponemon Institute, found that on average organizations are using 27 cloud applications. Expanding to cloud, while convenient, poses security challenges as those resources are no longer internally controlled. Knowing WHAT you need to protect in your environment is critical. The solution you select should provide you with different integration options, allowing you to extend protection to a hybrid deployment. Since many of these cloud applications support SAML authentication, the IAM platform you deploy should have SAML as an integration point to ensure easy deployment.
The desire to implement an SSO solution comes from the desire to improve the user experience. As organizations expand and adopt more applications, it becomes arduous for users to recall which user name and password combination to use for each resource. SSO in its most basic implementation means that the user has one set of credentials that gives them access to everything they need. However, this is risky: if that one credential is compromised, then everything is exposed. The IAM solution that you implement should provide you with a simplified user login experience like SSO without compromising security on sensitive resources. You should have the ability to create policies to enforce strong authentication based on WHEN, WHO, and WHERE the request is coming from.
The solution you select should also be versatile and scalable so that it can grow with your organization's needs as you move into the digital future. Consider an IAM solution provider that offers a cloud solution. The benefits of leveraging an IDaaS or cloud-based access management platform are that it will have gone through ISO 27001:2013 or SOC2 audits, and your organization will have a lower TCO. Cloud solutions are flexible and enable organizations to protect resources no matter WHERE they are, but more on that in a later post.
Whatever your organization's reasons, you need to find an access management solution that you can deploy quickly and easily. The solution should assist you with consolidating the management of access policies for applications across your environment. A robust system will enhance business productivity while reducing the complexity of your security solution and protecting users in the organization. We’ll explore this more in Part #2, where we look at WHO and WHAT you need to protect.
Learn how Gemalto’s access management solutions can help you address regulatory compliance or see how quick and easy it is to protect your environment with our hosted access management solution SafeNet Trusted Access.