We often think cybersecurity is about technology, but it’s really about people. If it weren’t for people with malicious intentions, we wouldn’t need cybersecurity. What’s more, it’s people who are doing the work—creating, sharing and controlling where the data goes.
So it makes perfect sense that the next wave in security is all about people. Zero-trust practices transform security from a castle wall perimeter approach to access control based on individual identity. Each connection is untrusted until the user can authenticate themselves.
In a remote work environment, the human factor makes identity and access management (IAM) the new cornerstone of organizational security. The idea behind IAM is to provide authorized users access to the data they are approved to access when they need to access it—and to keep unauthorized users out.
Identity and access management is the set of processes, policies and tools that enable an organization to control who is allowed to access organizational information—and which resources they are allowed to access. In today’s complex world of digital business, the “who” may be employees, contractors, business partners, or customers.
Examples of IAM tools are solutions that facilitate multifactor authentication, single sign-on, and privileged access management. Policies should be based on cybersecurity principles such as least privilege and separation of duties. Processes should include practices such as deactivating stale accounts and removing access for outgoing users.
IAM has taken on greater importance with the shift to remote work forced by the COVID-19 pandemic. With employees requiring access to organizational resources from home, companies transitioned to the cloud to facilitate this access. Gone was the security that came with resources and users inside the office perimeter. Each connection now needs to be verified, and access to resources managed individually.
Nearly 80% of cyber attacks leverage identity-based attacks to compromise legitimate credentials and use techniques like lateral movement to quickly evade detection, according to CrowdStrike’s 2022 Global Threat Report. A well-managed IAM program verifies users are who they claim to be, preventing attackers from gaining access using compromised credentials.
“Most of today’s cyber attacks involve some element of IAM, realistically,” says Thomas Blanchet, VP of Digital Enterprise, Cloud and Cyber Security at Harman International. “There are many vital components to a strong security posture, and IAM is one of them. If IAM is not managed properly, you’re at risk.”
There is no one right approach to IAM—different organizations are at various stages of implementation, use different technologies in their initiatives, and start in different places.
Chris Burrows, CISO at Rocket Central, ranks IAM as one of his team’s top priorities. He estimates around 20% of his security team of over 100 employees is focused on IAM, constantly working to ensure all 30,000 team members across the Rocket family of companies have access to what they need when they need it.
“We’ve got a philosophy of ‘Be better tomorrow than we were today’,” Burrows says. “It could be an inch, one small thing that we’re better at. And if all 100 of us are better at something tomorrow, by the end of 365 days, we’re lightyears ahead of where we were on January 1.”
Recent projects for Burrows’ team involved automating account access removal for outgoing employees, shifting the organization over to role-based security, and implementing longer password requirements. Next, the team will be rolling out a CASB tool to detect any shadow IT accounts team members have created with SaaS vendors.
At Harman, Blanchet’s team has been implementing multifactor authentication and using technology to find and clean up stale accounts. His team works cross-functionally with HR, procurement, and internal managers to onboard and offboard employees and contractors. They are working toward automating this process.
No matter where an organization is in its IAM program, it’s important that IAM is prioritized and constantly refined. Burrows and Blanchet are both believers in making incremental improvements.
“It’s about getting the technology working and making progress, rather than insisting on perfection from the start,” Blanchet says.
For more from Burrows and Blanchet on IAM, see Here’s How Two CISOs Do Identity & Access Management.