
Enhancing Digital Identity Protection: 6 Ways to Combat IAM Fatigue

04 November 2024

By Derek Gordon

What is IAM in cyber security?

If your organization is like most, it takes Identity and Access Management (IAM) seriously. IAM is the cyber security discipline that manages and secures users' digital identities and controls their access to protected information. Your business has probably already imposed complex password policies and integrated IAM with authoritative sources and core applications so that lifecycle events such as joiners and leavers are processed automatically.

These services are often user-facing, improving the everyday experience and delivering real business benefits: periodic access reviews, integrated Single Sign-On (SSO) to simplify login, and risk-based Multi-Factor Authentication (MFA) to protect it. However, IAM is not static. It is a continuous service with ongoing demands and priorities: process changes, regulatory requirements, business transformation, onboarding of additional applications and systems, business-as-usual (BAU) activities, and the inevitable evolution of the IAM platform itself.

Despite significant investment in IAM capabilities, many organizations are disappointed by persistent problems. We have observed audit failures, poor data hygiene and practices, ineffective processes, unhelpful user feedback, high integration costs, manual testing, and painful upgrades of legacy IAM platforms, to name a few!

Are you maximizing the true value of IAM?

Many organizations underutilize their IAM tools and miss the insights hidden in account attributes and characteristics. Despite significant investment in implementing and operating IAM, it is often assumed that the processes are effective and work flawlessly every time (the basic joiner and leaver processes, for example), which is not always the reality.

Digital Identity services should provide these insights as standard, demonstrating IAM's true value to stakeholders such as auditors, risk and compliance teams, and relevant business units. These details should help identify ineffective processes, access-related risks, and unusual account characteristics, enabling benchmarking of lifecycle events. By leveraging this information, organizations can maximize their IAM investment and enhance overall security and operational efficiency.


The silent threat of IAM certification fatigue

Many organizations sleepwalk through critical IAM services such as user certification and access review. The mandated access recertification cycle typically hands business reviewers an extensive list of accounts and entitlements to work through, often with poor or inaccurate descriptions and no supporting insight.

As a result, recertifiers frequently feel ill-equipped to assess the accounts and access levels properly, and tend to "select all and approve", sometimes with little more than a cursory glance before returning to their other daily tasks. Fundamentally, the issue is the volume of accounts and access presented for review, compounded by a lack of meaningful context.

The review therefore becomes a check-box exercise, despite the governance and compliance mandates that are meant to guarantee scrutiny and appropriateness. With reviewers overwhelmed by certification fatigue, the security team can be blindsided while assuming everything is fine.


Waking up to the reality of IAM risk

The reality is that running IAM on autopilot like this creates a culture of false security, and most organizations don't even realize it. Significant numbers of orphaned accounts (no identifiable owner), dormant accounts (enabled but unused for months), overprivileged accounts, access outliers, and ineffective joiner, mover and leaver (JML) processes may exist. The crazy thing is that the IAM service itself is positioned to identify and remediate these risks!

IAM insights can also help mitigate operational risk, not only security risk. For example, a single user may be the only person holding a particular access profile, one that underpins business-critical processes and functions. The key questions are why that is the case, and what happens if that person suddenly falls ill or leaves the organization.

Operational resilience matters even more now that regulations such as the TSA, DORA (the EU Digital Operational Resilience Act) and NIS2 (the EU Network and Information Security Directive 2) have added further compliance pressure.

6 tips to defend against IAM fatigue

Don't let fatigue weigh down your IAM processes and services. Consider these six best practices to help you snap out of the slumber and introduce effective, real-time IAM to your organization:


1. Regularly test your IAM policies and processes.

Use identity analytics to test critical controls and processes and gain evidence of how effective they really are. This allows rapid identification of control gaps (an account that is still enabled after its owner's termination, for instance) and the development of targeted remediation plans. Organizations that do this can show that control policies are actually enforced and strengthen their overall security posture.


2. Leverage broader cyber insights as part of identity observability.

Identity observability means harnessing the outputs of the wider cyber security toolset to drive further risk reduction. Pull in signals such as Indicators of Compromise (IoC) and Indicators of Attack (IoA), Threat Intelligence (TI) on enterprise credentials found on the dark web, and other cyber datasets, and correlate them with account characteristics to surface indicators of risk that the IAM data alone would not reveal.
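As an added example that is not part of the original post, the Python below joins a constructed compromised-credential feed, a constructed IoC list and a few constructed sign-in events onto an account export. The email addresses, IP addresses (TEST-NET ranges), dates and risk weights are all assumptions. Two details that matter in practice are shown: feed data is normalised before matching, because a leaked "Carol.Ng@Example.COM" must still hit the directory's "carol.ng@example.com", and an exposure only counts as unremediated if the password has not been changed since the exposure date.

```python
"""Identity observability: join external cyber signals onto the account population.
Added example, not code from the post; feed, IoC list, sign-ins and accounts are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Account:
    username: str
    email: str
    enabled: bool
    mfa_enrolled: bool
    password_changed: date

# Constructed stand-ins for a compromised-credential feed, an IoC list and a sign-in log.
EXPOSED = [  # mixed-case email on purpose: feeds rarely match your directory's canonical form
    {"email": "Carol.Ng@Example.COM", "exposed_on": date(2024, 9, 12), "source": "combo-list"},
    {"email": "erin@example.com", "exposed_on": date(2024, 6, 2), "source": "infostealer"},
    {"email": "nobody@other.example", "exposed_on": date(2024, 8, 1), "source": "combo-list"},
]
IOC_IPS = {"203.0.113.7", "198.51.100.20"}  # TEST-NET addresses, not real indicators
SIGN_INS = [("alice", "192.0.2.10", date(2024, 11, 1)), ("dave", "203.0.113.7", date(2024, 10, 30)),
            ("erin", "192.0.2.22", date(2024, 11, 3))]
ACCOUNTS = [
    Account("alice", "alice@example.com", True, True, date(2024, 10, 1)),
    Account("carol", "carol.ng@example.com", True, False, date(2024, 5, 20)),
    Account("dave", "dave@example.com", True, True, date(2024, 9, 1)),
    Account("erin", "erin@example.com", True, True, date(2024, 7, 15)),
    Account("oldtemp", "oldtemp@example.com", False, False, date(2023, 1, 1)),  # disabled: ignored
]
WEIGHTS = {"exposed_unrotated": 5, "signin_from_ioc": 4, "no_mfa": 3, "exposed_rotated": 1}  # assumed

def normalise(email):
    """Canonical form for matching feed entries against the directory."""
    return email.strip().lower()

def latest_exposures(feed):
    """Most recent exposure per normalised email; a later leak supersedes an earlier one."""
    latest = {}
    for ex in feed:
        key = normalise(ex["email"])
        if key not in latest or ex["exposed_on"] > latest[key]["exposed_on"]:
            latest[key] = ex
    return latest

def correlate(accounts, feed, ioc_ips, sign_ins):
    """Per enabled account, the external signals that apply to it, riskiest first."""
    exposed = latest_exposures(feed)
    ioc_users = {user for user, ip, _ in sign_ins if ip in ioc_ips}
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        flags = []
        ex = exposed.get(normalise(a.email))
        if ex:
            # A password changed after the leak closes the obvious door, but infostealer
            # captures can include session tokens, so a rotated leak still merits a look.
            flags.append("exposed_unrotated" if a.password_changed <= ex["exposed_on"] else "exposed_rotated")
        if a.username in ioc_users:
            flags.append("signin_from_ioc")
        if flags and not a.mfa_enrolled:
            flags.append("no_mfa")
        if flags:
            findings.append({"username": a.username, "flags": flags,
                             "score": sum(WEIGHTS[f] for f in flags),
                             "source": ex["source"] if ex else None})
    return sorted(findings, key=lambda f: (-f["score"], f["username"]))
```

With this data `correlate(ACCOUNTS, EXPOSED, IOC_IPS, SIGN_INS)` puts carol first (leaked credential never rotated, no MFA), then dave (sign-in from an IoC address), then erin (leaked but rotated). The third feed entry matches no account and is simply ignored, which is the normal case for a bulk feed.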


3. Optimize integration efforts.

When exploring a new application integration, review the options at the start so that the result holds up in the long term. Uncovering technical integration challenges and data issues, and resolving any discrepancies, is best done in an early feasibility assessment; it makes efficient use of time and protects the IAM outcome.


4. Improve user experience and streamline certification processes.

Deploy an intuitive certification process that bases decisions on factual data and supports informed review. Surfacing concerns and risks within the process lets reviewers spend their time and attention on the accounts and access that matter. When the process is simple, informative and supportive, reviewers invest more time and energy in being thorough.


5. Deliver effective and practical training.

Organizations often assume that IAM processes are well understood and simple to follow. However, with staff turnover and the rise of remote and hybrid working, responsibilities must be communicated clearly. Provide training and answer questions as part of each certification campaign, and re-emphasize why compliance matters.


6. Utilize technology automation.

A major obstacle to application onboarding and value realization is manual work, where technology can help through automation, intelligent insight and risk identification. Artificial Intelligence (AI) and Machine Learning (ML) tools can inspect user and access data sets to identify anomalies in privileges, control exceptions, orphaned or dormant accounts, access outliers and identity data quality issues, and can support the resulting remediation activities.
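As an added example (not code from the original post or from NCC Group's services), the Python script below runs the kind of identity analytics that tips 1, 4 and 6 describe over a constructed HR feed and account export: it finds orphaned accounts, accounts that survived their owner's termination, dormant accounts, entitlements that are rare among departmental peers, and entitlements held by a single person (the key-person dependency raised under "Waking up to the reality of IAM risk"), then ranks every enabled account into a certification worklist with the reasons attached. All records, dates, weights and thresholds are assumptions.

```python
"""Identity analytics over a constructed JML dataset: added example, not code from the post or NCC Group."""
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                   # "active" or "terminated"
    department: str
    end_date: date | None = None  # set when terminated

@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str | None       # None: no owner recorded
    enabled: bool
    last_login: date | None       # None: never used
    entitlements: frozenset[str]

AS_OF = date(2024, 11, 4)         # assumed review date; every record below is constructed
HR = {r.employee_id: r for r in [
    HrRecord("E100", "active", "finance"), HrRecord("E101", "active", "finance"),
    HrRecord("E102", "active", "finance"), HrRecord("E104", "active", "engineering"),
    HrRecord("E103", "terminated", "engineering", date(2024, 9, 30))]}
ACCOUNTS = [
    Account("alice", "E100", True, date(2024, 11, 1), frozenset({"erp-ap-clerk", "vpn"})),
    Account("bob", "E101", True, date(2024, 10, 28), frozenset({"erp-ap-clerk", "vpn"})),
    Account("carol", "E102", True, date(2024, 7, 1), frozenset({"erp-ap-clerk", "erp-ap-approver", "vpn"})),
    Account("dave", "E103", True, date(2024, 10, 15), frozenset({"git-admin", "vpn"})),
    Account("erin", "E104", True, date(2024, 11, 3), frozenset({"git-admin", "vpn"})),
    Account("svc-backup", None, True, date(2024, 11, 4), frozenset({"backup-operator"})),
    Account("frank", "E999", True, None, frozenset({"vpn"})),  # owner id unknown to HR
]

def orphaned_accounts(accounts, hr):
    """Enabled accounts with no owner, or an owner the HR feed does not know."""
    return sorted(a.username for a in accounts
                  if a.enabled and (a.employee_id is None or a.employee_id not in hr))

def leaver_failures(accounts, hr, as_of, grace_days=1):
    """Enabled accounts whose owner left more than grace_days ago: the leaver step did not take effect."""
    return sorted(a.username for a in accounts
                  if a.enabled and (r := hr.get(a.employee_id)) and r.status == "terminated"
                  and r.end_date and r.end_date + timedelta(days=grace_days) < as_of)

def dormant_accounts(accounts, as_of, days=90):
    """Enabled accounts unused for `days` or more; never-used accounts count as dormant."""
    return sorted(a.username for a in accounts if a.enabled
                  and (a.last_login is None or a.last_login < as_of - timedelta(days=days)))

def _legitimate(accounts, hr):
    """Enabled accounts linked to an active HR record: access that is legitimately held."""
    return [a for a in accounts
            if a.enabled and a.employee_id in hr and hr[a.employee_id].status == "active"]

def peer_outliers(accounts, hr, min_peers=3, max_share=0.5):
    """Entitlements a user holds that fewer than max_share of same-department peers hold.
    Departments smaller than min_peers are skipped: everyone is an outlier in a group of two."""
    by_dept = defaultdict(list)
    for a in _legitimate(accounts, hr):
        by_dept[hr[a.employee_id].department].append(a)
    outliers = {}
    for members in by_dept.values():
        if len(members) < min_peers:
            continue
        holders = Counter(e for m in members for e in m.entitlements)
        for m in members:
            rare = sorted(e for e in m.entitlements if holders[e] / len(members) < max_share)
            if rare:
                outliers[m.username] = rare
    return outliers

def sole_holders(accounts, hr):
    """Entitlements held by exactly one legitimate account: a key-person dependency.
    Excluding the leaver 'dave' leaves erin as the only git-admin, which a raw account list hides."""
    holders = defaultdict(list)
    for a in _legitimate(accounts, hr):
        for e in a.entitlements:
            holders[e].append(a.username)
    return {e: u[0] for e, u in holders.items() if len(u) == 1}

WEIGHTS = {"leaver_not_removed": 8, "orphan": 4, "peer_outlier": 3, "dormant": 2, "sole_holder": 1}

def certification_worklist(accounts, hr, as_of):
    """One row per enabled account, highest risk first, with reasons and context for the reviewer."""
    outliers, sole = peer_outliers(accounts, hr), defaultdict(list)
    for e, u in sole_holders(accounts, hr).items():
        sole[u].append(e)
    signals = {"leaver_not_removed": set(leaver_failures(accounts, hr, as_of)), "sole_holder": set(sole),
               "orphan": set(orphaned_accounts(accounts, hr)), "peer_outlier": set(outliers),
               "dormant": set(dormant_accounts(accounts, as_of))}
    order = ["leaver_not_removed", "orphan", "peer_outlier", "dormant", "sole_holder"]
    rows = []
    for a in accounts:
        if a.enabled:
            flags = [f for f in order if a.username in signals[f]]
            rows.append({"username": a.username, "flags": flags, "score": sum(WEIGHTS[f] for f in flags),
                         "outlier_entitlements": outliers.get(a.username, []),
                         "sole_holder_of": sorted(sole.get(a.username, []))})
    return sorted(rows, key=lambda r: (-r["score"], r["username"]))
```

Call `certification_worklist(ACCOUNTS, HR, AS_OF)` to get the ranked rows. With this data the leaver whose account was never disabled sorts first, followed by two accounts a flat list would bury in the middle: a dormant finance user who is the only approver in her department, and an account whose owner the HR feed has never heard of. The sole-holder check deliberately runs over legitimate accounts only: once the leaver is excluded, git-admin has a single remaining holder, which is exactly the resilience question the post raises. None of these checks needs machine learning; joins and counts over identity data you already hold are enough to start, which is the point of tip 1.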

Organizations should adopt a value-driven approach to maximize the impact of their IAM solutions. That means insight-driven capabilities that deliver more than verification of what the organization already knows. By focusing on analytics and proactive security measures, businesses can unlock the full potential of their IAM tools, improving both security posture and operational efficiency.

More than ever, IAM solutions must deliver on their potential by uncovering risks that organizations cannot otherwise see and by responding in real time to help mitigate those threats.


Derek Gordon

Global VP Identity & Access Management, NCC Group

Derek is a seasoned technology executive with over 26 years of experience in information security, consulting, product management and professional services. As a global digital identity leader, he oversees the strategy and execution of Identity and Access Management (IAM) and Privileged Access Management (PAM) services, providing thought leadership and insight across enterprise delivery projects.

Throughout his career, Derek has held leadership roles at prestigious organizations, including EMEA IAM Leader at IBM and UK IAM Leader at PwC. He also founded a boutique IAM service provider, Praxism. A highly respected voice in the digital identity field, Derek actively invests his time in supporting a wide range of industry bodies and organizations.

Sometimes Identity & Access Management systems need a wakeup call.

To learn more about how NCC Group can help your organization achieve eyes-wide-open IAM, view our Digital Identity services and get in touch.