Identity and Access Management: The product is not the first step
A former employee of Citibank has been sentenced to 21 months in prison for crippling the bank's internal network (www.theregister.co.uk)
If you are on an executive team or sit on a board, you need to ask your security staff: “What is the potential (on a scale of zero to ten) of a similar event happening to us?” Today, the answer should be very close to zero. If it is not, it should be, and you have work to do and hopefully a budget to support the process.
The solution to the example breach above falls under the heading of Identity and Access Management (IAM). There are many products, solutions, and services in this space. Today, more products are being created and current products are being enhanced. It is a big market and estimates of its value vary depending on who you ask, but all are in the billions. As a result, many companies will attempt to quickly sell you products and solutions. Eventually you will likely have to purchase one or more depending on your needs, but a product purchase is not the first step.
IAM in simple terms is permitting the right individuals access to the right resources at the right times for the right reasons. IAM for large enterprises is actually very complex, involving teams of individuals and multiple products that need to work together with processes and procedures to permit and deny access, track and alert, manage exceptions, and cover many other aspects.
Before embarking on any large purchases of solutions or services, using the definition above, start by considering the following:
Resources: What resources am I trying to protect? Do we have a definitive list of these resources and where they are located? Keep in mind that a resource can be a physical server, a third party service, or the data stored and used by the service.
Time: Who is accessing what resources when? Is there an approved change scheduled at the access time? If privileged access to a resource running key services is happening during a time when changes are not approved, is an alert sent immediately to the security operations teams?
Reasons: Why is a particular login or access happening? A company with effective IAM practices should be able to clearly justify the reason for every access to a particular resource, especially if it is privileged access. Auditors will often ask specific questions such as “Why did Sally login to the switch between 12:15 and 12:18am on Tuesday?” and “Can you tell what she did during this access period?”
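The Time and Reasons checks above can be answered from data you already hold once resources are inventoried: privileged logins are correlated against the approved change calendar, and the same join answers the auditor's “Why did Sally login to the switch?” question. The following Python is an added example, not code from the original post; the log format, the change tickets, and the user and resource names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data, not taken from the post: one approved change window
# and four access-log lines in the form "<ts> <user> <resource> <level> <action>".
CHANGES = [
    {"ticket": "CHG-1001", "resource": "core-switch-01", "assignees": {"sally"},
     "start": datetime(2023, 5, 16, 12, 0), "end": datetime(2023, 5, 16, 12, 30)},
]
ACCESS_LOG = """\
2023-05-16T12:15 sally core-switch-01 priv login
2023-05-16T12:18 sally core-switch-01 priv logout
2023-05-16T03:40 bob core-switch-01 priv login
2023-05-16T09:05 bob web-app-01 user login
"""

@dataclass
class Event:
    ts: datetime
    user: str
    resource: str
    privileged: bool
    action: str

def parse_log(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        ts, user, resource, level, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, resource, level == "priv", action))
    return events

def approved_change(event):
    """Ticket id of an approved change that covers this user, resource and time, else None."""
    for c in CHANGES:
        if (c["resource"] == event.resource and event.user in c["assignees"]
                and c["start"] <= event.ts <= c["end"]):
            return c["ticket"]
    return None

def unapproved_privileged_logins(events):
    """Privileged logins with no covering change: the cases to alert security operations on."""
    return [e for e in events if e.privileged and e.action == "login" and approved_change(e) is None]

def audit_trail(events, user, resource, start_iso, end_iso):
    """Answer 'why did <user> access <resource> in this window?' with the justifying ticket, if any."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [(e, approved_change(e)) for e in events
            if e.user == user and e.resource == resource and start <= e.ts <= end]

if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    for e in unapproved_privileged_logins(events):
        print(f"ALERT: {e.ts} {e.user} privileged login to {e.resource} outside any approved change")
    for e, ticket in audit_trail(events, "sally", "core-switch-01", "2023-05-16T12:15", "2023-05-16T12:18"):
        print(f"{e.ts} {e.user} {e.action} {e.resource}: justified by {ticket}")
```

In practice the change calendar would be pulled from the ticketing system and the log from the central log store; the check itself stays the same join on user, resource and time.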
IAM is a very complex and important aspect of any business. Before purchasing any products, have a very clear understanding of the resources you own or use: servers, services, applications, and cloud and third-party services. Understand the data on each of these resources, how it is classified, and the importance of each resource to your business. Once you do, you can embark on IAM product and service selection. The end result will be something that meets your access, audit and regulatory requirements and moves with you as you execute your future vision and strategy in IAM.