Why is IAM Implementation so Difficult?
What is IAM?
Identity Access Management (IAM) is the cornerstone of a secure business network. It provides an essential piece of access control and its impact can be felt widely across numerous areas within enterprise businesses.
What is it in layman’s terms?
Identity Access Management is the term which covers all of the administration relating to individual identities across a network, country or company. Essentially, IAM sorts out who in your company gets access to what on your internal network.
The main objective in this process is assigning a single digital identity to each individual. IAM projects therefore handle things like password resets, issuing new user credentials and provisioning new users when necessary. They define access privileges (who gets to do and see what within your firewalls) and control and monitor network access.
Why is it so tricky?
See, the problem with IAM is that there are several big areas in which other, smaller problems can crop up when a company tries to implement it — that’s why it can often take up to 3 years to be properly executed.
There are 3 main areas which cause problems for IAM projects.
1. The Lack of Active Directory Optimization
Your computers already use Active Directory (if they are joined to a Windows domain or run Windows Server operating systems). Active Directory is responsible for the authentication and authorization of around 80% of organisational data, including users and access.
You probably don’t even notice it working — a quick example is that whenever you log in to your desktop, the Active Directory checks your password and username, and sorts out whether you’re down as a system administrator or a user.
So what is the problem here when it comes to IAM?
Active Directory is really complex. Whilst to end users it seems pretty smooth (thanks to numerous layers of failure resistance), its inner structure is deep and intricate, with a lot of unstructured data directly connected to it. Whilst IAM projects try to secure and control access to every last corner of an organisation, projects keep running into problems within AD as a result of this unstructured data. What this means is that if you do decide to undertake an IAM implementation, you should be prepared to take on a secondary project: optimising your AD security model.
Commencing IAM projects without optimising your AD means that redundant and overlapping groups of users within the AD may be granted privileges they shouldn’t be, just because of the tendency within AD to grant similar permissions to the same resources.
This is similar to privilege creep — a situation arising when whole groups of users are granted blanket access, meaning some members end up with privileges not intended for them.
The problem with this allocation of access rights within the AD is that it’s extremely difficult to separate rights from users within groups. If you take the user from the group, they might lose all their other access rights (not just the one you want taken away), and if you take an access right away from the whole group, you risk creating a scenario in which no-one in the group has this access right, even if they are supposed to have it.
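The two failure modes above (pulling a user out of a group removes more than the one right you meant to revoke; revoking a right from a group cuts off members who should keep it) can be checked before making the change. The following is an added example, not code from the original article: it models nested group membership the way AD resolves it, on a small constructed directory, and reports the collateral effect of each kind of change. Group and share names are hypothetical.

```python
from collections import defaultdict

# Constructed sample directory (hypothetical, not real AD data).
# group -> members; a member may itself be a group, as AD nests groups.
MEMBERS = {
    "Finance":        {"alice", "bob", "Finance-Leads"},
    "Finance-Leads":  {"carol"},
    "Reporting":      {"bob", "dave"},
    "Payroll-Admins": {"carol"},
}
# group -> rights granted through membership of that group (resource, permission)
RIGHTS = {
    "Finance":        {("FinanceShare", "read"), ("FinanceShare", "write")},
    "Finance-Leads":  {("PayrollShare", "read")},
    "Reporting":      {("FinanceShare", "read"), ("ReportsShare", "write")},
    "Payroll-Admins": {("PayrollShare", "write")},
}

def groups_of(principal, members=MEMBERS):
    """All groups containing `principal`, directly or through nested groups."""
    found, stack = set(), [principal]
    while stack:
        p = stack.pop()
        for g, ms in members.items():
            if p in ms and g not in found:
                found.add(g)
                stack.append(g)          # the group itself may be nested in another
    return found

def effective_rights(user, members=MEMBERS, rights=RIGHTS):
    """Map each right the user holds to the set of groups that grant it."""
    out = defaultdict(set)
    for g in groups_of(user, members):
        for r in rights.get(g, set()):
            out[r].add(g)
    return dict(out)

def rights_lost_if_removed_from(user, group, members=MEMBERS, rights=RIGHTS):
    """Rights the user loses entirely if pulled out of `group` (collateral loss)."""
    before = effective_rights(user, members, rights)
    trimmed = {g: (ms - {user} if g == group else set(ms)) for g, ms in members.items()}
    after = effective_rights(user, trimmed, rights)
    return set(before) - set(after)

def holders_via_only(group, right, members=MEMBERS, rights=RIGHTS):
    """Users who hold `right` solely through `group`: revoking it there cuts them off."""
    users = {m for ms in members.values() for m in ms if m not in members}
    return {u for u in users
            if effective_rights(u, members, rights).get(right) == {group}}
```

Run against a real directory, the same two checks would be fed from a recursive group-membership export rather than the inline dictionaries.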
2. The Ways Companies Manage Their Approach to IAM Projects
Getting Your Data Priorities Straight
One of the other big issues when it comes to implementing IAM into an organisation is the fact that most businesses don’t actually know what to protect — or how to go about it.
We’ve previously explored the need for companies to wise up when it comes to their data storage and it seems to be a prevalent theme in the data handling world. When approaching IAM implementation, companies need to identify their main business needs. Data mapping is becoming crucial — organisations need to know what their important data is and where it’s currently being stored.
“Identify 20% of the data that is business critical and protect that” — Tim Farrell, CEO & Founder of Future Soft
You Can’t Trust Everyone
It’s a sad but true fact that many organisations have yet to face up to: not everyone who works for you can be trusted with security.
We’re not saying you should suspect all of your employees, but you can’t blindly trust your workers not to share passwords, access areas they aren’t supposed to, or accidentally leave their files open to breaches. Unfortunately, the inside is now where the majority of threats come from. You need to systematically maintain, monitor and modify digital IDs regularly, ensuring they match your access permission plan, and ensure that your employees know why their network access is monitored and restricted.
“People really are the key to this one. Technology is very much in second place… ” — Simon Godfrey, Director of Security Solutions, CA.
Combating Corporate Myopia
Since IAM doesn’t directly increase the functionality or profitability of a company, there’s a tendency towards myopia when it comes to approving the funding or continued implementation of IAM projects.
The failure to recognise that IAM prevents a loss of intellectual property, reduces the risk of prominent security breaches and ensures data handling follows compliance process is a common hurdle when it comes to getting IAM set up within organisations.
3. The Disruptive Trends of BYOD and SaaS
As our businesses embrace cloud based business apps, Software as a Service and the myriad of separate devices employees utilise when working, the risks and challenges surrounding managing access governance only grow.
Whilst staff in the IT department may be able to manage data inside company firewalls (to some extent), they can’t completely control data held outside in the cloud. IAM faces an increasing threat from the developing complexity of our IoT-based lifestyles.
At Thatcher MCS, we are currently recruiting for a high volume of Cyber Security roles, including IAM consultants, across the whole of London and the UK. If you’re interested in having an informal discussion about the possible opportunities open to you, please don’t hesitate to get in contact with me on 0117 311 3131 or email me on LinkedIn. Alternatively, you could always search our jobs or upload a CV to our website.