Identity and Access Management (IAM) projects are generally executed with a focus on delivering operational improvements, cost savings and eventual long-term security enhancements. Today, I am questioning whether you can afford to be satisfied with a "long-term" goal of security enhancements with your IAM program when organizations are being attacked TODAY. If you are worried about a breach and its impact on your organization, you may need to revisit your phasing of IAM goals to be more focused on addressing security concerns first.
Breaches, Audit findings, Lack of automation, Excessive access… All of these concerns are reasons organizations strive to ramp up their Identity and Access Management maturity, but many organizations continue to focus on Technology rather than Risk when determining their IAM priorities. With breaches on the rise, it makes sense to adjust your IAM program to deal with existing security gaps now rather than waiting for a future technology implementation to solve them.
Basically, this means focusing on risk throughout your project so you address the highest security concerns first. This might mean delaying some of the bells-and-whistles of identity and access management capabilities or lengthening ROI timelines, but this approach definitely improves security to help avoid a breach. What you need to decide is whether saving money on operational improvements outweighs potentially losing money because of a breach.
Use Identity and Access Management to Reduce Risk
If reducing risk is your organization’s top concern, then your IAM project phases probably need to be revisited. Unfortunately, this is not a natural process for project managers or project teams tasked with developing a plan and driving toward that plan. As a security professional, you need to think about what concerns you from a security standpoint and then escalate that risk into the project.
For instance, let’s say you progress toward implementing an IAM HR feed approach that automatically creates and disables accounts based on HR actions. While implementing this greatly improves security for any new terminations, it does not address current account issues that put you at risk today, such as active accounts of terminated workers. Following a risk-based approach would add a component into the project to immediately address existing account issues by looking for active accounts of terminated employees, third parties, consultants, etc. and then lock them down. Once completed, the HR Feed component can be implemented, which will ultimately assume secure actions against a clean Directory environment.
Privileged account management is another scenario where risk applies. In this case, take time to cleanup excessive access first in order to lower risk. Then, implement a technology to control privileged accounts going forward. With this approach, you lower risk NOW to help prevent breaches, while also establishing a clean environment for technology controls going forward.
Ultimately, you should be concerned about account/group/access issues anyway. For this reason, take time to fix these issues as soon as possible rather than rely on a technology-specific IAM project to solve them once the system is in production. Fixing IAM-related security issues provides a clean slate for your IAM technology to maintain going forward, and it will likely prevent a breach in the mean time.
Begin your identity management initiative by following what corporate compliance experts recommend for the workflow automation of businesses processes, self-service administration and IT operations.