How can IAM help manage identity and access risks?

I agree-in my experience, the core of all organisations user lifecycle management objectives starts with your Authoritative Source (HR & 3rd parties) clearly defined and integrated. Then the Role Based Access Control (RBAC) remains the sustainable approach with selective Discretionary Access Control (DAC). Then comes the Risk Based Approach to fully enforce Privileged Access Management (PAM) and AUDIT EVERYTHING!! Operationally the deployment of Just in Time (JIT) Provisioning will eliminate human provisioning errors. That uses a SAML protocol based method to create users the first time they log into an application via an identity provider. This eliminates the need to provision users or create user accounts manually.

The integrity of IAM is core to the integrity of Authentication and Authorisation mechanisms across your environment. As an example, in a typical Windows-based enterprise, a traditional IAM setup will rely on Active Directory for user identification. Thus, compromise of the AD database results in the ability for attackers to impersonate users across the estate, with widespread ramifications for the systems relying on the integrity of authentication processes. Thus, a key objective for IAM is to understand the abusable attack surface of whatever solution you have implemented, and put in place plans to ensure that this attack surface is: 1. reduced, 2. monitored and 3. incorporated into the organisation's incident response planning.

offer thousands of configuration options, IAM has become one of the main pillars of security. This encompasses SSO, MFA, biometrics, setting up user accounts, adaptive authentication, zero trust, onboarding, moving people, and offboarding. Managing it properly will reduce the company's risk of information leakage and breaches as well.

An IAM solution must provide distinct identity to all entity types. Take an example of humans, devices and software. A combination of authentications for each identity type can provide strong security for protecting against complex attacks.

Before defining an IAM solution, it is extremely important that the organization already has some internal access control processes in place. Some examples: - Minimum privilege, access only to activities that need to be performed by an employee; -Access management through RBAC or ABAC, which of course must be implemented in accordance with the organizational environment; -Continuous monitoring of these accesses; -Defined access renewal process. In my opinion, these are the most important aspects that need to be defined when integrating an IAM. For example, enabling the AWS IAM will make it easier to manage all of the points mentioned above, whether in terms of applications or accounts that will be used.

A risk-based approach to identity and application security involves assessing the potential risks associated with each individual user and application within an organization. By understanding the specific risks that each user or application poses, organizations can prioritize their security measures accordingly. This allows them to focus their resources on the areas that are most vulnerable and most likely to be targeted by cyber threats.

Best practice if not green fields scenario is to conduct a risk assessment using top identity providers for accuracy. That involves recognizing assets, threats, vulnerabilities, impacts, and likelihoods. Maintain a risk based approach/access model at all times using Identity Access Governance (IAG) processes on a monthly basis and Privileged Accounts daily/weekly!!

Critical success factor-follow the principle of defense in depth when implementing these controls. Make use of an Identity Provider that has ALL the required User Lifecycle Management capabilities that fits your organisation and business needs. Utilise that deployment model and phased approach from that respective vendor to build a lifetime relationship with the product and its evolution. Gartner has all the reference and best practice requirements anybody needs to ensure their deployment is fit for purpose and address ALL their access management requirements from ONBOARDING to CHANGE to OFF-BOARDING.

In your experience, if you spent quality time acquiring the correct Identity Provider and you have HR, Risk and the business stakeholders on your side, the next best thing is to monitor user lifecycle management and privilege management process and controls diligently using a SIEM capability. That will provide both the DETECTIVE & PREVENTATIVE visibility to IDENTIFY & PROTECT your information & system assets 100%

Apart from very well-known ones, user authentication, authorization and Role-based access provisioning -Single Sign-On - simplifies access with one set of credentials, reducing password risks. - Multi-factor Authentication -adds extra security layers for access verification. -Audit Trails -Provides logs for threat detection and compliance purposes. -Privileged Access Management - Controls and monitors high-level access accounts. - Automated Account Management - Streamlines user access provisioning and deprovisioning. - User Behavior Analytics - Detects abnormal activities indicating potential threats.

Implementing additional conditional access controls based on IPs, geolocation etc would further reduce the risk of compromised accounts. MFA bypass has been in the news with sophisticated attackers leveraging Attacker-in-The-Middle (AiTM) framework to circumvent MFA.

- Use privileged access management to protect the access of business critical systems - Find ways to Integrate your IAM solutions with SIEM or SOAR to monitor and detect user behavioural patterns or probable insider threats - Consider IGA - Identity Governance and Administration as part of your identity management program.

One other key insights to note is tgag IAM automates the process of granting and revoking access privileges in addition to existing controls. It also reduces the risk associated with delayed or forgotten access changes during employee onboarding, offboarding, or role changes.

Value Added benefits to enhance security and improve user buy-in could be Risk Based Biometric Authentication to sensitive systems/assets as primary control and Single Sign-On to streamline adoption in your organisation. This value could also be sustained if you have a Catalogue of Cyber Services to demonstrate real value to your stakeholders that is tangible.