Hidden challenges in IAM and how to overcome them
Christina Arcane
Founder InspireCyber. | Cyber Security, Human Cyber Risk & Compliance Consultant | Co-founder BreachAware (acquired 2020)
This article has been co-authored by Christina Arcane – Cybersecurity Education Specialist and Robert Murace – IAM Specialist and Manager.
How do your people impact IAM?
Identity and Access Management (IAM) is at the heart of protecting the digital assets of a workplace in which the risk of cyber incidents keeps increasing. IAM is a framework of policies and technologies ensuring that the right individuals have access to the right resources at the right times for the right reasons.
That is a lot of ‘rights’ – so where does IAM go wrong?
While IAM may seem like a domain reserved for cybersecurity professionals, its relevance extends far beyond, touching upon roles across an organisation.
It begins with buzzwords such as JML (Joiners/Movers/Leavers), RBAC and SOD, which are in fact key principles designed to mitigate risk and ensure operational integrity.
Segregation of Duties (SOD) prevents conflicts of interest, fraud and error by dividing tasks among multiple individuals. Role-Based Access Control (RBAC) streamlines access management by assigning system access based on an individual’s role within the organisation. Furthermore, the need-to-know principle limits access to information to those who require it to perform their job, thereby minimising exposure to sensitive data.
However, all these acronyms get lost in the minds of the people who are the bedrock of access controls – employees across the organisation.
HR teams manage onboarding and offboarding processes, team leaders get involved, and the Service Desk may create tickets and action provisioning and de-provisioning; with that many hands involved we quickly see how IAM can come undone!
We hear lots of reasons why our IAM controls fall short: “They didn’t terminate the access in time”; “They didn’t submit the termination form on time”; “They forgot to submit the termination at all”; “The employee moved teams but no-one mentioned it”; “The supervising manager is no longer here”; “That’s the other person’s responsibility.”
The one thing all these reasons have in common is that they rely on the actions of people!
Even with the additional control of a User Access Review (UAR), a periodic activity in which the access of every person to every system is reviewed and corrected, IAM still comes undone when the workforce does not understand the principles behind it.
Could it be because these principles were communicated in a brief online training module that the employee clicked through as fast as they could?
Without proper knowledge, every organisation is exposed to huge gaps in access control, which create the perfect environment for credential theft, lateral movement, escalation to elevated privileges and admin accounts, and, as the result, a cyber incident.
Knowledge barriers are only half the story!
Other Challenges in IAM
Here are some other challenges that come with the implementation and management of an IAM solution, and tips on how to approach them.
Legacy Systems
This shouldn’t be a surprise; legacy systems pose a challenge for most technology and cybersecurity solutions by their very nature.
Organisations should define a clear, separate strategy for every legacy system in relation to the IAM solution before embarking on any integration, migration or uplift, to avoid the pain later. Tactical solutions managed through a risk framework may be the more prudent choice for such systems.
Documentation & maintenance
Unless you work for Atlassian, who seem to be the divine beings of mapping, maintaining and updating documentation, chances are this is a barrier to an effective IAM solution for you. It seems simple: you can’t build a house well and on time if you start digging and find the foundation is a completely different material from what you were expecting.
Take the time to document, and build in processes so that documentation continues to happen. Get the right people in the room and document accurately to minimise delays, strengthen IAM effectiveness and reduce risk.
Lower Environments
Ironically, lower environments are effective at reducing the risk of unauthorised access, for security reasons amongst others; however, if they do not match the production environment closely enough, new issues surface as the solution moves through the stages. This also complicates future enhancements or upgrades of the IAM solution.
As the applications in the lower environments have their own development and test cycles, ensure the IAM solution in these environments is production-like, so that testing of application changes can be trusted.
Testing
A question prevalent in many other functions too: how do you test your IAM solution in the most ‘live-like’ environment without impacting your systems if the test fails? If you’ve got a Business Continuity or Disaster Recovery colleague, they will surely have a story or two here.
Thought must be given to the IAM testing process to get the most successful, real outcome.
What else do we recommend?
Engage your C-suite early – Engage and educate your organisation’s C-level early on the scale, complexities and challenges of IAM to gain their ongoing support in driving its adoption. This top-level support is crucial, as it significantly influences the adoption and acceptance of IAM practices throughout the organisational hierarchy, down to managers and individual staff members.
Define and agree roles and responsibilities – Business and IT system owners of all assets need to be in the know from the beginning. They know their domains better than anyone, and their input is paramount to a successful implementation, maintenance and future upgrade of an IAM solution.
Automate – The future is automation, and a good IAM implementation is no different. A great IAM solution will have Joiners/Movers/Leavers (JML) processes automated from data obtained from one or more sources of truth (e.g. an HR system for internal staff and a vendor management system for externals); it will have assets integrated to enable governance of access accounts; it may manage the access request and approval workflow for those assets; and it will automate provisioning and de-provisioning of access and, where that’s not possible, generate a work request for manual provisioning. Whoa, that’s a lot – that’s why it’s automated!
The IAM implementation should also build efficiencies via birthright and RBAC roles and improve governance via implementation of SOD and User Access Reviews.
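The principles above (birthright RBAC roles, Segregation of Duties, need-to-know, User Access Reviews and an automated JML process fed from an HR source of truth) can be tied together in one reconciliation step. The following is an added example, not tooling from the authors or any product they mention; the departments, role names, SOD pairs, 90-day review cadence and sample HR/account records are all constructed for illustration. It compares an HR feed with the accounts present in a target system and derives the joiner, mover, leaver and orphan actions, the SOD conflicts, and the queue for the next User Access Review.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Hypothetical role catalogue: birthright roles granted per department (RBAC).
BIRTHRIGHT_ROLES = {
    "finance": {"erp_user", "expense_submitter"},
    "engineering": {"git_user", "ci_runner"},
}
ALL_BIRTHRIGHT = set().union(*BIRTHRIGHT_ROLES.values())

# Hypothetical Segregation-of-Duties rules: role pairs one person must never hold together.
SOD_CONFLICTS = [
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"expense_submitter", "expense_approver"}),
]

UAR_INTERVAL = timedelta(days=90)  # assumed User Access Review cadence


@dataclass(frozen=True)
class HrRecord:
    """One row from the HR system, treated as the source of truth."""
    user_id: str
    department: str
    active: bool


@dataclass
class Account:
    """An account as it currently exists in the target system."""
    user_id: str
    roles: set = field(default_factory=set)
    last_reviewed: Optional[date] = None


def reconcile(hr_rows, accounts, today):
    """Derive JML actions, SOD findings and the UAR queue from HR data vs. accounts."""
    hr = {r.user_id: r for r in hr_rows}
    out = {"provision": {}, "deprovision": [], "grant": {}, "revoke": {},
           "sod": {}, "review": []}

    for rec in hr.values():
        acct = accounts.get(rec.user_id)
        wanted = BIRTHRIGHT_ROLES.get(rec.department, set())
        if not rec.active:
            if acct is not None:              # leaver: HR says gone, account still exists
                out["deprovision"].append(rec.user_id)
            continue
        if acct is None:                      # joiner: provision birthright roles only
            out["provision"][rec.user_id] = set(wanted)
            continue
        missing = wanted - acct.roles                     # mover gained a department
        stale = (acct.roles & ALL_BIRTHRIGHT) - wanted    # mover still holds old roles
        if missing:
            out["grant"][rec.user_id] = missing
        if stale:
            out["revoke"][rec.user_id] = stale

    for uid, acct in accounts.items():
        if uid not in hr:                     # orphan: nobody in HR owns this account
            out["deprovision"].append(uid)
            continue
        if not hr[uid].active:
            continue
        conflicts = [c for c in SOD_CONFLICTS if c <= acct.roles]
        if conflicts:
            out["sod"][uid] = conflicts
        # Need-to-know is enforced by humans at review time; queue anything overdue.
        if acct.last_reviewed is None or today - acct.last_reviewed > UAR_INTERVAL:
            out["review"].append(uid)
    return out


# Constructed sample data mirroring the excuses listed earlier in the article.
HR = [
    HrRecord("alice", "finance", True),
    HrRecord("bob", "engineering", True),   # moved from finance; nobody mentioned it
    HrRecord("carol", "finance", False),    # terminated; form never submitted
    HrRecord("dave", "engineering", True),  # joiner; no account yet
]
ACCOUNTS = {
    "alice": Account("alice", {"erp_user", "expense_submitter", "expense_approver"}, date(2024, 1, 10)),
    "bob": Account("bob", {"erp_user", "expense_submitter", "git_user"}, date(2024, 5, 1)),
    "carol": Account("carol", {"erp_user"}, date(2024, 5, 1)),
    "eve": Account("eve", {"vendor_create", "payment_approve"}, None),  # no HR record at all
}
TODAY = date(2024, 6, 1)


def run_example():
    return reconcile(HR, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for action, items in run_example().items():
        print(f"{action:12s} {items}")
```

Run as-is and the output shows dave provisioned with engineering birthright roles, carol and the orphan eve queued for de-provisioning, bob granted ci_runner and stripped of his finance roles, alice flagged for an SOD conflict (she can both submit and approve expenses), and alice alone overdue for review. In a real deployment the action lists would feed a provisioning connector, or a work request where no connector exists, exactly as the Automate recommendation describes.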
Maturity & Zero Trust - As maturity builds across the IAM landscape, organisations may look to implement a zero-trust model and challenge an account at every access point, or they may also look to move to ‘passwordless’ access, building efficiency and attempting to mitigate the weakest point in the chain (our people remembering a password).
And finally, get more non-cyber roles better versed in cyber security topics, especially IAM, so they can buy into your programme, understand its application and provide helpful assistance and ownership as needed.
We hope you enjoyed this read as much as we enjoyed writing it. Please reach out if you’d like to discuss more!
Authors:
Christina Arcane – [email protected] | https://www.dhirubhai.net/in/christinaarcane/
Robert Murace: https://www.dhirubhai.net/in/robert-murace-b9783726/
Cyber Training & Awareness Lead
8 months ago: Your insights into the importance of balancing security and user experience are great!