Is Establishing a Robust IAM Practice Tactical or Strategic?
Verizon’s 2021 Data Breach Investigations Report found that privilege abuse is still the leading cause of breaches today. As cyber-attacks targeting identity (such as business email compromise or phishing) have become more sophisticated and numerous, many organizations are increasing their focus and budgets to combat them using Identity and Access Management (IAM). By developing strong IAM practices, they’re doing more than just protecting their internal workforce and external consumers—they’re also learning that identity and security projects should not be separated. There’s a growing understanding that these two distinct teams should be consolidating their efforts. And, since these two areas are often deprioritized, this can be a challenge. We’re finding that organizations are questioning how to bring them together and how to start.
The cyber security community often cites a line from Sun Tzu’s The Art of War: “Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.” In essence, some think of tactics and strategy as diametrically opposed, when in reality, they’re complimentary. In the context of a great IAM implementation, the equivalent elements are policy and technology—some see them as opposed, but best practices dictate that they complement one another.
A common question around adopting an IAM practice is how to tackle the challenges of policies while implementing industry-leading technology. Agnostic solutions, like Okta and Auth0, provide the ability for organizations to put holistic protections in place around identity. These protections encompass internal/remote users, third-party users, and external users (consumers, for example) spanning cloud, legacy, and homegrown solutions. We do this by removing common barriers, supporting productivity, and developing solutions that will help you achieve success.
Removing the Barriers
With our solutions, technology and policy become ubiquitous, which reduces the burden on IT and Security teams. This is done through robust integrations, extensible APIs, and an easy-to-use interface for the workforce and consumer users alike. This improves internal adoption, ensures successful implementation, and transforms these teams from being perceived as barriers to becoming business enablers.
With Okta’s Identity Platform, organizations can automate any identity process. It connects Okta with downstream systems to enhance security using strong authentication and policy enforcement while simultaneously delivering an improved user experience. Okta’s Workflow templates further support automation and orchestration for a number of previously manual use cases. Examples include actions like “suspending inactive users,” “reassign files while deprovisioning with GSuite,” or “perform identity proofing with a third-party service.”
When combined with Auth0 solutions, organizations can easily customize any point of the login flow with low code, extensible tools. Auth0 was built to enable development teams to easily customize identity-related functionality—instead of hiring professional consulting services to solve their unique issues and use cases. This is achieved using Auth0’s extensibility tools, Actions, Rules, and Hooks.
When you protect both your consumers and your workforce, you effectively reduce your risk surface. And, unlike the security models of decades past, people are “the new perimeter,” so you must be in compliance as well. So, protections must be in place to comply with regulatory requirements and avoid financial penalties, and please do this without disrupting productivity or knocking critical systems offline.
Our options provide the needed balance, with solutions that not only implement but enforce policy supporting identity and security—without disrupting your business. These fixes reduce your “soft costs”, allowing teams to focus on your business-critical tasks.
As more organizations adopt cloud solutions, the interplay between technology and business ops becomes more critical to successful deployments and adoption. And, with any major project, there are multiple stakeholders. But for identity and security projects, we’re seeing more cross-department collaboration than ever before.
Another area to be considered around IAM technology and policy? The challenges around legacy systems and operational processes. These older systems are integral to large enterprise organizations. Projects to modernize are complex, with a lot of moving parts. To succeed, organizations need agnostic, extensible solutions, and an understanding they that don’t need to boil the ocean. Like a caterpillar becoming a butterfly, transformation can happen through a slower process of metamorphosis. A “big bang” approach is unnecessary, as organizations can always start with one or two critical systems or services and expand over time.
The most successful implementations provide a balance between a good, frictionless user experience coupled with modern security tactics. We recommend starting by deploying technology that will enforce policies against a single app or group of users. By starting small the impact is mitigated and, when successful, becomes the template to roll out systems and programs more broadly.
Success you can Trust
Our goal is to provide trusted solutions that address the Identity challenges most organizations face, through customizable technology. We are constantly engaged with our customers and partners to ensure we’re developing the solutions they need and that address their most pressing challenges.
In the last few years alone, we’ve seen a swell of data privacy regulation (from the LGPD in Brazil to the APPI in Japan, and from the GDPR in the E.U. to the CCPA in California). It’s the indicator of how consumers are demanding that their information, their digital identity, be respected and protected. Keeping pace with the speed of change and consumer expectations is no longer an afterthought. As stated in this McKinsey & Company report, “Consumers may even vote with their feet and walk away from doing business with companies whose data privacy practices they don’t trust, don’t agree with, or don’t understand.”
It’s a disservice to approach your IAM initiatives thinking that technology and policy (i.e., tactics and strategy) are diametrically opposed. To overcome barriers and find balance, you need solutions that you can trust and are dedicated to your success.