Identity and Access Management (IAM) Overview
Executives can stay on top of their cybersecurity game by ensuring the right individuals are the ones signing in to their business networks in the right way. After all, as Experian argues, employees and negligence are rapidly becoming a company’s biggest threats. This is often merely because people make mistakes: imagine an overworked team member clicking a phishing link sent by email, and that link logs the individual into another part of the organisation's network carrying a hacker's payload. Pretty soon, bad news.
It's definitely possible, however, to envision a positive experience for companies that use robust identity and access management (IAM). This is a much-talked-about way of ensuring the right people have the right access at the right time. But what is IAM, really, and how can it benefit companies?
Identity and access management as a framework
The simplest way to understand IAM is to see it as a framework: a structure that organises a multitude of services, policies, concepts, and more. Any one user of a framework might only ever encounter bits and pieces of it without ever perceiving the whole or knowing how it all operates.
To understand how this works, consider a federal Act of Congress. It is a complex piece of public law that, as a framework, organises the rights and services provided to those within its jurisdiction. A single person might be familiar only with his or her own points of access to the law (access to information, support services, equal opportunities, etc.) and not with all the backend architecture of legal code that makes the help possible.
Similarly, as executives know, no one person has the time or training to understand every line of code that goes into IAM, but the basic concepts can be made clear: a good identity and access management framework helps companies govern who the users of their business networks are (that's the identity component) and what services those users can or cannot access, and how (that's the access management component).
The question then becomes, how is IAM uniquely positioned to be the best solution to the modern challenges businesses face today?
In the past, blue chip companies sat employees down in office buildings protected by a digital firewall. Individuals signed into their office computers and worked until five o'clock, then signed out and went home to their personal lives. The current reality is much different.
Today, over the unsecured Wi-Fi connection of a coffee shop, employees check their work emails on their personal cell phones, with or without a VPN, while also using their work laptops to talk with friends and send links across social media. In cybersecurity terms, this is far removed from the well-controlled environment described above.
The solution is to recognise that this is the employee's new identity, and to adopt a framework that accepts this reality. With a good identity and access management system, analytics can be employed to build a persona for today's user. Is he or she using that same personal cell phone? With the same operating system version? Such details can be tracked and used to make sure an employee signing in is authentically the person he or she claims to be.
Imagine a small legal firm with an important assistant who signs in successfully by using his or her Windows password. At many typical legal outfits, this person now has full access to the machine in question and could (intentionally or accidentally) cause all sorts of trouble, especially if the device is networked for remote access so the attorneys can work remotely when needed.
With a good IAM framework, companies aren't left with this binary picture where the user has either no access or full access. Instead, systems can be flexible and adaptive. There's now a spectrum where the IAM framework determines, based on analytics, known risks, and user history, the safest amount of access to give the person. Maybe he or she is presenting some sort of risk (neglected to upgrade an application, say) but still needs to access a word processor to make edits to a legal motion that's due today. A flexible, adaptive IAM framework can grant that without giving him or her carte blanche access to everything.
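As an added illustration, not code from any IAM product, the sketch below turns the legal-firm scenario into a graded access decision: sign-in signals are scored against the user's learned persona and the score selects a tier of resources. The signal names, weights, thresholds, and resource names are all assumptions made for this example.

```python
from dataclasses import dataclass

# All names, weights and thresholds here are assumptions for illustration.
@dataclass(frozen=True)
class Persona:
    """What analytics has learned about a user's usual sign-ins."""
    known_devices: frozenset
    usual_os_versions: frozenset

@dataclass(frozen=True)
class SignIn:
    user: str
    password_ok: bool
    device_id: str
    os_version: str
    apps_patched: bool

# (highest risk score allowed, resources granted), ordered least to most risky.
TIERS = [
    (0, frozenset({"word_processor", "case_files", "billing", "remote_admin"})),
    (2, frozenset({"word_processor", "case_files"})),
    (3, frozenset({"word_processor"})),
]

def risk_score(signin: SignIn, persona: Persona) -> int:
    """Add up risk points for each signal that deviates from the persona."""
    score = 0
    if signin.device_id not in persona.known_devices:
        score += 5   # unfamiliar device: strongest signal, exceeds every tier
    if signin.os_version not in persona.usual_os_versions:
        score += 1   # OS version differs from what this user normally runs
    if not signin.apps_patched:
        score += 2   # a neglected application upgrade
    return score

def allowed_resources(signin: SignIn, persona: Persona) -> frozenset:
    """Return the resources this sign-in may use; empty means deny."""
    if not signin.password_ok:
        return frozenset()
    score = risk_score(signin, persona)
    for max_score, resources in TIERS:
        if score <= max_score:
            return resources
    return frozenset()  # too risky for any tier, even with a correct password

if __name__ == "__main__":
    # Constructed sample data: the assistant on the usual laptop, one app unpatched.
    persona = Persona(frozenset({"laptop-01"}), frozenset({"10.0.19045"}))
    signin = SignIn("assistant", True, "laptop-01", "10.0.19045", False)
    print(sorted(allowed_resources(signin, persona)))
```

A correct password alone never yields full access here: the unpatched sign-in keeps the word processor and case files but loses billing and remote administration, and an unfamiliar device is refused outright.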
Security for today's workplace
A big problem with cybersecurity now, as the above examples illustrate, is the tendency for companies to rely on yesterday's solutions based on yesterday's realities. But the world—and the workforce—is changing, becoming more fluid and interdependent. For executives to stay on top of cybersecurity, they should turn to the solutions that don't hide from this reality, but recognise it.