Database and password incidents are so commonplace that it takes a breach the size of Yahoo! or Anthem before the media takes notice. You have heard the statistics and read the reports which claim that the most common way to breach a network is through stolen credentials. If we know that this is the issue, why is it so hard to convince people to take Identity and Access Management (IAM) seriously?
Four hard things to know about IAM:
1. Hard to Explain
Firewalls are easy to explain. Yes, they have their intricacies, but when you describe what one does to a friend (or your board) it is a fairly simple concept. However, while your firewall may be strong, it will still fail to protect you. Attackers are still going to get in, because while you are spending your time patching the firewall, the attackers are walking through the front gate by “pretending” to be one of your employees.
How do you know if you are letting the right people in? There should be authentication measures in place as well as monitoring to ensure that the identities on your network are acting like they should and not exfiltrating your data to the highest bidder.
It is also hard to explain (although I don’t know why) just how valuable your information is. Sure, a breach can affect your reputation, there could be fines, and you could end up losing money, intellectual property and more in a breach. But it goes beyond that.
The government knows how valuable it is. There are regulations in place, both from the government and from the industry itself, that force compliance on organizations. They understand that the information you hold, such as a social security number, can affect your customers for the rest of their lives. Think about it: stolen data like this can destroy consumer credit and prevent your customers from buying a home in the future, and leaked health information can lead to social embarrassment and isolation or, worse, cost them job opportunities.
Even if you could articulate IAM to your next door neighbor as easily as a firewall, on the surface IAM is still viewed as a discipline in compliance or as a business process. It’s not. IAM is a security asset. Allowing only the right people to access the right systems at the right time is a security-minded effort, not a check-the-box exercise to show your auditor.
2. Hard to Enforce
We talk a lot about building a culture of security in your organization, and I still believe that it is paramount to the cyber-health of any company. However, while you can preach safety to your employees and put in place measures to force them into a more secure environment, you can’t force the general public to do the same. This includes your employees once they leave for the day, as well as your valued customers.
With a good IAM solution you can enforce mandatory password resets, micro-certifications, least privilege access policies, and more to keep your employees safe. These measures, along with the constant monitoring of your network, are what make these solutions worth their weight. But what if they could do more? What if they could influence your customers’ safety?
Admittedly, forcing measures like multi-factor authentication on your customers can cause friction and can upset their ease of use with your products. No matter how many times you say “it’s for your own good”, you walk a fine line between customer satisfaction and customers hunting for an easier option. One way to make this transition easier for them is to allow a mobile reset option. This way, customers can reset their passwords on the go rather than having to call into a help desk, place a ticket, and lose their precious time. Look for IAM solutions that include frictionless ways for your customers to interact and increase their safety.
3. Hard to Budget
I would ask how easy it is for you to get more money from your board or executive team, but I already know your answer. It’s like pulling teeth…from an angry bear. Going back to the first “hardship”: how can you budget for a solution that you can’t even explain?
Think about your periodic access review process. If you are manually performing these on a quarterly, semi-annual, or annual basis, you likely have a host of managers and system owners spending time pulling user extracts, formatting files, adding contextual data, and emailing files back and forth until the due date. Lather, rinse, repeat. All that wasted time from some of your most valuable resources. What price tag can you put on the hours and days all of these people spent on the review? Wouldn’t it be worth the investment in a security tool that could help automate these efforts? (And please don’t raise your hand if your teams are rubber stamping approvals in the name of “efficiency”.)
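To make the automation argument concrete, here is a small added example (not code from the original post or from any product it alludes to) of the part of an access review that managers usually do by hand: joining the application’s user extract with the HR roster, flagging the accounts that actually need a decision, and bundling those findings per manager. The roster, the user extract, the “payments.approve” entitlement and the rule that only finance may hold it are all constructed sample data and an assumed policy; the 90-day staleness threshold is likewise an assumption.

```python
"""Added example (not from the original post): a minimal automated access
review that turns raw user extracts into per-manager review packages.

All employees, departments, entitlements and the policy below are
constructed sample data, not real identities or a real organization's rules.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: employee id -> (status, department, manager)
HR_ROSTER = {
    "E100": ("active", "finance", "mgr.fin"),
    "E101": ("active", "engineering", "mgr.eng"),
    "E102": ("terminated", "finance", "mgr.fin"),
    "E103": ("active", "support", "mgr.sup"),
}

# Constructed user extract from a payments application:
# (username, employee id or None, entitlements, last login)
USER_EXTRACT = [
    ("alice", "E100", {"payments.view", "payments.approve"}, date(2017, 3, 1)),
    ("bob", "E101", {"payments.view"}, date(2016, 9, 10)),
    ("carol", "E102", {"payments.view"}, date(2017, 2, 20)),
    ("dave", "E103", {"payments.view", "payments.approve"}, date(2017, 3, 2)),
    ("svc_batch", None, {"payments.approve"}, date(2017, 3, 3)),
]

# Assumed least-privilege policy: high-risk entitlement -> departments allowed to hold it
PRIVILEGED = {"payments.approve": {"finance"}}
STALE_AFTER_DAYS = 90  # assumed threshold for "nobody has used this account"


@dataclass
class Finding:
    username: str
    manager: str   # "unassigned" when no HR record owns the account
    reason: str


def review_accounts(extract, roster, today, privileged=PRIVILEGED,
                    stale_after=STALE_AFTER_DAYS):
    """Return only the accounts a reviewer must decide on, with the reason."""
    findings = []
    for username, emp_id, entitlements, last_login in extract:
        hr = roster.get(emp_id)
        if hr is None:
            # Orphaned or service account: nobody in HR is accountable for it
            findings.append(Finding(username, "unassigned",
                                    "no HR owner (orphaned or service account)"))
            continue
        status, dept, manager = hr
        if status != "active":
            # Leaver whose account was never disabled: the classic stolen-credential door
            findings.append(Finding(username, manager,
                                    f"HR status is {status} but account still enabled"))
        for ent in sorted(entitlements):
            allowed = privileged.get(ent)
            if allowed is not None and dept not in allowed:
                findings.append(Finding(username, manager,
                                        f"holds {ent} outside {sorted(allowed)}"))
        idle = (today - last_login).days
        if idle > stale_after:
            findings.append(Finding(username, manager, f"no login for {idle} days"))
    return findings


def review_packages(findings):
    """Group findings by manager so each reviewer sees only their own accounts."""
    packages = {}
    for f in findings:
        packages.setdefault(f.manager, []).append(f)
    return packages


def sample_review(today=date(2017, 3, 15)):
    """Run the constructed data through the review as of a fixed date."""
    return review_packages(review_accounts(USER_EXTRACT, HR_ROSTER, today))


if __name__ == "__main__":
    for manager, items in sample_review().items():
        print(f"Review package for {manager}:")
        for f in items:
            print(f"  {f.username}: {f.reason}")
```

Note what the script does not do: it makes no approval decisions. It only removes the spreadsheet shuffling so that the manager’s time goes into the handful of accounts with an actual question attached (a leaver still enabled, an approval right outside finance, an account nobody logs into), which is exactly where a rubber stamp does the most damage.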
It is still hard to calculate the true ROI of an IAM solution because the costs and benefits vary between organizations based on your size and your needs. Last year DMR reported that global spending on cyber-security products and services was $81.6B. That sounds like a lot until you see that the estimated cost of cyber-attacks for the same year was $400B and that the projected cost by 2019 is over $2 trillion.
If the help desk ROI isn’t enough to get them thinking, see if the $2 trillion does the trick.
4. Hard to Ignore
A few weeks ago, Ashley Sims wrote an article on the 5 cyber-security trends for 2017, and one of those trends was the rise of spear-phishing attacks. In 2016 we saw these attacks take on two different forms and, already, in 2017 we have seen them grow in the form of ransomware attacks. These issues are not going away; if anything, they will continue to increase until our $2 trillion number looks like a drop in the bucket.
Attacks using stolen or compromised user credentials will remain at the top of the attacker’s playbook. Without appropriate Identity and Access Management you will not be able to detect, much less stop, these attacks. This is no longer an issue to be ignored or to be patched with a bigger and better firewall. Don’t wait until your company is “the next Target” to take these issues seriously.