Database and password incidents are so common today that it takes a massive breach to make headlines. Coverage of these breaches often highlights that stolen credentials were a key part of infiltrating the network. Even though we know credential theft is often at the heart of these incidents, why is it so difficult to convince our organizations, leadership, employees, and customers to take Identity and Access Management (IAM) seriously? Here are four key elements that make IAM so difficult within the business:
1) IAM Is Hard to Explain
A firewall is fairly easy to explain. Firewalls have their intricacies, but the concept is simple to describe to your organization. Yet even though they may be easier to characterize, and can be a strong defense for your company, they can still fail to fully protect you. While you spend time patching your firewall, attackers can pretend to be one of your employees using stolen credentials and walk right through your front gate.
So how do you know if you are letting the right people in? The key is having strong identity governance programs in place as well as network threat detection to ensure that the identities on your network are acting like they should—and not exfiltrating your data to the highest bidder.
Another challenge with IAM is that it is hard to explain just how valuable your information really is to your organization. Yes, a breach can affect your reputation—there could be fines and you could lose large amounts of money, intellectual property, and more in a breach. But a breach goes beyond that. For example, government-issued information, like your social security number, is considered extremely sensitive and is tied to the ability to purchase large items, like a home, or pursue new job opportunities. That’s why there are governmental regulations in place that require companies to handle personal information securely: the government recognizes the value of information and seeks to actively protect it.
Even if it were easier to articulate the value of Identity and Access Management, on the surface, IAM is viewed as a discipline in compliance or as a business process. But this is not where its value lies. IAM should be regarded as a security asset. And ensuring that the right people access the right systems at the right time is a security effort—not a checkbox exercise to show auditors.
2) IAM Is Hard to Enforce
We talk a lot about building a culture of security as paramount to the cyberhealth of organizations today. However, while you can preach safety to your employees and put in place measures to force them into a more secure environment, you can’t force the general public to do the same. This includes your employees once they leave for the day and your valued customers.
With effective Identity Governance and Administration solutions to reduce identity-related risks, you can enforce mandatory password resets, micro-certifications, least privilege access policies, and more to keep your employees safe. These measures, along with penetration testing and continuous monitoring of your network, make these solutions part of a broader security strategy to increase the effectiveness of your organization’s defenses.
Another important action to consider is how you influence the security of customers external to your organization. However, increasing the friction for customer access can disrupt the ease of use of your products, so it is important to find a practical balance between organizational security and user efficiency. One way to do this is to empower customers to reset their own passwords through a mobile reset option. This way, customers can reset their passwords on the go rather than having to call a helpdesk, place a ticket, or require the time of IT resources. Remember to look for IGA solutions that also give customers frictionless ways to interact with your products and increase their own safety.
3) IAM Is Hard to Budget
Requesting funding for identity governance programs is tough. If explaining IAM is hard, trying to budget for a solution that you can’t even explain is much harder. Think for a moment about your periodic access review process. If you are manually performing these on a quarterly, semi-annual, or annual basis, you likely have an entire team of managers and system owners that are spending time pulling user extracts, formatting files, adding contextual data, and emailing files back and forth until the due date. All that wasted time from some of your most valuable resources. What price tag can you put on the hours and days all of these resources spent on access reviews? Wouldn’t it be worth the investment into a security tool that could help automate these efforts?
It is still hard to calculate the ROI of an identity governance solution because the use of IGA programs varies between organizations based on overall size and organizational needs. However, spending on security globally is expected to exceed $103 billion in 2019, an increase of more than nine percent from 2018, according to IDC data. That sounds like a lot until you consider the cost of cyberattacks, which was estimated at approximately $654 billion in 2018 and is estimated to jump to upwards of $2 trillion in 2019. If simply decreasing helpdesk costs and reducing reliance on IT resources isn’t enough, try dropping the costs of cyberattacks to see if that does the trick.
4) IAM Is Hard to Ignore
External threat actors have become considerably more sophisticated in their malicious activities that target insiders—from deploying social engineering attacks like phishing emails to scanning through LinkedIn and other data stores on the Internet to gather details on corporate environments. These issues are not going away and will only continue to increase in intensity in coming years. Attacks using stolen or compromised user credentials will remain at the top of the attacker’s playbook. Without appropriate identity governance policies, you will not be able to detect, much less stop, these attacks. This is no longer an issue to be ignored or to be patched with a bigger and better firewall.
Identity and Access Management Challenges Will Just Keep Growing
The complexity of identity and access management will only continue to grow for organizations that do not have a solid approach to identity governance. The growing number of systems, devices, applications, employees, and customer expectations will continue to intensify the four top challenges highlighted throughout this blog. Making sure you provide appropriate access goes a long way in mitigating risks and improving the security posture of your organization. Start being proactive in your security approach. Discover how Core Security IGA solutions are the foundation for an intelligent Identity and Access Management program in your organization today.