We’ll be talking about:
- What exactly is Identity & Access Management (IAM) and how has this field evolved?
- What are the three pillars of IAM?
- Why is it important that businesses don’t focus just on the technical side of IAM?
- What are the current hot topics in IAM?
- What direction is IAM taking these days?
Ricardo, you’ve been working in Identity & Access Management for over twenty years. Can you explain briefly what it’s all about?
Ricardo Kowsoleea: “Identity & Access Management (IAM) is a field in cybersecurity; specifically, it falls under the heading of Prevention. The goal of prevention is obviously to prevent security incidents – but while still ensuring that the people using your IT have the permissions they need to do their work effectively, when they need them.”
“There are three pillars to IAM: Access Management, Identity Governance & Administration, and Privileged Access Management. These are three sides of the same triangle: identity. Whenever you log into a system – be it your online bank account, Facebook, or perhaps your Administrator account when you arrive at Cegeka in the morning – you have to tell that system who you are. This identity information is vital for the automated environment to recognize you and determine what you’re allowed to do.”
Has IAM always been seen as important in cybersecurity?
Ricardo Kowsoleea: “IAM has evolved a lot over the years. In the past, there was a lot of focus on ‘return on investment’, i.e. things like reducing the volume of Helpdesk calls, getting people logged in to start work as quickly as possible, and tools like Single Sign-On (access to several target systems with a single username and password) that make life easier for the user.”
“Then in around 2003, the focus shifted towards compliance. Legislation like SOX, HIPAA and Basel II was coming in and companies were suddenly obliged to set up IAM properly in order to comply with these new regulations. Companies and individuals could be held responsible if they didn’t have properly configured IAM systems in place. So, for example, major banks were obliged to set up Privileged Access Management. There was a flip side though: because of the emphasis on legal compliance, IAM was often treated as something to be ticked off for audit purposes, and then forgotten about.”
“There’s been another shift in more recent years, with a growing emphasis on security, and IAM now plays a major role in security policies. We all know that threats like ransomware and other modern attack vectors are increasing rapidly. In the past, company data was stored on-premises, and protected from the outside world by a firewall. Firewalls are certainly still relevant, but the modern emphasis on cloud storage means different security paradigms: in particular, it’s important to be able to authenticate identities reliably and provide access to the right data and applications. Of course, ROI and compliance haven’t been forgotten. They still have a role to play in IAM policies. But they’re really secondary to security now.”
Is it just large organizations who need to think about IAM?
Ricardo Kowsoleea: “Certainly not. The days when banks were the primary targets for security incidents are long gone. Smaller organizations are just as likely to get hit nowadays. We’re seeing that shift reflected in the IAM market. It used to be just big businesses that had IAM programmes. But these days, companies with just 500 people on the payroll will see it as completely normal to implement an IAM system.”
“This goes hand in hand with IAM having become much more accessible to smaller businesses. In the old days, setting up IAM would involve a lot of customization and a complex, highly specialist rollout through the organization. It often just wasn’t practical. These days, we have much more user-friendly SaaS and Managed Services solutions that you can just plug into your systems via a connector.”
Earlier, you mentioned the three pillars of IAM. Can you explain a bit more?
Ricardo Kowsoleea: “Access Management is the oldest element of IAM. This pillar is about the infrastructure for authenticating and authorizing users to give them access to a resource. The traditional way to handle this is with passwords. However, passwords can be leaked. The trend nowadays is for multi-factor authentication – that means you need to provide more than one mode of authentication to be granted access – for example, a fingerprint scanner combined with a hardware token. Once an individual has been authenticated, they can be allocated permissions based on their authenticated identity.”
You said the second pillar is Identity Governance & Administration?
Ricardo Kowsoleea: “Yes. Those used to be two different systems: Identity Governance on the one hand, and Identity Management on the other hand. However, the two systems have grown towards each other and we now think of them together as Identity Governance & Administration, or simply IGA.”
“Identity Governance has its roots in the days when everyone was thinking about compliance. The new legislation that was issued around that time mandates that companies must be able to show who has access to what, and when, and even why those people need access to specific systems or resources. Managing that manually is complex, to say the least. Identity Governance systems make it possible to automate the task.”
“The other side of the coin, Identity Administration, which used to be known as Identity Management, is the infrastructure for automating the joiners, movers, leavers process. When someone new joins the company, their details are entered in the HR system. Then, depending on their role, function, location, etc., the coupled IGA system is used to derive the permissions the new joiner needs. For example, accounts will be configured for Salesforce and Active Directory, Office applications, and potentially hundreds of other resources. The accounts and authorizations are set up automatically and rolled out through the target system. This is something you used to have a whole team of account managers working on manually.”
“Another important issue is role tracking: accounts should be automatically updated when the person moves within the organization. If a company doesn’t have an IGA system, it can often end up with ‘collectors’: people who have been working there for a long time, in a number of different jobs, and who have gradually collected up a whole bucketful of permissions that they actually no longer need.”
“Then there are a few other things handled by IGA. For example, there’s a concept called segregation of duties (SoD). The idea is to require more than one person to complete certain sensitive tasks. For example, someone in the Accounting department might be able to enter an invoice, but not pay it. Lots of companies haven’t got this implemented fully at present, but an IGA system provides the necessary framework.”
The third pillar you mentioned was Privileged Access Management. What’s the difference between that and your first pillar, Access Management?
Ricardo Kowsoleea: “Privileged accounts are accounts with very extensive permissions. They may be accounts for humans, machines or applications. For example, the root account in a Unix system, or an Administrator account on Windows, are privileged accounts. So are service accounts for providing communication between applications and a database. This kind of account is commonly targeted by cybercriminals, since if you manage to take over a privileged account, you can penetrate right into the depths of the system. Traditional access management isn’t necessarily good enough for these accounts. With Privileged Access Management, you can do things like use rotating passwords for a root account: if someone is working as root, the password will automatically be reset to something new when they log out. That way, even if the password was exposed during the session, a cybercriminal still can’t use it to break into the system in a new session.”
Earlier, you mentioned that companies need to be able to demonstrate why individuals need the access rights they’ve been allocated. You mentioned separation of duties. Does that mean that IAM isn’t just a technical solution – that companies need to think very carefully about the organizational aspects of identity and access management?
Ricardo Kowsoleea: “That’s right. In IT, we often talk about the 70/30 rule: usually, this means 70% technology, 30% people and processes. But for IAM, that ratio is the other way around: 30% technology, 70% people and processes. Introducing IAM at a company means making changes that people sometimes struggle to get to grips with. At Cegeka, we’ve been involved with the IAM journeys of large companies with over 100,000 people, and smaller businesses with perhaps just 500 employees. It’s not just the technical environment that is different for every organization: the people and processes also need a different approach. Cegeka always works on the basis of close cooperation with its clients – that’s the best way to get things right!”
“Here’s a simple example: administrators don’t like to be monitored! If you implement Privileged Access Management, their sessions will be recorded and/or their activities logged. Auditors can review these sessions to help them understand what system tasks are being done by the administrators. If you don’t prepare your administrators for this kind of thing, you’re likely to meet resistance during the implementation.”
What are the most important reasons for companies to roll out IAM?
Ricardo Kowsoleea: “Every company has a different problem it needs to solve. There’s no one-size-fits-all reason for organizations to implement IAM. Often, an incident highlights a specific issue, or an audit calls attention to certain shortcomings. When the company comes to us, it’s part of our job to identify the underlying problem and how we can solve it with IAM.”
“IAM is the Swiss Army knife of IT Security: it can do it all. But you don’t have to do it all at once! The first priority is to solve the company’s immediate problem; for example, if a security incident was the trigger for the company coming to us, we start by making sure that no further accounts can be compromised. After that, we can start to look at making the solution more efficient. And that’s the time to draw up an IAM roadmap.”
What are the current hot topics in the IAM world?
Ricardo Kowsoleea: “Remote access is the big buzzword right now. The Covid pandemic showed people how much of their work can be done from home. But if a company is setting things up for remote work, it needs to provide secure remote access to the relevant company systems. Lots of PAM vendors are currently offering solutions to provide VPN-free secure access to company data for employees, clients, suppliers and third parties.”
“Of course, the compliance legislation hasn’t gone away. Identity Governance remains very important. In fact, more and more companies are getting themselves in a muddle with compliance at the moment – they try and set it up themselves, but eventually realize they don’t have the right skillsets in-house. That’s when they start looking for a vendor who can set up the processes for them, not just deliver the technology.”
Will IAM evolve into a managed service?
Ricardo Kowsoleea: “Definitely! We’re already expanding our portfolio to include managed IAM services. Our goal is to relieve our clients of having to manage the three pillars of IAM. We want to make it as easy for them as Microsoft 365. They’ll pay a monthly price per user and connect to the system whenever they need it.”
Are there other developments you want to tell us about?
Ricardo Kowsoleea: “Yes: we’re finding that along with the transition to SaaS and managed services, the cloud vendors – companies like Microsoft – are bringing out cloud-native IAM solutions. These are interesting options for clients who are moving entirely to the cloud. Another development I’m seeing is that while often IAM vendors used to focus on just one of the three pillars, they’re now expanding their portfolios to provide integrated IAM solutions.”
To finish, can you tell us where IAM fits into Cegeka’s cyber resilience story?
Ricardo Kowsoleea: “One of the reasons that the acquisition of SecurIT by Cegeka was such a positive move is that we’ve been able to fill a gap in a critical domain in Cegeka’s cyber resilience story.”
“IAM extends the current portfolio by bringing in the ‘Identity’ component in each of the cyber resilience domains (see image below). This includes IAM assessment (Assess), tools for managing identities and privileged accounts (Prevent and Recover) and the coupling to SOC services (Detect & Respond). The latter is particularly important as it enables us to actively integrate identity and privileged account monitoring in our Managed Detection & Response service (called C-SOR²C). We’ve thus been able to compile an extensive portfolio of cybersecurity solutions that we can offer our clients now and in future, based on the combined experience of our own experts and selected strategic suppliers. That way, our clients are free to focus on their core business, securely and efficiently!”
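As an added worked example (not part of the interview, and not code from Cegeka or SecurIT), the following Python script models the Identity Governance & Administration mechanics Ricardo describes above: a joiner's accounts are derived from HR attributes, a mover's no-longer-justified rights are revoked (the "collectors" problem), a leaver loses everything, and the resulting entitlement set is checked against segregation-of-duties (SoD) rules. Every role, entitlement name, location and rule in it is a constructed placeholder, not a real product's policy.

```python
"""Toy Identity Governance & Administration (IGA) model.

Added illustration, not the interview's or any vendor's code. It simulates
the joiners/movers/leavers process: entitlements are derived from HR data
(role, location), recomputed on a move, revoked on leaving, and checked
against segregation-of-duties (SoD) rules. All names are constructed.
"""
from dataclasses import dataclass, field

# Entitlements every active employee receives (constructed baseline).
BASELINE = {"ad:account", "office:mailbox"}

# Role -> extra entitlements (constructed policy).
ROLE_POLICY = {
    "sales_rep": {"salesforce:user"},
    "sales_manager": {"salesforce:user", "salesforce:report_admin"},
    "ap_clerk": {"erp:invoice_enter"},      # may enter an invoice ...
    "ap_approver": {"erp:invoice_pay"},     # ... but a different person pays it
}

# Location -> extra entitlements (constructed policy).
LOCATION_POLICY = {
    "office_a": {"vpn:site_a"},
    "office_b": {"vpn:site_b"},
}

# Entitlement pairs that one identity must never hold together (constructed SoD rules).
SOD_RULES = [
    ("erp:invoice_enter", "erp:invoice_pay"),
]


@dataclass
class HrRecord:
    """The authoritative source: what HR knows about a person."""
    user_id: str
    role: str
    location: str
    active: bool = True


@dataclass
class Account:
    """What the target systems currently hold for one identity."""
    user_id: str
    entitlements: set = field(default_factory=set)
    history: list = field(default_factory=list)


def derive_entitlements(rec: HrRecord) -> set:
    """Compute the entitlements an HR record justifies; nothing for inactive people."""
    if not rec.active:
        return set()
    return (BASELINE
            | ROLE_POLICY.get(rec.role, set())
            | LOCATION_POLICY.get(rec.location, set()))


def sod_violations(entitlements: set) -> list:
    """Return every SoD rule pair that the given entitlement set breaks."""
    return [pair for pair in SOD_RULES
            if pair[0] in entitlements and pair[1] in entitlements]


def stale_entitlements(account: Account, rec: HrRecord) -> set:
    """'Collector' detection: rights held that the current HR record no longer justifies."""
    return account.entitlements - derive_entitlements(rec)


def reconcile(account: Account, rec: HrRecord) -> dict:
    """Apply joiner/mover/leaver logic in one step.

    Grants what the HR record justifies but the account lacks, revokes what the
    account holds but the record no longer justifies, and reports SoD conflicts
    in the resulting set so an approver can decide (the policy itself may be
    wrong, so conflicts are reported rather than silently dropped).
    """
    target = derive_entitlements(rec)
    grants = sorted(target - account.entitlements)
    revokes = sorted(account.entitlements - target)
    account.entitlements = set(target)
    result = {"grant": grants, "revoke": revokes, "sod": sod_violations(target)}
    account.history.append(result)
    return result


if __name__ == "__main__":
    rec = HrRecord("u001", "ap_clerk", "office_a")   # constructed joiner
    acct = Account("u001")
    print("joiner:", reconcile(acct, rec))
    rec.role = "ap_approver"                          # the person moves jobs
    # Without reconciliation the old right lingers and an SoD conflict appears.
    collector = Account("u001", set(acct.entitlements) | {"erp:invoice_pay"})
    print("collector stale:", stale_entitlements(collector, rec),
          "sod:", sod_violations(collector.entitlements))
    print("mover:", reconcile(acct, rec))
    rec.active = False                                # leaver
    print("leaver:", reconcile(acct, rec))
```

Running it shows the three lifecycle events as grant/revoke deltas; the "collector" line is the situation the interview warns about, where a manual process leaves the old invoice-entry right in place and the person ends up able to both enter and pay invoices.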