Busting the Top 3 Identity and Access Management Myths to Boost Security

One of the most exciting things about being in the technology security industry can also be the most challenging — constant and increasing change. Emerging threats, industry innovations, and increasing regulatory requirements can outpace our processes and skills.

Every IT department is facing these same issues and it doesn’t always mean that your team needs to re-invent the wheel. Sometimes, all that’s needed is another look at existing best practices that — when properly applied — can quickly move the needle for an organization’s security posture.

Identity and access management (IAM) is recognized as essential for securing data and other critical assets. And long before it was applied to technology, identity has been a cornerstone of security for centuries.

Names, locations, titles and relationships have served as identifiers long before the advent of computers. And we still use them today ― even in offline scenarios ― although more casually. Meeting new people generally starts with an establishment of each person’s relationship to the current situation and the greater environment.

But remote access, IoT devices and the demise of a fully physical perimeter have elevated the importance of identity to essential in the sphere of technology.

There are well-established IAM fundamentals necessary for securing access to your network:

• Who accesses your networks – including employees, customers and third-party vendors
• How does access occur – this aligns with devices and connections
• Know where access is occurring – including geolocation and time zones
• Know why a user or device is accessing specific information and if that access is appropriate

Advanced IAM solutions on the market today help organizations manage and secure access for people and devices. Using automation capabilities, these products can unburden IT teams and provide more thorough and consistent application of security policies.

Because IAM plays such an important role in every organization’s security posture, it’s important to have a clear understanding of the real challenges and benefits of an IAM strategy and solution. Some organizations are actually hampering their IAM advancement. Others are giving their basic IAM practices more credit for securing their enterprise than they should. Too much reliance — or not enough — can be equally risky.

The top three IAM myths heard from the field are debunked here.

Myth #1: IAM solutions are only for large entities.

There’s a common misconception that IAM solutions require complex systems with large data center footprints and come with a high price tag for implementation and administration that makes them prohibitive for anyone but the “big guys.”

This may have been true in the past, but now the combination of advanced technologies, more vendors competing in the same space, and secure Software as a Service (SaaS)-based IAM models have upended that notion.

Costs are now substantially decreased for both implementation and long-term maintenance. And along with greater cost efficiencies has come greater functionality and control. Organizations can now easily manage identities and their security posture through provisioning, deprovisioning, certification and role-based access control (RBAC) that moves toward a policy of least privilege.

By leveraging a SaaS-based offering, operating system, application and database maintenance becomes a thing of the past. System failover is no longer a concern because the architecture is hosted. The SaaS “configure over code” format means organizations no longer need to specialists in a particular programming language, and new IAM resources are coming with many “out of the box” configurations that work across a broad base. These pre-configurations are also easily “customizable” so organizations can implement an IAM solution quickly and become highly productive in less time without the need to write custom code.

Myth #2: Zero trust comes in a single solution.

The term "zero trust" has moved beyond a security methodology to the marketing vocabulary of security vendors. And while it’s true that some solutions are better suited to advance your zero-trust maturity than others, no single solution delivers a full zero-trust architecture.

When it comes to zero trust for IAM, some cloud solutions get very close and include many of the required components, but no single solution currently includes all of them.

Zero trust for IAM includes:

• Multi-factor authentication (MFA)
• Single sign-on (SSO)
• Privileged access management (PAM)
• Role-based access modeling
• Automatic account elevation
• Identity governance
• Continuous authentication
• User and entity behavioral analytics (UEBA)

These components combine for a zero-trust methodology applied to IAM and provide a high level of assurance. It’s recommended that you integrate IAM solutions to achieve these IAM best practice protocols.

But zero trust goes beyond IAM. And while it’s true that you can’t get to zero trust without IAM, you also can’t achieve zero trust with IAM alone.

Myth #3: MFA stops ransomware attacks.

Implementing MFA for your workforce and third-party vendors is essential. It is the foundational building block to start from when advancing your IAM capabilities. And as vital and necessary as it is for securing identities and access, it doesn’t eliminate the one issue that no IAM solution is equipped to handle — user behavior.

The efforts that can lead to a successful ransomware attack continue to improve, with bad actors using better grammar and spelling in more and more complex phishing campaigns. The best practices for educating and modifying the behaviors of end users include continual training and practice exercises.

Helping your users understand the risks and tactics being used arms them with the knowledge needed to assist in protecting your organization. It also helps them understand the behaviors that put their personal data at risk.

Consider this example: an employee was out to dinner with his family and knew he was not attempting to access corporate assets, yet he still validated an access attempt through MFA on his smartphone. Only training that increases individual awareness and accountability could have stopped this successful ransomware attack.

Having MFA enabled can help you gain and maintain cyber liability coverage with some carriers. Carriers often have varying MFA requirements for hosted email such as Office 365, VPN access, server logins and enterprise-wide implementation. These requirements may affect how your organization layers and manages MFA in your organization, but you shouldn’t let them define your overall identity and access security program.

To strengthen your MFA process, ensure that you are using a solution based on push verifications or biometrics. SMS-based authentication is too easily spoofed with access to a SIM card. MFA is best used as part of a full IAM stack that integrates with an endpoint manager. This protocol puts you in a much better position to secure your organization.

IAM is no longer a luxury reserved for the Fortune 500. Instead, it’s now a prerequisite for improving security and employee productivity in every organization, regardless of size.

While there is no silver bullet to achieve zero-trust maturity, a strong IAM program is a key step in the right direction. The current IAM marketplace includes multiple vendors and solutions that meet nearly every budget and delivery preference — cloud, hybrid or on-prem. Don’t let IAM myths keep your organization from advancing your journey toward zero trust with identity security.