Companies have been developing and executing identity and access management (IAM) strategies for decades. “It started with mainframe timesharing, so nothing is new,” says Jay Bretzmann, director of IDC’s security product program. Despite that long experience, there are still opportunities for mistakes, especially when companies are upgrading their IAM platforms to those that can better handle modern IT deployments.
Here are six ways to tell that a company’s IAM strategy is failing.
1. Users can’t access your apps, but criminals can
The main goal of an IAM platform is to let legitimate users reach the resources they need while keeping the bad guys out. If the opposite happens, something is wrong. According to the latest Verizon Data Breach Incident Report, stolen credentials were the most common attack method last year, involved in half of all breaches and in more than 80% of web application breaches.
The first thing companies typically try is to move away from simple username and password combinations and add one-time passwords sent by text message, says Bretzmann. This doesn’t help much, he says, and it annoys users. “If done right, IAM is more than single sign-on and multi-factor authentication,” he says. “It’s about understanding the variety of users requesting access to IT systems and solving their connectivity issues.”
According to Forrester analyst Andras Cser, users who fall within the purview of enterprise IAM systems include employees, business partners, and end customers. They all require different approaches. For employees, companies often turn to identity-as-a-service providers, such as Okta or Azure Active Directory, or on-premises IAM systems, which he says are still more powerful and feature-rich than cloud-based options. For customers, some companies are starting to move from usernames and passwords to social logins like Google and Facebook.
A final category of IAM access is machine identities. According to a survey released last fall by Pulse and Keyfactor, machine identities take a lower priority than user identities, but 95% of CIOs say their IAM strategy can protect machine identities from attack.
Companies must also pay attention to the fact that they have to protect all these different types of users in a variety of environments: on-premises, cloud, SaaS, mobile, and work from home.
2. Siloed identity and access management platforms
Many organizations use different solutions for access management, for identity governance and administration, and for privileged access management, says Henrique Teixeira, an analyst at Gartner. Silos create extra work, he says. “And there are often gaps between each solution that attackers can exploit.”
Providers are beginning to move toward unified systems to address this problem, says Teixeira. “Okta and Microsoft, for example, have started to offer more converged platforms.” By 2025, Gartner estimates that 70% of IAM adoption will be through these converged IAM platforms.
Client-facing IAM is lagging even further behind, says Teixeira. “Most organizations use custom applications built in-house. That’s problematic when dealing with new regulatory requirements for privacy and infrastructure protection against more modern types of attacks.”
3. IAM implementation plan too aggressive
It can be tempting to think that an IAM platform will do everything at once. Executives can get too excited about a solution and vendors can promise too much, Cser says. “That’s problematic for a lot of organizations,” he says. “If you’re trying to install an access management solution and you have to have all 300 of your applications active in one day, you’re going to fail.”
Cser recommends a staged implementation instead. Trying to do it all at once is not realistic. For example, despite what vendors promise, companies typically have to do more customization and orchestration work to integrate their applications. This is particularly true if a modern approach to IAM requires redesigning internal processes. He recommends that companies undertaking an IAM upgrade take the opportunity to simplify and streamline processes first. “And not implement existing clutter. It’s like moving. When you move from one place to another, you want to throw things out first and not move them to the new location.”
4. Separate authentication and authorization
“IAM is the cornerstone of any IT and security program,” says Rohit Parchuri, CISO at Yext, a search technology company. Without it, other security controls have diminished business value and won’t reach their full potential, he says. “You need to know what users and assets exist in your portfolio before you can start protecting them. IAM provides both visibility into the access landscape as well as enabling features to control that access.”
In previous roles, Parchuri ran into a couple of issues implementing IAM. “When we originally ventured into running IAM, we didn’t add a few things to our success criteria,” he says. The first problem was that authorization was treated as a separate entity from authentication. “With a separate authorization server, we had to alternate between authentication and authorization practices on two different systems.” This increased the total cost of ownership and placed an additional burden on the team to manage two separate entities.
5. Authentication coverage blind spots
Another problem Parchuri faced was that some internal systems were not cataloged and still relied on local authentication. “Having local authentication on our internal systems, there was a lack of visibility in terms of session management and user onboarding and offboarding practices,” he says. The IAM tool should have taken care of these tasks, but it didn’t.
The company discovered the gap while running a reconciliation exercise in its asset management software. “We found that applications noted in our configuration management database were not captured in the IAM tool,” says Parchuri. “Once we identified those applications, we also noticed that the IAM tool outsourced authorization validation to locally deployed local systems, even though they existed in the IAM tool as an entity.”
To fix the problem, the hardest part was figuring out whether the IAM tool and the internal tools could integrate using Security Assertion Markup Language (SAML) or System for Cross-domain Identity Management (SCIM). “Once we were able to get it up and running, the rest was perpetual execution and management,” Parchuri says.
6. Multiple IAM systems causing visibility issues
Enterprises sometimes have challenges integrating disparate IAM platforms, says Luke Tenery, a partner at StoneTurn, a global advisory firm that specializes in regulatory, risk and compliance issues. “If you have too many identity management systems, it’s hard to find relationships between security anomalies,” he says. “That’s where the pain is.”
Many cyber attacks, for example, involve some type of email compromise. If the same identity is also used to, say, access a company’s Salesforce system, there could be a significant delay before that second attack vector is discovered. “If it’s the same username and password, but it’s managed in a decentralized way, they might not see the compromise in Salesforce,” says Tenery. “If the dwell time is longer, there is a greater risk of impact on the organization. The longer the cancer remains in the body, the longer the threat has to cause damage.”
Tenery says he saw a case where threat actors were able to break into a Salesforce database for a global hospitality provider’s loyalty program, gaining access to millions of customer records. The solution is to create a holistic view of identity and access management across the enterprise. “Putting that connective tissue together can be an arduous process,” he says, “but there are platforms available to help organizations consolidate their IAM functions.”
If direct integration isn’t an option, says Tenery, there are advanced tools leveraging machine learning and artificial intelligence that can create automations to build those links. For Salesforce and Office 365, direct integrations are available. “And there are third-party tools, like Obsidian Security, that we use,” he says. “It’s a platform that leverages different forms of automation and machine learning to identify identity links to detect security anomalies and manage identity risk.”
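As an added illustration (not from the article or any vendor it names), the Python script below shows the kind of cross-system correlation Tenery describes: it takes constructed compromise alerts from a mail platform and login records from a separately managed CRM, maps both systems' identifiers onto one enterprise identity, and reports how long the second system was exposed before the link would have been visible. The event data, the identifier formats and the seven-day window are all assumptions.

```python
"""Correlate a mail-account compromise with later logins by the same
identity in a separately managed system, and measure the dwell time."""
from datetime import datetime, timedelta

# Constructed sample events (not taken from any real incident). The two
# silos key users differently: the mail platform by address, the CRM by
# a bare username, so neither alone shows the link.
MAIL_ALERTS = [
    # (timestamp, user, event)
    ("2022-03-01T08:10:00", "j.doe@example.com", "suspicious_login"),
    ("2022-03-01T09:30:00", "a.lee@example.com", "suspicious_login"),
]
CRM_LOGINS = [
    ("2022-03-01T08:05:00", "j.doe", "login"),   # before compromise: ignored
    ("2022-03-02T14:10:00", "j.doe", "login"),   # 30 h after compromise
    ("2022-03-03T11:00:00", "a.lee", "login"),   # 49.5 h after compromise
    ("2022-03-01T10:00:00", "m.ray", "login"),   # no mail alert: ignored
]


def canonical(identity):
    """Map each silo's identifier onto one enterprise identity
    (the 'connective tissue' between the two systems)."""
    return identity.split("@")[0].lower()


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(mail_alerts, crm_logins, window=timedelta(days=7)):
    """For each mail compromise, find CRM logins by the same identity
    within `window` afterwards. Each finding records how many such
    logins occurred and the hours between compromise and the first one."""
    findings = []
    for ts, user, _ in mail_alerts:
        t0, who = parse(ts), canonical(user)
        later = sorted(parse(t) for t, u, _ in crm_logins
                       if canonical(u) == who and t0 <= parse(t) <= t0 + window)
        if later:
            findings.append({"identity": who,
                             "compromised_at": t0.isoformat(),
                             "crm_logins_after": len(later),
                             "dwell_hours": (later[0] - t0).total_seconds() / 3600})
    return findings


if __name__ == "__main__":
    for finding in correlate(MAIL_ALERTS, CRM_LOGINS):
        print(finding)
```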
Copyright © 2022 IDG Communications, Inc.