Identity Access Management: Who Holds the Keys to Your Data?
Identity access management (IAM) determines which individuals within an organization have access to applications, network shares and data. IAM also ensures that employees have only the access they need for their particular role. According to the IBM X-Force Threat Intelligence Index 2017, 58 percent of cyberattacks in the financial industry are from insider threats. To curb this issue, business leaders across industries must control user access.
Laying the Foundation
When implementing an IAM process, businesses must determine:
- Who owns the IAM process. Often, companies have not determined the overall IAM owner. Best practice allocates ownership to the business and makes IT responsible for assigning the correct privileges on the basis of authorized forms.
- IAM team privileges. If the team isn’t granted sufficient privileges, it will need to assign tickets to other teams to complete access requests. On the other hand, if the team has too much access, the company runs the risk of giving IT more access than any other team in the business. It’s important to strike a balance that enables access requests to be completed in a timely manner while not allowing too many users to access data.
- Secondary controls. Organizations typically run new employee starter processes effectively. An unproductive new starter is very visible to the business. However, it’s often easy to overlook if a leaver process hasn’t taken place or if access hasn’t been removed after a transfer. Companies need a documented evidence process to confirm if access is still required.
Identity Access Management Challenges
Transfer processes require frequent staff rotation. Without careful management, these staff members can end up with access to multiple areas in the business. Businesses can avoid this risk by ensuring that an appropriate secondary control process is in place.
Every business should consider IAM at the start of any project — whether it’s setting up a new technology area or a company acquisition. However, if each new process requires additional specific steps, the IAM process can quickly become unworkable.
Additionally, it can be challenging to receive a budget for IAM process improvement or tool deployment. It’s often difficult to show return on investment unless the business has already experienced a major issue with IAM.
Still, a lack of effective IAM can damage a company’s security. Imagine if the door of your server room fell into disrepair. Most employees would notice this issue the moment it started and do something about it. However, problems with your IAM process will be a lot less visible. It’s crucial to establish a focused IAM plan on your company’s technology road map and ensure that it’s not overlooked during new IT and business developments.