What is identity management and what role does it play in a security strategy?
Make sure only the right people have access to your infrastructure
The data that organisations create, collect and store is valuable, so protecting it from unauthorised access, either internally or externally, is essential. Even a minor data breach could cause huge financial loss and a loss of confidence in your company from consumers and investors alike.
In 2020, data breaches and cyber attacks were at an all-time high, and the constantly evolving nature of threats only emphasises how vital it is to ensure your organisation knows who’s accessing and using your data. This is where identity management becomes an essential part of your security strategy.
Identity management adds a layer of security by identifying individuals, and then authenticating and authorising them to provide them with access to your company’s data systems. It ensures that only the people you want to grant data access to have it, and only to the level they need to do their jobs successfully.
This also includes a process whereby users are confirmed to be who they appear to be, for example through the use of a username and password. However, with more employees working from home than ever before, cyber criminals are exploiting the limitations of monitoring a distributed workforce.
A robust identity management solution can reduce the risk posed by these cyber criminals, reduce costs and minimise demands on IT.
What should identity management systems include?
Identity management systems should include a central directory service of user identities and access permissions. This should be able to grow as an organisation does. It should also help in setting up users' accounts and provisioning users by enabling a workflow that cuts down on errors and abuse.
Access requests should be reviewed at multiple stages with approvals required to mitigate security risks. There should also be a mechanism to prevent privilege creep, the gradual process of a user acquiring access rights beyond what they need.
Other identity management technologies are surfacing, focusing on ease of use in addition to security. Tasks such as the provisioning and de-provisioning of users can be automated, saving both time and resources. When a user leaves the organisation or changes roles, their account is automatically altered to suit.
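The access review that guards against privilege creep and the automated adjustment on role change or departure can be expressed as one reconciliation between what an account holds and what its role needs. The following is an added example, not code from the article or any product; the role names, entitlement strings and directory snapshot are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical role baselines: the access each role needs to do its job.
ROLE_BASELINE = {
    "finance-analyst": {"erp:read", "reports:read"},
    "hr-admin": {"hris:read", "hris:write"},
}

@dataclass
class Account:
    user: str
    role: Optional[str]   # None: the user has left the organisation
    entitlements: set

def plan(accounts):
    """Return {user: {"grant": [...], "revoke": [...]}} for accounts that drift from their role."""
    changes = {}
    for acct in accounts:
        allowed = ROLE_BASELINE.get(acct.role, set())  # leavers and unknown roles: nothing
        revoke = sorted(acct.entitlements - allowed)   # privilege creep or stale access
        grant = sorted(allowed - acct.entitlements)    # access the current role still lacks
        if grant or revoke:
            changes[acct.user] = {"grant": grant, "revoke": revoke}
    return changes

# Constructed directory snapshot.
DIRECTORY = [
    Account("alice", "finance-analyst", {"erp:read", "hris:write"}),  # moved from HR
    Account("bob", "hr-admin", {"hris:read", "hris:write"}),          # matches baseline
    Account("carol", None, {"erp:read", "vpn:connect"}),              # leaver
]

if __name__ == "__main__":
    for user, change in plan(DIRECTORY).items():
        print(user, change)
```

Run on a schedule and on every HR role-change event, the same comparison serves both the periodic review and the de-provisioning workflow.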
Single sign-on technology has been developed, providing employees with just one set of credentials to access applications. This eliminates password issues caused by IT or human error, which are a major drain on IT departments' resources, and also ensures employees can access the applications they need without unnecessary hindrance.
Deploying identity management as part of security strategies
The role of identity management in an enterprise's security strategy should be to meet the task of securing an ever more interconnected, cloud-based network ecosystem.
This means not only making sure those who need access to data and services can get it, but also that those who aren't authorised to access such data and services are prevented from doing so. Both situations require that access attempts are logged and can be later analysed for security purposes.
The issue here is that there are many operating systems and applications within a workplace, and these can all support different methods of authentication, with various repositories for storing credentials and diverse communications protocols.
A security strategy should also consider what kind of granular access your data requires. The more granular you make access rights, the more work is required to keep them up to date.
Another issue is moving data to the cloud. Diligence is needed when porting staff or customers' personal details outside your own network infrastructure.
One way of managing identity and security across heterogeneous networks is the use of federated identity. In essence, an organisation puts its trust in how another organisation deploys its identity management and allows access based on that trust. No personal data needs to be shared with a partner organisation when a user requests access, only an assertion from a trusted organisation that the user is authorised to make such requests.
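The trust relationship described above can be shown from both sides: the partner issues an assertion about an opaque subject ID, and the relying organisation checks issuer, signature, audience and expiry before granting access. This is an added example, not code from the article or any product; the issuer names, key and claim fields are constructed, and HMAC with a pre-shared key stands in for the asymmetric signatures that SAML or OpenID Connect deployments normally use.

```python
import base64, hashlib, hmac, json, time

# Constructed trust settings held by the relying organisation (hypothetical names and key).
TRUSTED_ISSUERS = {"idp.partner.example": b"constructed-demo-key"}
AUDIENCE = "portal.ourcompany.example"

def _sign(key, payload):
    return base64.urlsafe_b64encode(hmac.new(key, payload, hashlib.sha256).digest())

def issue(issuer, key, subject, entitlement, audience, ttl=300, now=None):
    """Partner side: assert that an opaque subject ID is authorised. No personal data."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "ent": entitlement, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return (base64.urlsafe_b64encode(payload) + b"." + _sign(key, payload)).decode()

def verify(token, now=None):
    """Relying side: return the claims if the assertion is acceptable, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        body, sig = token.encode().split(b".")
        payload = base64.urlsafe_b64decode(body)
        claims = json.loads(payload)
    except ValueError as exc:  # wrong shape, bad base64 or bad JSON
        raise ValueError("malformed assertion") from exc
    issuer = claims.get("iss") if isinstance(claims, dict) else None
    key = TRUSTED_ISSUERS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        raise ValueError("issuer not trusted")
    if not hmac.compare_digest(_sign(key, payload), sig):  # constant-time comparison
        raise ValueError("bad signature")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("assertion issued for a different service")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("assertion expired")
    return claims
```

Every rejection path raises a distinct message, so the relying side can log why an access attempt was refused.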
When considering identity management and the role it plays in an organisation's security strategy, one must consider where identity management overlaps with other security projects in place, and whether they share similar goals. Identifying this overlap can avoid duplication of effort and resources.
Integrating identity management with the wider organisation
Even when an IT department has recognised that identity technology will increase security throughout an organisation, the implementation of a chosen system can still create challenges for employees.
Systems that fail to address the balance between ease of use and security could be an obstacle to efficiency, affecting workflows. Many systems focus on just one aspect of identity security, and it's only through combining multiple singular systems and products that organisations can experience complete security and identity visibility. A by-product of this, however, is a negative impact on ease of use.
All-in-one systems offer a holistic solution to security problems. By combining different technologies, they provide the visibility and authentication necessary to deliver security benefits across organisations, while also dismantling efficiency obstacles for employees.
Identity management and hybrid working
The shift to remote working has increased the importance of identity management when managing employees dispersed around the country – or even the entire globe. However, the rise in popularity of hybrid work policies, where workers divide their time between working from home and from the office, has even further highlighted the need to scrutinise access permissions, especially when workers log in on multiple different devices. This is especially common with employees keeping one device at home and another at the office, and working from different laptops or PCs depending on where they’re based on a given day. Although this helps avoid hardware theft, it also means that the employer has to be aware of additional endpoint security needs, as well as ways to mitigate potential attacks on employees using their home network.
Hence, some distribution companies have begun to tailor their offerings to suit the specific post-pandemic needs of their customers. One such company is Tech Data, which at the beginning of 2022 announced a new identity and access management as a service (IAMaaS) designed to tackle the challenges that come with new hybrid working practices.
According to Tech Data’s UK&I Advanced Solutions security director Alison Nixon, “many customers don’t have a policy or a solution in place – and many partners do not have the in-house skills and capabilities to manage IAM for their customers and deliver the right outcomes”.
“Our service breaks that impasse, providing our partners with a managed IAM service that they and their customers can trust,” she added.