In a recent presentation to business leaders, Kent Goodrow, a Systems Engineering client Account Manager, spoke about the evolution of identity and access management (IAM). He noted the increasing business exposure to modern threats due to work-from-anywhere, cloud-first environments. Kent detailed how IAM has evolved over the last few years and how it now works to protect access to corporate resources. Below is an outline of his presentation on implementing IAM as your organization's first line of defense.
What is Identity and Access Management?
IAM manages two critical functions: identities (who users are, what device they are using, where they are located) and access (what they can reach on your network, such as files, applications, and systems). The evolution of IAM refers to changes in how identities and access are managed as IT environments embrace the cloud. Managing user identities and access levels is becoming increasingly important for IT to get right, because these are the primary entry points to your important systems and resources.
Traditional IAM Security Landscape
The traditional IAM process relates to how users access applications and data that live on-premises. File and folder permissions control what staff have access to on the network and applications. Your firewall devices are configured to keep bad actors out of your network. Remote workers likely access the network through a secure Virtual Private Network (VPN) potentially with multi-factor authentication (MFA) enabled.
Modern IAM Security Landscape
Today, cloud-first, access-data-from-anywhere network models challenge how we securely access corporate and customer data and applications. For example, cloud Infrastructure-as-a-Service (IaaS) and SaaS hosting solutions are available from your line-of-business (LoB) application vendors. These applications typically exist in one or more public clouds such as Microsoft, Google, or Amazon Web Services. Requests for access to your systems or data could originate from anywhere in the world, which means your cloud security strategy must govern digital identities and access.
Proliferation of Software-as-a-Service (SaaS)
As mentioned above, a major part of the change in IAM is the migration from on-premises and "boxed" software to IaaS and SaaS models. Offerings like Virtual Desktop Infrastructure (VDI), hosted Desktop-as-a-Service (DaaS), and cloud LoB applications are evidence of this change. The increasing need to secure multiple applications living across multiple clouds, and to protect client and corporate data, is giving many organizations new hurdles to overcome.
Zero Trust Security Model
These new security challenges bring about the concept of Zero Trust. Zero Trust, as its name suggests, means trusting nothing by default. Access is only allowed once the user, the device, and the process have passed a series of checks and balances. Historically, placing a firewall at the edge of your network meant that anybody operating inside the network was implicitly trusted. Zero Trust is contrary to that thinking. In practice it is a recurring series of "if/then" checks, with policies and procedures revisited regularly to ensure they align with your security strategy.
Zero Trust Principles
There are three overarching principles that get to the core of what Zero Trust is all about:
- Verify Explicitly - Implicit trust, trusting any activity behind a network's firewall or perimeter, is abandoned with Zero Trust. All available data points (device, location, etc.) are used to make sure a user is who they say they are.
- Least Privileged Access - The idea of least privileged access is giving people just enough access to the systems and resources they need to get their job done.
- Assume a Breach - Every authentication attempt is treated as though it could potentially be malicious.
With Zero Trust, you no longer implicitly trust anyone or anything whether inside or outside of your network proper. All applications and access scenarios are evaluated within the Zero Trust principles, and when in doubt, deny access.
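To make the "if/then" checks concrete, here is an added example (not part of the presentation or any Systems Engineering product) of a deny-by-default access evaluator that applies the three principles to every request. The users, resources, grants and allowed countries are constructed sample data.

```python
"""Deny-by-default Zero Trust access evaluator (illustrative example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One access request with the signals available at decision time."""
    user: str
    mfa_passed: bool          # identity signal: did MFA succeed for this session?
    device_compliant: bool    # device posture signal (constructed)
    country: str              # location signal (constructed)
    resource: str             # what is being accessed
    action: str               # "read" or "write"


# Constructed sample policy: least-privilege grants per user and resource.
# Anything not listed here is denied; there is no "inside the network" shortcut.
GRANTS = {
    "alice": {"payroll-db": {"read"}, "wiki": {"read", "write"}},
    "bob":   {"wiki": {"read"}},
}
ALLOWED_COUNTRIES = {"US", "CA"}


def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every check must pass; the default is deny."""
    reasons: list[str] = []
    # Verify explicitly: use all available signals, not network location alone.
    if not req.mfa_passed:
        reasons.append("mfa not satisfied")
    if not req.device_compliant:
        reasons.append("device not compliant")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append(f"location {req.country} not permitted")
    # Least privilege: the user must hold this exact action on this resource.
    if req.action not in GRANTS.get(req.user, {}).get(req.resource, set()):
        reasons.append(f"no grant for {req.action} on {req.resource}")
    # Assume breach: the decision is made afresh for each request; nothing
    # is inherited from an earlier success, so a denial here is final.
    return (not reasons, reasons)


if __name__ == "__main__":
    for r in (Request("alice", True, True, "US", "payroll-db", "read"),
              Request("alice", True, True, "US", "payroll-db", "write"),
              Request("bob", True, False, "FR", "wiki", "read")):
        allowed, why = evaluate(r)
        print(r.user, r.action, r.resource, "ALLOW" if allowed else "DENY", why)
```

Each denial carries the failed checks, which is the information an audit log or SOC analyst needs when reviewing why access was refused.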
IAM Business Hurdles
There are several hurdles to overcome when addressing IAM within your organization.
- Strategy - Knowing where to start. This is often the most challenging aspect for business leaders.
- Productivity - How IAM implementations may affect day-to-day business.
- Ongoing management - Once IAM has been deployed, ensuring ongoing success.
Getting Started
Before implementing IAM in your organization, there is one last concept to be familiar with: "Maturity Model." This term relates to how your organization's systems line up in relation to the Zero Trust principles. The model refers to user identities, devices, networks, and applications and can be categorized into three levels:
- Traditional - On-premises infrastructure.
- Advanced - Beginnings of Zero Trust adoption.
- Optimal - Mature adoption of Zero Trust across the organization’s application and data footprint.
Once your level is defined, your maturity model will directly relate to your Zero Trust security strategy and help identify which IAM solutions apply to your organization.
The rising frequency of breaches and zero-day vulnerabilities makes it necessary for organizations to embrace identity and access management. The traditional "set it and forget it" firewall security strategy is no longer enough. The threat exposure has become so significant that organizations must adopt a Zero Trust model to defend against modern threats, using IAM as the first line of defense.
IAM security is an essential component in an effective cloud security strategy. If you are interested in IAM and other solutions that protect your business in the cloud, our Cloud Security service can guide you to become a more secure and compliant organization.
If you are a Systems Engineering client and have questions about IAM, please reach out to your Account Manager. Others, please connect with us at info@systemsengineering.com or call 888.624.6737.