Why Identity and Access Management Strengthens Security
What is data security?Also called information security or computer security, data security refers to protecting databases and websites from unauthorized access to data and maintaining information confidentiality, integrity, and availability.
Why is data security important?Data security is important to gain customer trust, to protect your organization from compliance risk arising from regulatory fines,and to mitigate potential legal costs arising from data breach lawsuits.
What is the compliance risk?In response to increased severity and sophistication of data breaches, governments and industry standards organizations established more stringent cybersecurity compliance requirements. Many of these standards, regulations, and frameworks either suggest IAM controls or require a risk assessment that enable you to review high risk data and users. All regulations and several industry standards incorporate fines for noncompliance. For example, the European Union General Data Protection Regulation (GDPR) incorporates fines up to 4% of the enterprise’s annual revenue or $24 million. Meanwhile, the Payment Card Industry Data Security Standard (PCI DSS) incorporates fines ranging from $5,000 to $100,000 every month until the company addresses control weaknesses.
What are the lawsuit risks?With data breaches becoming more common, governments and industry standards organizations also started allowing citizens to file lawsuits against companies whose noncompliance leads to a data breach. Both the GDPR and California Consumer Privacy Act (CCPA) allow citizens to sue companies for unauthorized access to data. Moreover, the legal standard of care in new regulations is rapidly changing from negligence to strict liability. For example, the GDPR enables data subjects to bring private lawsuits for both material and non-material damage arising from regulatory noncompliance. The ability to bring a lawsuit for non-material, or not really significant, damages means that the legal regulatory responsibility is shifting.
How is data security different from data privacy?Although often used interchangeably, data privacy focuses on organizations authorizing access to personally identifiable information (PII) while data security focuses on preventing unauthorized access to PII. While this might sound similar, authorizing access ensures that the right users have the right access to the right resources at the right time for the right reason. Meanwhile, preventing unauthorized access means ensuring that the right users can only access the minimum amount of data necessary to fulfill their job functions so that no unnecessary access to PII occurs. Many people assume that data security only applies to external users engaging in unauthorized access to data. However, many data breaches arise from internal users. According to the 2019 Data Breach Investigations Report, internal actors accounted for 34% of data breaches. Maintaining a secure infrastructure, therefore, requires creating and maintaining a strong set of controls for internal access to data.
How to use Identity and Access Management to create a more robust security programUsing IAM policies, you can limit user access to and within your infrastructure and applications. Digital transformation has changed the way in which organizations need to view identity. While traditional on-premises definitions of identity focused on humans, new technologies such as service accounts, Internet of Things (IoT) devices, robotic process automation (RPA), and programmatic functions within IaaS/PaaS ecosystems change how you need to create and manage access to information.
Define All UsersSecuring data using IAM starts by defining all users within your ecosystem. These user identities include employees as well as vendors – both human and non-human. To define all users, you need to rate the risk they pose by asking questions such as:
- Who are my employees?
- Who are my vendors?
- Who are my privileged users?
- What applications require service accounts?
- What IoT devices do I need to manage?
- What RPAs do I use to manage repetitive activities?
- What servers do I need to monitor?
- What serverless functions do I need to control?
Rate User RiskRating the risk users pose to your infrastructure means ensuring that you know where you store information as well as the risk a data breach poses to that information. Some questions that can help you create risk-based IAM policies are:
- What information do my users need to fulfill their job function?
- Where do I store my PII?
- Who are my users?
- Who are my most transient users?
- What users are non-human?
- Where are my users located?
- How do I authenticate user access?