August 27, 2019

Why Identity and Access Management Strengthens Security

Karen Walsh

Why Identity and Access Management Strengthens Security

While protecting a data breach from external malicious actors is glamorous, creating an effective Identity and Access Management (IAM) program matures your data security program to help protect information. As your enterprise seeks to create a security digital transformation strategy, managing the expanding identities across on-premises, hybrid, and cloud infrastructures becomes difficult. As the perimeter shifts from networks to identity, maintaining a robust Identity and Access Management program strengthens security and matures your cybersecurity program.

What is data security?

Also called information security or computer security, data security refers to protecting databases and websites from unauthorized access to data and maintaining information confidentiality, integrity, and availability.

Why is data security important?

Data security is important to gain customer trust, to protect your organization from compliance risk arising from regulatory fines,and to mitigate potential legal costs arising from data breach lawsuits.

What is the compliance risk?

In response to increased severity and sophistication of data breaches, governments and industry standards organizations established more stringent cybersecurity compliance requirements. Many of these standards, regulations, and frameworks either suggest IAM controls or require a risk assessment that enable you to review high risk data and users. All regulations and several industry standards incorporate fines for noncompliance. For example, the European Union General Data Protection Regulation (GDPR) incorporates fines up to 4% of the enterprise’s annual revenue or $24 million. Meanwhile, the Payment Card Industry Data Security Standard (PCI DSS) incorporates fines ranging from $5,000 to $100,000 every month until the company addresses control weaknesses.

What are the lawsuit risks?

With data breaches becoming more common, governments and industry standards organizations also started allowing citizens to file lawsuits against companies whose noncompliance leads to a data breach. Both the GDPR and California Consumer Privacy Act (CCPA) allow citizens to sue companies for unauthorized access to data. Moreover, the legal standard of care in new regulations is rapidly changing from negligence to strict liability. For example, the GDPR enables data subjects to bring private lawsuits for both material and non-material damage arising from regulatory noncompliance. The ability to bring a lawsuit for non-material, or not really significant, damages means that the legal regulatory responsibility is shifting.

How is data security different from data privacy?

Although often used interchangeably, data privacy focuses on organizations authorizing access to personally identifiable information (PII) while data security focuses on preventing unauthorized access to PII. While this might sound similar, authorizing access ensures that the right users have the right access to the right resources at the right time for the right reason. Meanwhile, preventing unauthorized access means ensuring that the right users can only access the minimum amount of data necessary to fulfill their job functions so that no unnecessary access to PII occurs. Many people assume that data security only applies to external users engaging in unauthorized access to data. However, many data breaches arise from internal users. According to the 2019 Data Breach Investigations Report, internal actors accounted for 34% of data breaches. Maintaining a secure infrastructure, therefore, requires creating and maintaining a strong set of controls for internal access to data.

How to use Identity and Access Management to create a more robust security program

Using IAM policies, you can limit user access to and within your infrastructure and applications. Digital transformation has changed the way in which organizations need to view identity. While traditional on-premises definitions of identity focused on humans, new technologies such as service accounts, Internet of Things (IoT) devices, robotic process automation (RPA), and programmatic functions within IaaS/PaaS ecosystems change how you need to create and manage access to information.

Define All Users

Securing data using IAM starts by defining all users within your ecosystem. These user identities include employees as well as vendors – both human and non-human. To define all users, you need to rate the risk they pose by asking questions such as:

Who are my employees?
Who are my vendors?
Who are my privileged users?
What applications require service accounts?
What IoT devices do I need to manage?
What RPAs do I use to manage repetitive activities?
What servers do I need to monitor?
What serverless functions do I need to control?

Rate User Risk

Rating the risk users pose to your infrastructure means ensuring that you know where you store information as well as the risk a data breach poses to that information. Some questions that can help you create risk-based IAM policies are:

What information do my users need to fulfill their job function?
Where do I store my PII?
Who are my users?
Who are my most transient users?
What users are non-human?
Where are my users located?
How do I authenticate user access?

Provide User Access To Resources

After rating user risk, you need to find a way to provide access to resources using the principle of “least privilege.” In short, you need to limit the amount of access you provide users so that they cannot access more information than they need. While role-based access controls (RBAC) worked to control access in on-premises IT infrastructures, cloud-based applications and infrastructures need dynamic, context aware attribute-based access controls (ABAC). ABAC enables you to create detailed, fine-grained access privileges that incorporate a user’s role, location, group, and other attributes that help limit access across a variety of factors.

Continuously Monitor User Access

In the same way that you monitor your networks, applications, and software from malicious external actors, you also need to monitor access from internal actors. For example, a Portguese hospital whose medical staff had more access to patient information than necessary to do their jobs received a 400,000 € fine for allowing unauthorized access to records. While the GDPR is a privacy regulation, medical practitioner excess access can lead to a data exfiltration that compromises data security. As users request additional access to resources, you need to ensure that you maintain your “least privilege” controls. However, as users request additional access, managing the request/review/certify process becomes overwhelming which can increase human error and security risks.

Why IAM analytics ease data security burdens

Automating the IAM process enables you to mature your cybersecurity program by establishing risk-based, context-aware controls. Once you create the controls, an automated tool that incorporates intelligent analytics allows you to streamline the time-consuming, mundane tasks often associated with IAM.

Create a Single Authority for Identity with Role-Mining

Using an automated tool, you can bring together the different definitions for users, roles, groups, and identities from across your ecosystem. Since each SaaS, IaaS, and PaaS service uses its own definitions, many organizations struggle to create a single authoritative source of identity. The IT administrators need to manage multiple monitoring locations which increases human error. Moreover, it makes managing segregation of duties difficult. Using intelligent analytics for role-mining, an automated tool creates a single source of identity across the ecosystem, providing a single location for monitoring. Automated tools reduce human error risk which also reduces potential compliance and security risks.

Fine-grained, Detailed Access Entitlements

Automation that provides fine-grained entitlements enables better control over access to and within your ecosystem. The more detailed the attributes you apply, the more focused your access entitlements are. Fine-grained access entitlements both protect you from privilege misuse and provide better access for your employees.

Streamline Request/Review/Certify Process with Predictive Access

Automated tools with analytics enable predictive access. Using predictive access with intelligent analytics, your users can request access in the automated tool then obtain near-real-time access based on peer- and usage-based data. Additionally, not only does predictive access restrict users from excess access, it also provides proactive additional access that they might need in the future.

Automation Reduces Operational and Compliance Risks and Costs

Many operational and compliance risks inherent in managing governance over your digital transformation strategies arise from human error. Multiple locations for managing risk, divergent identity definitions, and lack of non-human identity definitions across the ecosystem increase operational costs and compliance risk. Using automation to create an authoritative source for identity that continuously monitors your infrastructure for anomalous access requests reduces time-consuming administrative tasks. Moreover, automation reduces compliance risks by providing governance over your IAM program and ensuring you maintain compliance with internal controls.

Why Saviynt? Intelligent Analytics for Smarter Security

Saviynt’s cloud-native platform offers flexible deployments, including on-premises only or hybrid/cloud to match your infrastructure governance needs. Saviynt’s intelligent analytics enable organizations to create fine-grained entitlements so that they can secure access to and within their ecosystems. With our platform, you can choose an authoritative source of identity – either from your human resources’ platform, within our platform, or from another service – and then use our intelligent analytics to role-mine across divergent definitions to find the similarities. This process creates standardized identity definitions for all users. Within our Gartner-recognized Identity Governance and Administration (IGA) platform, you can create fine-grained access entitlements access based on the information our platform obtain from the application’s database. Bringing together all of the attributes from across the ecosystem, our platform then monitors for anomalous access requests to ensure consistent policy application across the ecosystem to prevent excess access or SOD violations. By converging our IGA analytics with cloud privileged access management, our Cloud PAM solution enables stronger cloud security. As a cloud-native solution, Saviynt’s Cloud PAM solution detects a variety of new risks in near-real-time, including workloads, containers, servers, and serverless functions. Our suite of solutions enables you to create a holistic approach to IAM that enables you to mature your cybersecurity posture by securing your identity perimeter. For more information or for a free trial, contact us today.