It’s time for a new approach to identity and access management – a modern IAM. In my previous blog entry, I explained how business has been disrupted by mobility and digital transformation, why a microperimeter cyber security strategy is needed and why modern IAM is a key part of that strategy. But what exactly is modern IAM and what are the critical objectives? The best approach is to examine it according to three dimensions:
- Risk-Based security strategy: for making decisions
- DevOps strategy: to enable agility while automating security
- Omnichannel strategy: to improve user satisfaction
Let’s examine these, starting with risk.
Risk-Based Security Strategy
Although every organization’s risk profile is different, safeguarding customer data should be priority number one. A well-managed organization should continually evaluate risk in terms of the impact unauthorized exposure might have on its consumers. That means taking a close look at the risks inherent in all systems and processes that deliver business services, including systems from third parties such as cloud providers.
There are two major kinds of risk: compliance risk and business risk.
- Compliance Risk: Regulatory compliance requires that organizations know who has access to what, a task made more difficult when manual processes are automated by digital transformation initiatives.
- Business Risk: Addressing gaps in business continuity is key to mitigating business risk. Providing business continuity means assuring the timely delivery of services at scale and meeting user experience goals.
Each risk factor should be evaluated as to whether it prevents an organization from meeting business policies, industry standards or government regulations. It should also be evaluated as to its financial impact and customer satisfaction impact.
When an organization’s risk profile is fully understood, it should be applied to IAM through the principles of zero-trust security, both to protect the organization and to enable business activity and employee productivity. Two critical processes handled by IAM are verification of identity prior to establishing a session and monitoring the session itself. By applying zero-trust principles, IAM protects the organization from possible breaches and abuses of privilege.
By enforcing the right level of authentication based on policy, IAM ensures the identity of the person requesting access is properly vetted, and then allows that identity to proceed with business activity under the least privilege required to perform a given task. For example, additional identity verification might be required before a person is allowed to transfer funds across accounts.
DevOps Strategy
A key part of keeping organizations secure is ensuring applications can consume security services through DevOps (sometimes called DevSecOps, because security is built into the process).
Developers are not security experts, so they need a way to externalize critical security capabilities and help ensure security concerns are addressed by DevOps best practices. Developers should treat IAM as a platform delivering secure business services, exposed through industry standards and APIs. In this way, DevOps processes and tools securely connect application infrastructure to IAM business services.
DevOps-friendly IAM systems expose their capabilities through REST APIs, which eases integration and configuration for any deployment requirement. To ease application-specific implementation, they are also built on open security standards such as OAuth2, OpenID Connect, SCIM, SAML and FIDO.
Integrating security into DevOps delivers significant business benefits, particularly the agility to accelerate delivery of secure applications that address both compliance and business risk.
DevOps supplies the tested, capable security glue: proven, scalable security services reached through predictable application integration blueprints, freeing developers to focus on business outcomes.
Omnichannel Strategy
To enable a great user experience, it is important to ensure seamless authentication across the different user access channels, including mobile, web, business applications and bots. A core requirement is a channel-aware authentication policy that applies appropriate rules to each channel. As a result, security, business and operations teams have fewer security silos and fewer security definitions to manage. Users, meanwhile, are relieved of the burden of authenticating themselves over and over across different channels, even as the IAM system applies the correct level of risk management to their sessions on each channel. Finally, omnichannel session management should ensure integrated risk management across channels. For example, when a breach is detected in one channel, the user's sessions in all other channels should be instantly revoked.
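The two mechanisms this post describes, policy-driven step-up authentication for a sensitive action (the funds-transfer case above) and cross-channel session revocation when one channel is compromised, fit together in a small policy engine. The following is an added illustration, not code from the original post or from any IAM product; the assurance levels, the channel and action names, and the policy table are all constructed for the example, and anything not listed in the table is denied by default.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):  # authentication strength a session has earned
    PASSWORD = 1  # single factor
    MFA = 2       # password plus a second factor
    FIDO = 3      # phishing-resistant authenticator


# Constructed policy: minimum assurance per (channel, action); unlisted pairs
# are denied, so a new channel or action stays closed until policy opens it.
POLICY = {
    ("web", "view_balance"): Assurance.PASSWORD,
    ("mobile", "view_balance"): Assurance.PASSWORD,
    ("bot", "view_balance"): Assurance.PASSWORD,
    ("web", "transfer_funds"): Assurance.MFA,
    ("mobile", "transfer_funds"): Assurance.MFA,
}


@dataclass
class Session:
    user: str
    channel: str
    assurance: Assurance
    revoked: bool = False


class SessionManager:
    def __init__(self):
        self._sessions = {}  # session id -> Session

    def login(self, sid, user, channel, assurance):
        self._sessions[sid] = Session(user, channel, assurance)

    def authorize(self, sid, action):
        """Return 'allow', 'step_up' (more verification needed) or 'deny'."""
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return "deny"
        required = POLICY.get((s.channel, action))
        if required is None:  # action not permitted on this channel at all
            return "deny"
        return "allow" if s.assurance >= required else "step_up"

    def step_up(self, sid, assurance):  # completed stronger auth; never lowers
        self._sessions[sid].assurance = max(self._sessions[sid].assurance, assurance)

    def revoke_user(self, user):
        """Cross-channel revocation: end every live session the user holds."""
        hit = [s for s in self._sessions.values() if s.user == user and not s.revoked]
        for s in hit:
            s.revoked = True
        return len(hit)
```

Because the policy is keyed by channel, the same user can be allowed to view a balance from a bot but be forced through step-up (or denied outright) for a transfer, and a single revocation call closes every channel at once.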
As you can see, modern IAM might be a simple concept, but it has far-reaching ramifications. Because of its critical role in modern IAM, Zero Trust will be the focus of my next blog entry.