COVID-19 set the stage for a boom in enterprise security issues. Mass layoffs, more employees working from home, reliance on contract workers, and an onslaught of new pandemic-focused cyberthreats have created a security nightmare for many IT and InfoSec teams.
Organizations are grappling with how to provision and deprovision employees quickly and accurately, manage and limit transitional workers’ access to systems and applications, and secure the company’s perimeter now that the traditional security perimeter no longer exists.
In these unstable times, your identity and access management (IAM) strategies will be tested, so it’s crucial that you ensure you are doing everything right. If you are new to IAM or just have a sneaking suspicion that your enterprise systems and applications aren’t as secure as they should be, here are some common mistakes security teams make when implementing IAM and what you can do to avoid making them yourself.
Mistake #1: Biting Off More Than You Can Chew
When kicking off an IAM initiative, it’s not uncommon for the team in charge to start too granularly. Early on, the priority is controlling complexity. If you come out of the gate with roles and entitlements that are too fine-grained, you lose sight of the situation as a whole. This is a huge waste of time and resources: if you haven’t yet identified your actual access needs, assigning fine-grained access and entitlements leads to security issues (the wrong people with access to things they don’t need), productivity issues (the right people unable to reach the resources they do need), and a lot of rework for IT sorting everybody back out.
For example, when implementing a new IAM solution in a hospital, instead of immediately defining a rule for emergency room nurses who need access to a specific module within the electronic medical record (EMR) system, it’s better to first provision all nurses with high-level access to the EMR and then carve out more granular populations for the different kinds of nurses.
Pro tip: When you launch your IAM solution, bring in as many users and business systems as possible and then slowly add more granular access based on need. This approach helps you identify actual needs versus assumed needs, and address them appropriately. Being conservative in the amount of access granted will provide greater visibility into who has access to what resources and reduce the complexity of troubleshooting security issues.
Mistake #2: Automating Bad Processes
Automation is often touted as a silver bullet, capable of making all of your security troubles disappear. While automation does help remove the human-error component, automation alone can’t fix everything.
A lot of IAM rookies (and even some of the veterans) get laser-focused on the technology without fully examining and understanding the business processes they are automating. In other words, IT’s perception of what the business needs often doesn’t align with their actual needs.
But a bad process is a bad process even if it’s automated. And automating a bad process often perpetuates or even exacerbates bad outcomes. The old Garbage In/Garbage Out conundrum.
Pro tip: Reviewing the business process with leadership and the business ensures that the business gets exactly what it needs, rather than what IT perceives is needed.
Mistake #3: Only Taking Provisioning Halfway
Onboarding new hires is obviously a big priority so they are up and running (i.e., generating ROI) as quickly as possible. But many organizations don’t have the same sense of urgency when it comes to offboarding employees.
Automating the provisioning process but not following through with deprovisioning has huge security implications for a company. Leaving accounts open and unattended is practically begging cybercriminals to come in and play. Automated deprovisioning also reduces the risk of a disgruntled former employee going out in a blaze of glory.
Pro tip: Every piece of access granted to an employee must eventually be taken away, whether the employee is changing roles or separating from the company. Each employee’s access and permissions should be tracked all the way up and all the way back down over the course of their employment. Failure to follow through leaves former employees with access to company resources and leaves unattended accounts vulnerable to cyberattacks.
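The joiner/mover/leaver reconciliation described above, as an added example that is not code from the original article: it compares an HR roster (the system of record) against the access each account currently holds and computes what to grant, revoke, and disable. The roster, roles, entitlements, and account names are constructed sample data for the hospital scenario used earlier in the article.

```python
# Constructed sample data (hypothetical names, roles and entitlements).
# HR_ROSTER is the system of record; CURRENT_ACCESS is what the IAM
# directory actually holds, including accounts that were never cleaned up.
HR_ROSTER = {
    "anita": {"status": "active", "role": "er_nurse"},
    "bo": {"status": "active", "role": "billing"},        # mover: was er_nurse
    "chen": {"status": "terminated", "role": "er_nurse"},  # leaver
    "erin": {"status": "active", "role": "billing"},      # joiner: no account yet
}

# Coarse role-to-entitlement map, in the spirit of Mistake #1:
# every nurse gets high-level EMR access, ER nurses add one module.
ROLE_ENTITLEMENTS = {
    "er_nurse": {"emr_read", "emr_er_module"},
    "billing": {"emr_read", "billing_app"},
}

CURRENT_ACCESS = {
    "anita": {"emr_read", "emr_er_module"},                 # correct
    "bo": {"emr_read", "emr_er_module", "billing_app"},     # kept old ER module
    "chen": {"emr_read", "emr_er_module"},                  # never deprovisioned
    "dave": {"billing_app"},                                # orphan: not in HR at all
}


def reconcile(roster, role_entitlements, current_access):
    """Return the actions needed to make actual access match HR.

    Leavers and orphans (accounts with no HR record) have everything revoked
    and the account disabled; movers lose entitlements their new role does not
    include; joiners and movers gain whatever their role grants that they lack.
    """
    actions = {"grant": {}, "revoke": {}, "disable": []}
    # Pass 1: anyone holding access who is not an active employee is a leaver/orphan.
    for user, access in current_access.items():
        record = roster.get(user)
        if record is None or record["status"] != "active":
            if access:
                actions["revoke"][user] = set(access)
            actions["disable"].append(user)
    # Pass 2: active employees are diffed against their role's entitlement set.
    for user, record in roster.items():
        if record["status"] != "active":
            continue
        wanted = role_entitlements[record["role"]]
        have = current_access.get(user, set())
        if wanted - have:
            actions["grant"][user] = wanted - have
        if have - wanted:
            actions["revoke"][user] = have - wanted
    return actions
```

Run on a schedule, the "disable" list is exactly the set of accounts Mistake #3 leaves open: people HR has already separated, plus accounts HR has never heard of.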
Mistake #4: Not Having a Roadmap
An IAM strategy can’t succeed without leadership buy-in and direction. Executives and senior-level management provide both the funding and the business objectives needed to implement an effective IAM solution.
Get business leaders involved early and often in the process so that every aspect of the organization can align IAM initiatives and responsibilities to the overall direction of the business. They will provide a comprehensive inventory of the business systems and applications you will need to consider and you will know what budget you have available to work with.
Business leaders will also be responsible for identity governance and administration (IGA), which provides visibility into the organization’s perceived security posture versus the reality. IGA answers the question of “why” a user has certain access. Only business leadership and their designees can answer that “why.”
Pro tip: Communicate with leadership from the start so that you have top-down support for the implementation and alignment across the organization, and so the IAM initiative furthers business objectives and goals. Leadership can also use its weight to push through the changes IAM introduces, which will inevitably draw pushback.
Mistake #5: Skipping the Formal Security Policy
IAM is an integral part of today’s enterprise security strategies. As such, it is crucial to define all IAM processes in a formal security policy. For those new to IAM, it’s easy to overlook or put off this step in the implementation process, but not creating and documenting formal IAM policies can lead to compliance breaches and lack of adherence to company policies, like the separation of duties.
Change is difficult for any organization, especially when they are flying blind. Formal security policies get everyone rowing in the same direction.
Drafting a formal IAM security policy gives deeper insight into the scope of your security efforts by requiring the team to map employee access throughout the organization from end to end. This level of scrutiny uncovers weaknesses in areas that otherwise may be missed. Enacting a formal IAM security policy enables you to react quickly to security events and be audit-ready by maintaining compliance standards and adherence to company policies at all times.
Pro tip: If you don’t have one already, create an official security policy document that defines your company’s compliance requirements and clearly states how user access and authorization are managed in your organization. Business environments are in a state of flux right now, so schedule regular reviews of your policies and documentation, as circumstances can change quickly.
In today’s uncertain business landscape, you can’t afford not to have a comprehensive identity and access management solution in place. Whether you are building your strategy from the ground up, or you just need to make your solution more robust, avoiding these five common pitfalls will help streamline the process and create an end product you trust to secure access to your most business-critical systems and applications.