It’s beyond doubt that digital transformation has been a savior for many businesses in terms of cost savings and improved efficiency, but going fully online also comes with risks.
In fact, organizations embracing digital transformation must also understand the cybersecurity risks that come with it, like data breaches and identity theft, which cannot be prevented solely by deploying a strong password manager.
In this interview with Hanno Ekdahl, Founder & CEO of Idenhaus Consulting, we will learn how they create effective Identity Management and Cybersecurity programs for their clients, and what you can start to do now to better protect your online identity.
How did you end up in the cybersecurity field?
I had a background in computer science and had worked as a programmer to pay my way through college. Fast forward to a few years later, and I was graduating with my Master’s in International Business and started working for Cambridge Technology Partners doing dotcom strategy work. We were acquired by Novell, and it was at that point that I started moving into Cybersecurity with an emphasis on Identity Management.
Can you give us an overview of the services you offer?
We provide a range of Cybersecurity services, including:
- Identity and Access Management solutions (strategy through implementation)
- FedRAMP advisory services
- FedRAMP Continuous Monitoring
- FedRAMP ISSO as a service
- SOC 2 services
- NIST Assessments
- Security Policy Development
- Pen Testing/Vulnerability Scanning
- Secure code reviews
What are in your opinion the best practices for secure Identity and Access Management?
At the heart of it, Identity Management solutions are intended to help make identity management easier, not more difficult. However, when not properly implemented, solutions that are designed to help can really seem more like a hindrance. Best practices begin by understanding that Identity Management touches everyone and everything and is more than just a point solution. For this reason, best practices begin with a Systems Thinking approach to your IAM implementation.
Systems thinking provides a way of gaining a big-picture view of commonly occurring systemic problems in organizations, namely, the tendency to implement “Band-Aid” fixes and the tendency to shift the burden from one functional area to another. Understanding these two common pitfalls in problem-solving is particularly useful in understanding and resolving problems that frequently plague Identity Management-related process improvement efforts.
Here are some fundamental Best Practices for IAM Implementations:
- Involve stakeholders from different functional areas that touch the processes and systems before attempting to define and solve a given IAM problem to mitigate political risk
- Evaluate and remediate data quality issues across systems from HR to your service directories and applications. If the data quality is low, you will need time to address the issue, so get started early.
- Create a data dictionary that shows the flow of attributes across systems to support solution design and implementation
- Map out user lifecycle processes beginning with HR to understand where potential issues exist with the timing of steps, bottlenecks, and workarounds that may impact your solution
- Look beyond the ‘crisis du jour’ and consider the long-term sustainability of the solution before making the decision to implement a quick fix
- Committing to long-term change is challenging. Both the HR and IAM teams need a shared vision for what they are trying to accomplish (e.g. IAM maturity model) and persevere through the difficult discussions and decisions that are part of any systemic change
What are the cybersecurity risks of implementing identity management?
The risks of implementing identity management arise in several areas:
- Identity Management (IAM) becomes a Target. IAM solutions are high-value, centralized targets for bad actors. As the user identity lifecycle is more automated and managed by the system, the IAM solution itself becomes an attractive security target. To mitigate this risk, organizations should properly secure their IAM platforms with advanced authentication measures, such as multi-factor authentication.
- Mediocre Access Management, where users are over-privileged and have more access than they need to do their jobs. This can result from improperly defined access rules or the mismanagement of user roles. For example, role-based access control models can provide a high level of security and efficiently manage user access if done properly. However, if the roles are poorly defined and managed, it can have the opposite effect, where users are granted access to applications and services they don’t need. In the worst scenarios, this can result in having users with inappropriate separation of duties, which can lead to bad business outcomes as well as compliance issues.
- Poor Governance. If it is not clear who defines access rules, security policies, and standards, the organization is at risk of making localized decisions that lead to undue cybersecurity risks for the organization. Ultimately, the governance model should feed into the risk management framework and include input from business leaders to create the policy.
- Limited IAM Integrations. When it comes to user lifecycle management, there are many moving parts. If the IAM solution is not integrated with an organization’s key systems, then user processes (joiners, movers, leavers) are not fully automated. This puts the burden on administrators to fill in the gaps and, as people often do, they may fall short and not properly provision/deprovision users. This becomes a particular problem when workers leave the organization, and their legacy accounts are not removed from systems in a timely manner. One way to mitigate this risk is to open tickets in the support system to track user access for non-connected endpoints so that it can be cleaned up later. Ultimately, all key systems should be integrated into the IAM platform to eliminate this risk.
- Insufficient Training. Identity and Access Management integrates identity lifecycle processes, security policies, and automated integrations to rapidly update user accounts and access across the enterprise. While the benefit of automation is that it streamlines repetitive processes and reduces the amount of administrator overhead required to perform common IAM tasks, it is a double-edged sword because administrator errors can be rapidly propagated by the system and negatively impact a large number of users in a short timeframe. Because of the complex interactions between people, policy, and process, admins must be trained to set up automations and ensure they’re functioning properly before deploying. The mitigation here is to provide the budget and time to keep your administrators current on the technology.
- Lack of Access Reviews. As businesses evolve their strategies, new systems and applications are added to the environment and users require modifications in their access. Entitlement Creep, where new access is granted to users but old access is not removed, is a common problem. Without regular Access Reviews, it can lead to a situation where users have access to applications and data that they no longer need. Implementing regular access reviews to complement the IAM system is the best way to mitigate this risk.
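Three of the risks named in the answer above (leavers whose legacy accounts survive, entitlement creep beyond the user’s defined role, and separation-of-duties conflicts) can be surfaced by a periodic access review that reconciles an application’s account export against the HR roster and the role definitions. The following is an added illustration, not Idenhaus code; the HR roster, role model, SoD rule and ERP export are all constructed sample data.

```python
# Added example: reconcile an application's entitlement export against the HR
# roster (authoritative lifecycle source) and the RBAC role definitions to
# produce access-review findings. All data below is constructed for illustration.
from collections import defaultdict

# HR is the authoritative source for lifecycle status (joiner/mover/leaver) and job role.
HR_ROSTER = {
    "alice": {"status": "active", "role": "ap_clerk"},
    "bob":   {"status": "terminated", "role": "ap_clerk"},   # leaver
    "carol": {"status": "active", "role": "ap_manager"},
}

# Role definitions: the entitlements each role is permitted to hold.
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"erp:create_invoice"},
    "ap_manager": {"erp:approve_payment", "erp:view_reports"},
}

# Separation-of-duties rules: pairs no single person may hold together.
SOD_CONFLICTS = [("erp:create_invoice", "erp:approve_payment")]

# Entitlements actually present in the ERP (e.g. an application export).
APP_ENTITLEMENTS = {
    "alice": {"erp:create_invoice", "erp:approve_payment"},  # moved roles, old access kept
    "bob":   {"erp:create_invoice"},                          # legacy account after leaving
    "carol": {"erp:approve_payment", "erp:view_reports"},
    "dave":  {"erp:view_reports"},                            # no HR record at all
}


def access_review(hr, roles, sod, app):
    """Return findings keyed by category; each finding is a (user, detail) tuple."""
    findings = defaultdict(list)
    for user, ents in sorted(app.items()):
        record = hr.get(user)
        if record is None:
            # Account with no HR identity behind it: orphan, review manually.
            findings["orphan_account"].append((user, "no HR record"))
            continue
        if record["status"] != "active":
            findings["leaver_not_deprovisioned"].append((user, record["status"]))
        allowed = roles.get(record["role"], set())
        for extra in sorted(ents - allowed):          # access outside the defined role
            findings["entitlement_creep"].append((user, extra))
        for a, b in sod:
            if a in ents and b in ents:               # toxic combination held by one user
                findings["sod_conflict"].append((user, f"{a} + {b}"))
    return dict(findings)
```

Feeding real exports in requires only replacing the four constructed dictionaries; the findings then become the worklist for remediation tickets.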
Apart from your services, what would you suggest to anyone trying to improve his data protection?
For companies working to improve their data protection, it is important to define a data lifecycle for their organization that balances business requirements against data security/protection concerns. In the end, data should have a finite life that runs through the following cycle: creation, storage, usage, sharing/collaboration, and disposal. A robust data protection strategy is a good place to start and should define the following:
- Classify the data types produced and consumed by applications and systems
- Identify legal/regulatory requirements by data type
- Define lifecycle data policies for each data type from creation through disposal
- Implement policies and processes to provide data integrity throughout the data lifecycle (Note: You will have different policies for each data type)
- Diligently enforce the removal/disposal of data that is end of life
- Provide an audit trail that demonstrates compliance with data laws and regulations
Lastly, any exciting new updates or developments that you would like to share?
Cloud-based identity solutions are rapidly evolving and will eventually become the standard IAM platform. This change will drive down costs by accelerating the time to implement, reducing operational costs, reducing support costs, and providing both scalability and resiliency to better manage peak loads and recover from adverse events. Organizations moving forward with IAM programs would be wise to incorporate Cloud-based IAM solutions as part of their program roadmap.