Rethinking IAM: How a Risk-Based, Automated Approach Makes Identity and Access Management More Strategic and Effective
New IDG Research survey shows enterprises increasingly headed in this direction
As security professionals are tasked with defending
against a threat landscape that gets continuously
more sophisticated, they need to be able to rely on
effective identity and access management (IAM)
policies and procedures so that only authorized
users can access company applications and data.
However, as their organizations grow, it can be
difficult to keep up with IAM requirements, especially
those that rely on manual processes.
It’s an issue that needs to be addressed because IAM
is not just a fundamental underpinning of any sound
security strategy, it’s a business enabler, helping
users quickly get to the applications and data they
need to do their jobs.
But many IT decision-makers feel their company is
falling short in terms of security in general and IAM
specifically. Consider: 86% of the 1,735 CIOs, CISOs,
and other executives responding to the 2016-17 EY
Global Information Security Survey said their cybersecurity
function did not fully meet their organization’s
needs. What’s more, only 29% rated their software
security measures as “mature,” and a mere 38%
thought their IAM measures were mature.
A recent IDG Research Services survey focused on
IAM found companies are struggling to keep up with
requirements using traditional, largely manual tools
— or in many cases, multiple tools. The issue is
complicated by the many “islands of identity” that
companies deal with. They include contractors and
services providers who may have access to company
data, and cloud-based applications, including those
employees sign on for without the permission of IT
(so-called “shadow IT”). The survey pointed to the
need for a more automated approach to IAM that
takes into account which applications and data
present the most pressing risks.1
Current IAM Landscape
Today more than 40% of organizations employ
multiple IAM solutions, the IDG survey found. Nearly
all (88%) find it at least somewhat challenging to
integrate these solutions, with 51% saying it is very or
extremely challenging.
These results are troubling because the survey also
finds IAM is becoming more strategic to companies.
Survey respondents were asked to rate IAM on a
10-point scale, with 1 meaning it is simply required
for security and compliance and 10 meaning IAM is a
business service that enables strategic objectives.
Respondents rated IAM as a 6.5 on average, showing
it is becoming a strategic priority.
“It’s becoming a business imperative to provide an
easier method of granting access to users,” says
Frank Bresz, an Executive Director at EY who is
focused on IAM. “But you also have to keep out the
wrong people. An effective IAM tool is strategic
because it can help you address both challenges.”
Although users recognize IAM as a strategic function, many IAM tools rely on largely manual processes. Less than one-third of IDG survey respondents said they have mostly or completely automated IAM processes, while another one-third use a mix of manual and automated processes. But three-quarters of respondents said they’d like IAM to be mostly or completely automated.
1 IDG Research surveyed 104 IT decision makers in December 2016 and January 2017 on behalf of Ernst & Young, LLP and RSA Security LLC, a subsidiary of Dell EMC Infrastructure Solutions Group, to support this whitepaper.
Market Pulse
Automating IAM
Automation can apply to numerous IAM processes and functions, including identity assurance, step-up authentication, multifactor authentication, access certification, and access approval workflow.
With respect to identity assurance, for example, it
could mean gating access depending on the device a
person is using, their location, or time of day.
Companies could have an automated, dynamic
process that requires an employee logging in from a
new device to answer some security questions. An
external contractor, on the other hand, may have to
provide additional information, perhaps a
pre-assigned password, or use multifactor authentication.
For access approvals, it means providing a method to grant access without having to manually seek out the managers and data owners via email, while still maintaining a clear paper trail for audit purposes.
As companies get larger, automation of these
processes is essential, but managing them becomes
difficult. A simple blanket process for automating
access approvals can become burdensome over
time. Managers are constantly asked for approvals,
notifications get missed, and rubber stamping
begins; the human element undermines the
automation and security the IAM tool is intended to
provide. Business users need a way to not only
automate IAM controls, but to also keep them
flexible and minimally invasive. At the same time,
cybersecurity professionals need the controls to
protect the organization’s valuable data.
The solution is to add business context to IAM. If a
user is logging in at odd hours or from a foreign
location (say, a country in which the business doesn’t
operate) that’s important context that should trigger
the IAM tool to apply more stringent authentication
and approval criteria. If, on the other hand, they are logging in from the same office location and the same device, at the same time of day they always do, the tool need not demand a higher level of authentication. That “frictionless” experience matters just as much to users.
Not All Apps are Equal
Authentication decisions also need to take into
account the application or data the user is trying to
access, and the level of risk that unauthorized access
would present. The IDG survey makes clear that
companies are indeed trying to take a more
risk-based approach to IAM.
The vast majority of respondents (91%) assess the risk level for at least some of their enterprise applications, and 38% do it for all apps. Among the criteria they use when assessing risk levels are:

Criteria used to assess application risk levels (share of respondents)
  Compliance requirement or audit information              72%
  Location (including whether cloud-based or on premises)  67%
  Threat information                                       67%
  Incident data                                            57%
  Behavior analytics                                       38%
  Device fingerprint                                       27%

That’s a good list of items to consider, EY’s Bresz says, while noting more companies should be taking the device fingerprint into consideration.
“You need the information profile of the system and, if it has sensitive information on it, how it’s integrated into the rest of the security architecture,” he says.
Taking risk data into account enables companies to apply the most stringent IAM measures only to the resources that, if breached, would result in the most damage to the company. Such an approach has a dual benefit: it improves productivity for users when they’re accessing applications and data that don’t require the highest level of security, while better protecting those that do.
Automating Based on Risk
The key is to be able to take risk data into account on an automated basis. That involves assessing the level of risk that each of your applications presents, Bresz says. This doesn’t require a specific risk score, but rather a simple prioritization level for each.
“You need to determine which applications represent your organization’s crown jewels, the ones you should be most worried about,” observes Jorge Garcia, a systems engineer at RSA. “Then determine who has access to them.”
At this point, the governance, risk, and compliance (GRC) group should be involved so that only appropriate people have access to the most sensitive and valuable resources, Bresz says.
Then the organization can decide which authentication
controls are appropriate for each level of
application given its risk profile. With this approach,
companies can determine when they’ve taken out
enough risk for each application, and can stop
applying (and spending on) the most stringent
controls for all applications, Bresz says.
What’s more, with these classifications in hand, you can start automating IAM while taking risk data into account. If the risk profile of an application changes from low to medium, for example, that change would trigger an access alert and a new access approval workflow, perhaps now requiring two-factor authentication. If it goes from medium to high, the change might trigger a requirement for biometric authentication.
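The passages above describe two inputs to an authentication decision: the application’s risk tier (a simple prioritization level, not a precise score) and the context of the login (device, location, time of day, employee versus contractor). The following is an added example written for this page, not code from RSA, EY or the IDG survey, showing one way to combine the two so that context only ever steps assurance up from the tier’s baseline, and a high-risk application under anomalous conditions is routed into an approval workflow rather than authenticated alone. The tier names, anomaly weights, operating-country list, approval rule and sample logins are all assumptions chosen for the illustration.

```python
# Added example for this page (not RSA, EY or IDG code). Policy values below are
# assumptions: anomaly weights, OPERATING_COUNTRIES, and the approval rule.
from dataclasses import dataclass
from enum import IntEnum


class AppRisk(IntEnum):
    """Simple prioritization level per application; no precise score needed."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Assurance(IntEnum):
    """Authentication strength, ordered so that step-up is a max()/cap."""
    PASSWORD = 1            # frictionless: normal SSO or password only
    SECURITY_QUESTIONS = 2  # e.g. an employee on a previously unseen device
    MFA = 3                 # second factor (possession or push)
    BIOMETRIC = 4           # strongest factor in this example


# Assumed: countries in which the business operates.
OPERATING_COUNTRIES = frozenset({"US", "GB", "DE"})

# Baseline assurance per tier, following the text: medium -> two-factor,
# high -> biometric. LOW keeps the frictionless default.
BASELINE = {
    AppRisk.LOW: Assurance.PASSWORD,
    AppRisk.MEDIUM: Assurance.MFA,
    AppRisk.HIGH: Assurance.BIOMETRIC,
}


@dataclass(frozen=True)
class LoginContext:
    user_type: str       # "employee" or "contractor"
    known_device: bool   # device fingerprint already seen for this user
    country: str         # ISO country code derived from the source IP
    hour: int            # local hour of the attempt, 0-23
    usual_hours: tuple   # (start, end) window the user normally works


@dataclass(frozen=True)
class Decision:
    assurance: Assurance
    approval_required: bool  # send through an access-approval workflow too
    reasons: tuple           # anomaly labels that drove the decision


def _in_window(hour, window):
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end  # window crosses midnight


def context_anomalies(ctx):
    """Score the login context; returns (points, reasons). Weights assumed."""
    points, reasons = 0, []
    if not ctx.known_device:
        points += 1
        reasons.append("unknown_device")
    if ctx.country not in OPERATING_COUNTRIES:
        points += 2
        reasons.append("foreign_location")
    if not _in_window(ctx.hour, ctx.usual_hours):
        points += 1
        reasons.append("odd_hours")
    if ctx.user_type != "employee":
        points += 1
        reasons.append("external_user")
    return points, tuple(reasons)


def decide(app_risk, ctx):
    """Step up from the tier baseline by the anomaly points, capped at BIOMETRIC.

    Context never lowers the baseline: a routine login to a high-risk app still
    needs the strongest factor. Assumed rule: a high-risk app with two or more
    anomaly points also requires an approval workflow, not just authentication.
    """
    points, reasons = context_anomalies(ctx)
    level = Assurance(min(BASELINE[app_risk] + points, Assurance.BIOMETRIC))
    approval = app_risk == AppRisk.HIGH and points >= 2
    return Decision(level, approval, reasons)


def tier_change_actions(old, new):
    """Actions when an application is reclassified to a higher tier."""
    if new <= old:
        return ()
    return ("access_alert", "new_access_approval_workflow",
            f"baseline_now_{BASELINE[new].name}")


if __name__ == "__main__":
    usual = (8, 18)  # constructed sample logins, not survey data
    routine = LoginContext("employee", True, "US", 10, usual)
    new_device = LoginContext("employee", False, "US", 10, usual)
    contractor = LoginContext("contractor", False, "US", 10, usual)
    suspicious = LoginContext("employee", True, "JP", 3, usual)
    for label, app, ctx in [("routine/low", AppRisk.LOW, routine),
                            ("new device/low", AppRisk.LOW, new_device),
                            ("contractor/low", AppRisk.LOW, contractor),
                            ("suspicious/high", AppRisk.HIGH, suspicious)]:
        print(label, decide(app, ctx))
    print(tier_change_actions(AppRisk.LOW, AppRisk.MEDIUM))
```

The routine employee login to a low-risk application stays at a plain password, the employee on a new device is asked security questions, the contractor on a new device is stepped up to MFA, and the off-hours login from a non-operating country to a high-risk application hits the biometric cap and is additionally routed for approval. Reclassifying an application upward produces the alert and re-approval actions described above.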
The IDG survey shows companies are indeed headed
in that direction, with exactly half saying they are
leveraging application risk data to automate
IAM-related controls. Of those, 63% leverage
approval workflows based on risk, 58% execute and
manage access certifications based on application
risk categorization, and 42% perform step-up
authentication based on an application’s risk rating.
Benefits of Risk-Based IAM
Of those who leverage risk data to automate IAM,
nearly 6 in 10 (58%) find the practice is either very or
extremely valuable, and they cite a long list of
benefits (see figure 1).
In looking at the list, Bresz points out it’s important to
consider that a risk-based approach to IAM delivers
all of these benefits, not just one or two. It’s also
interesting to note that, while compliance often
drives IAM projects, it was not the top benefit in the
IDG survey; that spot went to reduced IT time spent
modifying access controls.
Tied for second with improved compliance management
was the idea that risk-based IAM also delivers a
more proactive approach to access management. In
addition, respondents said it offers a higher degree
of assurance in authentication.
“Tying it to risk aligns IAM to the business,” Bresz
says. “The business units are generally the owners of
the data, and they know how devastating it would be
if certain data were compromised — or in other
cases, how trivial.”
Benefits Associated with Use of App Risk Data to Automate IAM Controls (Figure 1, share of respondents)
  Increased automation reduces time spent by IT staff modifying access controls                        39%
  Improved compliance management                                                                        38%
  More proactive approach to access management                                                          38%
  Higher assurance authentication                                                                       31%
  Simpler integration of new technology services (e.g., cloud applications)                            30%
  Ability to implement incident response plans more rapidly                                             26%
  Business or user friendly (avoid over-complication of security around low-risk applications)         24%
  Increased autonomy of business mgrs to grant users access to enterprise info without IT’s approval   22%
  Simplified and streamlined IAM process                                                                21%
  None                                                                                                   2%
At the same time, using a risk-based approach enables
IT to report back to the business on where threats to
data lie.
“IT can inform the business that employee terminations
are a business threat, along with orphan accounts and
segregation-of-duties violations,” Garcia says. “That can
help the business calculate risk level from an identity
perspective and better determine what the risk level of
an application should be.”
For example, if the business understands that some
users of an application are vendors, it presents a
different risk calculus as compared to when all users
are internal employees.
All of these points support the idea that the risk-based
approach is not only important from a security
perspective, but as a strategic business enabler.
Achieving Automated IAM
Implementing a risk-based approach to IAM requires a
set of tools and processes that enable companies to
consistently identify the risks they face and couple that
with their IAM capabilities. By integrating risk governance
and identity solutions, organizations can apply the
right user access, assurance, and compliance measures
to reduce identity risk while meeting their security
needs. This provides a more flexible framework that gives the people who know the data best, the business, a structured and managed way to shape the controls.
Baseline risk-driven integrations can be further
automated by using that same framework to apply
more advanced workflow, multi-factor authentication,
monitoring, reporting and certifications. In short, as the
identity platform is enriched, users experience less
friction, your organization becomes more agile and risk
is further mitigated.
Manual No More
An effective IAM solution is crucial for protecting any
organization in the face of the current threat landscape
while keeping in compliance with industry and government
regulations.
For organizations of almost any size, it’s impractical if
not impossible to meet these myriad requirements
while relying on manual processes to determine that
only authorized users can access corporate
applications and data.
As the IDG survey makes clear, there is significant
value in leveraging application risk data to drive an
automated IAM approach to more effectively enforce
corporate policies around access management
without hampering user productivity. Such an
approach helps IT deliver an IAM solution that not
only addresses its compliance concerns, but
becomes a strategic business enabler.
The RSA SecurID® Suite includes the tools required to enable any organization to take an automated, risk-based approach to IAM. To learn more, visit: www.rsa.com/iam.