May 31, 2019//Tony HowlettLast Updated: November 19, 2020
Major data breaches are a destructive reality– and the problem is growing. According to a 2018 Ponemon Institute study, 59% of companies said that they have experienced a data breach caused by one of their vendors or third-parties. In the US, that percentage is even higher, at 61%—up 5% over last year’s study and up 12% since 2016.
Managing user access has changed drastically in the past decade or so. Identity and Access Management (IAM) tools used to assume a one-to-one relationship between a network access point or a computer and a user. But, as cloud-based applications and networks (i.e. AWS, SaaS, etc.) become more the rule than the exception, these assumptions become outdated. Users may need access from anywhere, at any time, via any device. We expect IAM tools to be consistent and intuitive across platforms and applications. And that’s just for employee access. It’s no wonder that Gartner listed privileged account management as the top security project for CISOs to focus on in 2019.
As companies rely more and more on vendors and third-parties to manage their CRM, back-office, and e-commerce infrastructure, it becomes more difficult to understand exactly who has access to sensitive company data. So, while depending on vendors increases efficiency, it also increases your vulnerability to threats.
Identity and Access Management (IAM) refers to the system of policies and solutions deployed to securely match users and applications with the appropriate access.
Since the security environment and solutions infrastructure have been evolving, it’s a good idea to assess your company’s current IAM solution. You need to identify any gaps related to tools and processes for defining roles, access requirements for each type of role/user, and your audit requirements.
Use this assessment to evaluate any new IAM solutions or enhancements for your current one. Your solution should include tools that authenticate, audit, and control access by employees and third-party vendors. These three A’s are essential for maintaining the security of your business:
Authentication. Multi-factor adaptable authentication reduces risks of single-factor methods and helps to comply with standards and regulations. Multi-factor also requires each user to have unique credentials, eliminating the sharing of logins and passwords to better secure network access. Generally, these features revolve around knowing and managing users via your directory service. This includes tools that:
Audit. High-definition auditing tools track activity including (but not limited to) files transferred, commands entered, and services accessed. You should look for tools that provide:
Access. Users should be restricted to certain commands and networks/subnetworks by least privilege, need to know, and collaboration requirements. Access tools should:
Right now, every business is vulnerable to costly and crippling data breaches. Identity and access management tools provide the foundation for mitigating threats from employees, customers, vendors, and other third parties.
Changes in technologies and networks will bring even more threats in the future. Our whitepaper Cybersecurity Predictions for Enterprises outlines four critical steps you can take now to prepare for the future.