The IAM Gap

The ultimate goal that vendors and customers are trying to achieve in the identity and access management (IAM) space is to ensure that the right people have the right access to the right resources, and that they are doing the right things with that access. This seems simple, right? Easier said than done.

Many organisations are finding it increasingly difficult to manage user access, because business, technology and compliance pressures all pull in different directions. First, there is the sheer complexity of the infrastructure: many applications, systems and networks.

Every system has its own access-control model, tuned to its own needs, which makes it hard to run one IAM process across the enterprise, especially when applications are spread across business units and geographies, on-premises and in the cloud.

The second major challenge is how to ensure that only the right information is available to the appropriate people at the right time. Actions such as onboarding a new customer or employee, promoting a staff member, terminating a contractor, merging companies or departments, or delivering a new product, all require access to sensitive and potentially confidential information.

Furthermore, there are technological challenges in understanding and monitoring access risk. Traditional IAM implementations, for instance, start with user provisioning, an administrative step that aligns a user's access rights with business processes from day one. Companies then perform periodic reviews or certifications, say every three, six, nine or 12 months, to confirm that those access rights are still in order.

But many things change between the provisioning step and the next certification review, and each change can introduce access risk: business changes, infrastructure changes, regulatory changes, new resources coming online, new roles, policy and rights changes, hirings, firings and transfers. On top of that, the certification process itself can have significant holes, for example managers who lack the time or the understanding to complete it correctly and simply approve everything.

What all of this creates is a huge identity and access management gap (the IAM Gap) that leaves an organisation's sensitive information exposed to internal and external threats. To date, attempts to close the IAM Gap have been ineffective, because existing IAM approaches offer neither the flexibility nor the up-to-date view of access risk that is needed.

One positive step towards resolving this is to tie changes of access rights directly to the business processes that cause them, such as hiring, transferring or terminating staff. When the business event that affects access occurs, the corresponding access change is applied automatically and in line with policies and regulations, rather than waiting for a ticket or the next review.

Identity and Access Governance (IAG) tools, such as automated access certification and remediation, also help organisations achieve this and keep access rights in order. For example, when a business manager finds that a member of their staff has excessive access, they can automatically kick off a remediation process that reverts the access to the role baseline, deletes it, disables it, and so on.

However, despite the value of User Provisioning and IAG, closing the gap between User Provisioning and Access Certification still remains a significant challenge for organisations due to the lack of a real-time holistic view of access risk.

Businesses need to take into account the fact that risk is in fact dependent on the interaction of all elements of access, including: Identity Context (who the people are and what they are responsible for); Policy (what the business policies and regulations are); Rights (what access rights those people have); Resource Context (what types of resource they are trying to access); and Activity (what they are actually doing with their access).
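The event-driven provisioning described above (access following hiring, transfer and termination), the revert-to-role remediation, and the five elements of access risk can be shown together in one small model. The code below is an added illustration written for this article; it is not Courion's product code or any real IAG tool's API. Every role name, entitlement, sensitivity weight, separation-of-duties pair, HR event and reconciled account record in it is constructed for the demonstration. The "gap" it computes is simply the difference between what the target systems actually hold and what the identity's role and HR status justify.

```python
"""Added example: joiner/mover/leaver handling plus a combined access-risk score.

Illustrative code, not a vendor product. All roles, entitlements, weights,
SoD pairs, HR events and reconciled account data are constructed.
"""
from dataclasses import dataclass, field

# Role baseline (constructed): what each business role should hold.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp:vendor_read", "erp:invoice_create"},
    "ap_approver":      {"erp:vendor_read", "erp:invoice_approve"},
    "contractor_dev":   {"git:read", "ci:run"},
}

# Resource context (constructed): sensitivity of each entitlement's target, 1..5.
RESOURCE_SENSITIVITY = {
    "erp:vendor_read": 2, "erp:invoice_create": 3, "erp:invoice_approve": 4,
    "erp:payment_release": 5, "git:read": 1, "ci:run": 2,
}

# Policy (constructed): separation-of-duties pairs no single identity may hold.
SOD_CONFLICTS = {
    frozenset({"erp:invoice_create", "erp:invoice_approve"}),
    frozenset({"erp:invoice_approve", "erp:payment_release"}),
}


@dataclass
class Identity:
    user: str
    role: str
    active: bool = True
    rights: set = field(default_factory=set)  # what target systems actually hold
    used: set = field(default_factory=set)    # activity: rights exercised in the window


def apply_hr_event(identities, event):
    """Joiner/mover/leaver: derive the access change from the HR event itself."""
    kind, user = event["type"], event["user"]
    if kind == "hire":
        identities[user] = Identity(user, event["role"],
                                    rights=set(ROLE_ENTITLEMENTS[event["role"]]))
    elif kind == "transfer":
        ident = identities[user]
        ident.role = event["role"]
        # A mover gets the new role's baseline; old-role rights are not carried along.
        ident.rights = set(ROLE_ENTITLEMENTS[event["role"]])
    elif kind == "terminate":
        ident = identities[user]
        ident.active, ident.rights = False, set()
    else:
        raise ValueError(f"unknown HR event type {kind!r}")
    return identities[user]


def reconcile(ident, observed_rights, used_rights):
    """Replace the provisioning view with what the target systems report."""
    ident.rights, ident.used = set(observed_rights), set(used_rights)


def excess_rights(ident):
    """The gap for one identity: rights beyond what role and HR status justify."""
    baseline = ROLE_ENTITLEMENTS[ident.role] if ident.active else set()
    return ident.rights - baseline


def sod_violations(ident):
    return {pair for pair in SOD_CONFLICTS if pair <= ident.rights}


def risk_score(ident):
    """Combine rights, resource context, activity and policy into one number."""
    score = 0
    for right in excess_rights(ident):
        weight = RESOURCE_SENSITIVITY.get(right, 3)
        # Excess that is never exercised is pure attack surface: double its weight.
        score += weight * (1 if right in ident.used else 2)
    score += 10 * len(sod_violations(ident))
    if not ident.active and ident.rights:
        score += 20  # leaver who still has a live account somewhere
    return score


def remediate(ident):
    """Revert the identity to its role baseline; returns the rights removed."""
    removed = excess_rights(ident)
    ident.rights -= removed
    return removed


def run_review():
    """Constructed scenario: HR events, then a reconciliation pull, then scoring."""
    identities = {}
    for ev in [
        {"type": "hire", "user": "alice", "role": "accounts_payable"},
        {"type": "hire", "user": "bob", "role": "accounts_payable"},
        {"type": "transfer", "user": "bob", "role": "ap_approver"},
        {"type": "hire", "user": "carol", "role": "contractor_dev"},
        {"type": "terminate", "user": "carol"},
    ]:
        apply_hr_event(identities, ev)
    # Constructed account data pulled from target systems between certifications.
    reconcile(identities["alice"],  # ad-hoc approve grant "to cover a colleague"
              {"erp:vendor_read", "erp:invoice_create", "erp:invoice_approve"},
              {"erp:vendor_read", "erp:invoice_create"})
    reconcile(identities["bob"], {"erp:vendor_read", "erp:invoice_approve"},
              {"erp:invoice_approve"})
    reconcile(identities["carol"], {"git:read"}, set())  # git account never disabled
    return {u: (excess_rights(i), len(sod_violations(i)), risk_score(i))
            for u, i in identities.items()}


if __name__ == "__main__":
    for user, result in run_review().items():
        print(user, result)
```

In the scenario, bob's transfer shows the mover case done properly: his accounts_payable rights are dropped when the ap_approver baseline is applied, so he never holds both invoice_create and invoice_approve. Alice's ad-hoc grant and carol's never-disabled git account are exactly the drift a periodic certification would miss for months; the score flags both as soon as the reconciliation runs, and `remediate` reverts each to what the role and HR status allow.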

By taking into account all these elements of access risk potential, businesses will be able to deliver an IAM strategy that holistically addresses access risk. This could be achieved through a dynamic and real-time system that brings together all access risk factors to effectively address access risk management concerns. This will enable businesses to:

  • Identify and evaluate risk in near real-time and get a clear view of where the greatest vulnerabilities lie and how access risk is changing
  • Dig deep into the analytics to understand what is actually driving the risk so they can drive immediate remediation
  • Understand the trending of risk over time and implement more effective preventive measures
  • Predict future areas of risk and fix the underlying business-process issue, not just its symptoms

Identity & Access Intelligence enables customers to identify and evaluate risk, even as elements within the company change. With this approach, organisations can understand access risk and how to control it, while predicting and addressing future areas of risk before data breaches occur.

Marc Lee has more than a decade of experience in selling enterprise software across EMEA, as well as building partner programmes from scratch. Prior to Courion, Lee was responsible for building sales and channel programmes for Imprivata in Northern Europe. He built the company’s pre-sales and sales team, and also helped develop key strategic partnerships with Siemens, VMWare and Connecting for Health. Prior to his position at Imprivata, Lee served as the EMEA Partner Manager for JBoss, where he implemented that company’s partner program and was responsible for building the channel in the UK and EMEA. He began his career at SilverStream Software, and later transitioned into a role as a sales manager at Novell when it acquired SilverStream in 2002.
