Most of the world's companies have been part of a conflict for several years now. If your job touches IT security in one way or another, you are part of this conflict too.
You probably go to work wearing jeans and a t-shirt, not carrying any guns, yet you are still part of this conflict.
As in any other conflict, the frontlines have moved several times:
For many years the perimeter of the company was the frontline. A company's primary tool was a stateful firewall, while the cybercriminals primarily used viruses and worms.
As the conflict progressed, the cybercriminals changed their tactics. Their preferred tool became the so-called Advanced Persistent Threat, which could persist in a network for months without being discovered.
The defence developed as well. The companies' most advanced tool became the "Next Generation Firewall", which differs from the stateful firewall in that it has application awareness, typically an integrated IPS, and the capability to integrate one or more third-party data sources.
The frontline had become blurred. For many companies the frontline was still the perimeter, and because of this they kept investing in firewall technology. However, the companies' many end-points on the internal networks were increasingly a battlefield for different kinds of attacks, exemplified by the well-known ransomware.
This is why many companies felt a need to change their strategy and focus on an integrated defence, in which the firewall and the agents installed on the company's end-points exchange data with each other.
Yet this strategy was overtaken by the BYOD wave that swept the world. BYOD meant that your data could spread to other devices without you knowing.
Forget all about the perimeter!
This brings us to the present and the current frontline of the conflict. Today, minor battles are fought over all types of data, which means that companies have to identify what needs protection.
Let’s start by taking a look at the reality of IT security officers:
- There is no perimeter. Data is not only used within the physical boundaries of the company but also "on the go" and in the employees' private homes.
- Controlling end-points involves major challenges. Data is used in several places: on computers, smartphones and iPads handed out to the employees, on the employees' personal devices, etc.
This means that a company’s previous defence, also known as the “Alamo”, is gone. What’s left are two joint control points for protection of data: Identities (who is accessing) and assets (what is being accessed).
These two should function as the core of the company defence, and also as the foundation for companies' IT security strategy against threats in 2019: Identity & Access Management, also known as IAM or IGA.
Identity Administration & Governance
So what is IAM? Gartner defines IAM as the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
This somewhat tortuous definition captures what companies want: users should have access only to the resources their job function and area of responsibility require, while the applicable compliance demands are met.
The starting point is identity: the "who". The reason for this is that identity is the most comprehensive reference point we can rely on when defining the security policy. You may attach a variety of attributes to an identity, such as "role".
This enables us to set up a number of use cases for security and compliance:
- Discover and warn when actions that go against the compliance rules are detected. For instance, stopping the provisioning of a server in a public cloud if the server profile does not match a set of predefined requirements.
- Discover and warn if user rights are granted that do not match the identity's area of responsibility. For instance, if a sales assistant is granted access to data that sales assistants do not normally have access to, this is discovered.
- "House cleaning" tasks. If an employee is moved to another position in the company, you definitely remember to grant him the rights needed for his new position, but do you remember to remove the rights he no longer needs?
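The second and third use cases above, as an added illustration that is not from the original post nor from Saviynt or any other product: a constructed role model is used to flag entitlements an identity's role does not justify, and to compute what a "mover" event should revoke as well as grant.

```python
"""Role-based access review and mover reconciliation (constructed example).
The role model, identities and entitlement names below are made up."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed role model: the entitlements each job role may legitimately hold.
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "sales_assistant": {"crm:read", "crm:write", "mail:user"},
    "finance_clerk": {"erp:ledger_read", "erp:invoice_post", "mail:user"},
    "sysadmin": {"ad:domain_admin", "vsphere:admin", "mail:user"},
}


@dataclass
class Identity:
    user_id: str
    role: str
    entitlements: set[str] = field(default_factory=set)


def out_of_policy(identity: Identity) -> set[str]:
    """Entitlements the identity holds that its role does not justify.
    This is the 'sales assistant with unusual data access' finding."""
    allowed = ROLE_ENTITLEMENTS.get(identity.role, set())
    return identity.entitlements - allowed


def mover_plan(identity: Identity, new_role: str) -> tuple[set[str], set[str]]:
    """On a role change, return (to_revoke, to_grant).
    to_revoke is the 'house cleaning' step that is easy to forget: everything
    currently held that the new role does not justify, including any grants
    that were already out of policy under the old role."""
    new_allowed = ROLE_ENTITLEMENTS.get(new_role, set())
    to_revoke = identity.entitlements - new_allowed
    to_grant = new_allowed - identity.entitlements
    return to_revoke, to_grant


def access_review(identities: list[Identity]) -> dict[str, set[str]]:
    """Run the out-of-policy check over a population; return only the findings."""
    findings = {}
    for identity in identities:
        excess = out_of_policy(identity)
        if excess:
            findings[identity.user_id] = excess
    return findings
```

A real IGA deployment would source the role model from HR data and the entitlements from the connected systems; the logic of the two checks is the same.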
IAM is similar to most other security measures in that it deals with the interaction between systems and processes. This means that even the best IAM system is not worth much without your active participation in defining governance and compliance rules.
With that being said, there are of course differences between the systems offered, for instance in features, in how they approach the tasks, in where data is collected, etc.
At Netic we recommend Saviynt by the American company of the same name. Yet there are several other systems all handling the task in different ways.
Please feel free to contact us if you have any questions.