Identity, Security Program Controls/Technologies

The Fundamentals of Identity and Access Management

Author: Janel Schalk, Optiv

Identity and access management (IAM) is an exciting world filled with dreams of business enablement while reducing risks and implementing security policies and processes. However, it can be daunting to educate, prioritize, pick and implement solutions, and then maintain all of it with thoughtful governance.

IAM encompasses the people, processes and technology used to create, manage, authenticate, control and remove a user’s permissions, and the way data is accessed throughout an organization by its employees, contractors, affiliates, partners and customers. By starting with a foundational understanding of the current state of IAM, your organization can appropriately assess its maturity against the pillars of IAM:

  1. The IAM Program – How the organization, its executive stakeholders and its subject matter experts approach IAM pain points, drivers, and the supporting people, process and technology changes.
  2. Identity Data Management – The control and management of identity-related data, the systems that house the data and how the data is processed across the organization.
  3. Access Management – Supporting authentication mechanisms, including single sign-on, multifactor authentication, federation and password management.
  4. Access Governance – Policy-based activities enabling the definition, enforcement, review and auditing of IAM functions and policy compliance.
  5. Identity Management – Core user lifecycle and self-service management of end user accounts, administration and entitlements.
  6. Privileged Access Management – Supporting the processes and technology controls related to elevated permission accounts.
  7. Data Security and Analytics – The ability to manage unstructured data, provide data classification, identification and user analytics to support data security programs.

When defining the maturity of IAM at your organization, you can speak to varying maturity levels across each of the pillars, describing your approach to each IAM component as aware, reactive, adaptive, purposeful or strategic. By establishing this baseline, you can demonstrate growth and improvement to your executive stakeholders and build the framework on which the program matures. From there, you can establish cross-referenced, prioritized business requirements against stakeholder and business program drivers, while identifying measurable and appropriate key performance indicators (KPIs), metrics and key risk indicators (KRIs).

All this leads to the establishment of the next phase of your IAM program, which is full of process and technology choices, training and awareness, tactical and strategic decisions, and developing centralized offerings that your business and customers will want to opt into. As a result, you can reduce any decentralized, one-off solutions and approaches in use. With a mature IAM program in place, your organization can balance accessibility with security by focusing appropriately on business enablement and risk reduction, empowering your internal people and customers to access the services they need while mitigating risks where possible.

Understanding where you stand with your IAM program compared to industry best practices is a great first step. Check out Optiv’s free IAM self-assessment and read our IAM program primer to get you going in the right direction.

Janel Schalk is senior director, Access Management and Strategic Consulting, IAM at Optiv Security Inc. Read more Optiv blogs here.