Descartes probably didn’t have Identity and Access Management in mind as a 17th-century philosopher, but for security professionals that’s not a philosophical statement – it should be a way of life.
Gartner defines IAM as “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.” As more and more breaches hit the news, IAM is becoming more of a focus. It’s not enough to know that your data is secure; do you know who is using it, when they are using it, and why?
You cannot rely on just one strategy to ensure security. Rob Enderle suggests a 3-level approach. Do you rely on just one? As many firms are realizing, there is no single magic solution. At the very least, a strategy that has multiple layers, is well-defined, is broadcast to the organization and is reinforced with continued training is imperative in this day and age. It’s the responsibility of security teams to identify and mitigate risks, but it is the entire organization that has to keep potential threats in mind.
It’s not just the generous Prince of a foreign nation that we have to fear. As we know, hackers and infiltrators are becoming more and more sophisticated. It’s not necessarily a blunt-force attack that we need to look out for. The well-thought-out and strategically approached assault is what needs to concern security and IT people.
If you know who has access and who should be accessing information, then you can set a baseline for business-as-usual. If credentials are compromised, then you should be able to tell when anomalous behavior is taking place. The time from assault to detection is vital. The sooner you know of an intrusion, the sooner you can remedy the situation. If an attack is not detected for a period of time, then no matter what controls you have in place, the proverbial barn door has been opened for too long.
Having complete knowledge of what is going on in your environment takes time. You have to first understand what you have, whether appropriate controls are in place, and what your legacy environment was like before the controls were put in place. If you communicate the need for diligence to your company, understand that not everyone will take threats seriously. It is the ability to detect anomalous behavior that will be your strongest defense against intrusion.
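The baseline-and-anomaly idea described above, as an added example that is not part of the original post: it checks new access events against both entitlements (who should have access) and past behaviour (who actually uses what, and when), then measures the time from the first flagged event to detection. The users, resources, timestamps and the simple hour-range baseline are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
# All data below is constructed for illustration. Who *should* access what:
ENTITLEMENTS = {"alice": {"payroll-db", "hr-share"}, "bob": {"build-server"}}
# Business-as-usual history: (timestamp, user, resource)
HISTORY = [
    ("2024-03-04T09:12", "alice", "payroll-db"),
    ("2024-03-04T14:40", "alice", "hr-share"),
    ("2024-03-04T08:30", "bob", "build-server"),
    ("2024-03-05T17:45", "bob", "build-server"),
]
# New activity to evaluate against the baseline:
NEW_EVENTS = [
    ("2024-03-06T09:30", "alice", "payroll-db"),  # matches baseline
    ("2024-03-06T02:17", "bob", "build-server"),  # usual resource, odd hour
    ("2024-03-06T02:21", "bob", "payroll-db"),    # not entitled, never seen
]

def build_baseline(history):
    """Per user: resources touched and hours of day at which activity was seen."""
    base = defaultdict(lambda: {"resources": set(), "hours": set()})
    for ts, user, resource in history:
        base[user]["resources"].add(resource)
        base[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(base)

def reasons(event, baseline, entitlements):
    """Return the ways an event deviates from entitlement and baseline."""
    ts, user, resource = event
    found = []
    if resource not in entitlements.get(user, set()):
        found.append("not entitled")
    profile = baseline.get(user)
    if profile is None:  # unknown account: nothing to compare against
        return found + ["no baseline for user"]
    if resource not in profile["resources"]:
        found.append("resource new for user")
    hour = datetime.fromisoformat(ts).hour
    if not min(profile["hours"]) <= hour <= max(profile["hours"]):
        found.append("outside usual hours")
    return found

def detect(events, baseline, entitlements):
    scored = [(e, reasons(e, baseline, entitlements)) for e in events]
    return [(e, r) for e, r in scored if r]  # keep only deviating events

def time_to_detection(findings, detected_at):  # earliest flagged event -> noticed
    first = min(datetime.fromisoformat(e[0]) for e, _ in findings)
    return datetime.fromisoformat(detected_at) - first
```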