From dispersing office spaces to remote working, COVID-19 forced organizations to take a holistic approach to cybersecurity. Business continuity was transformed overnight to navigate the pandemic. The industry also experienced a paradigm shift in how it accounts for human error, addresses cyberthreats, and secures data.
In a digitally enabled economy, Identity and Access Management (IAM) plays a critical role in the security and resilience of an enterprise, and IAM and data security are inseparably linked. IAM empowers users to self-authenticate, thereby reducing time-consuming tasks such as help-desk tickets and password resets.
To dive deeper into how IAM systems enhance productivity in today’s cut-throat business world, Pooja Tikekar, Feature Writer at CISO MAG, engaged in a conversation with Amruta Gawde, Practices Program Manager – IAM, Simeio Solutions.
Amruta has around 14 years of experience in Information Security, 12 of them in the IAM domain, spanning organizations such as Vaau, Sun Microsystems, PwC and Simeio Solutions. At Simeio, Amruta has worn multiple hats on the delivery side, from techno-functional roles to customer engagement. Backed by her extensive customer-facing experience, she took on the responsibility of heading IAM practices for Simeio to build Simeio’s Center of Excellence. Her program combines technical innovation with IAM thought leadership to build innovative solutions.
Edited excerpts of the interview follow:
2020 is an alarming year for data security. Exposure of PII is at an all-time high. Although two-factor or multi-factor authentication is a standard remedy, how does Identity and Access Management (IAM) help in safeguarding digital identities compared to the traditional security practices?
Traditional security practices either focus on perimeter protection (assuming all the threats are external) or on the post-breach detective approach.
While this is obviously an important aspect of security, a significant percentage of breaches are a result of privileged/administrative access being abused by staff, either inadvertently or intentionally. In addition to two-factor or multi-factor authentication (which falls under the gamut of IAM), IAM focuses on building a strong framework of access control and access enforcement for ensuring the “Least Privilege” security principle: provide the minimum required access. As a result, you cannot employ the privileges that you do not have. Additionally, every access provided and subsequently utilized is supported by an audit trail, which helps in compliance.
COVID-19 and the dispersed work-from-home format have intensified security risks. What is the role of IAM in securing enterprise networks in decentralized environments?
The need for ‘Any Time Any Where Any Device Any Content’ (ATAWADAC) services has significantly increased. Thanks to this new era of remote working and decentralized environments, IAM, which was always relevant to any organization’s security strategy, has gained a lot more traction.
An IAM solution provides a centralized platform for automated provisioning and de-provisioning of required privileges to vendors, employees, partners, and mobile or IoT devices alike.
IAM solutions also have analytical intelligence to add contextual references during authentication and authorization. For example, if an employee usually logs in between 9-5, any logins outside of those hours would require additional authentication. Static administrative privileges and shared admin credentials, which can be stolen, are history with just-in-time privilege escalation using advanced privileged access management solutions.
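As an added illustration (not part of the interview, and not Simeio's product code), the contextual-authentication rule described above, in Python: a login outside the user's usual hours triggers step-up authentication. The example generalizes the 9-5 rule by also weighing an unenrolled device and an unusual country into a risk score; the baselines, weights, thresholds and login events are all constructed for the demonstration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LoginEvent:
    user: str
    at: datetime        # local time of the login attempt
    device_id: str
    country: str


# Constructed per-user baselines (hypothetical): usual working hours,
# enrolled devices and countries the user normally logs in from.
BASELINES = {
    "alice": {"hours": (9, 17), "devices": {"laptop-01"}, "countries": {"US"}},
    "bob":   {"hours": (8, 18), "devices": {"laptop-07", "phone-07"}, "countries": {"IN"}},
}

# Constructed risk weight per contextual signal; thresholds in decide() map the total to an action.
WEIGHTS = {"off_hours": 1, "unknown_device": 2, "unusual_location": 2}


def risk_signals(event: LoginEvent, baseline: dict) -> list[str]:
    """Return the contextual signals on which this login deviates from the user's baseline."""
    start, end = baseline["hours"]
    signals = []
    if not start <= event.at.hour < end:
        signals.append("off_hours")
    if event.device_id not in baseline["devices"]:
        signals.append("unknown_device")
    if event.country not in baseline["countries"]:
        signals.append("unusual_location")
    return signals


def decide(event: LoginEvent) -> tuple[str, list[str]]:
    """Map a login attempt to allow / step_up_mfa / deny from its accumulated risk score."""
    baseline = BASELINES.get(event.user)
    if baseline is None:
        # No behavioural history yet: always require a second factor.
        return "step_up_mfa", ["no_baseline"]
    signals = risk_signals(event, baseline)
    score = sum(WEIGHTS[s] for s in signals)
    if score == 0:
        return "allow", signals          # in hours, known device, usual country
    if score < 4:
        return "step_up_mfa", signals    # one or two weak deviations: ask for another factor
    return "deny", signals               # everything deviates: refuse and let SOC review


# Constructed login attempts used to exercise the policy.
EVENTS = [
    LoginEvent("alice", datetime(2020, 11, 3, 10, 15), "laptop-01", "US"),  # normal
    LoginEvent("alice", datetime(2020, 11, 3, 22, 40), "laptop-01", "US"),  # 22:40, outside 9-5
    LoginEvent("alice", datetime(2020, 11, 4, 3, 5), "unknown-99", "RO"),   # all three signals
    LoginEvent("carol", datetime(2020, 11, 3, 11, 0), "laptop-03", "US"),   # no baseline yet
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e.user, e.at, decide(e))
```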
As technology evolves, so does Identity and Access Management. How are IAM systems evolving to get better at authenticating users, apps, and devices to enhance security posture?
The IAM space has been constantly evolving. Recently introduced GDPR regulations require privacy protection and consent management in consumer transactions. As a result, IAM solutions provide fine-grained authorization and consent management during logins and data access. Increased WFH has increased the need for ATAWADAC and secure remote access. Striking the right balance of security and user experience gave rise to zero trust (don’t trust, authenticate every time) and a need to go passwordless, which are the latest trends in IAM. The increase in IoT devices has resulted in adaptive/contextual authentication and artificial intelligence in IAM solutions. Analytical intelligence/threat analytics are commonplace. The need for self-sovereign identity (user-created and controlled identity) has caused significant advancement in IAM solutions as well. We are also seeing one major change: the traditional IAM solutions were administrator-friendly, complex to configure and use, and centrally managed. The modern IAM solutions are business-friendly, keeping the synergy between business, security, compliance, and user-friendliness a priority over customizations and technical complexities.
It is said that single sign-on (SSO) requires a focus on the safety of user credentials, and hence deemed critical. How does SSO authenticate third-party applications or websites? Is it practical?
Single sign-on is definitely practical given that most organizations leverage third-party cloud applications to better help deliver products and services to their customers.
Given the increase in complex ecosystems that contain multiple applications, IAM solutions inherently provide the capability of SSO.
This provides the ability to access both internal and third-party cloud applications using a single ID, such as an Enterprise ID or a Social ID (Facebook or Google).
Trust establishment with third-party applications is achieved through the concept of federation, which is like a digital third-party agreement between the identity provider (IAM solution) and the service provider (third-party applications).
Another relatable scenario that you would have witnessed: sometimes when you play a quiz online, at the end it asks your permission to post the results to your Facebook page. In this case, the quiz app wants access to your Facebook profile. As a user, you do not want your Facebook account to share your credentials with this third party while allowing this temporary access. Also, you want to select what data should be exchanged. This is all achieved in the backend through IAM.
The Internet of Things (IoT) landscape is experiencing a paradigm shift. Businesses are now concerned with managing multiple “things” connected to their network. How does IAM provide security against IoT devices that are trying to access the network?
From the IAM perspective, human and device identities are treated equally. As we saw earlier, ATAWADAC is the need of the hour. Just like a human identity, every IoT device needs to authenticate itself, and it is only allowed to access what it is authorized to access within the given context. It needs to establish trust with third-party applications, all its transactions are audited, and so on.
Additionally, advanced API security and endpoint privilege management ensure that the access is secure.
Tell us a bit about Cloud IAM and its role in cloud security. How can it help prevent data breaches and possible financial losses?
Cloud IAM, like other cloud services, is an IAM solution offered as-a-service. Customers do not need to pay for licenses, infrastructure, or upgrades of the IAM platform. It is completely built, managed (availability, auto-scaling based on load, performance, etc.), run, and maintained for you. Cloud IAM allows you to unbundle the services and choose what you want to use, and you pay for what you use. The accountability for data security is outsourced to the IAM service providers. It also gives you the flexibility to change the IAM service provider should you wish to do so. It integrates with native cloud platforms for key security features such as API security and provides identity management for the users of the cloud platform itself.
Choosing an IAM solution can be a daunting task, especially in these testing times. What primary factors determine an accurate IAM framework and what are its compliance requirements? Is it cost-effective for consumers and businesses alike?
I would recommend finding an IAM consultation partner who would help you define the IAM roadmap and help you determine what solution would work for your requirements.
An IAM solution covers multiple areas such as governance, identity management, authentication, authorization, SSO, privileged identity management, threat analytics, and intelligence under the IAM umbrella, which address a variety of business problems.
Pretty much all IAM partners offer you most of the functionalities with cost variation. The consumer-only products are light and may cost less. However, if you are looking to address different types of users, including employees, B2B partners and consumers, enterprise IAM solutions are a better fit.
While some organizations do build their own IAM solutions, this is not recommended.
The key is to identify and prioritize business problems/objectives with respect to audit & compliance, security, operations simplification, risk management, cost-saving, digital transformation, number and types of assets, and types of identities.
There are multiple research firms, such as Gartner, Forrester and KuppingerCole, that periodically publish market trends and analyses of leading vendors.
Technology selection alone is not sufficient. It is important to align processes supporting your IAM roadmap and an adoption and maintenance plan. Outsourcing to professionals for implementation of an IAM solution, or opting for cloud IAM or Identity-as-a-Service (IDaaS) platforms, is a better way to ensure that you are realizing maximum value out of your investment.
In fact, a customer-owned IAM solution requires significant investment in infrastructure and license costs during implementation and maintenance alike. IDaaS platforms, on the other hand, ensure that the customer does not have to bear the cost of infrastructure, licensing, upgrades and maintenance, and you can switch shop without a second thought.
What is the IAM strategy of Simeio in a post-pandemic world?
Simeio has always been customer-centric and IAM-focused. The pandemic has triggered significant digital transformation. Everything has gone online, from shopping to government services to doctors’ consultations, and you no longer require physical presence and access. As a result, the importance of secure virtual presence and verification of digital identity has increased exponentially. IAM has hence become the need of the hour. We have supported many of our customers through this digital transformation and their key security challenges. Our only target has been to make this transition to the secure digital world as smooth, secure, and fast as possible. We are focusing on combining our years of experience in this space to enable customers to realize quick ROI through ready-to-consume, business-friendly, secure, feature-rich, modern Identity-as-a-Service solutions.