In this blog post
Zero Trust with IAM for IT Alignment and Automation
Cybercrimes have become increasingly sophisticated with the new realities of a hybrid workforce. As a result, the traditional approaches to identity and access are no longer viable. While Identity and Access Management (IAM) is one of the core foundational elements to build a cybersecurity framework, most organizations have done very little in this area.
GAVS recently conducted a webinar that discussed the risks and challenges in IAM, best practices to protect users across the corporate network using the IAM system, and pillars of IAM and zero trust. This blog captures some of the key discussion points and takeaways from this webinar titled ‘Zero Trust with IAM to Achieving Automation and IT Alignment.’ The link to the entire webinar is available at the end of the blog.
The webinar was moderated by Shivakumar, who is a lead consultant at GAVS Technologies. He was joined by Arun Kumar Singh, Kavitha Srinivasulu, and Sundaramoorthy. Arun is the CEO of Ilantus Technologies with over 25 years of experience in running global cybersecurity businesses. Kavitha is the Associate Vice President and Head of cybersecurity services (Healthcare) at GAVS, with over 16 years of experience in financial services and telecom domains as well. Sundaramoorthy is the Senior Technical Manager for IAM at GAVS, with over 15 years of experience in delivering business solutions.
Challenges in Implementing IAM
Since the onset of the pandemic, remote work has created new challenges and increased the risk of data breaches as more people are connected remotely to their enterprise networks using their own devices. Corporate assets are no longer limited to corporate boundaries as multi-cloud, and on-premise environments combined with the use of SaaS applications have opened the gates with more users having access to privileged information. As a result, this setup blurs the overall visibility of who has access to what information. Evidently, this has led to an increase in ransomware attacks due to unauthorized access granted in these environments.
Traditional perimeter-based security architecture is slowly diminishing. While IAM is not a new concept, only recently, the response from enterprises has evolved to a greater extent with the increasing dependency on third-party vendors, new privacy regulations, frequent data breaches, and shifting security threats. Irrespective of the size, most organizations and IAM solution architects are trying to solve the big question of data visibility. With the rising use of BYOD, if everyone in the workforce has access to all information, hackers can easily exploit unmonitored devices to implant Crypto Jacker software or open a backdoor entry for a ransomware attack.
Pillars of IAM and Zero Trust
Zero Trust can be considered as the base for IAM. It is implemented in areas where hackers are most likely to steal data from the corporate network. The key difference areas are identities networks applications, endpoints, and data when it comes to zero trust. To improve data security, experts recommend a three-step approach to implement zero trust — verify explicitly, implement least privilege access, and always assume breach.
While it is impossible to give access to all employees to all applications, organizations must formulate an approach to restrict access to employees on certain criteria such as role-based responsibility. The base for such restriction starts with zero trust. The first approach would be birthright access. Initially, when employees join the organization, they can be given birthright access. This access refers to all the basic access an employee receives to perform their role. This access does not exceed beyond the bare necessities required to do their job.
The other approach could be a role-based approach that can be from the bottom up or top-down, depending on the amount of data and privilege employees will need. Another popular zero-trust approach is the segregation of duties. Depending on the role, an organization can classify the access an employee needs. This approach can be either proactive or reactive. If it is a proactive approach, a manager must review employee access based on necessity and continue authorizing access.
Measures to Improve Security
While granting access to data is the first step, there are various measures that must be taken to improve and sustain IAM in an organization. Some of the common ones include the creation of identity-based schema, controlled access to critical resources, continuous evaluation of trust model and identity management solution, and adaptive authentication.
Access control is one of the promising measures to improve data security. Instead of granting access to all employees, organizations must make a stern decision to ensure that the access provided is based on different criteria such as role or project. Another popular practice that industry experts highly recommend is continuous monitoring of all systems. Alerts and irregularities in data access must be mitigated promptly to avoid severe repercussions. Modifying user access to critical data from time to time helps improve unnecessary loopholes in security. Finally, as organizations expand, they must upgrade or patch systems continuously while ensuring data permissions are robust and validated.
This blog offers only a high-level gist of the webinar. You can watch the entire discussion, including the poll questions and the experts’ take on audience questions here. GAVS periodically organizes insightful webinars with GAVS’ tech leaders, the leadership team, and industry thought leaders to explore current and emerging trends. To watch any of our webinar recordings, please visit https://www.gavstech.com/videos/.