Protecting porous perimeters via identity access management
With the growth of “mobile working” and an increasing number of business applications migrating to the cloud, the corporate perimeter has become more porous and vulnerable, driving demand for solutions that manage access and user identities securely and efficiently. This is where identity access management (IAM) technologies come into play. Sicco Boomsma, director in ING’s structured finance TMT team, explores.
Employees are increasingly accessing corporate data from outside the corporate perimeter. Using personal devices to work from home or while travelling is blurring network and organisational boundaries. IAM technologies are therefore starting to take centre stage in a world where the network perimeter is all but gone and identity forms the new perimeter.
The emergence of IAM as the primary solution to ensure that only authorised people can access authorised resources is reflected in a forecasted 7.3% compound annual growth for the IAM market, to €4.3 billion by 2019, according to research from Technavio.
Banking, financial services and insurance are among sectors increasingly implementing IAM solutions, both on-premises and in the cloud, such as privileged access management and two-factor authentication. The goal is to improve risk management, fraud detection and cyber-threat awareness.
IAM systems prevent cyber-criminals from climbing the chain of access privileges within IT systems, blocking hackers from sensitive applications and data even if they have managed to compromise an employee’s credentials. Access management systems can also reduce the extent of internal security breaches by better controlling user privileges and maintaining comprehensive records of who accessed data and applications, and how and when they did so.
Those record-keeping features also provide organisations with valuable information about how employees, partners and clients access the network and interact with applications. Firms can use this knowledge not only for security and forensics but also to understand typical patterns of interaction, enabling them to simplify, improve and optimise employee and customer experiences.
An efficient and well-maintained IAM system can, for example, improve employee productivity and reduce helpdesk costs by simplifying sign-on processes and reducing the risk (and stress) of connection failures, alleviating employee and customer frustration by letting users enter the corporate perimeter more quickly and easily.
For those reasons, systems featuring single sign-on (SSO) processes that allow users to maintain a single set of device- and connection-agnostic log-on credentials have become increasingly popular, especially cloud-based services, which are usually developed and managed by third-party providers of Identity as a Service (IDaaS).
One challenge faced by traditional IAM approaches is a shortage of capabilities offered by any single vendor or solution, resulting in the need to integrate multiple systems and technologies. This can lead not only to additional overheads and to product interference that results in poor user experience, but also to an inability to correlate events, alerts and reports.
IDaaS providers overcome this issue by enabling organisations to adopt a single solution that provides all necessary control in one platform, or at least integrates different access and identity management functions via a single platform and interface.
The advent of cloud-based IDaaS offerings can alleviate much of the upfront cost and complexity typically associated with implementing IAM, which has traditionally involved high initial capital expenditure, while providing a very limited scope of coverage in terms of applications and a low return on investment.
Data and access monitoring within IAM systems, including those offered by IDaaS providers, can also help organisations meet regulatory requirements, satisfying increasingly stringent compliance mandates around separation of duties, enforcement of access policies for sensitive accounts and data, record keeping and making sure users do not have excessive privileges.
As compliance requirements continue to be rolled out – including the European Union’s General Data Protection Regulation (GDPR) due to take effect in 2018 – it becomes a pivotal responsibility for corporates to ensure data and systems are appropriately protected. Having adequate IAM systems in place is an essential aspect of an effective cybersecurity strategy, which is good for employees and, above all, required to safeguard the trust of customers.