When evaluating an identity and access management platform, the benefits far outweigh any drawbacks. That said, you must consider a few identity and access management risks when designing an IAM implementation and ongoing maintenance processes. Let’s look at some of the more common risks associated with IAM deployments:
- Centralized management creates a single, centralized target. As you begin to centralize the management of usernames and authentication mechanisms, the process creates a much bigger and centralized security target. Thus, great care must be taken to properly secure an IAM platform using various network-based security tools.
- Improper management of network/application/data access. Another potential misstep is the management of role-based access control (RBAC) within an organization. RBAC is a method used by admins to bundle multiple users into groups based on their need to access similar resources. While the use of access groups is a great way to reduce the number of access policies that need to be created and maintained, many businesses lump too many users into a single group. The result is some users gain access to applications and services they don’t need. In a best-case scenario, this leads to a situation where user access isn’t nearly as stringent as it could be. In worst-case scenarios, this can result in having users with inappropriate separation of duties, which can lead to access control compliance violations.
- Who forms access rules? IT vs. business leaders. While the IT department may have a fairly solid grasp on what type of access users, groups and departments need, getting input from business or department leaders in order to create the policy is highly recommended. Doing so can help zero in on who needs access to which corporate apps and data.
- Insufficient process automation. When it comes to access management, there are many moving parts. If repetitive processes are not automated, admins may neglect to execute certain processes in a reasonable amount of time. User offboarding is a perfect example: without automation, employees who leave the company can keep their authentication credentials and access to corporate resources in place, which is a security threat.
- Failing to plan for scalability. As businesses grow and technology needs change, IAM platforms must scale to meet new demands. In certain situations, IAM products or deployment methodologies can limit the level at which a platform can scale.
- Lack of management training. Identity and access management can consist of a complex set of processes. Add to this the fact that automation streamlines repetitive processes and reduces the amount of administrator overhead required to perform common IAM tasks. Because of the complexities and complications inherent in automation, admins must be trained to set up automation steps and ensure they’re functioning properly. Any errors in automation processes can negatively impact large numbers of users.
- Lack of scheduled access management auditing. As businesses pivot toward new goals and objectives, employees often require modifications in access rules. While adding policy that grants access to new apps or data is usually not a problem, revoking access to previously required resources is a common problem. If regularly scheduled audits are not performed, it can lead to a situation where users/groups have access to apps and data that they no longer need.
Effective processes to protect against these types of IAM risks are essential. These include the necessary firewall and intrusion prevention system protections, as well as the creation of a strict access policy that significantly limits who has access to manage the platform. Proper training and regular communication with business/department leaders are also important steps toward keeping an IAM platform running smoothly, with processes that ensure employees receive exactly the access they require and nothing more.
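Three of the risks above (over-broad RBAC groups and separation-of-duties conflicts, unautomated offboarding, and missing scheduled access audits) are the kind of thing a scheduled review job can catch mechanically. The script below is an added example, not code from the original article or from any IAM product: it runs a handful of access-review checks over a constructed, in-memory RBAC dataset. The role names, permission strings, the single separation-of-duties rule and the 90-day review window are all assumptions made for illustration; in practice the inputs would come from an IAM export and an HR feed.

```python
"""Toy access-review checks over an RBAC dataset (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data: role and permission names are assumptions for this example.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "all-staff": {"mail:read", "wiki:read"},
    "hr-staff": {"hris:read", "hris:write"},
    "finance-ap": {"erp:invoice.create"},
    "finance-approver": {"erp:invoice.approve"},
    "engineering": {"repo:read", "repo:write", "ci:deploy"},
}

# Permission pairs a single person must never hold at the same time (assumed SoD rule).
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("erp:invoice.create", "erp:invoice.approve"),
]


@dataclass
class User:
    name: str
    roles: Set[str]
    account_enabled: bool = True
    employment_ended: Optional[date] = None        # set by HR when the person leaves
    last_reviewed: Optional[date] = None           # date of the last manager attestation
    needed: Set[str] = field(default_factory=set)  # what the business owner says the job requires


def effective_permissions(user: User) -> Set[str]:
    """Union of the permissions granted by every role the user holds."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def excess_permissions(user: User) -> Set[str]:
    """Permissions the user holds beyond what the business owner said the job needs."""
    return effective_permissions(user) - user.needed


def sod_violations(user: User) -> List[Tuple[str, str]]:
    """Conflicting permission pairs the user holds simultaneously."""
    perms = effective_permissions(user)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def offboarding_gaps(users: List[User]) -> List[str]:
    """Departed users whose account is still enabled or who still hold any role."""
    return [u.name for u in users
            if u.employment_ended is not None and (u.account_enabled or u.roles)]


def overdue_reviews(users: List[User], as_of: date, max_age_days: int = 90) -> List[str]:
    """Enabled users never attested, or not attested within max_age_days."""
    return [u.name for u in users
            if u.account_enabled
            and (u.last_reviewed is None or (as_of - u.last_reviewed).days > max_age_days)]


def run_review(users: List[User], as_of: date) -> Dict[str, object]:
    """Collect every finding into one report keyed by check name."""
    return {
        "excess": {u.name: sorted(excess_permissions(u)) for u in users if excess_permissions(u)},
        "sod": {u.name: sod_violations(u) for u in users if sod_violations(u)},
        "offboarding_gaps": offboarding_gaps(users),
        "overdue_reviews": overdue_reviews(users, as_of),
    }


# Constructed sample population: names, dates and needs are invented for the example.
SAMPLE_USERS: List[User] = [
    User("alice", {"all-staff", "hr-staff"}, last_reviewed=date(2021, 5, 1),
         needed={"mail:read", "wiki:read", "hris:read", "hris:write"}),
    # bob can both create and approve invoices: an SoD conflict and an excess grant
    User("bob", {"all-staff", "finance-ap", "finance-approver"}, last_reviewed=date(2021, 6, 20),
         needed={"mail:read", "wiki:read", "erp:invoice.create"}),
    # carol inherited ci:deploy from a broad group and has not been reviewed for months
    User("carol", {"all-staff", "engineering"}, last_reviewed=date(2021, 1, 10),
         needed={"mail:read", "wiki:read", "repo:read", "repo:write"}),
    # dave left the company but offboarding never ran: account still enabled, roles intact
    User("dave", {"engineering"}, employment_ended=date(2021, 6, 1), last_reviewed=date(2021, 5, 15)),
]
AS_OF = date(2021, 7, 15)

if __name__ == "__main__":
    for check, result in run_review(SAMPLE_USERS, AS_OF).items():
        print(f"{check}: {result}")
```

The `needed` set is deliberately supplied per user rather than derived from the roles: the point of the review is to compare what the platform actually grants against what the business owner attests is required, which is exactly the IT-versus-business-leader gap the article describes. A real job would pull `employment_ended` from the HR system of record and fail closed (treat a user as a finding) when that feed is missing.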
This was last published in July 2021