There are many reasons why some enterprises struggle with their Identity and Access Management (IAM) strategies, but it’s often not the types of authentication being explored. Too many companies still think of IAM as solely an IT problem. It’s not – and the longer that flawed belief persists in the minds of both C-level execs and line of business managers, the longer it will take to strengthen cybersecurity across the organization.
The problem is the changing nature of the intellectual property, or data, that needs protection. That data no longer solely resides in servers under the control of IT managers. Whether the data is sitting in the cloud, on mobile devices, on an employee’s home computer, on a consumer-level backup service, it’s often on the move. To be effective, identity services need visibility across all corporate data.
That means discussions about who has access to what data need to involve HR, Legal, Marketing, every line of business—anywhere corporate data may live. Why? Consider the Marketing department. Marketing managers may be in a far better position to know about key customer analytics than IT – especially if they are making ample use of a non-IT-purchased cloud service to store that information.
“IAM is not just an IT project,” says Bindu Sundaresan, practice lead for AT&T Security Consulting. “Most organizations don’t have the foundational pieces in place to understand how data today is flowing across the enterprise.”
“You want an IAM infrastructure that’s both intuitive and effective,” Sundaresan says. “It has to be collaborative; functioning across business units that typically work in silos.”
Collaboration is critical to develop the visibility necessary to identify and track every asset within your organization, whether it’s inside or outside your network, whether it’s a traditional legacy security model (single domain on premises) or a hybrid data center cloud. The main goal of an IAM strategy is comprehensiveness. IAM can only help security if it has visibility into all assets. The more files that are out-of-view of IAM, the more exposed the enterprise is to attack.
With visibility across all your data, you can develop a better understanding of the risks and exposures of the enterprise. Risk-based profiles are an effective starting point for determining the types of authentication, such as using tokens or biometrics, make the most sense.
With an IAM strategy that incorporates all departments, finds hidden data and makes appropriate security choices based on an enterprise’s specific situation, IAM deployment is far easier—and safer.