What are the 7 critical identity management questions your enterprise needs to ask itself? Where can you go to find the answers to these questions? Also, how should these questions influence or direct your identity security solution search?
Cybersecurity presents a contradictory challenge concerning deployment and implementation. On the one hand, the need for strong identity and access management becomes increasingly apparent every day. Enterprises don’t just face short-term fines and losses due to data breaches; they must also face the potential loss of customers due to lost trust and other effects of reputational damage.
Since so many data breaches begin with stolen or compromised identities, an identity security platform proves a necessity for enterprises of all sizes. Of course, this suggests selecting an identity solution as quickly as possible to keep your assets safe.
On the other hand, moving too fast in cybersecurity can often cause as many challenges as it aims to solve. In fact, enterprises frequently run into issues like this. Instead of making a cautious selection, they simply pick a solution that seems to solve their immediate challenge. Obviously, this creates an identity management platform bogged down by complexity and integration issues.
Therefore, you need to make your own selection judiciously. You can start by asking yourself these 7 critical identity management questions.
7 Critical Identity Management Questions Your Enterprise Needs to Ask
1. What Kind of Identity Management Does Our Enterprise Need?
We could reframe this and similar identity management questions as “what branch of available identity security solutions best suits our needs?”
Possibly, this question stems from ignorance over the difference between the identity security branches. While the various branches possess similar goals, they do emphasize distinct aspects of identity security:
- Identity and Access Management (IAM) protects your users at the login stage from infiltration or impersonation. Above all, it forms a digital perimeter to keep bad actors away from your assets.
- Privileged Access Management (PAM) secures your empowered users—those with the power to seriously alter your workflows or infrastructure. Also, it monitors their activities after they log in.
- Identity Governance and Administration (IGA) improves visibility over your users’ permissions. It helps to detect and remove unnecessary privileges and enforce temporary privileges.
- Customer Identity and Access Management (CIAM) seeks to protect customers logging into your digital marketplace. It also helps facilitate the user experience.
Of course, your enterprise might need many or all of these solutions for your network. Fortunately, you can find solutions which embody all of these key focuses. Otherwise, you can find a few solutions which integrate with each other through partnerships.
2. What Does Our Infrastructure Look Like?
Your enterprise can’t (or shouldn’t) answer any identity management questions without first examining its own infrastructure. After all, an identity and access management solution which adequately protects an on-premises environment may not do so for a cloud or hybrid environment. Moreover, not every identity solution can scale with growing networks or user bases.
Unfortunately, many enterprises suffer the consequences of these kinds of oversights. Using inadequate or legacy solutions to protect new infrastructures resembles trying to put a square peg in a round hole; it just doesn’t work. You need a solution which matches both your network now and what it might look like in five or ten years.
3. What Is Our Use Case?
Obviously, this relates heavily to the question above. However, it remains a relevant query even after addressing the question of infrastructure.
The identity security threats your enterprise faces radically differ from those faced by other businesses. Factors such as industry, size, digital public-facing assets or pages, workflows, and external communications determine how hackers approach your business; they determine what hackers target and how. Ideally, you should have the threat intelligence to recognize which cyber attacks could do the most damage to you.
However, you should speak with your IT security team to fully understand your use case. From there, you can find an identity and access management solution that fits your business processes.
4. How Do Our Users Interact with Our Current Identity Management Solution?
You can rephrase identity management questions like this to “how will our users adapt to new demands from an updated identity management solution?”
Partly, this question boils down to company culture. Do your users work well with your current solution? Or do they find and utilize workarounds? How well do they protect their passwords and usernames? Do they understand the severity of the digital threats on their identities?
Here, you face a two-way street. On the one hand, you should look for identity and access management solutions which fit as neatly as possible into your culture; this should help facilitate adoption and smooth deployment.
On the other, you need to catch your employees up on the new solution before you deploy it. Through regular educational efforts, you need to introduce your employees to the solution and make them understand the need for it.
Remember, you must also recognize the different types of identities interacting with your environment. For example, customers need a smoother interface and user experience than employees to maintain their engagement. Meanwhile, privileged users need to pass more authentication factors before receiving access.
5. What Identities Do We Regularly Handle and Monitor?
As we alluded to above, employee identities and customer identities differ wildly in their needs and expectations; while both have power in your enterprise, their levels of power don’t match. Thus, you need to store, monitor, and protect them in ways befitting their privileges. You need to keep an eye on your customer identities, including the security of their storage, but employee identities need even closer scrutiny.
Moreover, you need to establish total visibility over all of the identities on your network. Losing track of an employee’s or privileged user’s account could prove a significant security vulnerability. Accounts that linger after the employee leaves your business—orphaned accounts—are an ideal attack vector for the unscrupulous.
Other identity management questions in this category involve third-party identities and non-human identities like applications. Without proper monitoring, third-party identities could escalate their privileges and provide a stepping stone for hackers. Likewise, devices and applications often move through your network with little resistance, which hackers can exploit for their purposes.
So you need full visibility over your enterprise, its devices, its third parties, and its users. Only then can you get a sense of the identity landscape you need to protect.
6. What Authentication Factors Should We Consider For Our Environment?
Regardless of your identity management solution, you need more than the basic password-only authentication protocol.
The rule of thumb for authentication states that the more factors stand between an access request and the database, the more secure the database stays. Unfortunately, not every authentication factor makes sense for every population. Even within your own enterprise, you may need to enforce distinct factors for different users. For example, your customers need a smooth user interface to stay engaged, so they need fewer factors. Further, their factors can include social sign-on—an unthinkable idea for employees.
For employees, you need to consider them in full. Remote employees may have trouble with traditional hard tokens, as getting the tokens to them could prove challenging. However, turning their mobile devices into hard tokens could work substantially better.
Ask yourself these identity management questions before making any authentication decisions. The reward for doing so could seriously optimize your identity management.
7. Are We Ignoring Significant Challenges in Our Identity Management?
Identity management questions like this tend to prove relevant to all categories of identity and access management. Indeed, some branches of identity security face these problems more than others.
For example, let’s look at privileged access management. Enterprises often believe they could handle attacks on their privileged users; according to a recent study by Centrify and TechVangelism, as much as 93 percent of enterprises believe they can handle such threats.
However, the vast majority of enterprises (79 percent) don’t have mature privileged access management platforms. 52 percent don’t use a password vault, a basic capability. In a separate study, Centrify found 26 percent of U.S. IT decision-makers couldn’t properly define privileged access management.
Thus, the confidence enterprises display concerning their PAM looks more like overconfidence on close examination. You need to evaluate your own identity and access management and ensure you have the capabilities necessary for your enterprise.
How to Fully Answer Your Identity Management Questions