Cybersecurity—identity and access management in particular—should not begin with thoughtless decisions. Before selecting an identity solution of any kind, you need to ask yourself essential questions about your security needs and goals.
Many IT decision-makers select an identity solution to solve a short-term problem. However, in these scenarios, they fail to evaluate how the identity solution fits with their IT environment. Indeed, they often don’t check whether the new identity and access management solution fits at all.
Of course, this can lead to all sorts of serious integration issues and potential security holes. Moreover, failing to consider their long-term identity and access management goals results in IT decision-makers not optimizing their identity solution. Many important capabilities thus go under-utilized.
Therefore, as you begin the identity solution selection process, you need to answer some critical cybersecurity questions. To help you, we created this questionnaire covering your digital identity security goals and your current capabilities. Answering these questions honestly could help you identify what kind of solution your enterprise needs.
Identity Solution General Questions
Before you start to narrow down what kind of identity and access management solution you need, you need to begin an evaluation of your current cybersecurity policies and projections.
- What kind(s) of identity solution do you currently employ? Where does it fit within your IT environment?
- Does your enterprise plan to digitally transform? If so, do you know whether you’ll adopt a hybrid environment or a completely cloud-based environment? If the latter, will it be a public or private cloud? Finally, can your identity security handle the demands of the cloud?
- Can your identity and access management process fully secure the third-party identities that access your network? Are you aware of which third parties connect to your environment?
- How does your identity security handle the identity lifecycle? What do your onboarding and offboarding processes look like? Above all, do they match with your cybersecurity goals?
- Do you utilize single sign-on? If not, what holds you back from deploying this capability?
- On a more macro level, to which industry vertical does your enterprise belong? How many employees log into your network?
- Relatedly, what are your scaling projections? Will your current solution scale with your IT environments?
Privileged Access Management Questions
While a next-gen identity and access management solution can fulfill many of your enterprise’s particular needs, you may need a more specialized identity solution. For example, according to Centrify, 74% of enterprises suffered a breach as a result of compromised privileged accounts. Additionally, 52% of enterprises don’t have a password vault, and 21% don’t have any kind of multifactor authentication on their privileged accounts.
These problems could prove disastrous to your enterprise. Therefore, you may want to consider selecting and deploying a next-generation privileged access management (PAM) or privileged identity management (PIM) solution. See how you answer these identity solution questions:
- Is your enterprise still using single-factor authentication to protect your privileged credentials and accounts?
- What kinds of protections do you use on your passwords? Do you follow password security best practices? Does your IT environment feature password vaulting?
- Additionally, do you know all of the privileged identities within your IT environment? What procedures do you have in place to detect, prevent, or remove orphaned accounts?
- How do you employ your multifactor authentication (MFA) policy? Do you enforce a consistent layer of MFA, or do you deploy step-up authentication depending on the severity of access requests?
- What procedures do you have to revoke privileged access after removing an account? On the other hand, what processes do you utilize for creating a new privileged account?
- Which multifactor authentication factors do you employ in your authentication protocols? Do you limit yourself to passwords and biometrics, or do you also utilize geofencing, login time, behavior analysis, and email verification?
- What security alerts do you have in place for failed login attempts with privileged credentials? Who receives those alerts, and how do they respond?
- Do you follow the Principle of Least Privilege? Are privileged users limited in their access appropriately as well?
Identity Governance and Administration Questions
On the other hand, you may have more issues with role management and access governance. For example, your employees may not possess concrete limits on their permissions. Without those limits, your accounts could become vulnerable to access creep.
If these problems speak to your experiences, you need to consider selecting a next-generation identity governance and administration (IGA) solution as your identity solution. However, before you do, answer these questions:
- Does your IT security team know what permissions each role and user in your enterprise possesses? In other words, are you sure each job role in your IT environment has set permissions that match its job description?
- How would you describe your visibility into your users’ identities? Can you easily determine what permissions they have or do not have?
- Do you have the governance capabilities to add or (more likely) remove permissions which exceed the job roles your users possess? Who has the authority in your enterprise to make these adjustments?
- How does your organization handle access requests? Are they centralized?
- If you have third-party identities connecting to your network, does your identity solution govern those credentials as well as your users?
- Do you have trouble with your identity compliance reporting? Do your regulatory mandates require identity management? What templates will you need to fulfill these compliance requirements?
Of course, your enterprise should also consider a managed identity solution if it feels like it can’t handle the demands of identity and access management. These managed options allow your IT security team to work with other experts, allowing for 24/7 monitoring of identity behaviors and comprehensive optimization efforts.
Identity Solution Selection Tools
This identity solution questionnaire should help direct your selection process, but it should only serve as one tool in your toolbox. You should also check out our 2019 Identity and Access Management Buyer’s Guide. We outline the capabilities of the major IAM providers in the field and provide our Bottom Line for each.
Above all, never select your identity solution without due consideration. You’ll find yourself feeling much more secure in the long term.