How To Develop an Identity and Access Management Strategy
To thrive in a digital world, organizations of every size will need an identity and access management (IAM) strategy. Here's how technology leaders at ADP view IAM, and why they think it's critical to an organization's continued success and improvement.
To thrive in a digital operating environment, organizations need a robust identity and access management strategy for managing access to digital assets for customers, employees and contractors.
According to Gartner, identity and access management (IAM) is "the discipline that enables the right individuals to access the right resources at the right times for the right reasons." IAM has increasingly become business-aligned and now requires leaders with business skills, not just workers with technical expertise. Organizations that prioritize developing mature IAM capabilities can reduce their identity management costs and become more agile in supporting new business initiatives.
In practical terms, an IAM solution includes a database of users, the ability to add, edit or delete user data, the means to police user access and document trails to facilitate auditing and reporting.
IAM has become critical to future success
Deepak Kaushal, ADP's Vice President of Access and Identity Management, sees IAM as a crucial component of an organization's security defenses. "IAM can't be a second thought anymore in an age where cyber warfare can be devastating for a company," he says. "A clear strategy with continuous execution will keep any companies and their client data secure and gain the trust of their consumers."
Having developed an identity and access management strategy, Sanjoli Ahuja, Senior Director of Product Management at ADP, sees a need for organizations to routinely check and continually refine their approach as threat vectors develop. Ahuja also sees a need to revisit an IAM strategy periodically due to changing technologies, business processes and the data footprints IAM protects. She and Kaushal caution organizations not to overlook employee conduct as well.
"An aspect that is equally important and often overlooked is internal threats, which can be more damaging than external threats," Kaushal notes. "Creating a broader strategy will help cover all aspects of security."
Engaging the right stakeholders
An effective access management strategy must scale to meet an organization's needs and evolve as the threat landscape changes. It must also meet the needs of the business and align with the Chief Information Officer (CIO). In fact, IAM requires engagement and support from across the business and covers a broad range of disciplines and risk types.
"From the CSO (Chief Security Officer) and CISO to business units responsible for implementing and working directly with your consumers, everyone must play a role in formulating an IAM strategy," says John Agodini, VP of Product Development and Reliability at ADP. "An IAM strategy must include, but is not limited to, risk assessment and mitigation, threat modeling, security policies definition and enforcement, security architecture, red/blue teaming and incident management, auditing and reporting, and internal/external communications."
Understanding the benefits of IAM
Beyond securing the enterprise, IAM can provide numerous other benefits, including reductions in fraud losses, cost savings generated by deploying enterprise solutions that allow for the removal of point solutions, and efficiency improvements tied to streamlining IAM-related processes.
"A well-thought-out approach to IAM can generate operational benefits through a reduction in technical support calls and an increase in secure self-service options," says Kaushal. It can also make it easier to meet the demands of security and audit reporting. In the event that a security incident occurs, a well-defined process, established as part of the overall IAM strategy, can focus an organization's response efforts and minimize the time, effort and expense required to return to normal.
A commitment to continuous improvement
Organizations must ensure that their IAM strategy remains relevant as the threat landscape and regulatory environment change.
"The key is to establish IAM as a product with both an internal and external focus and a defined roadmap," notes Kaushal. "The product team should stay in touch with internal/external threat intelligence, have a quarterly roadmap review and adjust with key security stakeholders. Internal threats should be regularly evaluated through access and security controls audits as well."
For organizations in the digital space, trust is essential. Strong identity management and governance practices build trust with employees and customers alike. As organizations migrate more of their legacy products and services online and design new digital offerings, the need for identity and access management will only become more critical to business success.