Balancing Security & Convenience: The Importance Of IAM
Before the Internet, things were simple. Less fun, probably, but definitely simple. Your office had a big door at the entrance, with a security guard who sat next to it to prevent intruders from gaining access. Once inside the building, you could easily walk to other floors and other departments. But the CFO's office was locked, as was the cabinet where confidential information was stored. Most employees did not have access to the keys to either of these.
Things are a lot more complicated these days. For sure, network segmentation and encrypted storage are digital equivalents of the locked offices and cabinets, just like two-factor authentication may be the equivalent of the big door and the security guard.
But that's only the beginning. Some employees will be working remotely; others will be connecting to the company network while traveling to a client or a conference. And through their phones most employees will have 24/7 access to at least their corporate email accounts, and probably a lot of other company data too.
At the same time, many services will have been outsourced to various cloud providers, so that the company network isn't contained within a building but spread over many data centers around the globe. Data stored there is of course encrypted, or so one would hope, but to do its job, the cloud provider needs to be able to access the unencrypted data.
And recently, the fridges and coffee makers in your office have been connected to that network too.
To make sense of their increasingly confusing networks, most companies apply some kind of Identity and Access Management (IAM) solution.
IAM ensures your employees can do their jobs, even when they are on the road. It makes sure, for example through two-factor authentication, that a lost or stolen phone doesn't give an intruder access to your network. And it ensures that a coffee maker can inform the Head of Facilities that it has run out of beans, but that it won't have access to the company's financial figures.
Choosing the right IAM solution is about finding a balance between security and convenience. A good solution can make security an almost painless experience. But as with any security solution, no IAM product is perfect. As such, it is important to be prepared for two scenarios where things could go wrong.
The first hypothetical: some intruder does get access to critical parts of your network. Would you know? Are you checking access logs? Do you know who accesses which data? Have you deployed canaries or honey tokens as a trap to catch those looking for valuable data?
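The questions above (are logs checked, who touched what, did anyone trip a honey token) can be answered mechanically once access events are parsed. The script below is an added example, not code from the original article or from any IAM product: the space-separated log format, the user and resource names, and the two decoy file names in `HONEYTOKENS` are all constructed for this illustration. It flags every touch of a decoy resource, whether the request was allowed or denied, and summarises which principal successfully accessed which resources.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample access log. The format (ISO timestamp, principal,
# action, resource, outcome) is an assumption for this example, not the
# log format of any real IAM product.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice READ finance/q1-forecast.xlsx ALLOW
2024-03-04T09:12:07Z alice READ finance/q1-forecast.xlsx ALLOW
2024-03-04T09:13:45Z bob READ hr/salaries.csv DENY
2024-03-04T09:14:02Z bob READ finance/board-minutes-DRAFT.docx ALLOW
2024-03-04T09:15:30Z coffee-maker-3 WRITE facilities/supply-requests ALLOW
2024-03-04T09:16:11Z coffee-maker-3 READ finance/q1-forecast.xlsx DENY
2024-03-04T09:20:00Z carol READ legal/passwords-backup.txt ALLOW
"""

# Decoy objects no legitimate workflow touches, so any access (allowed or
# denied) is a high-fidelity signal. Names are constructed for this example.
HONEYTOKENS = {
    "finance/board-minutes-DRAFT.docx",
    "legal/passwords-backup.txt",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>[A-Z]+) "
    r"(?P<resource>\S+) (?P<outcome>ALLOW|DENY)$"
)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    action: str
    resource: str
    outcome: str


def parse_log(text):
    """Parse the constructed log format, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(AccessEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            user=m["user"],
            action=m["action"],
            resource=m["resource"],
            outcome=m["outcome"],
        ))
    return events


def honeytoken_hits(events, honeytokens=HONEYTOKENS):
    """Every touch of a decoy resource, regardless of outcome."""
    return [e for e in events if e.resource in honeytokens]


def who_accessed_what(events):
    """Map each principal to the set of resources it successfully accessed."""
    seen = defaultdict(set)
    for e in events:
        if e.outcome == "ALLOW":
            seen[e.user].add(e.resource)
    return dict(seen)


def denied_by_user(events):
    """Count denied requests per principal; a device probing finance data
    is exactly the kind of pattern a reviewer should see."""
    counts = defaultdict(int)
    for e in events:
        if e.outcome == "DENY":
            counts[e.user] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in honeytoken_hits(evs):
        print(f"ALERT honeytoken touched: {hit.user} {hit.action} "
              f"{hit.resource} ({hit.outcome}) at {hit.ts:%H:%M:%S}")
    for user, resources in sorted(who_accessed_what(evs).items()):
        print(f"{user}: {sorted(resources)}")
    print("denied requests per principal:", denied_by_user(evs))
```

In the constructed sample, two principals trip a honey token and the coffee maker is denied a read of the finance forecast, which is the outcome the article's least-privilege description asks for. The point of the denied-request count is that a denial is not the end of the story: a device that should never ask for finance data asking for it once is itself worth a look.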
The second scenario is the complete opposite, and one that security professionals often overlook. How do you handle a situation where you need the CFO to sign an important contract, but she is traveling and has left her authentication token at home? Are you able to give her access to the network, and how do you know this bypass isn't abused by some malicious actor, merely pretending to be her?
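One way to make such a bypass answerable to the question "how do you know it isn't abused" is to model it as an explicit break-glass grant: approved by a second person, scoped to one action on one resource, time-limited, and with every attempt to use it recorded. The code below is an added example, not code from the original article or from any IAM product; the four-hour ceiling, the principal names and the resource name are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Upper bound on the lifetime of a bypass. The value is an assumption for
# this example, not a figure from the article.
MAX_GRANT = timedelta(hours=4)


@dataclass
class BreakGlassGrant:
    subject: str            # person whose second factor is unavailable
    approver: str           # different person who did the out-of-band check
    resource: str           # narrow scope: one document, not "the network"
    action: str
    issued_at: datetime
    expires_at: datetime
    uses: list = field(default_factory=list)  # audit trail of every attempt


def issue_grant(subject, approver, resource, action, now, duration):
    """Create a bypass only if it is second-party approved, narrow and short."""
    if approver == subject:
        raise ValueError("approver must be a different person than the subject")
    if duration <= timedelta(0) or duration > MAX_GRANT:
        raise ValueError("grant duration out of policy")
    return BreakGlassGrant(subject, approver, resource, action, now, now + duration)


def use_grant(grant, who, action, resource, now):
    """Evaluate one attempt to exercise the bypass and record it, accepted or not."""
    ok = bool(
        who == grant.subject
        and action == grant.action
        and resource == grant.resource
        and grant.issued_at <= now < grant.expires_at
    )
    grant.uses.append((now, who, action, resource, ok))
    return ok


def audit_report(grant):
    """Summary for the reviewer: how often the bypass worked, and every
    attempt that fell outside its scope, window or subject."""
    rejected = [u for u in grant.uses if not u[4]]
    accepted = [u for u in grant.uses if u[4]]
    return {
        "subject": grant.subject,
        "approver": grant.approver,
        "accepted": len(accepted),
        "rejected": rejected,
    }


if __name__ == "__main__":
    t0 = datetime(2024, 3, 4, 10, 0)
    # Constructed scenario: the CFO needs to sign one contract while travelling.
    grant = issue_grant("cfo", "ciso", "contracts/acme-msa.pdf", "SIGN",
                        t0, timedelta(hours=2))
    use_grant(grant, "cfo", "SIGN", "contracts/acme-msa.pdf", t0 + timedelta(minutes=30))
    use_grant(grant, "cfo", "READ", "finance/q1-forecast.xlsx", t0 + timedelta(minutes=31))
    use_grant(grant, "mallory", "SIGN", "contracts/acme-msa.pdf", t0 + timedelta(minutes=32))
    use_grant(grant, "cfo", "SIGN", "contracts/acme-msa.pdf", t0 + timedelta(hours=3))
    print(audit_report(grant))
```

The design choice worth noticing is that rejections are logged as carefully as successes: a grant issued for one signature that attracts attempts to read unrelated finance data, or attempts by a different account, is the evidence that the bypass is being probed, and that evidence only exists if the evaluation function writes it down.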
As security professionals, we have become quite good at adding many layers of protection. What we are less good at is understanding how, and in which cases, these layers can be pierced. If a security professional assumes a breach is "never" possible, that is certainly the wrong answer.