IT leaders must actively refine their internal processes to reduce their organizations’ exposure to IT security risks as business IT environments grow increasingly complex. It’s not just about determining which employees need access to specific systems. Leaders also have to consider non-human access—those entries granted to automated systems and external tools.
Varun Prasad, vice-president of the ISACA San Francisco Chapter, highlights a common pitfall: companies often rush through traditional access management steps amid their sprawling IT landscapes. He stresses the need to regularly review access authorizations, asserting that this shouldn’t be a box-ticking exercise but a careful analysis to spot any privilege creep.
The review should extend beyond just production system access. Prasad urges leaders to include all non-human identities and cover critical resources like source code repositories and secret vaults. With human error being a frequent cause of cyber incidents, automating key processes like account provisioning and access reviews can be a smart move. He also suggests linking the centralized identity access management (IAM) platform with the human resource management system to streamline employee offboarding.
Automating periodic access reviews can help ensure that access rights stay aligned with job responsibilities. While social engineering is a well-known tactic for stealing passwords, Prasad notes that cyber attackers are now using phishing to capture MFA codes too. He advocates adopting phishing-resistant MFA methods, such as WebAuthn and PKI-based authentication, to eliminate the human error factor.
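The kind of automated access review described in the two paragraphs above can be reduced to a reconciliation job: compare each identity's current entitlements against a baseline for its job role, include non-human identities (CI runners, integration accounts) and sensitive resources such as code repositories and secret vaults, and cross-check the HR status so that offboarded people lose access automatically. The following is an added example written for this page, not code from the article or from any vendor it mentions; the role baseline, entitlement names, the HR status feed and all identities are constructed for illustration.

```python
"""Automated access review: reconcile entitlements against HR status and role baselines.

Added example, not part of the original article. Every name, role and entitlement
string below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed baseline: the entitlements each job role is expected to hold.
# Service accounts get their own role so non-human access is reviewed too.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "developer": {"repo:read", "repo:write", "vault:read:app-secrets"},
    "sre": {"repo:read", "prod:deploy", "vault:read:app-secrets", "vault:read:infra-secrets"},
    "ci-service": {"repo:read", "prod:deploy", "vault:read:app-secrets"},
}


@dataclass
class Identity:
    name: str
    kind: str                 # "human" or "service" (non-human identity)
    role: str                 # job role from HRMS, or owner-assigned role for services
    entitlements: Set[str]    # what the IAM platform currently grants
    hr_status: str = "active"  # HRMS feed: "active" or "terminated"


@dataclass
class Finding:
    identity: str
    issue: str      # "offboarded-but-active", "unknown-role", "privilege-creep"
    detail: str


def review_access(identities: List[Identity],
                  baseline: Dict[str, Set[str]] = ROLE_BASELINE) -> List[Finding]:
    """Return one finding per identity whose access needs attention."""
    findings: List[Finding] = []
    for ident in identities:
        # Offboarding check: a terminated person with any live entitlement is a finding
        # regardless of role; this is the IAM-to-HRMS link the article recommends.
        if ident.hr_status != "active" and ident.entitlements:
            findings.append(Finding(ident.name, "offboarded-but-active",
                                    f"HR status '{ident.hr_status}' but still holds: "
                                    + ", ".join(sorted(ident.entitlements))))
            continue
        expected = baseline.get(ident.role)
        if expected is None:
            # No baseline means nobody can say what this identity should have.
            findings.append(Finding(ident.name, "unknown-role",
                                    f"role '{ident.role}' has no baseline; review manually"))
            continue
        # Privilege creep: anything granted beyond the role baseline.
        excess = ident.entitlements - expected
        if excess:
            findings.append(Finding(ident.name, "privilege-creep",
                                    "excess: " + ", ".join(sorted(excess))))
    return findings


def sample_identities() -> List[Identity]:
    """Constructed review input: two humans, one service account, one leaver."""
    return [
        Identity("alice", "human", "developer",
                 {"repo:read", "repo:write", "vault:read:app-secrets"}),
        # Bob moved teams but kept a production deploy right from his old role.
        Identity("bob", "human", "developer",
                 {"repo:read", "repo:write", "vault:read:app-secrets", "prod:deploy"}),
        # Non-human identity with access to a secret vault path it should not read.
        Identity("ci-runner-01", "service", "ci-service",
                 {"repo:read", "prod:deploy", "vault:read:app-secrets", "vault:read:infra-secrets"}),
        # Left the company but was never deprovisioned in IAM.
        Identity("carol", "human", "sre", {"repo:read", "prod:deploy"}, hr_status="terminated"),
    ]


if __name__ == "__main__":
    for f in review_access(sample_identities()):
        print(f"{f.identity:14} {f.issue:22} {f.detail}")
```

Run as a scheduled job, the output feeds a ticket queue rather than an email nobody reads; the "offboarded-but-active" findings can be wired to automatic revocation, while "privilege-creep" findings go to the access owner for a decision.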
Forrester indicates that generative AI can spot new identity threats across various platforms. Some IAM tools now create identity and access policies to combat these threats. Additionally, non-technical users can use natural language to query IAM systems, making it easier to assess risks.
Despite advances in IAM technologies, Prasad insists that access management remains a priority. Research from the Cloud Security Alliance ranks IAM-related risks among the top threats to cloud computing, and a poll showed that 84% of 500 surveyed organizations faced identity-related breaches last year. Thankfully, major cloud providers like AWS and Microsoft Azure support phishing-resistant MFA, seen as essential by CISA in a zero-trust framework.
Beyond technology, Prasad calls for companies to foster a strong security culture. Practicing basic IAM hygiene—like the principle of least privilege and regular entitlement reviews—is crucial. With so many IAM issues tied to data breaches, efficient IAM governance is vital for robust cybersecurity.
Andrew Peel and Scott Swalling from PA Consulting point out that IAM should be more than a defensive wall; it needs to involve proactive threat detection and response, incorporating practices like zero trust. They encourage organizations to develop capabilities to identify signs of compromise, noting that usage trends can reveal vulnerabilities.
Detection tools that log IAM activities can help mitigate the fallout from phishing by identifying unusual behavior, like unauthorized rights escalation. A strong identity-centric security posture is key to combating cyber threats effectively. Using high-quality identity data, technology controls, and user education creates a resilient defense against evolving attacks.
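The paragraph above is the detection side of the same picture: IAM audit events are logged, and a rule spots rights escalation that did not go through the expected path. The snippet below is an added example written for this page, not code from the article or from any tool it names; it parses a handful of constructed audit log lines and flags a privileged role being granted to the actor's own account, a privileged grant issued by someone outside the approved grantor set, and a privileged grant with no change ticket attached. The log format, field names, role names and the approved-grantor list are all assumptions.

```python
"""Flag unauthorized rights escalation in IAM audit logs.

Added example, not part of the original article. The log lines, field names,
role names and the approved-grantor allow-list are constructed for illustration.
"""
import json
from typing import Dict, List

# Roles whose grant should always be scrutinised (constructed names).
PRIVILEGED_ROLES = {"admin", "owner", "iam-admin"}
# Identities allowed to hand out privileged roles (constructed allow-list).
APPROVED_GRANTORS = {"iam-admin-bot", "alice.admin"}

# Constructed sample log: one line per event, JSON per line, one deliberately malformed.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","actor":"alice.admin","action":"grant_role","target":"bob.dev","role":"repo-read"}
{"ts":"2024-05-01T10:02:17Z","actor":"bob.dev","action":"grant_role","target":"bob.dev","role":"admin"}
{"ts":"2024-05-01T10:03:44Z","actor":"carol.dev","action":"grant_role","target":"dave.dev","role":"owner"}
{"ts":"2024-05-01T10:05:00Z","actor":"iam-admin-bot","action":"grant_role","target":"eve.sre","role":"iam-admin","ticket":"CHG-1234"}
{"ts":"2024-05-01T10:06:12Z","actor":"bob.dev","action":"login","mfa":false}
this line is not json and must not crash the detector
"""


def parse_events(text: str) -> List[Dict]:
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a real pipeline would count these; here we just skip
    return events


def detect_escalation(events: List[Dict]) -> List[Dict]:
    """Return one alert per suspicious privileged grant, listing every rule it tripped."""
    alerts = []
    for ev in events:
        if ev.get("action") != "grant_role" or ev.get("role") not in PRIVILEGED_ROLES:
            continue  # only privileged role grants are in scope for this rule
        reasons = []
        if ev.get("actor") == ev.get("target"):
            reasons.append("self-grant")           # granting a privileged role to oneself
        if ev.get("actor") not in APPROVED_GRANTORS:
            reasons.append("unapproved-grantor")   # outside the allow-listed grantors
        if not ev.get("ticket"):
            reasons.append("no-change-ticket")     # no change record to justify it
        if reasons:
            alerts.append({"ts": ev.get("ts"), "actor": ev.get("actor"),
                           "target": ev.get("target"), "role": ev.get("role"),
                           "reasons": reasons})
    return alerts


def run_sample() -> List[Dict]:
    """Run the detector over the constructed sample log."""
    return detect_escalation(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts']} {a['actor']} -> {a['target']} ({a['role']}): {', '.join(a['reasons'])}")
```

The rules are deliberately simple because the value is in the join: a self-grant by an account that logged in without MFA minutes later is exactly the phishing fallout the paragraph describes, and both facts are already in the log once IAM activity is recorded centrally.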
Mike Gillespie from Advent IM emphasizes that this is fundamentally a people challenge, not just a tech issue. By focusing on human factors in the security strategy, organizations can bolster their defenses against cyber threats, phishing, and ransomware.
Recent breaches targeting IAM tech providers have forced IT decision-makers to reconsider their vendor selections. Forrester notes a growing demand for IAM providers to demonstrate strong internal processes and compliance with regulations like SOC 2 and ISO 27002. Organizations should insist on multifactor authentication for all users and prioritize providers that embrace secure-by-design principles.
While IAM technologies play a crucial role in cybersecurity, their effectiveness relies on individuals making informed decisions. Gillespie suggests that instead of imposing access restrictions, teams should be involved in identifying their access needs. By encouraging collaboration and understanding, organizations can create a security framework that safeguards both people and the systems they operate.