Integrated IAM Assessments to Manage Identity and Privileged Access Risk - Issue
Identity and access management (IAM) is a growing concern among chief information officers (CIOs) and chief information security officers (CISOs) as organizations are working to manage closely who has access to their systems and data. The risk of unauthorized access to information (personal, proprietary, etc.) comes from potential intentional and unintentional misuse by employees, contractors, vendors and business partners, as well as malicious outsiders.
With cyberattacks increasingly becoming daily news, organizations are placing greater emphasis on IAM, and privileged access management (PAM) in particular. Most security incidents and data breaches, including many that made the news in the past few years, are caused by the compromise of privileged accounts. Because privileged accounts provide elevated access to various systems within an organization, their compromise can have severe consequences, both financial and reputational.
Challenges and Opportunities
Even as organizations are taking note of the importance of IAM and PAM, many are still struggling with this area of security – particularly the challenge of striking a balance between providing the right access so employees and business partners can do their work and guarding against excessive access that can cause information leaks and raise the company’s access risk profile.
Historically, most companies have managed their privileged accounts by minimizing the number of people with access to those accounts and requiring security mechanisms, such as password changes. However, as company environments become more complex and cyberattacks more sophisticated, this management system is no longer sufficient.
In our experience, many organizations struggle to mature their IAM programs to manage these and other identity and access issues. Without a strong program, it can be difficult to assess where an organization stands with regard to its access management maturity and what projects should be undertaken to improve it. An effective IAM program should both enable the business by delivering the desired efficiencies and protect the organization’s data and information from potential misuse by systematically reducing IAM risk.
Our Point of View
Regardless of where an organization stands in its IAM capabilities, performing an IAM assessment is the first step to raising maturity. For organizations with less mature IAM programs, a full IAM assessment can help guide the strategic direction and provide a road map for improvement. For those who need targeted help in the PAM space, a PAM assessment serves as a logical starting point to determine the best course of action. These assessments help organizations determine:
- Where their IAM strengths and weaknesses are with regard to both process and technology
- What, if any, immediate remediation activities should be initiated to alleviate serious concerns
- What potential projects and services can be introduced to the IAM program, via a multi-year road map, to raise IAM maturity
The Protiviti IAM capability model, illustrated below, supports the identification of gaps and can be used to provide an understanding of the company’s current state relative to leading industry practices and the desired future state. This, in turn, helps to develop recommendations, business cases, road maps and other targeted remediation activities depending on the specific business, compliance or other drivers of the organization.
An Integrated Approach
Most IAM assessments start with interviews with key stakeholders and subject-matter experts within the company, detailed documentation reviews, authoritative data sources reviews, and other discovery tasks to gain appropriately detailed knowledge of the IAM environment. Many of these discovery tasks, however, are time-consuming, and findings are often based on anecdotal stories or single observations by users.
To mitigate these issues in the discovery process, we employ an integrated assessment approach that leverages our proprietary tools and scripts developed during IAM assessments in combination with industry tools, such as CyberArk’s Discovery & Audit tool (DNA). This allows us to rapidly scan the customer environment for privileged accounts on the network, password statuses, accounts vulnerable to Pass-the-Hash attacks, secure shell (SSH) keys, and a number of other items in the privileged access space. This approach considerably speeds up the discovery phase of the project and provides data evidence to support or refute user stories of privileged account issues in the environment.
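The discovery data described above is only useful once it is turned into findings that can be checked against policy and counted for management. The script below is an added illustration, not Protiviti's or CyberArk's code: it takes a constructed account inventory of the kind a discovery scan produces (group membership, password age, SSH authorized keys, hosts where the account has logged on) and derives per-account findings plus a summary. The group names, the 90-day password-age threshold, the three-host logon-footprint heuristic and all sample records are assumptions chosen for the example.

```python
"""Turn privileged-account discovery data into assessment findings.

Added example; the inventory, field names and thresholds are constructed
assumptions, not output of any real discovery tool.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta

# Groups treated as privileged (assumption: common Windows and Linux admin groups)
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "root", "sudo", "wheel"}
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed password-rotation policy
BROAD_LOGON_HOSTS = 3                   # assumed heuristic: cached logons on this many hosts
AS_OF = date(2024, 6, 1)                # constructed assessment date


@dataclass
class Account:
    name: str
    host: str                           # host the account was discovered on
    groups: set[str]
    password_last_set: date | None      # None = the scan could not determine it
    password_never_expires: bool = False
    ssh_keys: int = 0                   # authorized_keys entries found for the account
    logon_hosts: set[str] = field(default_factory=set)  # hosts holding cached logons


def is_privileged(acct: Account) -> bool:
    """An account is privileged if it belongs to any administrative group."""
    return bool(acct.groups & PRIVILEGED_GROUPS)


def assess(accounts: list[Account], as_of: date = AS_OF) -> list[dict]:
    """Return one finding dict per policy issue found on a privileged account."""
    findings: list[dict] = []

    def add(acct: Account, kind: str, detail: str) -> None:
        findings.append({"account": acct.name, "host": acct.host,
                         "finding": kind, "detail": detail})

    for a in accounts:
        if not is_privileged(a):
            continue                    # non-privileged accounts are out of scope here
        if a.password_never_expires:
            add(a, "never_expires", "password is set to never expire")
        if a.password_last_set is None:
            add(a, "unknown_password_age", "scan could not read password age")
        elif as_of - a.password_last_set > MAX_PASSWORD_AGE:
            age = (as_of - a.password_last_set).days
            add(a, "stale_password", f"password is {age} days old")
        if a.ssh_keys > 0:
            add(a, "ssh_key_present", f"{a.ssh_keys} SSH authorized key(s) grant access")
        if len(a.logon_hosts) >= BROAD_LOGON_HOSTS:
            add(a, "broad_logon_footprint",
                f"cached logons on {len(a.logon_hosts)} hosts widen credential exposure")
    return findings


def summarize(accounts: list[Account], as_of: date = AS_OF) -> dict:
    """Counts suitable for an executive summary: privileged accounts and findings by type."""
    findings = assess(accounts, as_of)
    return {
        "privileged_accounts": sum(1 for a in accounts if is_privileged(a)),
        "findings_total": len(findings),
        "by_type": dict(Counter(f["finding"] for f in findings)),
    }


# Constructed sample inventory (not real scan output)
SAMPLE_INVENTORY = [
    Account("svc_backup", "SRV01", {"Domain Admins"}, date(2022, 1, 15),
            password_never_expires=True, logon_hosts={"SRV01", "SRV02", "SRV03"}),
    Account("jdoe", "WS07", {"Users"}, date(2024, 5, 20)),
    Account("root", "LNX01", {"root"}, None, ssh_keys=2, logon_hosts={"LNX01"}),
    Account("localadmin", "WS07", {"Administrators"}, date(2024, 4, 1),
            logon_hosts={"WS07"}),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f['host']:6} {f['account']:12} {f['finding']:22} {f['detail']}")
    print(summarize(SAMPLE_INVENTORY))
```

Each finding carries the host and account it was observed on, so a user's account of "that service account never gets rotated" can be confirmed or refuted from the record rather than from anecdote, and the `by_type` counts give the headline numbers for a remediation business case.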
More importantly, the process provides material to present to executive management to facilitate buy-in on the required remediation approach and investment. Often, it can be challenging to obtain executive support for the necessary investment to properly address privileged access issues, despite organizational awareness of the importance of effective privileged access management. The IAM assessment approach described here provides stakeholders with indisputable, convincing data from which to build road maps and business cases and make informed decisions.
How We Help Companies Succeed
Protiviti helps companies perform IAM and PAM assessments and use the results to develop programs to raise the maturity of their IAM environments. Our experience spans a variety of industries, including financial services, healthcare, insurance, and hospitality and leisure. We work both with those that do not yet have a mature IAM program in place and with those seeking to enhance their IAM program governance and processes, IAM technology solutions and IAM road map and strategy.
We recently performed a PAM assessment for a multi-billion-dollar consumer products company in the UK. We combined interviews with key PAM stakeholders in the organization with use of CyberArk’s DNA discovery tool to provide concrete, easy-to-understand data analysis of privileged accounts and associated risk across the various technologies used by the organization. The data obtained through this process served to support the key findings we documented during the assessment, influenced remediation recommendations, and provided our internal stakeholder with a compelling business case for remediation and strengthening of the company’s privileged access environment.