People, Process, and Technology: Key Takeaways from our Panel at the ComSpark Data and Security Summit

Our team had the pleasure of hosting a panel earlier this month at ComSpark’s inaugural Data and Security Summit in Milwaukee. During the panel, we covered how People, Process and Technology are fundamental elements of modern Identity and Access Management (IAM) programs – and how a breakdown of any element can result in a failed program.

Here are the biggest takeaways from the panel:

1. Organizations are reducing cyber insurance premiums through PAM

As cyber threats continue to evolve, organizations must adapt their security measures to effectively mitigate risk and reduce the potential impact of cyber incidents. One crucial aspect is Identity & Access Management (IAM) and Privileged Access Management (PAM), which play a pivotal role in safeguarding critical assets and preventing unauthorized access.

A proven approach to reducing cyber insurance premiums revolves around implementing robust IAM and PAM practices. By focusing on comprehensive user lifecycle management, RBAC, MFA, continuous monitoring, and auditing, as well as security awareness training, organizations can strengthen their overall security posture, reduce the probability of successful cyber-attacks, and demonstrate the security teams commitment to risk mitigation to leadership. These efforts should positively impact our cyber insurance premiums and help us maintain a secure and resilient environment in the face of evolving cyber threats.

When considering PAM in the cloud, the approach should expand to encompass cloud-specific PAM solutions, integrating with cloud IAM, JIT privileged access, continuous monitoring, and processes for maintaining compliance. By aligning PAM practices with the unique characteristics and requirements of cloud environments, organizations can manage privileged access, mitigate risk, and demonstrate a strong security posture. These efforts should positively influence an organization’s cyber insurance premiums and help maintain a secure cloud environment.

2. Cloud Infrastructure Entitlement Management (CIEM) and PAM are being utilized to address governance in the cloud

There is a trend towards the convergence of Cloud Infrastructure Entitlement Management (CIEM) and Privileged Access Management (PAM) in the security space. While they are distinct areas of security management, there are overlapping functionalities and objectives that are leading to their integration or convergence in some solutions.

CIEM focuses on managing and securing entitlements, permissions, and identities within cloud environments. It helps organizations gain visibility into their cloud infrastructure, assess and manage the risks associated with excessive permissions, and enforce least privilege access. CIEM solutions typically provide capabilities such as continuous monitoring, access governance, permission analysis, and policy enforcement for cloud resources.

PAM, on the other hand, primarily focuses on managing and securing privileged accounts and access within an organization's IT infrastructure, including on-premises systems and cloud environments. It involves securing and controlling access to privileged accounts, implementing strong authentication and authorization mechanisms, session monitoring, and managing privileged user activities.

CIEM and PAM address security risks related to access controls and permissions, although they focus on different aspects. By merging these security spaces, organizations can leverage synergies and create a more integrated and cohesive security posture across their entire IT environment.

3. Organizations are leveraging Intelligence (data) to improve the People and Process elements of identity governance

By leveraging intelligence (data) in the People Process aspect of Identity Governance certifications, organizations can enhance the effectiveness, efficiency, and accuracy of access reviews while avoiding the rubber stamping of access. These steps aim to introduce data-driven decision-making, automation, and risk-based approaches to ensure that certifications are thorough, meaningful, and aligned with the organization's security objectives.

Seven methods for leveraging Intelligence (data) to improve the People and Process elements of identity governance as discussed by the panelists:

• Automated Certification Campaigns: Utilize automation to streamline the certification process and make it more efficient. Automated campaigns can send certification requests to users, track responses, and provide reminders for pending certifications. By automating routine tasks, organizations can free up resources to focus on more critical and complex access reviews.
• Data-Driven Decision Making: Leverage data and analytics to make informed decisions during the certification process. Use metrics and reporting to assess the effectiveness of the certification program, identify bottlenecks, and measure compliance levels. By analyzing data trends and patterns, organizations can gain valuable insights and continuously improve their certification processes.
• Intelligent Access Review Workflows: Implement intelligent workflows that route access certifications to the appropriate individuals based on their knowledge and expertise. This ensures that certifications are reviewed by knowledgeable individuals who can make informed decisions about access approvals or revocations. It helps avoid the rubber stamping of access by routing certifications to the right stakeholders.
• Contextual Access Reviews: Consider contextual factors when conducting access reviews. This includes factors such as user behavior, job changes, transfers, promotions, and termination dates. By incorporating contextual information into access reviews, organizations can make more informed decisions and detect any deviations from expected access patterns.
• User-Friendly Interfaces and Explanations: Provide user-friendly interfaces and clear explanations to individuals during the certification process. Help them understand the importance of access reviews, the impact of their decisions, and the risks associated with rubber stamping. This awareness can encourage thoughtful and responsible decision-making during the certification process.
• Continuous Monitoring and Analytics: Deploy identity analytics and monitoring tools to gain insights into user behavior, access patterns, and entitlement usage. These tools can identify anomalies, suspicious activities, and segregation of duties (SoD) violations. By leveraging analytics, you can intelligently flag potentially risky access and prioritize certification reviews based on risk levels.
• Risk-Based Certification: Implement a risk-based approach to access certification, where access reviews are prioritized based on risk scores or contextual factors. This approach focuses attention on high-risk users, sensitive data, or critical applications. By intelligently allocating resources to higher-risk areas, you can ensure that access certifications are thorough and effective.

4. Balancing security and agility requires a thoughtful approach

Organizations should consider the specific needs and preferences of their users while implementing robust security measures. It's important to assess the trade-offs between security and user experience and make informed decisions based on the organization's risk tolerance, industry regulations, and user requirements. Regular communication and collaboration between security teams, IT departments, and end-users can help find the right balance and optimize both security and user experience.

How are organizations driving adoption? A combination of education, clear communication, incentives, leadership support, and user-centric design can contribute to higher adoption rates and improved security posture.

5. Organizations have adopted several approaches for incorporating transient/gig economy workers into their IAM programs

Incorporating transient and gig economy workers, as well as the blurring lines between employee and partners, into an Identity and Access Management (IAM) program presents unique challenges. However, there are several approaches that organizations can adopt to address these challenges head-on.

• Flexible Identity Lifecycle Management: Implement IAM processes and systems that can accommodate the dynamic nature of transient and gig workers. This includes streamlined onboarding and offboarding processes to quickly provision and deprovision access as per their engagement. A flexible identity lifecycle management approach allows for efficient management of user access during their time with the organization.
• Just-In-Time (JIT) Provisioning: Implement JIT provisioning processes to provide temporary access to transient workers and partners based on their specific engagement needs. This ensures that access is granted only when required, minimizing the risks associated with long-term access rights. JIT provisioning allows organizations to strike a balance between agility and security.
• Vendor and Partner Relationship Management: Establish clear guidelines and agreements with vendors and partners regarding access and data handling. Implement processes to govern and regularly review the access provided to external entities. This helps ensure that the access granted is necessary, appropriate, and aligns with organizational policies and compliance requirements.

We’d like to thank ComSpark and panelists, Jen Staffen, Sr. Director – Application Security at Northwestern Mutual, Jason Tyree, AVP Enterprise Security at American Family Insurance, Tellis Williams, Chief Information Security Officer at The Dream Exchange, and Joe Smits, Executive Vice President and Chief Information Security Officer at Associated Bank for giving us the opportunity to moderate the most attended panel discussion with our very own Adam Barngrover. Connect with us to modernize your information security posture.