Identity, access and privileged access management solutions are tools that have been available for a long time. However, nowadays, as part of the Zero Trust cybersecurity model, these solutions are critical, and defining a strategy to implement, operate and maintain them is just as essential to a Zero Trust architecture as the solutions themselves.
Here are the main objectives to cover when implementing IAM and PAM solutions; they also provide a clear message on the purpose of the IAM and PAM strategy:
- Managing confidentiality and integrity risks.
- Automating or enhancing the maturity and effectiveness of access control, provisioning and de-provisioning processes, as well as privileged account management.
- Optimising resources to focus on more strategic and tactical activities.
- Regulatory compliance with external requirements, such as SOX, PCI-DSS, data privacy regulations and others specific to each business sector.
- Compliance with internal mandates.
- Last but not least, as part of the seven tenets of a Zero Trust Architecture: being able to know who has access to what and with which rights, verifying the identity of internal and external users, providing multiple authentication levels based on a risk approach, and granting the necessary privileges on a need-to-know, need-to-do and time-limited basis.
The initial effort to implement solutions like these is significant and based on the scope, enterprise architecture and other factors, it requires considerable time and broad participation from different areas, focusing on defining or standardising roles and profiles, policies, processes and procedures that will be configured into the solution and ultimately help to achieve the objectives listed before.
As a professional who has implemented a considerable number of these tools, it is worth mentioning that I have been part of successful implementations, and also of others not so successful, and I have seen organisations struggling with, putting aside and, in some cases, wholly decommissioning the tools without demonstrating their real value and benefits as part of a cybersecurity strategy. From my perspective and experience, this happens due to a lack of attention to specific and sensitive points on which the stability, continuity and, I must say, the survival of the services these solutions provide depend.
Here, I describe the points that, when ignored or mishandled, can generate struggles and stressful situations for organisations going through this journey.
- Identifying and defining the right stakeholders based on the scope.
- Executing initial workshops to provide a clear message on the purpose of the IAM and PAM strategy, the business objective, the tools involved, the scope, the goal, the expected behaviour, the level of contribution and engagement of each stakeholder.
- Managing stakeholder expectations.
- Defining game rules as part of the governance framework through formal and practical agreements for the proper communication and collaboration among the stakeholders throughout every phase of the IAM and PAM strategy. This point really makes a difference, so it is essential to take some time and think it through.
- Defining and implementing transparent processes for each IAM & PAM solution, independently and integrally, along with clear roles, responsibilities and metrics. Each part of the process is essential to ensure consistency, permanency and continuity.
- Allocating the roles and responsibilities of the IAM and PAM processes defined in the previous step.
- Appointing a person responsible for the IAM and PAM strategy to work along with the key areas and stakeholders.
- Executing an awareness and communication plan that projects an adequate level of sponsorship and includes the following key aspects:
  - The stakeholders are part of it, and should feel that they are; they are key to keeping the strategy alive. It is important to show real interest and commitment in listening to their needs, issues and ideas, and to consider them as part of the strategy when possible.
  - Providing continuous status updates on the progress of the activities and each phase of the strategy.
  - Thanking people for the milestones reached.
  - Explaining the changes needed from an operational and technical standpoint.
  - Considering the differences between a customer (CIAM) and a workforce strategy.
- Training the team responsible for taking ownership of and accountability for the managerial and operational tasks of each solution.
Once we have passed the implementation phase and are ready to move on to an operational stage, it is critical to leverage this momentum and continue the constant communication and collaboration among stakeholders to identify any new needs and business requirements, gaps or issues, and act on them. We also need to periodically measure the effectiveness of the services provided by each solution and be able to communicate the benefits by demonstrating how the business objectives are covered.
Collaboration, communication, measurement and continuous improvement require constant discipline; otherwise, the solution will become ineffective in weeks, and I do mean weeks, because of the many and continuous environmental, regulatory and technical changes. Without proper attention to these changes, the solution will become a burden, rapidly exposing the organisation to unnecessary risks; as we try to extend modern technologies into our critical infrastructure, novel threats and unanticipated consequences continue to emerge. Walls and boundaries are being broken down in the name of progress and ease of use, often opening potential new avenues of attack. The benefits, once obtained, will be gradually lost to the point of becoming inoperative, leading to resentment of the solutions and their decommissioning, writing one of the biggest horror stories in security engagements.
Each implementation is unique with its challenges and pitfalls, but I know you will be closer to a successful outcome by considering these points and implementing them. Good luck in your IAM and PAM journey!
By Nohemi Moreno Vázquez, CISM, CRISC, CDPSE, ISMS Lead Auditor, Member of WOMCY LATAM, Women in Cybersecurity and Advanced Cybersecurity Services Director, Accenture Mexico