More and more organizations are embracing a hybrid or fully remote work environment—and that means more and more employees are accessing company systems, data, and information from a variety of devices and locations, making identity and access management more important than ever.
But as CIO, how can you ensure your identity and access management (IAM) practices are safe, secure, and effective?
We asked Liz Tluchowski, CIO and CISO of insurance broker World Insurance, where she oversees IT, information and security, for her insights into best practices for identity and access management. Here’s what she had to say:
Why is proper identity and access management so important?
First things first. Let’s quickly touch on the role of identity and access management (IAM) in an organization—and why proper IAM practices are so important.
“[Access and] identity management’s purpose is to make sure that the right people and job roles can access the tools needed to do their job,” says Tluchowski.
The key phrase in that sentence? The right people and job roles. Proper access and identity management practices help to protect your company’s network—and give you control over who has access to what. “Identity and access management provides a valuable layer of security against unknown security vulnerabilities with added control over what is being accessed and by whom,” says Tluchowski.
And not having a set of IAM best practices in your organization? It puts your company at risk. “As IT has the role of the gatekeeper, not having the controls to be able to identify who is accessing our systems and what they are accessing is a recipe for bad things to come from a security perspective,” says Tluchowski.
So, what are some of those risks? “Poor control can compromise an organization’s security at several levels,” says Tluchowski. For example, if an unauthorized user is able to access your network, they could get access to customer data—which could lead to a host of problems, like regulatory issues (if you store sensitive customer information) or financial losses (for example, if customer credit card information was stolen).
That’s what happened in the 2019 Capital One security breach, when an unauthorized user gained access to Capital One’s server and and over 140,000 US social security numbers, 1 million Canadian Social Insurance numbers, and 80,000 bank account numbers as well as identifying information, putting customers (and the company’s reputation) at major risk.
Clearly, having a set of best practices for identity and access management is a must to keep your company’s data and sensitive information secure—and, as CIO, it’s your job to develop and implement those practices.
But what, exactly, are those practices? Let’s take a look at a few best practices for identity and access management you should definitely consider incorporating into your organization:
Create clear policies and procedures around identity and access management
You can’t improve your company’s identity and access management without a plan. And so, if you want to improve your organization’s approach to IAM? You need to clearly outline that plan for yourself and your team—and that means developing clear policies and procedures.
As you’re developing your IAM best practices, make sure to clearly outline relevant policies and procedures for your employees. For example, if you’re going to be implementing two-factor authentication for your remote employees, you’ll want to create a procedural document that walks employees through how to get set up with two-factor authentication, how to use it to login remotely, and what to do if they have issues with the process (for example, if they don’t have access to their mobile device to retrieve their authorization code).
In terms of what policies and procedures you should create, it will depend on your organization’s structure and goals. But whatever policies and procedures you decide to create, make sure they are written in a way that “will provide structure and give you results that you can measure,” says Tluchowski.
For example, if you’re developing a procedure for your IT team to monitor remote access, you might lay out the steps you want them to take to increase security (like performing regular security audits to identify potential threats)—and then set clear metrics for how you’re going to measure how successfully the procedure is being implemented. For example, you may want to clearly outline the number of audits you expect each employee to complete each month—and how quickly you expect security threats to be managed.
Consider taking a zero trust approach
When it comes to identity and access management, it’s better to be overly cautious than not cautious enough. So, if you want to ensure that only authorized persons are able to access your network, “consider a zero trust concept to make sure that network resources are limited only to specific users,” says Tluchowski.
With the zero trust concept, the assumption is that any device attempting to access your network is not secure—which means that every device must go through an authorization and authentication process before being granted access to the network. Essentially, going with a zero trust approach to identity and access management adds an extra layer of security—which can help you better and more quickly identify any threats or suspicious activity.
Continually monitor, manage, and remove accounts
Identity and access management practices are, by definition, continually changing. For example, when an employee leaves your company, you no longer want them to have access to sensitive company information. Or, if you move an employee from one department to another, you may need to change what information they have access to (and how they access it). “[Identity and access management is] a constant evolution that will…[progress] as the company’s needs change and users shift…to other job roles [or leave the company],” says Tluchowski.
That’s why, if you want your identity and access management processes to be as secure as possible, you need to continually monitor, manage, and remove accounts.
“Review user access and make sure that it aligns with the needs to perform their job responsibilities,” says Tluchowski. “Always remove accounts that are no longer needed and manage any generic accounts.”
Make removing access part of your employee offboarding procedures—and have your IT team regularly review identity and access management for existing employees to ensure their access aligns with their job responsibilities (and that they don’t have more or less access to information than they need).
As CIO, it’s your job to do everything you can to ensure secure identity and access management. But you certainly don’t need to do everything manually! There are a host of tools out there that can make your IAM processes easier, more streamlined, and—most importantly—more secure.
Do your research to find the IAM tools that make sense for your needs and goals—and then be willing to make the investment to implement those tools across your organization.
And try not to get sticker shock. When you leverage the right tools, they’re more than worth the initial investment. “[Using automation tools for] managing identity authentication and authorization to reduce the risk to the business is worth the up-front costs—and will quickly demonstrate the ROI from the efficiencies and layers of security provided by using these tools,” says Tluchowski.
Implement these best practices for more effective and secure identity and access management
Safe, secure, and effective identity and access management is critical—particularly in today’s world of remote and hybrid work. And now that you understand the must-know best practices, you’re armed with the information you need to better control how employees access your company’s network, data, and sensitive information—and make your organization more secure in the process.
Are you looking for more best practices to ensure the security of your organization’s data in the era of hybrid work? Read our white paper to find concrete tips from several CIOs:
Access White Paper
In our white paper “CIOs: Navigating the New Challenges of Hybrid Work”, you’ll discover: the 3 major challenges for CIOs in the era of hybrid work, concrete advice on how to accelerate your digital transformation, secure your workstations and improve the employee experience, as well as testimonials from 10 CIOs working in companies, administrations and associations.
Author: Deanna deBara