Why Organizations Are Failing at IAM, How True Identity Hygiene Can Help

Why Organizations Are Failing at IAM and How True Identity Hygiene Can Help

Written by Rita Gurevich
October 31, 2022

Look beyond tooling for best identity and access management security of data, infrastructure and applications.

Rita Gurevich

Today’s organizations are inundated with a relentless stream of alerts from up to 76 different security tools in their arsenal, an increase of 18% from 2019 to 2021. Although advancements in tooling are necessary to combat shifting attack methods, the industry needs to approach the rising increase in data breaches in a fresh, strategic way.

Privilege misuse remained a top cause of financially motivated security incidents in 2021, with the majority of incidents resulting in data compromise, according to Verizon’s annual Data Breach Investigations Report (DBIR). The task at hand is clear — organizations need to look beyond tooling toward a complete shift in the way they approach identity and access management (IAM). More importantly, how they approach identity hygiene.

Put simply, identity hygiene consists of the activities organizations and individuals perform regularly to maintain the security of their data, infrastructure and applications. The goal of true identity hygiene is to ensure that the right people have access to the right information at all times, so an organization’s crown jewels are protected. Below, I will discuss a few challenges and common mistakes that hamper identity hygiene, along with practical steps IT and security leaders can take to ensure their identity hygiene programs are successful.

Stumbling Blocks on the Road to Identity Hygiene Success

As an IT practitioner and leader, you invest mounds of time and resources to solve complex issues derived from managing access across on-premises and cloud environments. That’s a pretty big burden to carry, and it’s understandable that in the rapid shift to the cloud, your teams are trying to keep their heads above the water.

One of the most challenging identity roadblocks in the industry is data correlation. This aspect of identity hygiene involves examining a company’s security policy, reviewing the target operating model (aka, the desired state of operation) and defining the discovery phase. Once all these pieces are in place, the data correlation process answers the question of “Who has access to what, why, and when at all times?” across the enterprise.

Another tripping point organizations are facing is the inability to take the IAM program to the finish line, or in other words, incomplete implementation. When there is incomplete implementation, it’s usually because IT teams lack a well-defined blueprint for guiding the entire life cycle program day by day, including priorities, sequences, budgets and staffing. Incomplete implementation can also mean a disorganized, or absent, “responsibility matrix.” In simpler terms, your enterprise may lack a clearly defined desired state of operation. To go even further, many enterprises are missing a proper transition from implementation to support. This creates a huge vulnerability among relevant IAM controls. It’s one thing to launch a program and another thing entirely to continue supporting it. Having a healthy system of transition is also key to ensuring consistency in program operations, regardless of who is managing it. Full documentation of a program’s blueprint lays the foundation for continued quality and success amid personnel changes.

Build Identity Hygiene Program Block by Block

It’s not easy to manage IT infrastructure, and cleaning up permissions and entitlements can be tedious. But there are building blocks you can begin setting in place that will lead to sustainable, transformational identity hygiene across the business. Let’s start with a high-level overview of what an effective IAM program should involve — the design, the build and the implementation.

The design stage is where the tech architecture blueprint is mapped out. As mentioned above, this is where key IT and security leadership come together to lay out all priorities, sequences, available budgets, and staff breakdowns. When there is an overarching plan to always fall back on, teams can spend their time and energy on their business, rather than investing valuable resources on baseline security. The build stage is where you will implement the data sources required to build the landscape of controls needed to initiate identity hygiene. The implementation stage is where the program will pick up speed, consisting of the review, reporting and remediation of potential issues identified during the previous stages. IT infrastructure teams should also be cognizant to monitor and mitigate risks continuously. Setting key performance indicators (KPIs) that are uniform across multiple teams should be in parallel with the long-term blueprint in the design stage. As you can see, these stages are a cycle of moving parts, dependent on each other for a successful program rollout.

Additional steps within the implementation stage that are very relevant to success involve defining what the crown jewels of your organization are, especially if you work in highly regulated industries with sensitive financial or health data. Defining the pillars that make up your IAM program is critical so that the entire initiative is well-divided. These pillars include identity management, access management, and privileged access management.