Who is trying to watch you? IAM
Traditionally, IAM is used to authenticate system users before granting them access to systems and resources located in the internal network domain – that is, inside the enterprise network perimeter. The user can be located inside or outside that network perimeter, and IAM solutions can be customised to enforce stronger identity verification (that is, authentication) when the user is located outside the network perimeter. This demarcation of external and internal domains was also supported by the use of physical network segregation.
However, this boundary is increasingly blurred, driven by the Internet of Things revolution, virtualisation, mobility requirements and cloud adoption. Data and services are transiting service providers and between organisations. There are fundamental changes to end-user expectations of system availability and connectivity. System access via multiple endpoints, including personal devices not controlled by the service provider, is expected.
Information Technology must support and enhance productivity. Good architecture design and accurate data classification are key enablers, but identity and access management will come to the forefront in distributed networks, where the only realistic point of control is the point of data and resource access. As the technology environment changes, IAM controls must also adapt. Effective IAM solutions will need to gather additional contextual and behavioural data, such as the time, location and duration of access, to provide seamless system access whilst safeguarding users and services.
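The context-aware decision described above, sketched as an added example that is not part of the original article: the network range, usual hours, session limit and the decision rule are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# All values below are assumptions for illustration, not from the article.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # the "inside the perimeter" ranges
USUAL_HOURS = range(7, 20)                   # 07:00-19:59
MAX_SESSION = timedelta(hours=8)             # longest session without re-auth


@dataclass
class AccessRequest:
    source_ip: str
    when: datetime
    session_started: datetime
    managed_device: bool      # False for a personal, uncontrolled endpoint
    sensitive_resource: bool  # driven by the data classification


def risk_signals(req):
    """Collect the contextual signals that raise the risk of this request."""
    signals = []
    addr = ip_address(req.source_ip)
    if not any(addr in net for net in INTERNAL_NETS):
        signals.append("outside network perimeter")
    if req.when.hour not in USUAL_HOURS:
        signals.append("outside usual hours")
    if req.when - req.session_started > MAX_SESSION:
        signals.append("session longer than allowed")
    if not req.managed_device:
        signals.append("unmanaged device")
    return signals


def decide(req):
    """Return 'allow', 'step_up' (stronger authentication) or 'deny'."""
    signals = risk_signals(req)
    if not signals:
        return "allow", signals
    # Sensitive data tolerates one risk signal with step-up, no more.
    if req.sensitive_resource and len(signals) > 1:
        return "deny", signals
    return "step_up", signals


if __name__ == "__main__":
    # Constructed sample: personal laptop on a home network at 23:30.
    start = datetime(2024, 3, 4, 23, 0)
    req = AccessRequest("203.0.113.7", start + timedelta(minutes=30), start, False, True)
    print(decide(req))
```

Returning the signals alongside the decision gives the audit log a record of why stronger authentication was demanded.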
The business expects and demands hyper-connectivity and ease of collaboration in modern networks. This, together with the rapid adoption of virtualised cloud environments, removes one of the most potent tools in the defender’s armoury: physical segregation. Without it, the threat landscape is dynamic and, combined with attackers’ propensity to adopt technology innovations, will magnify the attack surface and increase business risk. Innovation is critical in business – the impacts on businesses which fail to innovate are well documented. However, any change is associated with risk – the aim is to manage this risk without irreversible damage to the business itself. Increasingly, business risks have foundations in the technology estate, specifically the organisation’s network infrastructure. Given that connectivity and innovation are essential to businesses, IAM could be a crucial enabler in the defender’s arsenal. Unfortunately, it also means the trend towards being watched more closely is unlikely to abate.