Maximising Digital Identity: Overcoming IAM Fatigue for Better Security
If your organisation is like most, Identity and Access Management (IAM) is taken very seriously, providing the core and essential services needed to manage and secure accounts and access. Your organisation has probably already imposed complex password policies and integrated with authoritative sources and core applications to deliver automated lifecycle events.
These services are often accessible to end-users, enhancing their experience and delivering significant business benefits. This encompasses capabilities such as periodic access reviews, integration of Single Sign-On (SSO) to simplify the login experience, and risk-based Multi-Factor Authentication (MFA) to ensure robust logon protection.
However, IAM is not static but continuous, with fluctuating demands and priorities: process changes, regulatory requirements, business transformation demands, onboarding of more applications and systems, not to mention business-as-usual (BAU) activities and the inevitable evolution of the IAM services themselves.
Are you maximising the effectiveness of your Digital Identity solution?
Many organisations underutilise their IAM tools, missing out on valuable insights hidden within account attributes and characteristics. Despite significant investment in IAM implementation and operation, it is often assumed that the processes are effective and operate flawlessly every time, for example the basic joiner and leaver processes, which is not always the reality.
Digital Identity solutions should provide these insights as standard, demonstrating IAM's true value to stakeholders such as auditors, risk and compliance teams, and relevant business units. These insights should help identify ineffective processes, access-related risks, unusual account characteristics, and enable benchmarking of lifecycle events. By leveraging this information, organisations can maximise their IAM investment and enhance overall security and operational efficiency.
The hidden threat of IAM certification fatigue
Many organisations sleepwalk through critical IAM services, such as user certification and review processes. The mandated access recertification cycle typically generates an extensive workload and account list for business users to review, based on large volumes of users and associated entitlements, with limited insight or inaccurate descriptions for context.
As a result, re-certifiers frequently feel ill-equipped to properly assess the accounts and access levels. This leads to a tendency to adopt a “select all and approve” approach, often with little more than a cursory glance, before moving on to their other daily tasks.
It therefore becomes a check-box exercise despite the governance and compliance that attempts to mandate scrutiny to ensure appropriateness. Overwhelmed by IAM certification fatigue, the security team can be blindsided and simply assume everything is fine.
Waking up to the reality of IAM risk
The reality is that sleepwalking through IAM creates a culture of false security, and most organisations don’t even realise it. There may be significant volumes of orphan or dormant accounts, overprivileged accounts, ineffective joiner-mover-leaver (JML) processes or access outliers escaping urgent attention.
In addition to these security risks, IAM insights should support the mitigation of operational risk. For example, you might have a single user in the organisation who is the only person with a particular access profile, one that relates to business-critical processes and functions. The key question is why that is the case, and what happens if that person suddenly falls ill or leaves the organisation?
Operational resilience is becoming more critical, with new regulations such as the TSA, DORA and NIS2 adding further compliance pressure.
6 tips to help combat IAM fatigue
Don’t let fatigue weigh down your IAM processes and services. Here are six tips to help you snap out of the slumber and introduce effective, real-time IAM to your organisation:
- Control test your policies and processes. Testing key critical controls and processes with identity analytics gives visibility into their effectiveness. This should help rapidly identify weaknesses and develop a remediation plan for proper control policy enforcement.
- Harness wider cyber insights as part of identity observability. Identity observability means harnessing the insights and outputs of broader cyber security tooling to further reduce risk. Leverage data associated with signals such as Indicators of Compromise (IoC) or Indicators of Attack (IoA), Threat Intelligence (TI) data from the dark web on compromised enterprise accounts, and other cyber datasets to evaluate potential indicators of risk based on account characteristics.
- Maximise integration effort. When considering new integrations with applications, always review the integration options from the outset to ensure optimum results. Uncovering technical integration challenges and data issues, and resolving any discrepancies or incongruities, is best done as part of an early feasibility assessment that makes the best use of time spent and delivers the best IAM outcomes.
- Optimise your user experience and certification processes. Deploy intuitive certification processes that streamline user access certification with fact-based data. This can surface concerns and risks as part of the certification process, so reviewers spend appropriate time and focus on reviewing the accounts and access. When the process is simple, informative and supportive, reviewers will invest more time and energy in thorough approval.
- Focus on practical and effective training. Organisations often assume that IAM processes are well understood and simple to follow; however, with staff turnover and increasingly remote and hybrid working environments, they must ensure responsibilities are communicated with clarity. It is important for organisations to provide training and answer relevant queries as part of certification campaigns, and to re-emphasise the importance of compliance.
- Fully leverage technology. A big challenge in application onboarding and value realisation is manual activity, where technology can improve efficiency and value realisation through automation, intelligent insights and risk identification. Artificial Intelligence (AI) and Machine Learning (ML) tools can add significant value when inspecting user and access datasets, identifying anomalies in privileges, control exceptions, orphaned or dormant accounts, access outliers and identity data quality issues, as well as supporting remediation activities.
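The control tests described above (leaver processes that do not actually disable accounts, orphan and dormant accounts, a single person holding a business-critical entitlement, and access outliers) can be run as plain identity analytics over an HR feed and an application account extract. The following is an added example written for this article and is not NCC Group's or techUK's code; the HR feed, account extract, department names, the 90-day dormancy threshold and the minimum peer-group size are all constructed assumptions for illustration. It goes slightly beyond the text by flagging leaver accounts that logged in after their leave date, which is the signal that distinguishes a slow deprovisioning queue from a control that has failed outright.

```python
"""Identity-analytics control tests over a constructed account extract.

Added example, not the article's or any vendor's code. All data, names and
thresholds below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta

AS_OF = date(2024, 10, 14)          # constructed "today" for the control run
DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold
MIN_PEERS = 3                       # assumed: smaller departments are not judged for outliers

# Constructed authoritative (HR) feed: identity -> department, status, leave date.
HR_FEED = {
    "alice": {"dept": "finance", "status": "active", "left": None},
    "bob":   {"dept": "finance", "status": "active", "left": None},
    "carol": {"dept": "finance", "status": "active", "left": None},
    "dave":  {"dept": "finance", "status": "leaver", "left": date(2024, 8, 30)},
    "erin":  {"dept": "ops",     "status": "active", "left": None},
}

# Constructed account extract from one target application.
ACCOUNTS = [
    {"id": "alice", "owner": "alice", "enabled": True, "last_login": date(2024, 10, 10),
     "entitlements": {"GL_READ", "GL_POST"}},
    {"id": "bob", "owner": "bob", "enabled": True, "last_login": date(2024, 10, 1),
     "entitlements": {"GL_READ", "GL_POST"}},
    {"id": "carol", "owner": "carol", "enabled": True, "last_login": date(2024, 5, 2),
     "entitlements": {"GL_READ", "GL_POST", "PAYROLL_RUN"}},
    {"id": "dave", "owner": "dave", "enabled": True, "last_login": date(2024, 9, 20),
     "entitlements": {"GL_READ"}},
    {"id": "svc_batch", "owner": "zed", "enabled": True, "last_login": date(2024, 10, 12),
     "entitlements": {"GL_POST"}},
    {"id": "erin", "owner": "erin", "enabled": True, "last_login": date(2024, 10, 13),
     "entitlements": {"OPS_ADMIN"}},
]


def _active_owner(acct, hr):
    """Return the HR record if the account is enabled and owned by an active identity."""
    person = hr.get(acct["owner"])
    return person if acct["enabled"] and person and person["status"] == "active" else None


def leavers_still_enabled(accounts, hr, as_of):
    """Leaver control test: HR says the owner left, but the account is still enabled.

    Returns (account id, days since leaving, logged in after leave date).
    """
    findings = []
    for acct in accounts:
        person = hr.get(acct["owner"])
        if person and person["status"] == "leaver" and acct["enabled"]:
            used_after = acct["last_login"] is not None and acct["last_login"] > person["left"]
            findings.append((acct["id"], (as_of - person["left"]).days, used_after))
    return findings


def orphaned_accounts(accounts, hr):
    """Orphan test: the account owner does not exist in the authoritative source."""
    return [a["id"] for a in accounts if a["owner"] not in hr]


def dormant_accounts(accounts, as_of, threshold=DORMANT_AFTER):
    """Dormancy test: enabled account with no login inside the threshold window."""
    return [a["id"] for a in accounts
            if a["enabled"] and a["last_login"] is not None
            and as_of - a["last_login"] > threshold]


def single_holder_entitlements(accounts, hr):
    """Operational-risk test: entitlement held by exactly one active identity."""
    holders = defaultdict(set)
    for acct in accounts:
        if _active_owner(acct, hr):
            for ent in acct["entitlements"]:
                holders[ent].add(acct["owner"])
    return {ent: next(iter(people)) for ent, people in holders.items() if len(people) == 1}


def peer_group_outliers(accounts, hr, min_peers=MIN_PEERS):
    """Access-outlier test: entitlement that no active peer in the same department holds."""
    by_dept = defaultdict(list)
    for acct in accounts:
        person = _active_owner(acct, hr)
        if person:
            by_dept[person["dept"]].append(acct)
    outliers = {}
    for members in by_dept.values():
        if len(members) < min_peers:
            continue  # too few peers to call anything an outlier
        for acct in members:
            peer_ents = set().union(*(m["entitlements"] for m in members if m is not acct))
            unique = sorted(acct["entitlements"] - peer_ents)
            if unique:
                outliers[acct["id"]] = unique
    return outliers


def run_control_tests(accounts=ACCOUNTS, hr=HR_FEED, as_of=AS_OF):
    """Run every control test and return the findings keyed by test name."""
    return {
        "leavers_still_enabled": leavers_still_enabled(accounts, hr, as_of),
        "orphaned": orphaned_accounts(accounts, hr),
        "dormant": dormant_accounts(accounts, as_of),
        "single_holder": single_holder_entitlements(accounts, hr),
        "peer_outliers": peer_group_outliers(accounts, hr),
    }


if __name__ == "__main__":
    for test, result in run_control_tests().items():
        print(f"{test}: {result}")
```

On the constructed data the run surfaces a leaver who is still enabled and logged in three weeks after leaving, a service account whose owner is unknown to HR, a dormant finance user, two entitlements that depend on a single person, and one peer-group outlier. Each finding is the kind of fact-based context a certification campaign can attach to a line item so that reviewers are not approving blind.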
Organisations need a value-driven approach to deploying and using IAM tools, focusing on insight-driven capabilities that do more than verify what they already know.
More than ever, it is essential that IAM solutions deliver true value by uncovering risks that organisations may not see and providing real-time responses to help mitigate those threats.
To learn more about how NCC Group can help your organisation achieve eyes-wide-open IAM, view our Digital Identity services and get in touch.
Welcome to techUK’s 2024 Digital ID Campaign Week! On the 14-18th Oct, we are excited to explore how our members are increasing efficiency for both businesses and users, combatting fraud, as well as what creative and innovative ways our members are expanding our understanding of Digital Identities.
Whether it’s how we’re communicating, shopping, managing our finances, dating, accessing healthcare or public services, the ability to verify identity has quickly become a critical vanguard to the Digital Economy.