Identity and access management (IAM) underpins sound cloud security, provided that permissions are properly configured. If they are not, a business is essentially risking its success, even its survival, in the event of a major breach that results in the loss of data, clients, and the support of stakeholders.
Core cloud services (e.g., Google IAM, Microsoft Azure Active Directory) let you manage and assign permissions to entities: users, customers and clients, partners, and also services and applications. These permissions control which of an organization’s cloud resources each entity can access.
To ensure your identity and access management is doing its job and ultimately saving your business from any data security disaster, make sure to configure your permissions properly.
These are the 5 IAM configuration mistakes you should avoid:
1. Security gaps in provisioning
Provisioning is actually two processes that are equally crucial to your data security: provisioning and de-provisioning.
Provisioning involves assigning permissions to access resources to either of the following:
- a new employee or an employee whose responsibilities have been modified (either due to a transfer or a promotion)
- a new application
- a new customer
- a new business partner or provider/vendor
De-provisioning involves revoking access to resources for the same entities for the following reasons:
- The employee has left the company
- The application is no longer in use
- The customer account has gone idle
- The business partner or provider/vendor is no longer associated with you
At the provisioning stage, which is integral to your onboarding process, the typical error is overprovisioning: granting entities access to resources they don’t need. As soon as you have determined the responsibilities of your new employee, partner, or provider, be sure to revoke permissions to any resources those responsibilities don’t require.
At the de-provisioning stage, many companies fail to fully de-provision entities when the time comes, leaving dormant accounts and stale permissions behind.
Security gaps in provisioning often occur due to issues with the processes involved more than because of a lack of tools. So evaluate your provisioning processes to make sure your new accountant doesn’t have access to your HR data or that an employee who left five years ago doesn’t still have access to their corporate e-mail.
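A process review like the one above can be backed by a recurring reconciliation check. The following is an added example, not code from the original post or from any vendor: it compares current grants against an HR roster and a per-role baseline (all names, roles and resources here are constructed sample data) and reports orphaned grants for departed employees, grants outside a role's baseline (the accountant with HR data), and grants to entities the roster knows nothing about.

```python
# Reconcile IAM grants against the HR roster and role baselines.
# All data below is constructed sample input for the example.

# Baseline: the resources each role legitimately needs.
ROLE_BASELINE = {
    "accountant": {"finance-ledger", "expense-reports", "corp-mail"},
    "hr-generalist": {"hr-records", "payroll", "corp-mail"},
}

# HR roster: user -> (role, still employed?)
ROSTER = {
    "alice": ("accountant", True),
    "bob": ("hr-generalist", True),
    "carol": ("accountant", False),   # left the company, never de-provisioned
}

# Current grants as exported from the IAM system: (user, resource)
GRANTS = [
    ("alice", "finance-ledger"), ("alice", "expense-reports"), ("alice", "corp-mail"),
    ("alice", "hr-records"),      # over-provisioned: outside the accountant baseline
    ("bob", "hr-records"), ("bob", "payroll"), ("bob", "corp-mail"),
    ("carol", "corp-mail"),       # orphaned: carol is no longer an employee
    ("dave", "finance-ledger"),   # unknown entity: no roster record at all
]


def audit(grants, roster, baseline):
    """Classify every grant that the roster and baselines do not justify."""
    findings = {"orphaned": [], "excess": [], "unknown": []}
    for user, resource in grants:
        if user not in roster:
            findings["unknown"].append((user, resource))
            continue
        role, active = roster[user]
        if not active:
            findings["orphaned"].append((user, resource))
            continue
        if resource not in baseline.get(role, set()):
            findings["excess"].append((user, resource))
    return findings


if __name__ == "__main__":
    for kind, items in audit(GRANTS, ROSTER, ROLE_BASELINE).items():
        for user, resource in items:
            print(f"{kind:9s} {user:6s} -> {resource}")
```

Each finding maps to a de-provisioning or permission-revocation ticket; running the check on a schedule turns the review from a one-off cleanup into a control.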
2. Limitations in IAM scope
Understanding that entities are not limited to employees is key to being able to comprehensively implement IAM in your business operation. In the age of IoT (internet of things), it’s not just people who are able to access your resources, so be sure not to limit the scope of your IAM configurations to access for employees and partners alone.
To configure permissions effectively, adopt the full scope of IAM from day one. This lets you build a single system for managing identities and permissions that covers people in roles beyond employees, applications, and people and applications in different locations.
Having a single system from the start removes the need for duplication of processes to cover entities that haven’t been dealt with previously, as would be the case if, say, you’ve established a process only for your employees and not for your business partners and providers.
Duplicating processes could create vulnerable points in your security system, not to mention make the process more difficult than it needs to be, which means time lost, which is also costly.
It’s also important to consider how your IAM handles the actual volume of entities, and whether it lets you provision, locate, and evaluate each entity individually.
3. Sub-optimal approach to process automation
IAM coverage starts from the inside out and involves much more than just password management. (For that matter, it should no longer involve password management and deal instead with passwordless authentication factors.) It also involves the following:
- Thorough audit of your assets
- Accurate categorization of entities
- Proper assignment of permissions
The IAM process needs to be performed quickly and at scale—across a number of models, depending on your business size and extent of operations, as well as your corporate policy around use of devices and access to resources.
These models include the following:
- Customer and business partner access (high-volume user model)
- Temporary, contract, and remote users
- BYOD (bring your own devices) as well as other points of access involving mobile devices
- Considerable, even massive, deployments of IoT device environments
The speed and complexity inherent in IAM make automation necessary. However, you should only introduce automation once you have fine-tuned (i.e., planned and tested) your IAM process, including ensuring that adjustments will be easy and will not introduce security vulnerabilities.
4. Lack of (thorough) reviews
IAM doesn’t stop at implementation. The speed at which technology sees innovations and new solutions also means cybercriminals adapt just as quickly. Your security needs are therefore constantly evolving, which is why regular, careful reviews are crucial for plugging any security gaps that have opened up through oversight.
Be sure your IAM configurations are adjusted to address—and even anticipate—any new security requirements.
5. Neglect of authorization
Are you implementing IAM but categorizing all your employees in the same security group and granting them access to the same applications and data? This indiscriminate authorization results in entities being able to get to sensitive data they have no need for in performing their job, and eventually, an entity will end up being an entry point for a malicious actor to get to your sensitive data.
Authorization is vital, and authorization at scale is even more so. Authorization should go hand in hand with authentication, but the two are not interchangeable: authentication establishes who an entity is, while authorization decides what that entity may do.
Strengthening your IAM process by going passwordless
If you’re investing in IAM, make it count by not neglecting the seemingly easy-to-neglect but crucial processes. That includes making the necessary upgrades, like saying good-bye to passwords and embracing passwordless authentication.
Contact TraitWare to learn more about our enterprise-level solutions, like passwordless multifactor authentication and single sign-on.