The purpose of identity and access management is to support the overall cybersecurity objectives of an organization. As such, identity and access management objectives are to ensure the confidentiality, integrity, and availability of systems and data.
Identity and Access Management (IAM) is a broad term for the practices that enable organizations to identify, authenticate, and authorize users to access critical resources. In this context, a user may be a person, system, IoT device, or robot. Organizations manage user access on a continuous basis to avoid a window of opportunity for unauthorized access when someone leaves the organization or changes roles, and they focus on various IAM controls such as the principle of least privilege, segregation of duties, and privileged account management to achieve the identity and access management objectives.
Identity and Access Management Objectives
The main identity and access management objectives are to ensure that legitimate parties have the right access to the right resources at the right time while keeping unauthorized parties out of systems. Various parties, which may include employees, contractors, vendors, customers, and even devices, need access to systems and thus require their identities to be established and their access rights to be assigned during the onboarding process.
According to leading research studies, over 90% of all cyber attacks are successfully executed with information stolen from employees who unwittingly give away their system ID and access credentials to hackers during phishing attacks. Often, parties that have been granted system access become identity theft targets of hackers who need their access privileges to gain access to systems.
“Fooling authorized users and stealing their access information is the most cost-effective and efficient way for hackers to gain access to systems,” according to Henry Bagdasarian, Founder of Identity Management Institute. “Regardless of business investments in high-tech security systems, sophisticated information security measures can be bypassed if existing users can be fooled by hackers to steal their access information, which is why the populations targeted by hackers for their access must be constantly educated,” continues Mr. Bagdasarian.
Identity and access management objectives ensure the removal of access as soon as employment is terminated or changed, and the monitoring of activities to detect hacking attempts or unauthorized activities, in order to protect systems and data. IAM objectives also go beyond cyber intrusion prevention to include fraud detection, regulatory compliance, and operating efficiency across the entire identity lifecycle.
From a fraud prevention standpoint, IAM can help minimize fraud losses due to crimes committed by corrupt insiders who abuse their access privileges to commit fraud and cover their tracks to avoid or delay detection. IAM practices can automate system monitoring based on predetermined criteria to detect fraudulent transactions.
Identity and access management objectives can also ensure organizations comply with various regulatory requirements for customer identification, suspicious activity detection and reporting in money laundering cases, and identity theft prevention.
In summary, organizations must employ qualified IAM professionals to implement the necessary processes and technology. Next, they must educate employees and any party with highly privileged access to avoid becoming victims of identity theft scams. Employees must frequently be reminded about cybersecurity risks and the consequences of violating security policies, both for the organization and for themselves, including employment termination. Employees should also understand the risks of taking devices containing confidential data out of the secure workspace, where they can be stolen from cars and homes; disposing of devices and data improperly; and sending confidential files and messages through unsecured channels or to the wrong recipients.
Identity Management Institute (IMI) maintains a free identity management blog with many articles covering various topics to educate everyone about proper identity and access management practices. IMI also offers training and registered certifications in identity and access management to its novice and experienced professional members.