Dragon Bane, Psycho the Clown, and Texano Jr. No, not members of some alternate Marvel superhero group, but wrestlers on the Lucha Libre Worldwide (AAA) roster. The ‘Triple A’: an organizing body behind – among others – WrestleMania.

Mexican professional wrestling: men of fearsome reputation, skills, and...masks! Indeed, real identities are hidden with great zeal by all combatants – which brings us to another ‘Triple A’, this time associated with Identity and Access Management (IAM).

A focus on identity

IAM. You most likely know the headlines behind this technology: an information security framework focused on securing digital identities in the workplace – and controlling access to company resources.
The ‘triple A’ comes in with the three ‘sub-components’ involved:

  • Authentication – the process of confirming an identity
  • Authorization – defining the resources (data, apps etc.) individuals can access
  • Auditing – keeping track of all the changes being made to ensure compliance

Authentication

This used to be easy – but then along came the cloud and mobile computing, and it got really complex, really fast. Identity has now become the primary security boundary: the emphasis is on confirming that people are who they say they are, with access rights granted on the back of it.

The challenge is that once “you’ve” been authenticated and let in the door, IT has little insight into who’s actually behind the mask. Hence the growing interest in providing different levels of authentication:

  • Authentication with something you know – most commonly delivered through a user name and password or PIN
  • Authentication with something you have – for example a token, banking card or ID card. In this age of mobile devices, we often see the use of a smartphone as a factor, with an SMS code or authenticator app
  • Authentication with something you are – supplying biometric factors based on fingerprints, retinal scans or voice input

Authorization

The principal question to be answered here is simple: what resources can a user be allowed to access? Well, it sounds simple at least. The reality is that getting it right requires IT to strike a delicate balance between security and usability.

Central to the process of authorization is Access Control – where you set conditions for the apps, data, and devices a user can get his/her hands on. For smaller organizations, such limits can be agreed at individual level. But for larger enterprises comprising thousands of employees, broader frameworks are required – including role-based access controls that automatically create ‘personas’ based on job function and position.

To this can be added the emerging concept of ‘continuous authentication’, where an individual is allowed access but constantly monitored thereafter (think keystrokes etc.) to spot any suspicious behavior.

Auditing

In order to complete the security picture, you need to enable auditing, to have a record of which users have logged in and what resources those users accessed. Obviously such a record can prove essential when responding to a potential cyber attack. It can also help with the wider software audit picture, by confirming who’s using which apps and services.

Equally, auditing can be a core building block for GDPR compliance – with identities covering more than just employees (partners, customers etc.). Done correctly, IAM can enable you to:

  • Comply with GDPR requirements such as managing consent by individuals to have their data recorded and tracked
  • Respond to individuals’ rights to have their data erased
  • Notify people in the event of a personal data breach
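
The three A's described above, tied together in one added example (not code from COMPAREX or any IAM product): a role ‘persona’ is derived from job function and position, sensitive actions require two different authentication factors, and every decision, allowed or denied, is written to an audit record. All role names, resources and the policy itself are constructed for illustration.

```python
from datetime import datetime, timezone

# Hypothetical mapping from (job function, position) to a role 'persona'.
PERSONAS = {
    ("finance", "analyst"): "finance-reader",
    ("finance", "manager"): "finance-approver",
    ("it", "engineer"): "infra-operator",
}
# Hypothetical role -> allowed (resource, action) pairs.
ROLE_PERMISSIONS = {
    "finance-reader": {("ledger", "read")},
    "finance-approver": {("ledger", "read"), ("payments", "approve")},
    "infra-operator": {("servers", "restart")},
}
# Constructed policy: these actions need two distinct factor types
# out of "know", "have" and "are".
SENSITIVE = {("payments", "approve"), ("servers", "restart")}

AUDIT_LOG = []  # in-memory and append-only, for the example only


def authorize(user, resource, action, now=None):
    """Decide access and write an audit record for every decision."""
    role = PERSONAS.get((user["function"], user["position"]))
    wanted = (resource, action)
    if role is None:
        decision, reason = "deny", "no-role-for-job-function"
    elif wanted not in ROLE_PERMISSIONS.get(role, set()):
        decision, reason = "deny", "role-lacks-permission"
    elif wanted in SENSITIVE and len(set(user["factors"])) < 2:
        decision, reason = "deny", "second-factor-required"
    else:
        decision, reason = "allow", "role-permits"
    AUDIT_LOG.append({
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user["name"], "role": role,
        "resource": resource, "action": action,
        "decision": decision, "reason": reason,
    })
    return decision == "allow"


def accessed_by(name):
    """Audit query: which resources was this user actually granted?"""
    return sorted({(r["resource"], r["action"]) for r in AUDIT_LOG
                   if r["user"] == name and r["decision"] == "allow"})
```

Logging denials alongside grants is what makes the record useful when responding to an incident: repeated `second-factor-required` or `role-lacks-permission` entries for one account show attempted access that never succeeded.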

Wrestle your way to effective identity and access management

IAM brings with it many immediate benefits: ranging from the mitigation of security breaches and the prevention of data loss, to greater GDPR compliance and improved IT efficiency through automation. This all helps make IAM an absolute necessity for today’s business leaders. To find out more about COMPAREX’s IAM capabilities, experience, and solutions...
