Identity and access management: Where security and operations meet
The relationship between security and operations helps chart a course for success in the application economy.
In the wake of massive data breaches caused by user credential theft, identity and access management (IAM) has become one of the most important tools in the CSO’s toolbox.
But really, IAM has been a tried and tested tool in the Chief Security Officer’s toolbox for decades, used for improved IT operations and compliance as well as IT security. The focus and use cases have merely shifted over time – in particular to the privileged user and his or her access and activity.
The U.S. government has rightly been promoting both multi-factor authentication, through the use of personal identity verification (PIV) credentials, and privileged access management (PAM).
One example of the government’s move to promote PAM is a memorandum from the Office of Management and Budget, which, among its many recommendations, tightens up policies and procedures for privileged users and is a driving requirement of the Department of Homeland Security Continuous Diagnostics and Mitigation program. Recommendations include:
These considerations help provide agencies with an excellent way to identify high-risk privileged users and accounts.
PAM tips beyond OMB recommendations
These developments and others show that the government is heading in the right direction regarding PAM. More importantly, we see that the private sector understands the benefits of PAM because privileged users – or at least their credentials – are recognized as a high-risk factor.
The convergence of IAM as a SecOps (security and operations) practice establishes a more holistic IT management approach.
Here are a few additional PAM best practices not directly spelled out in the OMB recommendations that highlight this.
Security for the application economy
No single security solution will be 100 percent effective. But by implementing these suggestions, adopting the proposed NIST guidelines, and recognizing the relationship between security and operations, CSOs and CIOs can chart a course for success for securing their organizations and optimally running their businesses.
SecOps is just two-thirds of the story for security in the application economy. Secure application development is another must-have for app economy success. A topic for discussion another day.
Is your organization viewing IAM – in particular privileged access management – as a holistic security and operations initiative? If not, you could be missing out on critical benefits and an easier path to justifying the investment.