
    Identity & Access Management: Planning an IAM Strategy right…

    Planning the right IAM strategy for your organisation can lead to a range of business benefits.

    Understanding your current Identity and Access Management (IAM) capabilities and how IAM impacts your business is key to ensuring that you have a strategy that is appropriate for your organisation and one that works. IAM should not be considered a once-off project, but rather as a program of work which delivers according to the specific requirements of your business.

    The current proliferation of mobile devices in the workplace means that increasing numbers of organisations are implementing bring your own device (BYOD) guidelines in order to facilitate mobile and remote working. However, ever-increasing numbers of devices logging on to your network can mask a very real security threat: the threat of unauthorised devices gaining access to potentially sensitive business information.

    A recent survey of 176 information security professionals carried out by the Cloud Security Alliance and Bitglass found that 57% of those surveyed have reported security incidents related to unwanted external sharing. As well as this, 47% had reported incidents involving access from unauthorised devices.

    These statistics highlight the need for businesses to take control of who can access data belonging to the organisation.

    Identity and Access Management (IAM) has become a key concept which sits at the heart of IT, providing control over the identities within your organisation, what they have access to and when. As the business landscape continues to change, the scope of Identity and Access Management is evolving to incorporate areas such as Mobile Device Management, Rights Management and MultiFactor Authentication (MFA).

    Figure 1: Scope of Identity and Access Management

    A well planned IAM strategy solves a number of significant business challenges and delivers tangible benefits to the business:

    • Significantly reduces the costs of the identity lifecycle (provisioning, change and leaving) – automating these events to an agreed policy can dramatically reduce the number of IT administrators and support operators needed to deliver the lifecycle services.
    • Significantly improves Identity quality in an organisation by timely and automated enforcement of identity and information security policy thus ensuring a more accurate, holistic and complete view of users and their profile across numerous directories and user repositories.
    • Leads to a reduction in licensing costs – ensuring that the right users have access to the right systems at the right time means that organisations should only pay vendors and service providers for the services and applications they are actually using, thus solving the age-old problem of over-provisioning leading to over-licensing.
    • Increases organisation productivity by providing on time access to all required systems to end users thus reducing expensive personnel downtime throughout the identity lifecycle.
    • Improves the user experience – a well-defined and executed IAM strategy means that users have appropriate levels of access to all the systems they need, when they need it. Through self-service capabilities they can fix their own problems directly with service owners – e.g. request new access, reset passwords etc., taking IT administrators and the helpdesk (with associated delays, errors and costs) out of the loop – thus resulting in users being happier with the service.
    • Improves agility – a well-defined and executed IAM strategy means that introduction of new services or applications or migration of existing services should be much quicker, easier and less costly to execute. These new services typically need to be plugged into “identity connectors” with simple policy configuration needed on your IAM service to define who needs access to the new service, how they are given it, when, how they change access and when they lose access.
    • Reduces the costs and burden of governance and compliance – using IAM tools to define, execute, capture and measure Information security policy activity means that audits and compliance reporting should be a one click activity from IAM reporting toolsets.
    • Improves organisation security – automated systemic execution of Information Security and IAM policy significantly improves the operation of key risk management controls. It also reduces the likelihood of poor IAM practices emerging due to solving of traditional problems identified above such as shadow IT, over-provisioning, poor credentials management, non-existent or periodic de-provisioning, lack of identity or policy transparency etc.

    All of these types of issues and requirements fall within the realm of Identity and Access Management, and as businesses move away from pure on-premise infrastructure and adopt the promise of cloud services, IAM will become an even more critical security control to have in place. The right IAM strategy will ensure you are not sacrificing control and putting identities, data and services at risk, in return for improved end user functionality and reduced costs.

    Figure 2: Identity and Access Management Roadmap

    Critical success factors for formulating the business case for an IAM strategy or project include:

    • Identifying, in order of priority, the objectives for IAM in your business.
    • Gaining consensus and buy-in from key business stakeholders – it is important to realise that execution of an IAM strategy is a significant undertaking involving delegation of responsibility and input on policy formulation from multiple business functions.
    • Establishing your IAM strategy as a key component of your overall Enterprise Architecture and your Information Security Architecture – as such it needs to be planned, designed, executed and governed in the same way that you manage your overall Information Systems strategy and architecture.
    • Prioritised and phased implementation – eat this elephant in pieces. IAM is a complex and sophisticated project and ongoing service. Over ambition or over complexity in any phase is likely to lead to failure of that phase.
    • Ensuring that you take on IAM skills early. It is important that key IAM skills are acquired by appropriate people within the organisation early and ongoing – even if you outsource some or all elements of strategy, design or execution. That way they can lead, contribute and validate key elements of the IAM strategy, design or execution throughout the journey.
    • Ensuring that IAM strategy and Architecture is part of your ongoing ICT/ISM planning. Phased implementation means that elements of the roadmap need to be designed or executed on an ongoing basis to ensure appropriate levels of penetration in the business. Change means that new services are taken on or old services are retired which means that IAM needs to adjust to the ongoing business needs. Information security threats evolve as do IAM technologies and offerings so ensuring that you have the right tools and application of these tools will ensure that your IAM service continues to deliver the appropriate security and risk mitigation controls to the business whilst enabling the business from an access and agility perspective.

    It’s essential for businesses to realise the role IAM plays within their organisation and how IAM issues and requirements relate to their IT Strategy and goals to ensure they are aligned. So before launching into implementation of IAM solutions, we recommend you:

    • Determine your current IAM maturity level
    • Identify your specific IAM challenges and goals
    • Identify your gaps and key priorities
    • Plan the right roadmap for your business
    • Identify the right tools and platform that will support your IAM plans

    With the knowledge and understanding of your current capabilities and a vision of where your business should be, you can launch a successful IAM program, with some quick wins to realise immediate value, and provide the foundation for planning your IAM Architecture and Designs.

    If you’re interested in learning more about our IAM Assessment service, speak to one of our team – visit https://www.ward.ie/about-us/contact-us/ or call +353 1 6420100.


    Ward Solutions’ Survey: Over a quarter of organisations don’t…

    Ward Solutions 2016 Information Security Survey found that over a quarter of organisations haven’t planned for a potential data compromise

    The results of Ward Solutions’ 2016 information security survey, conducted in association with TechBeat, have been published, and have garnered significant media attention. The results revealed that almost half of organisations wouldn’t report a data breach to affected third parties, and that nearly a fifth of businesses don’t know where their data is being stored.

    As well as this, over a quarter (26.3%) of respondents admitted that their company has not planned for potential data compromises. An additional 12% are unaware of whether or not their company has a crisis management plan.

    The rise in incidents of cybercrime over the past number of years has necessitated forward planning to deal with potential data breaches. Almost half of those surveyed confirmed that they had noticed an increase in the number of security incidents in their organisation over the course of the past 12 months. What’s more, 63.2% said that they expected to spend more on cybersecurity in the next year as a result. In order for businesses to survive and thrive they must accept the gravity of the cybersecurity threat and adapt their business strategies to tackle it head on.

    On a positive note, it seems that the majority of organisations are aware of this necessity, with 61.7% of respondents stating that their organisation does have a crisis management plan in place, and are prepared for the consequences of a potential data breach.

    However, over a quarter of organisations are leaving themselves extremely vulnerable to significant financial and reputational damage in the wake of a data breach. Analysis of security incidents, both nationally and internationally, points to significant brand damage and significant further loss to organisations through mishandling of a security incident in the time after the event.

    Data compromises require a technical, information security and whole business response. This is very difficult to achieve effectively in the absence of a prepared plan that has been developed, communicated and tested in the context of a specific business. Implementation of a well-communicated, well-understood, and well-rehearsed crisis management plan is one way to stem further losses and damage once an incident occurs.

    Many businesses believe that they have no need of a crisis management plan as they are unlikely to ever experience a security incident. However, it is important to remember that a security incident doesn’t necessarily have to be a hack or a data breach, it could also be as simple as a sustained high-profile, high-impact outage. This is something that could happen to any organisation at any moment.

    Businesses who accept these new realities and plan with them in mind will continue to be successful. Those that do not put themselves at risk. Ward Solutions can work closely with organisations on the development of crisis management plans, tailored to their specific business needs. Organisations that opt to implement such a plan will dramatically reduce the threat level that they face from malicious hackers.

    To read more about Ward Solutions’ 2016 Information Security Survey download our whitepaper: Mapping the Cybersecurity Landscape.

    To find out more about how Ward Solutions can help your organisation to develop a crisis management plan, and about our range of information security offerings, contact us today. Visit our website or call +353 1 6420100.


    Cybercrime aims lower for greater ransom success

    Ward Solutions’ recent Information Security Survey found that cybercriminals have come up with new tactics to extort money from organisations through ransomware attacks.

    66% of survey respondents who were hacked over the past 12 months state that they have been held to ransom for less than €1,000
    Ward Solutions’ recent IT Security survey, conducted in association with TechPro magazine, revealed that cybercriminals have come up with new tactics to extort money from organisations through ransomware attacks.

    The survey, an in-depth analysis of cybercrime and data storage trends in Ireland, presented some startling findings around data breaches and ransom demands. The responses revealed that two-thirds of those surveyed who had their data encrypted received a ransom demand for a fee of less than €1,000 during the past 12 months.

    This new trend of demanding smaller fees is an interesting tactic being employed by cybercriminals. Companies are more likely to pay a small fee in order to avoid reputational damage amongst the public or other affected 3rd parties such as suppliers. This is supported by the survey finding that 46% of Irish companies would not report an incident of a data hack to impacted 3rd parties and almost 30% would not report the incident to the authorities.

    A smaller fee means that a whole new target comes to the fore for cybercriminals and their ransomware attacks as more SMEs find themselves victims of cybercrime. While larger fees are cost prohibitive for SMEs, smaller fees of sub €1,000 are easier for them to contemplate paying to save their reputation. SMEs have smaller resources than larger enterprises but may still be hosting information that can be ripe for ransomware encryption in a location that is more vulnerable to attack.

    The findings in the survey demonstrated that ransomware is a real and evident threat, and more importantly, that a significant number of Irish organisations have been targeted. This is in keeping with Ward Solutions’ experience in the marketplace in recent years, having witnessed a multitude of targeted approaches by attackers who seemingly know or infer the value of the data that they have encrypted to individual organisations.

    What’s more, it appears that a significant percentage of companies are unprepared for a ransomware attack, with over a quarter of respondents stating that their company does not have a crisis management plan in place to deal with potential data compromises. A further 12% did not know if there was a plan in place. It is imperative to have a well communicated, well understood and well-rehearsed incident management response in place to minimise further loss. A data compromise requires a technical, information security and whole business response – something very difficult to achieve without a pre-prepared plan to battle cybercrime.

    Ward’s view is that organisations both large and small need to develop deterrents to fend off cybercriminals and ransomware attacks by taking a holistic approach to their security requirements. This is based on the lifecycle of: Identify, Protect, Detect, Respond, Recover. This can be integrated in an overall information security experience which can serve to keep data safe and reputations intact.

    For best practice advice on combating cybercrime and ransomware threats, contact Ward Solutions today.