The Importance of IAM in the Context of the COVID-19 Pandemic
Identity Management, Risk and Compliance - July 11, 2022
During the COVID-19 pandemic, cloud technologies played a critical part in ensuring business continuity. Without them, businesses would have struggled to facilitate remote work and eventually adhere to lockdown procedures. While cloud computing enabled organizations to address the issues posed by coronavirus, it also resulted in a massive rise in the number of people they must manage. As a result, identity and access management (IAM) has taken on a new level of importance. In this blog, we will look at IAM in the context of the pandemic and discuss its present state and future promise.
Pandemic Induced IAM challenges
Due to the rise of remote work following the coronavirus pandemic, organizations' capacity to handle user identification and access control has become a serious concern. This concern is especially widespread in businesses that were not prepared for large-scale remote work yet have ended up with a complicated array of trusted, known devices and a considerable quantity of unknown assets in their networks. With such a diverse variety of endpoints that are not subject to the same network security or company standards, safely managing access to digital assets becomes incredibly challenging.
According to a survey by Proofpoint, 95% of cyberattacks involve human interaction. A common method of data leak is through privileged access. According to the 2020 Insider Threat Report, 63 percent of enterprises view privileged IT users as the primary threat. Another report by IDSA sheds more light on the impact of the pandemic on enterprise identity security. The following are the key points:
83 percent stated that remote work as a result of COVID-19 has resulted in an increase in the number of identity issues.
Eighty percent report that the transition to remote work has resulted in a greater emphasis on identity security.
Confidence in an organization's capacity to safeguard employee identities has decreased from 49% to 32% during the last year.
At least 70% state that in the last two years, they have begun implementing or have planned identity-related security outcomes.
Over the next two years, 97 percent of companies will invest in identity-related security outcomes.
93 percent feel that by utilizing identity-related security outcomes, they might have prevented or mitigated security breaches.
The development of remote work has fundamentally altered how people operate, rendering traditional security measures ineffective. For example, it has compelled some workers with poor cyber hygiene to utilize new cloud-based collaboration tools, which might result in employees reusing corporate user credentials to access less secure sites. Additionally, enterprise-level protection provided by corporate firewalls and controls may be ineffective when remote access is provided via residential networks, making perimeter-based strategies for enterprise network security less effective.
A Crisis (Pandemic) Resistant Identity and Access Management Solution
A crisis resistant IAM tool must meet the following five criteria:
Increased Scalability and Adaptability: The majority of firms have a predictable and consistent number of employees and business partners who require access to their enterprise systems. This simplifies the process of sizing the servers, storage, and networks required to support expected traffic levels. However, the number of clients requesting such access is not just significantly greater, it is also more volatile. An increase in demand can occur as a consequence of events such as Christmas shopping, new product debuts, promotional events, and travel restrictions caused by health or other situations. To swiftly respond to these spikes in demand with a sub-second response time, organizations require a cloud-based infrastructure built on a serverless and containerized architecture. Additionally, IAM systems can address the requirement for constant change by implementing an application programming interface (API) approach that provides the customisation necessary for optimal and individualized user experiences.
Providing a Unified Experience: The most frequent failure we find in digital customer interactions is inconsistent data as customers go from a Web chat to a phone call or a mobile application to complete a transaction or address a problem. They may be required to repeat or resubmit their name and account number, or they may encounter conflicting information, such as a planned repair time, when they go between service channels. This lack of uniformity across channels also makes it more difficult for employees to give a cohesive experience to consumers, as they are forced to consult different systems to obtain the most up-to-date information. Numerous firms struggle to easily combine data from customer relationship management, marketing, service, and credit scoring platforms. Neither the consumer nor the staff attempting to assist them can quickly obtain a comprehensive perspective of their interactions with the business. This increases customer service expenses and complicates determining which items or services can be provided to each consumer. An ideal IAM solution should be designed on an open, standards-based platform that enables easy integration. This significantly simplifies the process of utilizing the customer's context to acquire data from all relevant apps without resorting to costly and time-consuming bespoke integration.
Increased Personalisation Based on Events: The more information merchants have about their consumers, the more effectively they can target them with products, services, and special offers. However, few customers will take the time to complete extensive questionnaires on their first visit to a website, or even on their first purchase. Efficient identity and access management platforms, such as ISSQUARED's ORSUS, allow event-driven personalization strategies such as dynamic profiling, which gradually accumulates personal consumer data over time. For example, a merchant might ask a client for missing profile information based on their satisfaction index (such as a successful support contact or purchase) by coupling the ask with a special offer.
Strict Adherence to Privacy Laws: In many nations, customers have significantly greater control over their personal data than employees have (e.g., GDPR and CCPA). This means that IAM systems must be able to handle consumer consent for data usage and privacy, as well as their choices for how and when they receive messages. Such platforms should have audit tools that enable them to track where such data is held and how it is utilized, as well as notify consumers when their data is abused or hacked. Additionally, customers must be offered the option to refuse the use of their personal information.
Extremely Thorough Security Measures: Any IAM project should be supported by a strong security architecture and roadmap. A strong identity and access management (IAM) vendor, such as ISSQUARED Inc., handles new and developing security needs. Outdated client identity verification approaches check a user's identification without requiring them to produce formal documents. They achieve this by utilizing data from outside the company (such as automobile registration or birth information). An effective IAM platform would enable enhanced and seamless client verification using approaches such as online identity proofing and BYOID. Online identity verification verifies government-issued evidence of identification against external sources using advanced digital tools. It is critical to offer adaptive access, which allows users' access to be restricted based on their circumstances.
Integrating Zero Trust Concepts into Your IAM Strategy
We have entered a new age in which technology enables employees to work from anywhere and anytime. The zero-trust security paradigm is a solid candidate for creating the appropriate tone for ongoing, persistent, and flexible access management. The technique has gained widespread acceptance during the last decade. The zero trust principles are intended to alleviate the dangers inherent in a large, dispersed company. Many of the most modern technologies on the market enable these concepts, allowing for continuous verification of all interactions between anything and anybody desiring to connect to corporate networks and access a company's data. This mandates the use of a matrix model to microsegment the network, making it more difficult for attackers to move laterally through a company's infrastructure after it has been compromised. Additionally, businesses are increasingly relying on sophisticated behavioural analytics to identify abnormal user behavior and therefore improve their detection of both internal threats and advanced assaults.
While zero-trust principles are extremely effective for managing identity and access, they may be difficult for enterprises to adopt. A mix of antiquated technology, limited holistic network visibility, and deeply ingrained security rules that resist automation and continuous verification makes zero trust implementation extremely challenging.
Making Identity Our Perimeter Security
The coronavirus pandemic has altered how we think about perimeter security. With employees working in remote locations, firewalls and VPNs are incapable of defending an organization's corporate network; but employees can, which means that businesses must make identification their new perimeter.
As a component of the network that remains consistent regardless of the location of employees, identities are now at the heart of cyber security. Simultaneously, governance has become an ever more critical concern. To make identification a central component of organizations' security policies, they must make governance an integral part of every job. Governance is concerned with the why behind the job rather than the how. With greater knowledge of why security processes exist, security personnel are better equipped to sustain security regardless of how much corporate strategy changes. However, given the uncertain future of work, organizations must be prepared for the additional change from a cyber security standpoint.
Our workforce's mobility must be reflected in the fluidity of our access control systems for company data. Dynamic adaptability to changing conditions is a critical design criterion for a robust IAM system.
How are we going to attain this adaptability? Utilizing already-developed intelligent technologies could be helpful. Machine learning is an example, although this is not confined to capabilities associated with artificial intelligence. Rules of operation that affect system behavior are an overlay of IAM that gives the amount of control required in a complex business setting with fluid workforces in an unpredictable world. A design that adheres to zero trust principles, combined with adaptive rules and tasks such as continuous verification and threat intelligence that overlay an IAM, enables a solution that works for everyone: workers, non-employees, and gadgets.
The problems that have arisen throughout this pandemic are not novel. COVID-19 has only brought them into clear focus. Work is expected to continue adapting to the new world order: decreased travel due to the pandemic and home working, an increase in the use of freelancers and consultants for non-employee assistance, and unpredictable economic conditions are likely to result in an unstable employee base.
Our access control mechanisms must evolve as well, and the moment has come to assess how a company is adapting to an uncertain situation like the pandemic.
Surya Jatavallabhula is a Cyber Security and Risk professional with an extensive history in the Banking, Biotech, Medical, and Education sectors. Surya has played various roles under security domains including CISO, Security Partner/SME for Information and Cyber Security, DevSecOps, Risk Management, Data Privacy, Enterprise Security Architecture, Data Architecture, Technology Risk, and Portfolio Management after graduating with an MS in Risk Management from Stern School of Business, New York University, U.S., and an M.B.A. from Leeds University Business School, U.K.