Introduction
When we talk about IAM, it is mostly in the context of cybersecurity and zero-trust. Most IAM initiatives are also driven by the cybersecurity team. While IAM is definitely a very important component of the cybersecurity framework, it is just as important to consider the other facets of IAM.
In this blog, we will discuss Hexadius’ unique approach to the IAM program, which does not look at IAM with a monolithic focus on cybersecurity. As with all our solutions, Hexadius focuses on the trifecta of Cybersecurity, Productivity and User Experience for any IAM deployment. This approach ensures that IAM does not become a pure IT project (which it is not, and treating it as one is one of the key reasons many IAM programs fail).
The IAM Trifecta
Any IAM program should ensure that this trifecta is adequately addressed in a balanced way. This will not only avoid the typical pitfalls that result in failure of IAM programs but will also ensure effective and faster adoption of IAM solutions among various stakeholders.
Here is the IAM trifecta along with some examples:
1. Cybersecurity (and also compliance)
This IAM pillar focuses on enhancing the cybersecurity posture of the organization by addressing cybersecurity threats and ensuring better compliance. This is how IAM can support the cybersecurity posture of an organization:
- Need-based access: one of the basic tenets of cybersecurity, this is also one of the most difficult to enforce. IGA (Identity Governance and Administration) helps manage this requirement through automated birthright provisioning together with approval-based ad hoc access requests.
- Timely access removal: IAM automates access removal based on information pulled from an authoritative source (typically HR and/or a contractor management system, also referred to as the ‘source of truth’). This applies to both user movements and terminations.
- Visibility: IGA solutions provide visibility over what access users have across all IT systems. This also helps identify orphan or duplicate user accounts.
- Enforcing policies: IGA helps to enforce Segregation of Duties (‘SoD’) policies as well as other access policies (e.g., contractors should not have access to certain systems).
- Controlling privileged access: PAM controls privileged access to IT systems by restricting the access as well as monitoring the privileged access sessions.
- Strong authentication: MFA helps enhance information security by requiring users to provide additional authentication based on defined policies.
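The checks in the list above can be made concrete with a small reconciliation routine. This is an added Python example, not Hexadius' code or any IGA product's API; the record layout, function name, entitlement names and sample data are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (hypothetical, not from any real system).
HR = {  # authoritative source ("source of truth"): person id -> record
    "e100": {"status": "active", "type": "employee"},
    "e101": {"status": "terminated", "type": "employee"},
    "c200": {"status": "active", "type": "contractor"},
}
ACCOUNTS = [  # (system, account name, owner id or None, entitlement)
    ("erp", "asmith", "e100", "create_vendor"),
    ("erp", "asmith", "e100", "approve_payment"),
    ("crm", "bjones", "e101", "sales_user"),
    ("payroll", "cwu", "c200", "payroll_admin"),
    ("erp", "svc_old", None, "report_viewer"),
    ("crm", "a.smith", "e100", "sales_user"),
    ("crm", "asmith2", "e100", "sales_user"),
]
SOD_RULES = [("create_vendor", "approve_payment")]  # conflicting entitlement pairs
CONTRACTOR_DENIED_SYSTEMS = {"payroll"}  # access policy for contractors


def review_access(hr, accounts, sod_rules, contractor_denied):
    """Return sorted, de-duplicated findings as (kind, scope, detail) tuples."""
    findings, ents_by_owner = [], defaultdict(set)
    names_by_owner_system = defaultdict(set)
    for system, name, owner, ent in accounts:
        rec = hr.get(owner)
        if rec is None:  # no matching identity in the source of truth
            findings.append(("orphan_account", system, name))
            continue
        if rec["status"] != "active":  # leaver whose access was not removed
            findings.append(("access_not_removed", system, name))
        if rec["type"] == "contractor" and system in contractor_denied:
            findings.append(("policy_violation", system, name))
        ents_by_owner[owner].add(ent)
        names_by_owner_system[(owner, system)].add(name)
    for owner, ents in ents_by_owner.items():  # SoD is checked across all systems
        for a, b in sod_rules:
            if a in ents and b in ents:
                findings.append(("sod_violation", owner, f"{a}+{b}"))
    for (owner, system), names in names_by_owner_system.items():
        if len(names) > 1:  # one person, several accounts on the same system
            findings.append(("duplicate_accounts", system, ",".join(sorted(names))))
    return sorted(set(findings))


if __name__ == "__main__":
    for finding in review_access(HR, ACCOUNTS, SOD_RULES, CONTRACTOR_DENIED_SYSTEMS):
        print(finding)
```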
2. Productivity (and also automation)
This IAM pillar focuses on enhancing productivity. This may be in the form of automation of regular activities as well as enabling users to spend more of their time on productive activities (instead of requesting and waiting for system access to perform their activities).
- Reduced helpdesk tickets: Self-service password reset and account unlocking result in fewer tickets with the helpdesk.
- Productivity from day one: First day access allows users to be productive from day one.
- Data sync: Data sync features allow users to request new access faster without requiring duplicate data entry.
- Audit and compliance support: The IT team needs to spend less time preparing for audits and other compliance activities such as regular access reviews. IGA provides multiple self-service features for both auditors and the compliance team.
- Automated provisioning: Finally, IGA takes away the routine user management activities and allows system administrators to focus on value-added activities.
3. User experience
This IAM pillar is focussed on making the user experience smooth and seamless. In the case of business users, it is all about reducing complexities and removing technical aspects from their interaction with IT.
- Data quality: IGA provides a data sync feature which ensures that user data (such as name, contact details, department, designation, etc.) across various IT systems is always synced and up to date.
- Simplified authentication: SSO helps users avoid authenticating individually to various IT systems.
- Approvals and reviews: IGA makes it easier for approvers to approve access requests and reviewers to review user access through automation (and some IAG solutions also provide AI/ML features to help with this).
- Authentication issues: IAM helps with self-service password reset and account unlocking.
- First day access: IGA helps ensure that the system access for a new user is ready when they join. This avoids productivity loss where a new user spends the first few days (or weeks) just trying to get the right access to the IT systems.
The IAM trifecta should be discussed and agreed upfront as part of any new IAM program. This ensures that the KPIs and success measures are properly aligned. This also drives better user involvement and adoption.