It remains astonishing that so much effort and money is put into all manner of technical and organizational security solutions, while the basics are not in order!
Basically, the whole security industry is about one thing: people! We’re securing our assets for people and against people. From that perspective, it’s actually very odd that so many organizations are neglecting the fact that their basic people hygiene is not up to the required standard.
Of course we know the reason for that: it’s a process and not a technical thing, so the IT security community is not very interested. New ‘boxes’ are much more fun!
It remains of paramount importance to know which persons legitimately have authorised access to systems, applications, data and buildings. After all, if you have no idea who has authorised access, how could you detect unauthorised access? Of course, certain patterns could help detect unauthorised access, but many of these incidents actually take place through the 'front door': with accounts and rights that look legitimate.
The proper management of people, the accounts they use and the rights associated with these accounts constitutes the foundation of good security. If this isn't in order, all other measures will simply not be sufficiently effective. This process is better known as Identity & Access Management (IAM). IAM, however, doesn't have such a good reputation: projects tend to get out of control, and only a few of them truly deliver the benefits that were agreed on at the start of the project.
Quite a number of studies have since then been conducted into the reason why these projects systematically go haywire, but one of the key aspects is that not enough attention is paid to the added value of IAM for an organisation. IAM all too often focuses strongly on IT, and once you're in the 'automation mode', an IAM project just doesn't become any easier. From the perspective of the organisation, automation is often not even necessary. What's more important is that the process is a well-organised process, with such aspects as clear time lines. Bottom line, if you cannot prove how an IAM program contributes to the main goal of the organization, you will soon run into difficulties when it comes to budgets.
What does an organisation really need? In most cases, this will not even be a fully automated IAM process. Clearly defined delivery times and insight into existing authorisations are the most important arguments for the organisation and this can be 'delivered' just as easily without the implementation of complex IAM projects.
Once the IAM information (users, access rights etc.) is up to date, it can be used to improve the effectiveness of the detection mechanisms (IPS, SIEM etc.).
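To make that concrete, here is an added example (not code from the original post, and not a Capgemini product) of how an up-to-date IAM register feeds detection. The register layout, the log line format and every account, system and timestamp are constructed for the illustration. The script only looks at successful logins, because those are the 'front door' cases the text refers to, and reports each one the register cannot account for: an identity nobody in IAM owns, a disabled account that can still log in, or an active user reaching a system they were never entitled to. A second check audits the register itself for leavers whose rights were never removed.

```python
"""Use an authoritative IAM register to spot 'front door' access anomalies.

Added illustration, not code from the original post. The register format,
log format and all sample values are constructed for the example.
"""
import re

# Constructed IAM register: what the organisation *believes* is authorised.
IAM_REGISTER = {
    "alice": {"status": "active",   "entitlements": {"hr-portal", "vpn"}},
    "bob":   {"status": "active",   "entitlements": {"vpn"}},
    "carol": {"status": "disabled", "entitlements": {"finance-db", "vpn"}},  # leaver, not yet cleaned up
}

# Constructed authentication log lines, one login attempt each.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z vpn login success user=alice
2024-05-01T08:05:43Z finance-db login success user=carol
2024-05-01T08:07:02Z hr-portal login success user=bob
2024-05-01T08:09:30Z vpn login failure user=bob
2024-05-01T08:11:15Z vpn login success user=svc_backup
2024-05-01T08:12:00Z hr-portal login success user=alice
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<system>\S+) login (?P<result>success|failure) user=(?P<user>\S+)$"
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def check_login(event, register):
    """Return a reason string when a *successful* login is not covered by the
    register, or None when the login is exactly what IAM says is authorised.
    Failed logins are out of scope here: they never opened the front door."""
    if event["result"] != "success":
        return None
    account = register.get(event["user"])
    if account is None:
        return "unknown account"            # nobody in IAM owns this identity
    if account["status"] != "active":
        return "disabled account"           # leaver or suspended user still able to log in
    if event["system"] not in account["entitlements"]:
        return "no entitlement for system"  # valid user, but never granted this access
    return None


def find_front_door_anomalies(log_text, register):
    """Successful logins that the IAM register does not account for."""
    findings = []
    for ev in parse_log(log_text):
        reason = check_login(ev, register)
        if reason:
            findings.append({"ts": ev["ts"], "user": ev["user"],
                             "system": ev["system"], "reason": reason})
    return findings


def stale_entitlements(register):
    """Hygiene check on the register itself: inactive accounts that still hold rights."""
    return sorted(user for user, acct in register.items()
                  if acct["status"] != "active" and acct["entitlements"])


if __name__ == "__main__":
    for f in find_front_door_anomalies(SAMPLE_LOG, IAM_REGISTER):
        print(f"{f['ts']} {f['user']}@{f['system']}: {f['reason']}")
    print("accounts to clean up:", stale_entitlements(IAM_REGISTER))
```

On the sample data this flags carol's login (disabled account), bob's login to hr-portal (no entitlement) and svc_backup (unknown account), and lists carol as an account whose rights still need removing. Run the same log against an empty register and every successful login comes back as "unknown account", which is the point of the paragraph above: a SIEM rule like this is only as good as the IAM data behind it, and with no reliable record of who is authorised it produces either noise or nothing.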
A simple IAM project and taking the most appropriate actions are often enough to considerably raise the effectiveness of your security!
For more information on Capgemini's seamless identity management, click here