Is IAM outdated? Why you need to study alternatives

Is IAM outdated? Why you need to study alternatives

15 years of IAM: the end of an era?

IAM projects have blossomed since the early 2000’s and most large companies implemented one. Unfortunately, for most organizations, a significative gap appeared between what they hoped  to get from their IAM projects, the expected benefits, and what they got, or should we say what they didn’t get in most cases. Many aspects of these projects initally planned weren’t implemented or requested specific developments that haver prevented any evolution or upgrading since because of these in-house specifications.

Companies initially launched IAM projects to provide an efficient answer to their risk and compliance challenges through automation. But unfortunately, this resulted in focusing on operational efficiency and leaving out risk mitigation on the long run.

Today, IAM domination is coming to an end with business and security needs evolving at a high pace, much faster than the rate at which massive IT projects, such as IAM projects, can evolve. Desillusion, constraining IT architectures inherited from these projects, lack of defined goals and perimeters from the start, all of these are some of the main reasons why IAM systems alone aren’t enough anymore.

Organizations need something else – something more – today to, not only ensure proper access management, but also implement access governance, continuous compliance and reduce security risks which continue to increase every year.

Getting rid of silos and connecting access management to the rest of the information system is essential. Making things simple and ensuring that technical and business internal actors are working together as much as possible are some of the key recommandations to start fresh. Working with silos is no longer possible. Services and departments within a company are more and more connected. Organizations now belong to a full network and need to communicate across the board. Silos are no longer accepted while IAM projects have most often been built that way, based on silos.

That is why it so hard to make them evolve, and in many cases impossible, because they cannot be connected and have often included in house specifications that prevent their upgrading. In many cases, making your IAM solution evolve amounts to as much work as implementing a new one.

Thus, when discussing IAM strategies and projects, it appears as if nothing has changed over the last ten to fifteen years. With the surrounding environment evolving – new risks, new ways of consuming IT – there is a need to reassess the way companies leverage their IAM programs, in terms of services, technology and organization.

Understanding why IAM projects often fail

If we consider a traditional Identity and Access management approach, a strong focus is set on connectors, meaning access fulfillment and automation. Other IAM services that should be included and implemented are too often considered as a secondary concern and never really implemented.

Companies’ experiences with IAM projects have many similarities for most of them: very long projects, weak visibility regarding the software’s adequacy with business users’ needs, budget and deadlines beyond pushed way beyond limits set at the start. The delivery value is most often not what was expected. For most organizations, the project’s scope has shrunk and very little automation has been implemented.

Other very important aspect: access-related risks aren’t taken care of by IAM solutions but they represent significative security risks for any company, regarding external and internal threats. Indeed, with the rise of access-related security risks, both through external and internal threats, companies now do not have the choice and need to mitigate these risks with an efficient access governance.

Knowing your information system as a whole – its users, their job positions and access righs, their usages and behaviors – is now necessary and IAM solutions cannot take this in charge.

 

What you need to succeed

Changing IAM solution, trying to make yours evolve according to your business needs or studying alternatives, all of these options require you apply best practices to make sure you chose the proper one.

What you need to pay attention to : ensure proper user experience, make sure that the solution is able to evolve according to your business needs, ensure data quality and controls automation as key components, and maybe try and see why you do not need IAM provisoning that much to ensure proper access management.

In addition, here are 3 key factors for success :

  • a unique platform to process end users’ requests
  • technical tools relying on standards
  • transversal solutions for audit, reporting and control

 

These 3 key factors will enable you to brake silos and take in charge all necessary processes you need to ensure: information browsing, request input, validation workflows, provisioning and technical actions as well as reporting, audit and control.

This will enable you to operate transversal processes and brake 4 key silos: IT & logistics, IAM for application access, non structured data and, last, ERPs.

You may ask, is this really possible? Do cross system and cross application solutions already exist? Indeed, some organizations are currently studying and implementing alternatives to the traditional IAM approach and it is promising.

 

Studying alternatives: a new paradigm with Identity Analytics

There is adequate and proven technology on the market to support this approach and organizations can chose among several options, according to their business needs and environment.

Some companies are examining alternatives to the traditional IAM model such as replacing IAM by a meta repository. Nevertheless, what we should be paying attention to are the other components of these options. ITSM tools and Brainwave Identity GRC, as an Identity Analytics solution, are included in many alternatives, so of them which do not even include an IAM solution.

Usually, an IAM solution does not cover what is initially needed and access governance as well as access related risk mitigation are left out. With these alternatives, some companies are starting to see how to meet their evolving needs outside traditional IAM and costly projects.

Nevertheless, the point isn’t to conclude that IAM projects are all failures – which is far from being true – and that Identity Analytics coupled with ITSM is THE alternative. IAM and Identity Analytics are complementary and companies need to make them work together to attain both of their prime goals: operational efficiency and risk mitigation, on a continuous basis.

BRAINWAVE GRC LAUNCHES ITS CLOUD SOLUTION FOR ACTIVE DIRECTORY

BRAINWAVE GRC LAUNCHES ITS CLOUD SOLUTION FOR ACTIVE DIRECTORY

Brainwave GRC, a software vendor specialized in Identity Analytics, launches “AD Booster Cloud edition” a SAAS version of its Brainwave Identity GRC software in order to help companies easily control their Active Directory’s content.

As many companies still use Active Directory it remains a central repository for many information systems as a door to a wide range of an organization’s data and applications. Whether companies face modernization challenges, opening to cloud services or organizational changes, Active Directory remains a key factor for any digital transformation project. Data are now stored in the cloud and on premise and your Active Directory is often the main entrance door.

Active Directory is often one of malevolent individuals’ favorite targets. An issue in Active Directory management creates important security weaknesses that can give way to data leaks spread by an internal source. These security risks also represent a dreamed-of entrance door for hackers, especially if they target privileged accounts.

Active Directory’s access rights model is complex and evolves on a daily basis, following the company’s use of it. In consequence, it is often very hard and complicated to continuously ensure a sufficient security level without a proper tool.

Brainwave GRC launches its cloud solution for Active Directory to provide an out of the box solution for Active Directory audit and security. With this SAAS solution you can view, contextualize and analyze security risks and data quality issues with all your Active Directory domains as well as edit dashboards and reports.

With this solution any company can continuously monitor its AD referentials’ evolution and identify any anomaly, in a preventive and reactive way. The solution provides 360° visibility over AD:

  • Accounts and groups inventory
  • Bringing together accounts and their owners by reconciliating AD data with HR information regarding individuals and organizations
  • Privileged accounts identification and documentation
  • Security groups analysis
  • Highlighting security issues related to accounts (excessive access rights, dormant or residual accounts, never-changing passwords, etc) and groups (almost public groups, cyclic groups,…)
  • Illustrating changes having happened between two dates
  • Password policy analysis
  • Identifying accounts with local admin access rights
  • Analyzing authorized privileges within Active Directory through ACLs (who can reinitiate passwords, who can modify group members, etc)

 

Brainwave GRC cloud solution for Active Directory is accessible through subscription, immediately operational and requires no connector for the solution to connect to your IT system.

With Digital transformation, it has become necessary to closely monitor Active Directory. Any configuration mistake can lead to heavy security consequences. For example, an account remaining active by mistake can still give access to cloud applications linked to an AD referential. 

CISOs have already understood this risk and operate security controls over this referential, but these controls are often hard and laborious to operate. In consequence, analyses are often limited and remain superficial by lack of means or time. 

With AD Booster Cloud edition, our goal is to help CISOs improve their operational efficiency. The solution enables them to focus on monitoring and analyzing results rather than fighting with data extracts. The pricing model, a subsription mode, and the SAAS approach provide an immediate return on investment and are adapted to any company size”. 

explains Sébastien Faivre, Brainwave GRC Director.

BRAINWAVE GRC LAUNCHES THE 2017 VERSION OF ITS IDENTITY GRC SOLUTION

BRAINWAVE GRC LAUNCHES THE 2017 VERSION OF ITS IDENTITY GRC SOLUTION

Brainwave GRC, software vendor specialized in Identity Analytics, launches the 2017 version of its Brainwave Identity GRC solution.

A FLEXIBLE SOLUTION TO ENSURE EFFORTLESS RISK MANAGEMENT

Brainwave Identity GRC is an out of the box solution for audit and compliance control regarding user access rights in information systems. The solution enables companies to mitigate their security risks and easily fulfill their compliance requirements thanks to automated control and analysis processes. With Brainwave Identity GRC, organizations benefit from a 360° view over individuals who have access to the company’s data and applications, their access rights and their use of them on a daily basis in order to detect any abnormal behavior or unusual situation. Brainwave GRC clients know “who has access to what” within their systems and “who has been doing what” to ensure a continuous risk management.

The 2017 Brainwave Identity GRC edition includes multiple innovative features which answer strategic client needs, facilitate user experience and enable our clients to take advantage of all of our solution’s potential.

LOG LAKE AND USER BEHAVIOR ANALYTICS (UBA)

In its 2017 version, Identity GRC enables you to know “who is doing what” in your information systems and in an immediate way. The solution collects and centralizes application access logs within a log lake and highlights rapidly and easily informations regarding user behavior. With Identity GRC, you can know who works in your company and who has access to what but also who accessed which application or referential and when. With this log lake, the solution provides useful and precise user behavior analyses in order to easily fight against internal fraud or provide informations for audits.

 

AN OPTIMAL USER EXPERIENCE

Identity GRC 2017 has again improved the solution’s web platform user experience by enabling the user to edit and customize dashboards in a few clicks and share them via a web interface. This 2017 new feature – mashup dashboards – grants more autonomy and responsability to the user, for example for security offciers managing a community. With the Identity GRC mashup dashboards, each user views only results corresponding to data placed under his jurisdiction and can chose to view them as a list, indicators or graphs with the possibility to view trends.

 

AN POWERFUL CAMPAIGN MANAGER

Last, the Identity GRC 2017 version also includes a new review campaign manager which enables you to monitor and automatically set the rythm for campaigns.  It reinforces and improves the current campaign manager as it enables you to benefit from a precise follow-up regarding campaigns’ progress, to directly access compliance reports as well as include an electronic signature and show compliance reports stamped with date and time to prove, if needed, non repudiation.

Brainwave Identity GRC 2017 still operates automated remediation actions by connecting to target systems (ServiceNow, Atlassian Jira, …), as well as customizing execution, reminder and validation stages of a review.

Recent events reveal how much it has become harder and harder to keep control of IT infrastructures and that cybersecurity is the key to proper assets and user management considering digital transformation as a whole. 

Identity management’s promess, focused on operational efficiency – “who works in the company” and “who has access to what regarding his/her role” – is no longer sufficient. It is now necessary to understand how the company’s sensitive assets are used in order to anticipate cyberattack, fraud or data leak risks. 

This new paradigm, relying both on an in-depth knowledge of access rights and which access rights individuals use, his reinforced by decision aid approaches (user behavior analytics, machine learning) in order to identify weak signals. 

We are proud, after two years of R&D, to be the first European actor able to answer this challenge. Our “plug&play” approach enables security officers and assets managers to take back control of the company’s assets wherever they are and, in consequence, support and accelerate digital transformation initiatives”.

explains Sébastien Faivre, Brainwave GRC Director and co-founder.