Enhancing cybersecurity through identity and access management

As organizations advance from limited IT environments with few systems physically located in their office environments, to complex webs of connected systems in many locations, the importance of identifying and verifying human users before granting them access has grown to a non-negotiable critical protection for systems and data.

Organizations have a wide array of users who need access to systems, such as employees, contractors and vendors, customers, guests and visitors, and many more. Each of these user types require different access to systems for various periods. Implementing a robust identity and access management (IAM) program – including processes and technologies with the appropriate people to manage – can help manage risks, such as:

To evaluate how effective your organization’s IAM program is for managing these risks, an assessment should be performed to measure the maturity of the program and identify opportunities for improvement. This assessment can be based on leading practice guidance in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 and National Security Agency (NSA)/Cybersecurity Infrastructure Security Agency (CISA) Identity and Access Management Recommended Best Practices for Administrators.

Organizations should take a proactive approach by evaluating the following areas of the current IAM program to identify opportunities to mature practices and reduce risks:

1. Policies and procedures - do they align with industry best practices, regulatory requirements and organizational goals?
2. Governance and oversight - does it support roles, responsibilities and accountability?
3. Identity lifecycle management - how are user identities created, managed and deactivated throughout their lifecycle? (join, move and leave processes)
4. Authentication mechanisms - how strong and effective are authentication mechanisms used for user verification, such as passwords, multi-factor authentication (MFA), biometrics and single sign-on (SSO).
5. Authorization controls - how granular are the access controls and permissions to ensure the principle of least privilege is applied?
6. Privileged access management (PAM) – how effective are privileged session monitoring, session recording and audit trails? 
7. Identity federation and integration – how does the organization manage federated identities across multiple systems, applications and cloud services? 
8. Monitoring and compliance – what are the mechanisms for monitoring user activity, detecting anomalous behavior and responding to security incidents? 
9. IAM technologies and tools – how effective, scalable, and resilient are technologies and tools deployed within the organization? 
10. User awareness and training – do the user awareness programs and training initiatives cover IAM best practices, security policies and data protection? 
11. Risk assessment and gap analysis – have the potential risks and vulnerabilities within the IAM program been identified? 
12. Improvement roadmap – what is the roadmap for enhancing the organization's IAM program?

How can Baker Tilly help my organization?

Baker Tilly’s team of cybersecurity and IT risk professionals can guide your organization in many ways.