What Is ABR? Why Should It Be a Top Priority for CISOs in 2021? Part Three: IAM Roadmap
Data management continues to challenge businesses. Identity & Access Management is a powerful tool used by organizations around the globe to automate the process of tracking and assigning user privileges.
IAM Assessment allows organizations to evaluate the current state of their IAM solutions and identify vulnerabilities that need to be shored up. IAM Blueprint helps businesses get a clear picture of their IAM security today, envision an ideal security situation, and outline the steps they need to take to get from where they are to where they want to be.
An IAM Roadmap is the third pillar in this strategy. It allows organizations to address budget concerns and answer the question of how they can reduce security risk with limited spending.
What Does an IAM Roadmap Look like?
A good roadmap starts logically. The goal is to create something that is consumable. Typically, this takes the form of a multi-phased swim lane diagram. If you can lay this out on a single page, it will be easier for management to consume. Engineering will understand it, as will all of the departments involved.
From a best practice standpoint, none of the phases in your roadmap should last more than six months. There are some practical reasons behind this.
Let’s say that your organization requires auto-provisioning for 5,000 applications. You feel that you can cover those 5,000 applications in four years. The six-month limit on each phase still applies.
Phase 0 of your roadmap would be documenting the current processes your organization is using for provisioning. This would be the case whether it was automated or manual.
Phase 1, or the next six months, would be standing up your auto-provisioning system. This is the development, test, and prod phase. Evaluate what is feeding into your auto-provisioning system. Is the information coming from HR? Or is it coming from an external source?
Phase 2 is where you start to get the economies of scale. In phase 0 and phase 1, you built the framework. Now, the time has come to expand from that. Maybe in phase 2, you are processing your first 50 or 100 applications. By phase 3, you are doing your next 100 or 200 applications.
The practical side of having your phases max out at six months is that every six months, you can show management your progress. It would be a different thing entirely if you walked into their office and said you needed money to cover a project that was going to take the next four years.
You may have three or four swim lanes running at the same time, each addressing a different aspect of Identity Management. But for each swim lane, you have a six-month program. For example, you could attack certification, federation, and provision account management simultaneously.
Each phase has multiple projects, and each project will need to have an action plan built out. This action plan identifies the dependencies, resources required, tasks, deliverables, cost, and budget.
Now, when you need to go to management or to other decision-makers and explain why improvements need to be made to your Identity & Access Management system, you are able to do so with the data in hand.
- Assessment outlined what the current weaknesses are in your IAM security systems.
- Blueprinting laid out what the ideal security situation for your organization is, where you are in relation to that ideal, and the people, processes, and technology needed to fill that gap.
- Roadmapping allows you to break the information down into phases, identify the people and resources needed to get the task done, and present that in budget form to decision-makers.
Why Is ABR Needed?
In a word, agility. The year 2020 has been a year of seismic change for businesses. The economic climate is tighter than ever before.
According to a recent survey by Cyber Security Hub, 67.37 percent of cybersecurity budgets stayed flat or were reduced during the opening months of 2020. Fewer than 40 percent of the CISOs in this study felt that their budget was going to increase over the next six months.
The irony of this is that COVID-19 has led to an increase in cyber-attacks. IAM ABR can help you reduce security risk with limited spending. Through assessment, blueprinting, and roadmapping, you can improve the outcomes of your Endpoint Detection and Response and your Data Loss Prevention.
The year 2020 has changed things so dramatically that the roadmaps you created in 2019 are obsolete. IAM ABR helps you understand your spending from a risk perspective. You are able to evaluate risk much as an insurance company evaluates risk and loss. You can then select the right technology, processes, and training to mitigate that risk.
It is possible that after evaluating your situation, you see that much of your technology can be removed without impacting your risk surface. ABR helps you make recommendations that optimize your IAM security operations in accordance with the information garnered from your security assessment.
COVID-19 is expanding your attack surface. Your employees are working from home, the third parties you interact with have employees working from home, and everyone is using their own applications and devices. ABR allows CISOs to develop improved integrated ecosystems for their IAM security operations.