Our Roundtable Sessions are invite-only events hosted by peers for peers that bring together a select group of senior IT leaders from across industries for topic-driven, intimate dialog on current trends and topics. The group met remotely to discuss evolving trust and identity access management through digital transformation, led by the VP, CISO of a health insurance company. This Session was sponsored by Okta.
Identity and Access Management (IAM) enables organizations to verify users and control their access to resources. Using IAM, administrators can implement infrastructure-wide authentication, create policies for groups of users, issue short-term or long-term credentials, and enforce granular access control. But IAM does more than enhance an organization’s security posture; it also has various business benefits like better user experience, improved regulatory compliance, and reduced operational costs.
During the discussion, attendees were asked whether IAM was a board-level discussion in their organization. Most participants responded in the affirmative. A product owner said it was an integral part of their zero-trust journey. A CISO added that IAM is their actual security perimeter. A few people answered with a no; however, they expressed a desire to discuss IAM with their board soon.
When asked to comment on the importance of IAM, an executive explained that IAM lays the foundation on which security infrastructures are built. It’s a precursor to many cybersecurity implementations and approaches, like zero trust. Another participant added that without IAM’s centralized authentication, governance, and policy enforcement, it’s impossible to secure modern infrastructures that are spread across environments and platforms and need to be accessed remotely. Additionally, IAM allows organizations to extract context from authentication requests, personalize customer experiences, implement privileged access management, comply with the principle of least privilege, and enforce fine-grained access control.
An attendee told the audience that modern IAM techniques such as adaptive MFA can enable organizations to find the right balance between security and user experience. By checking factors like user device, IP address, the sensitivity of the accessed resource, time, etc., you can determine the risk level of every authentication request. If the risk level is high, the system will use multiple factors for stricter authentication. If the risk level is low, the system may allow access without any friction whatsoever.
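The risk-based step-up described above, as an added example that is not code from the roundtable or from Okta. The factor weights, the known-device list, the corporate network range and the resource sensitivity table are all constructed assumptions; a real deployment would draw them from device inventory, network data and a resource classification.

```python
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Constructed policy data (assumptions for this example, not from the write-up).
KNOWN_DEVICES = {"alice": {"dev-laptop-01"}}
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
RESOURCE_SENSITIVITY = {"wiki": 1, "payroll": 3, "admin-console": 4}
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time

@dataclass
class AuthRequest:
    user: str
    device_id: str
    ip: str
    resource: str
    when: datetime

def risk_score(req: AuthRequest):
    """Add up the signals the text lists: device, IP address, resource, time."""
    score, reasons = 0, []
    if req.device_id not in KNOWN_DEVICES.get(req.user, set()):
        score += 3; reasons.append("unrecognised device")
    try:
        on_net = any(ipaddress.ip_address(req.ip) in n for n in CORPORATE_NETS)
    except ValueError:                 # unparsable address: treat as off-network
        on_net = False
    if not on_net:
        score += 2; reasons.append("off-network address")
    sens = RESOURCE_SENSITIVITY.get(req.resource, 2)   # unknown resource = medium
    score += sens; reasons.append(f"resource sensitivity {sens}")
    if req.when.hour not in BUSINESS_HOURS:
        score += 1; reasons.append("outside business hours")
    return score, reasons

def required_factors(score: int):
    """Low risk: no extra challenge beyond the existing session. Higher risk: step up."""
    if score <= 2:
        return []
    if score <= 5:
        return ["otp"]
    return ["otp", "hardware_key"]

def decide(req: AuthRequest):
    score, reasons = risk_score(req)
    return {"score": score, "factors": required_factors(score), "reasons": reasons}

if __name__ == "__main__":
    print(decide(AuthRequest("alice", "unknown-phone", "203.0.113.7",
                             "payroll", datetime(2024, 3, 12, 2, 0))))
```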
Multiple speakers noted that IAM offers much more than just security. Using customer IAM, an organization can collect user data and build personalized profiles and experiences. Specific workforce IAM solutions can help managers identify trends, patterns, and relationships in employee activities and use these insights to increase productivity and collaboration. By providing password self-service, IAM can decrease the burden on the security teams. A well-implemented IAM solution can also make it easier for organizations to comply with various frameworks like GDPR, HIPAA, and PCI DSS.
An executive said data privacy and consent management are integral parts of an IAM system. There are laws and regulations regarding storing and processing employee data, which must be considered when dealing with an IAM system. Customer data laws and regulations, which can differ by location, jurisdiction, or industry, are even more critical. Customers must have a convenient way to opt in to or out of subscriptions or promotions. There’s also a need to have a proof-of-age system or policy in place to ensure compliance with various data privacy laws.
Multi-factor authentication (MFA) and one-time passwords (OTPs) are being used to verify identities, some argue, at the cost of customer convenience. So how do you implement security controls for your customers without asking them to do too much?