Security Advisor ME hosted a roundtable in partnership with Gulf IT network distribution and Sailpoint, which focused on how organisations can achieve security and business agility with identity and access management.
With the increasing number of cyber threats, unauthorised access and mounting regulatory pressures, many security leaders are turning their focus to securing end-users, who are often regarded as “weak links” within organisations.
In addition, the growing number of applications, platforms and devices has made the need for a safe and secure place to store critical information more and more prevalent. This demand can be met by properly implementing an effective identity and access management (IAM) programme.
Sailpoint regional director Tariq Jan kicked off the discussions by shedding light on how the IAM market has evolved over the years. “What we’ve seen in the region over the past 12-24 months is that a lot of organisations today are optimising identity to enhance other security solutions such as privileged access management, data loss prevention tools and GRC among others. This makes IAM a critical aspect of cybersecurity now more than ever.”
According to Jan, identity and access management revolves around three key pillars: single sign-on and multi-factor authentication (MFA), identity governance and privileged access management (PAM).
“The first pillar, single sign-on and MFA, focuses on ensuring that the person accessing the system is who they say they are. Oftentimes, this is done through fingerprint authentication, access cards or password access,” Jan explained.
He continued, “The second pillar is around identity governance. This centres on understanding what people have got access to, what they are doing with that access and verifying whether they should or should not have access to that data. These are important questions to address as identity ties with security.”
Jan also noted that identity governance is crucial in giving visibility into all the data and systems that a specific privileged user has touched.
Last but not least is PAM. “This third pillar is all about understanding who’s got the ‘keys to the kingdom’,” said Jan. “This pertains to being able to manage and monitor the activities of those people who have access to your organisation’s critical infrastructure.”
Today, a robust IAM strategy has become an integral part of enterprise IT. Strong IAM solutions can enable enterprises to boost employee productivity and bolster their overall security postures. However, the increasing number of endpoints makes IAM deployments more challenging than ever to get right.
The roundtable session saw the panellists share their views, challenges and best practices around IAM implementations. Throughout the discussions, it became apparent that identity management can be especially challenging as it is not just about deploying a plug-and-play solution. Beyond choosing and implementing the best IAM technologies on the market, security leaders also need to ensure that the people and processes within an organisation work together for the programme to succeed.
Mohammed Darwish Azad, CISO, Emirates NBD, then gave his perspectives as an end-user and shared his experience and success in IAM deployment.
“Many organisations face difficulties in their IAM programmes because they are often hesitant to let go of the legacy systems and processes that they have set in place,” said Darwish.
“When we embarked on our journey to transform our IAM processes, our main goal was to ensure that our systems remain agile and that our services are secure without hindering our customers’ experiences,” he added.
He then highlighted that a key step they took was standardising their IAM tools, processes and governance schemes. “We made sure to remove the different customisations that we had applied to some of our existing solutions and applications. The reason behind this was that we found that these customisations make it challenging to upgrade and improve these tools,” he explained.
Moreover, Darwish emphasised that organisations need to understand that identity and access management is not an IT project nor a security project, but rather it is a business project.
“That’s why we made sure to determine a business objective for our IAM project,” said Darwish. “The objective was to ensure that access to systems and information is secured. It was also aimed at making sure that we can manage and monitor who has access to specific data and how they use it.”
Following this, Darwish said that as people are the primary aspect of IAM, Emirates NBD also set up a governance body to ensure the effectiveness of the implementation.
“The governance body is comprised of different business stakeholders across multiple departments of the organisation and is headed by the CISO,” he said.
According to Darwish, the committee is instrumental in helping the CISO to better communicate the risks and vulnerabilities to all stakeholders. In addition, it is responsible for spreading awareness and for evolving the security culture within the workplace.
Jan then rounded off the discussion by reiterating that to succeed in identity and access management, organisations need to give significant focus to all three aspects of the deployment – technology, people and processes. “IAM is about bringing all these three aspects together and aligning them with your business’ objectives,” he said. “It’s a multi-faceted programme and requires time, investment and commitment.”