This blog is part of a series to help organizations of any size optimize their security. Our experts provide insights and recommendations based on common security use cases, customer questions, and security software developer needs.
Zero trust. Multi-factor authentication. Controlled access.
Professionals who work in security are so familiar with these terms that eyes may gloss over when they are mentioned. It’s true that they are often overused and at times misused. But identity and access management, or IAM, continues to be at the heart of any organization’s ability to stop cyber threats at the most obvious control points: where logins occur.
While the traditional IAM lifecycle started with a relationship and ended when the relationship ended, such as when an employee starts and stops working with an organization, a more mature IAM lifecycle centers around periodic access reviews based on real-time role and privilege needs.
What are the maturity levels for IAM capabilities?
The well-known Capability Maturity Model (CMM) can be applied to IAM. CMM was developed with funding from the U.S. Department of Defense in 1986 and includes five levels along a continuum for process maturity. The CMM should be applied to each of several key areas of IAM.
Level 1: Initial – Typically undocumented and dynamic, this level of processes is driven by ad hoc, uncontrolled, and reactive users and activities
Level 2: Repeatable – Some process discipline exists, allowing repeatability for certain processes or steps that provides consistent results
Level 3: Defined – Sets of defined and documented processes are established with periodic improvements developed and implemented
Level 4: Managed – Process metrics help drive effectiveness and achievement of process objectives across a range of environments and conditions, enabling adaptations with low to no deviations in quality
Level 5: Optimized – Continual improvement and addressing of variations for process performance through incremental and innovative changes
What are the key areas to consider for a maturity model for IAM?
Movement from one level to the next should happen in each of several IAM areas. According to Gartner, these include:
- Vision and strategy
- Architecture and infrastructure design
- Business value
As a business builds capabilities from initial to optimized, the goal is to reach operational excellence in as many of the key IAM areas as possible.
How can an organization get from one maturity level to the next one?
As an organization moves from one level up to the next, it increases business value and reduces risk. It’s best to define each of the five levels for the key IAM areas above and work through them. There are also some general steps organizations can take to start working on meeting the next level of IAM maturity.
Initial to repeatable: perform an assessment, document procedures and processes, and explore automation for the different stages of IAM (provisioning, authentication, self-service, password management, compliance, and deprovisioning)
Repeatable to defined: document policies, procedures, and standards; consolidate types of access and identities; and take inventory of each type of user, application, and privileged account
Defined to managed: align provisioning to business processes, explore security incident response integration with IAM, improve privilege management and remote management, and document IAM metrics
Managed to optimized: deliberately improve IAM and business processes integration, measure and manage improvements, and update IAM controls for agreement with policies, procedures, and standards
What are some tips for organizations to implement to improve IAM now?
Regardless of maturity goals, there are best practices that organizations can employ to improve security. The most important best practice is to adopt a Zero Trust strategy, which relies on the principles of never trust and always verify, assume a breach is imminent, and apply least-privileged access.
The inherent policies of a Zero Trust approach allow organizations to simplify IAM tools and authentication processes with multi-factor authentication (MFA) methods and automated workflows.
When adopting the principle of least privileged access, organizations can focus on limiting and restricting access and permissions as much as possible without interfering in users’ workflows. To do this effectively, it’s best to define role-based access and automate mechanisms for deprovisioning and provisioning when someone changes roles or leaves a position.
This also holds true for administrative permissions. For admins, a best practice is to ensure that no single person has excessive permissions. Responsibilities should be divided among admins to avoid over-provisioning and decrease vulnerabilities should an admin’s access be compromised.
The goal is to regularly audit usage for every type of user and adjust access accordingly. Audit usage logs can also alert security staff of possible cyber threats and allow deprovisioning to reduce the attack surface available. Without regular audits, gaps in access can quickly accumulate, become unmanageable, and open businesses to security vulnerabilities.
Learn more about security for your unique environment
If you’re not sure about your security posture or the level of vulnerability in your organization’s IT environment, a security assessment can help you develop a clear view of your current state and possible remediations needed. Visit the Professional Services for Security resources section for overviews on the different types of assessments available, and contact us at SecurityPSInquiry@vmware.com to learn more.
For more support, read the other blogs in this series:
- The Security Toolbox: Building a SOC on a Budget – Learn about the common tools and methodologies for a security operations center
- The Security Toolbox: Meet Cybersecurity Mesh Architecture – Discover the promise of better security through the concept of CSMA
- The Security Toolbox: Slow the Risks of Attack Surface Expansion with AI – Read about the benefits of AI and machine learning for mitigating cyber risks
- The Security Toolbox: Facing the Real Business of Ransomware – Mitigating ransomware risks starts by understanding how cybercriminals operate and incorporating security best practices
- The Security Toolbox: Raising Preparedness with Wargaming – Learn how practice detecting and hunting threats in realistic scenarios raises security posture
- The Security Toolbox: Multi-Cloud Security Basics – Review the three basics for security within multi-cloud environments
- The Security Toolbox: Upskilling – Learn what to do to grow your career as a cybersecurity professional