SHARED INTEL: Making the case for improved ‘Identity Access Management’ (IAM)

By Byron V. Acohido

Savvy companies are fighting back against cyber criminals by improving their identity and access management programs.

Taking stock of IAM, as it’s referred to in security circles, and instituting best-practice policies for it can lead to major improvements in network security.

So says Citrix, the software giant that provides server, application and desktop virtualization systems used widely in commerce.

IAM refers to the policies and technologies that ensure the proper people have access to an organization’s technology resources. It “should be viewed as a business enabler that increases both productivity and user experience,” says Mike Orosz, Citrix’s director of Threat & Investigative Services.


Malicious attackers, though, know astute companies are improving their IAM programs, “so targeted phishing attacks are becoming the norm,” he says. “Joe Schmo in the mail room isn’t being frequently targeted—the CFO is.”

CFOs or other top executives, Orosz says, may have elevated privileges or access to a company’s most sensitive data.

“Phishing attacks are geared at stealing credentials,” he says. “Once credentials are in hand, the thief acts like a legitimate user. Any organization that doesn’t proactively implement the latest technology, policies and procedures to limit access creates the perfect opportunity for an intruder.”

Research company Gartner—which defines IAM as “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons”—says IAM is “a crucial undertaking for any enterprise.”

IAM gives companies an advantage

Enterprises that develop mature IAM capabilities, Gartner says, can reduce their identity management costs and become “significantly more agile” supporting new business initiatives.

IAM improves security “by centrally managing user rights management.” This significantly reduces the risks posed by people accessing applications and sensitive data, Orosz says.

Better IAM and single sign-on (SSO) lessen the risk of shadow IT, he says, because they require all users to go to one team for the provisioning of accounts and access.

A recent Citrix/Ponemon survey of 4,268 IT and IT security practitioners in numerous countries found that baby boomers are more susceptible to phishing and social engineering scams or tend not to know how to protect sensitive and confidential information.

“A very real problem is most baby boomers can’t discern between phishing, social engineering scams and legitimate email information requests,” Orosz says. “This is due to a lack of security awareness.”

Employees must be part of solution

The survey also found that 59 percent of employees and third parties bypass security policies and technologies because they are too complex.

“A lot of people also don’t feel a sense of ownership of the security problem,” Orosz says. “Unless they’re informed and required, many people have bad habits and don’t adhere to security policies.”

Fewer than half of survey respondents say their organization has security policies to ensure employees and third parties only have the appropriate access to sensitive business information.

Security is a team effort

“In most cases, the root cause of poor security practices can be attributed to weak security policies, employee bad habits and out-of-date technology,” Orosz says. “Organizations should work feverishly to assess their risk, fix outdated policies, and come up with a blended solution. Since security is a team effort, effective communication to explain why everyone is responsible and how they can help should be a No. 1 priority.”

The survey showed that many businesses believe their security is outdated, inadequate or too complex, Orosz says.

“Any one of those factors can have a significant negative impact on how secure an organization’s apps and data are,” he says. “If you think about how people work today, they’re on different devices, networks and clouds and need to be able to access their work from anywhere, anytime. But it has to be securely delivered. All these themes directly correlate to IAM and organizational maturity.”

(Contributing writer: Gary Stoller)

(Editor’s note: This article originally appeared on
