I wanted to create my own Identity Centric Security Framework because I believe the industry has been slow to grasp the changes in security over the last 10+ years, and security organizations are not yet focused on Identity and Access Management as much as they should be. Thanks to the number of audit findings in the IAM space, some organizations are starting to look at IAM in a new way, but with IAM confined to a small box in a legacy framework, it often does not get the focus it deserves. The result is that budgets are usually spread across the "boxes" in the framework or given to the team that shouts the loudest.
This is somewhat surprising given the causes of breaches. If you have ever tried to recover a drive whose boot sector is corrupted beyond repair, you will realize that data has no use unless you can access it. Identity is the starting point of every transaction and access is the ending point. Remember this the next time you are looking to secure a digital crown jewel in your organization and you will already have half a project plan. Nothing leads to more confusion than starting in the middle with networking or some other random point, then grasping for what has been missed. In fact, today I had a chat about a plan to move to identity-based firewalls for application-layer segregation in a large financial organization, and my first thought was that I hope their identity system is up to scratch, or else the project would have a net benefit of zero: an identity-based control can only be as trustworthy as the identity data it makes decisions on.
In no way am I suggesting you ignore the other security disciplines. What I am asking is how much of your security budget is going to IAM, and whether that is proportionate to the level of risk it addresses. Then, given the 4 pillars of IAM, does your organization have enough focus on IAM?
