Cyber Defense Magazine: Identity and Access Management (IAM) for Breach Prevention
April 20, 2018
Recently, Herjavec Group VP of Identity and Access Management, Ketan Kapadia, spoke to Gary S. Miliefsky from Cyber Defense Magazine about the importance of strong Identity and Access Management (IAM) practices for a stronger cybersecurity program in organizations. As the article states, "IAM is becoming a hot topic in the infosec area and the consensus is that many successful breaches have been enabled by poor IAM hygiene."
Read the full article from CDM’s Gary Miliefsky below:
As you may recall, I've been keeping a keen eye on Robert Herjavec and Herjavec Group (HG) as an innovator in the Managed Security Service Provider (MSSP) space, starting with my exclusive interview and coverage of Robert Herjavec, which is available online.
I've enjoyed watching Robert and HG evolve. What I've learned from watching Robert over time is that he knows how to bring in the right people at the right time. Asa leader, you look for the best you to surround yourself with. In this case, with Identity and Access Management (IAM) becoming a very hot topic in the INFOSEC arena and the consensus that many successful breaches have been enabled by poor IAM hygiene, Robert knew he had to help enterpises fix this problem. Enter IAM executive, Ketan Kapadia, Herjavec Group's VP of Identity and Access Management and keep reading for my recent interview with him about HG's initiatives in the IAM space.
Ketan Kapadia is Herjavec Group's Vice President of Identity & Access Management. He is an accomplished, results-driven executive with experience in information security, consulting, product management, and Identity Management and Access Governance. As VP of IAM at Herjavec Group, Ketan is responsible for driving the direction and delivery of HG's Identity Services which include: Assessment, Design, Deployment and IAM Managed Services. Prior to joining Herjavec Group, Ketan founded Aikya Security Solutions Inc; he also held an executive role as the Director and Chief Architect at Aveksa (acquired by RSA Security LLC). So, who better to speak with about leveraging IAM to stop breaches than Ketan?
My first question for him is about the state of security. Why are there so many breaches after we've seen a plethora of new products and technologies hit the market to help organizations defend against the next cyber threat?
Why is IAM So Important in 2018 and Beyond?
"Gary, your readers need to know what we've discovered at Herjavec Group and it's simply astonishing - most organizations think that security hygiene is based on firewalls, virtual private networks, patch management, vulnerability management and running the latest antivirus products - the reality is that Identity and Access Management is the epicenter of security."
"What is the commonality in most cases of cybercrime and data theft? We need to start putting people and their corporate-network centric identities at the center of the breach problem - this is all about best practices in IAM, which has been missing from the equation;' Ketan told me in our interview.
This was very interesting to me so we dug deeper into his view and their findings. He told me that most organizations haven't created the best practices model for IAM. For example, onboarding users need to get the right access at the right time for the right role. As organizations evolve - shrink, grow, change, we see dynamics in user roles that should follow users. What happens when someone leaves the organization? How do you ensure access is taken away? There's a lot of interesting things we come across showing that the need is to focus on the root that the identity is the central point - then it's about the hygiene of the identity. According to Ketan, "the right person should have the right access at the right time ... this is more than just working with IT - it's about getting a process in place and making sure human resources (HR) is also actively involved in IAM."
I also asked Ketan to give me the Herjavec Group definition of IAM because there's so much buzz about it and so many folks confusing other terms such as proxy access management, privileged access management, single sign-on and access governance frameworks. He gave me the best answer and simply one word ... it's all about "IDENTITY". This is the core of IAM.
Anything an IDENTITY touches, whether it has privileged access to a server or with the shifting landscape in mobile and loT - it's really about a user and all access by that IDENTITY i.e. that "carbon life form': Who you are as a USER and what you have access to - such as devices, network resources, databases, applications, servers, and services.
What is the Best Way to Get Started with IAM Best Practices?
"We like to start out with an IAM assessment. Before deploying our full-service offering in this area, it's best to help the clients understand their strengths and weaknesses at Identity and Access Management. In many cases, as part of the assessment, our clients have complex regulatory compliance issues to deal with and how people are granted access.
As in most organizations, we find too many manual processes with a lot of hands-on work, day to day crunching of info but without having a third party like Herjavec Group taking an independent view, most organizations don't notice where there are dropping the IAM ball - for example, we usually find that HR needs a better user onboarding and offboarding process where they and IT can work together hand in hand. We find this and many other issues to help ensure that best practices will be in place quickly for when someone changes a role or leaves the organization and these credentials won't be left in place as a window of vulnerability.
Depending on the organization size, it takes typically 6-8 weeks for a solid IAM assessment. We outlined the existing use cases, challenges, processes, gaps and we came up with best practices IAM plan on risk reduction, security posture improvements, and regulatory compliance improvements. We easily find their pain points and phase in the implementation in digestible bite sizes in a strategic roadmap so clients can move towards best practices in IAM without business disruption."
"At Herjavec Group, when it comes to JAM deployment for our customers, we're vendor agnostic and help point out what processes, tools and techniques are best for them. We do a gap analysis from a vendor agnostic approach to accommodate customer specific use cases. Often, it's a multivendor playground with different solutions for different gaps we find," Ketan pointed out.
On being an IAM MSSP Innovator
Starting fresh from an MSSP perspective, I was wondering if HG would do something innovative in the IAM space and they are - the first to offer remote services as IAM managed services which is bleeding edge in the MSSP space. "In most cases, as a trusted advisor and MSS partner, we can handle access management remotely. We're overseeing the IAM platform 24x7, troubleshooting challenges and offering configuration support," said Ketan.
"We leverage our Security Operations Centers (SOC) for analysis and triage and find that a unique differentiator we offer to clients who have both Security Information and Event Management (SIEM) and IAM Managed Service is that doing both improves visibility and triage significantly. We have the ability to look deeper into the IDENTITY of the user and contextually drive additional information from a SIEM event. For example, based on what we see with this person, they really shouldn't have this access - taking a proactive approach and granular monitoring. Often these issues are usually not visible for most organizations up front which leads to a reactive model rather than a preventative model. We offer tremendous value by having the right visibility across SIEM and IAM .... better data to drive to the right closure," he said.
Do the Boards and C Level Executives Understand the Need for IAM Yet?
"We've reached an inflection point, where the cybersecurity hygiene is becoming a Board level discussion and IAM is finally making it onto the radar at the Board and C level. It's a great time for us to provide this offering from a perspective of being an assessor, a trusted advisor and a partner of these companies. We don't tell them what to do, we help them discover what tools and technologies will fit their business processes to deploy IAM optimally for security and compliance."
My Conclusion: Now is the Best Time for an IAM Assessment by Herjavec Group
From my research and what we've learned from Herjavec Group, 'bad' IAM hygiene is a general problem across all markets making it easy for cybercriminals to steal the data from the inside-out, behind the corporate firewall. This is a glaring weak spot in most vertical market sectors which is why we read about breaches, data theft and lost personally identifiable information (PII) records, every day. These growing breaches might have been stopped more proactively, if best practice in Identity and Access Management had already been in place at these victim organizations. Therefore, having an IAM Assessment is a must for all organizations, no matter the size or the industry. The key is to have it done by a third party you can trust who has years of experience providing an independent view and expertise. By using the right tools, the right processes and governance, we can start to get one step ahead of the next breach. Now is the time to look into doing IAM the right way. If you are interested in an IAM assessment by one of the most trusted names in the MSSP space, please email firstname.lastname@example.org and tell them you found out about this very compelling offering from Cyber Defense Magazine.
View the full issue of Cyber Defense Magazine here.