Companies have been developing and executing identity and access management (IAM) strategies for decades. “It started with mainframe time sharing, so nothing is new,” says Jay Bretzmann, program director for security products at IDC. Despite that long experience, there are still opportunities for mistakes, especially when companies are upgrading their IAM platforms to those that can better deal with modern IT deployments.
Here are six ways to tell that a company’s IAM strategy is failing.
1. Users can’t access their applications, but criminals can
The primary goal of an IAM platform is to allow legitimate users to access the resources that they need, while keeping out the bad guys. If the opposite is happening, then something is wrong. According to the latest Verizon Data Breach Incident Report, stolen credentials were the most common attack method last year, involved in half of all breaches and in over 80% of web application breaches.
The first thing that companies usually try to do is move away from simple username and password combinations and add text message one-time passwords, says Bretzmann. This doesn’t help much, he says, and it aggravates users, to boot. “Done right, IAM is more than just single sign-on and multifactor authentication,” he says. “It’s about understanding the variety of users that request access to IT systems and solving their connectivity problems.”