Oct 22 2024
Security

Debunking the 3 Biggest Misconceptions of Identity and Access Management

As the National Institute of Standards and Technology updates its Digital Identity Guidelines, it’s worth revisiting a key zero-trust security capability.

The National Institute of Standards and Technology has updated its Digital Identity Guidelines to address new methods of identity and access management (IAM).

NIST’s draft guidance addresses modern digital pathways — such as biometrics, passkeys and user-controlled wallets — as well as more traditional forms of identification, including in-person identity proofing and applicant reference.

The agency gave the public until Oct. 7 to comment on the draft and is using responses to further refine the guidance.

“Everyone should be able to lawfully access government services, regardless of their chosen methods of identification,” said NIST Director Laurie E. Locascio in a statement. “These improved guidelines are intended to help organizations of all kinds manage risk and prevent fraud while ensuring that digital services are lawfully accessible to all.”

As federal identity guidance evolves, let’s examine some of the biggest myths that continue to surround IAM.

Myth No. 1: Small Agencies Can’t Implement IAM

IAM solutions no longer require complex systems and large data centers, nor do they always come with a high price tag that only large agencies can afford. On the contrary, IAM is simple to use and effective, and it remains a smart investment for organizations of any size.

While most agencies have single sign-on (SSO) capabilities and other IAM components internally, some are leveraging options such as Software as a Service–based models. This alternative has broadened the range of choices for IAM solutions.

According to CrowdStrike, “Others have turned to identity as a service (IDaaS), which is a cloud-based subscription model for IAM offered by a vendor. As with any as-a-service model, IDaaS is often a viable option because outsourcing IAM services can be more cost-effective, easier to implement, and more efficient to operate than implementing these services in-house.”

IDaaS is a particularly good IAM choice for small agencies.

A CDW article notes that “IAM is no longer a luxury reserved for the Fortune 500. Instead, it’s now a prerequisite for improving security and employee productivity in every organization, regardless of size.”

Myth No. 2: IAM Prevents Insider Threats Entirely

Think of IAM as human-proofing an organization’s endpoint security, much like a parent would childproof a home. It makes it harder for mistakes to happen, but it doesn’t eliminate the risk altogether. If vulnerabilities do emerge, however, the consequences are likely to be less severe because IAM has prevented a full-scale security breach.

According to Proofpoint, “Identity-centric attacks are a practical calculation by bad actors: Why would they invest their time and resources to build exploits to help them get in through a virtual back door when they can just walk through the front door?”

This is why stolen credentials and phishing are two of the top three ways that cybercriminals infiltrate organizations. In fact, 74 percent of all security breaches are caused by “human actions,” meaning that someone fell for a scam or social engineering tactic.

This is also why IAM succeeds. By helping authenticate users’ true identities, IAM mitigates the risk of security breaches due to human error.

Federal IT leaders looking to achieve cyber resilience should prioritize IAM practices and train employees to spot the signs of a phishing or quishing (QR phishing) scam before it escalates.

“Consider this example,” the CDW article offers. “An employee was out to dinner with his family and knew he was not attempting to access corporate assets, yet he still validated an access attempt through MFA on his smartphone. Only training that increases individual awareness and accountability could have stopped this successful ransomware attack.”

Myth No. 3: IAM Covers All of an Agency’s Zero-Trust Security Bases

IAM is a core tenet of the zero-trust philosophy. It’s an essential step for organizations on a journey toward achieving zero-trust maturity. But using IAM does not mean that an agency has achieved zero trust.

Zero trust is more complicated. It requires that agencies leverage multiple solutions for optimal security at every endpoint within an IT system. These include MFA, SSO, privileged access management, role-based access modeling, automatic account elevation, identity governance, continuous authentication, and user and entity behavior analytics.

“The current IAM marketplace includes multiple vendors and solutions that meet nearly every budget and delivery preference — cloud, hybrid or on-prem,” notes the CDW article. “Don’t let IAM myths keep your organization from advancing your journey toward zero trust with identity security.”
