IBM InterConnect 2015 is right around the corner. This is always an opportunity for organizations from around the world to share, collaborate and recommend strategies to secure the new era of computing. This year, chief information security officers and identity and access management (IAM) leaders are turning their attention to the digital identity as a security weak link and, specifically, the human interactions across the enterprise and in the cloud. Many organizations are embarking on bring-your-own-digital-identity strategies, while others are relying on silos of enterprise identities and context awareness to secure authorized access to enterprise applications and data on a need-to-know basis. Organizations need to evolve their IAM infrastructure to secure authorized access to their crown jewels that reside in the distributed and mainframe environments while enabling themselves to leverage the new era of the cloud and mobile computing.
At this year’s conference, IBM will share the evolving threat landscape and the following three key considerations to strengthen IAM programs in 2015:
1. Digital Identity Needs to Become a Security Control
By compromising an authorized user’s digital identity and intruding upon his or her access with common vulnerabilities and attacks, attackers gain the quickest path to the enterprise’s crown jewels: data. Today’s Web access management systems authenticate and authorize user access while letting the Web content flow through without security checks. In order to defend the enterprise against targeted attacks and session takeovers, Web access management systems need to evolve to become aware of security threats and vulnerabilities. They cannot turn a blind eye.
2. Identity Context Is Essential for Fraud and Insider Threat Prevention
The rapid cloud, mobile and social transformations continue to erode the traditional security perimeter as we know it. This results in multiple perimeters around the enterprise resources, business partner interactions and cloud-based services. For example, mobile employees’ extranet access resembles that of an end consumer. Outsourced IT employees administer business-critical assets with privileged access from remote locations. Traditional, static access definitions need to evolve to use identity context such as user, device and transactional attributes to help ensure legitimate users have access and fraudulent user activities are prevented.
3. Identity Governance and Analytics Are Required Elements for Enterprise Risk and Compliance Management
Organizations today have siloed and customized IT-driven identity management to govern the access of their employees, contractors and partners and help support their regulatory compliance posture. This offers opportunities for the enterprise users to be productive while introducing ways for the business to be compromised in the new era of computing. Audit and risk teams alike continue to demand answers to seemingly simple questions: Who is doing what, where and from how many points of access? Business-driven identity management with a focus on identity governance and real-time identity and access analytics can help answer these questions and enable better decision-making and detection of anomalous behavior to audit, providing enterprise-wide security risk management.
Figure 1: IBM Threat-Aware Identity and Access Management
Director, Strategy and Product Management