6 Features to Look for in an IAM Solution


If you want to protect your company from account takeover attacks, establish secure boundaries for your most critical data, and prevent privilege creep, you need an identity and access management (IAM) solution. Best-of-breed IAM technologies will have the following six features, so if you’re in the market for a new IAM deployment, here’s what to look for:

1. Multi-Factor Authentication (MFA)

MFA should be the bedrock of any IAM solution. Whenever someone logs in with stolen credentials or from an unfamiliar device, the MFA component of your IAM solution should require a second factor before it grants access: a one-time password, a hardware security key, or a biometric, in whatever combination your policy specifies. A stolen password on its own should never be enough.

MFA is very effective if deployed correctly, but 53 percent of companies haven’t adopted it yet. Many worry that they don’t have the right IT infrastructure to deploy it; others worry that it will become a roadblock, putting cumbersome login barriers in front of employees who are trying to log in legitimately.

These are valid concerns, but they are no excuse for choosing an IAM solution without built-in MFA. Even if you’re not yet sure how to configure it, some defense is better than none, and the other features below help compensate for gaps in your MFA rollout while you widen its coverage.

2. Dynamic Password Management

Static passwords, like the one you type to log in to your work computer and productivity apps, don’t do you much good on their own. A static password is reusable: once it has been phished, guessed, or leaked in a breach, it works for the attacker for as long as it stays unchanged, and most users won’t change it until they are forced to.

Dynamic passwords that change every time you log in are different. When you get a password prompt from your computer, you open a mobile app that generates a one-time password, valid only for the current time window (typically 30 seconds), and type it in. It’s a bit less convenient than a static password, but the security upside is massive: a code captured today is useless tomorrow. One caveat to keep in mind is that a real-time phishing proxy can relay a freshly entered code, so one-time passwords belong alongside device binding or phishing-resistant factors such as hardware keys, not in place of them.
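The one-time passwords described above are normally time-based OTPs (RFC 6238): a counter derived from the clock is fed through HMAC, and the server accepts the result only for the current window. The block below is an added example written for this article, not code from the original page or from any vendor; it uses the RFC 6238 reference key as a constructed demo secret, and the replay rule (never accept the same time step twice) is the check a practitioner would want but that the paragraph does not spell out.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown by most authenticator apps

# Constructed demo secret: the RFC 6238 reference key "12345678901234567890"
# in base32, the form an authenticator app is provisioned with. Never reuse it.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_unix: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at_unix // step, digits)


class TotpVerifier:
    """Server-side check: accept a code from the current step or its neighbours
    (clock skew), compare in constant time, and never accept the same step twice."""

    def __init__(self, secret_b32: str, step: int = STEP_SECONDS, window: int = 1):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.step = step
        self.window = window
        self.last_accepted_counter = -1   # highest time step already consumed

    def verify(self, code: str, at_unix: int) -> bool:
        now_counter = at_unix // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if counter <= self.last_accepted_counter:
                continue                  # replay of an already-used step
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("current code for the demo secret:", totp(DEMO_SECRET_B32, now))
```

The verifier remembers the highest time step it has accepted, so a code that was phished and replayed a few seconds later is rejected even though it is still inside the skew window; a real deployment stores that counter per user alongside the secret.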

3. Role-Based App Access and Privileges

An accountant probably doesn’t need access to your organization’s application development environment, and even if they genuinely do, it’s probably a one-time need. Your IAM solution needs to handle both cases:

First, it needs to streamline access management by letting you assign team members to roles. If you hire an accountant, you should be able to pick an “accountant” role from a drop-down menu within your IAM solution and have it grant access to email, productivity apps, and accounting software, and nothing else.

Second, if an employee needs temporary access to a resource they ordinarily don’t use, you should be able to grant privileges that expire automatically at a set time. Your accountant may legitimately need access to development tools but won’t need it forever. Since about 80 percent of breaches involve privileged accounts, letting unneeded privileges expire automatically, rather than relying on someone to remember to revoke them, vastly reduces your attack surface.
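Both halves of this requirement fit in one small policy engine: standing permissions come from roles, and temporary permissions come from grants that carry an expiry and are ignored once it passes. The block below is an added example for this article, not a product’s code; the role catalogue, permission names, and the ticket reference are constructed, and the 24-hour cap on temporary grants is an assumed policy, not something the article specifies.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role catalogue: permission strings are illustrative, not a real product's.
ROLE_PERMISSIONS = {
    "accountant": {"email:use", "office:use", "ledger:read", "ledger:write"},
    "developer":  {"email:use", "office:use", "repo:read", "repo:write", "ci:run"},
}

MAX_TEMPORARY_TTL = timedelta(hours=24)   # assumed policy cap on any just-in-time grant


@dataclass
class Grant:
    permission: str
    expires_at: datetime      # timezone-aware UTC
    reason: str               # ticket or approval reference


@dataclass
class Principal:
    name: str
    roles: set
    grants: list = field(default_factory=list)


class AccessPolicy:
    def __init__(self, role_permissions):
        self.role_permissions = role_permissions
        # Every permission some role grants; anything else cannot be granted at all.
        self.known_permissions = set().union(*role_permissions.values())

    def effective_permissions(self, principal, now):
        perms = set()
        for role in principal.roles:
            perms |= self.role_permissions.get(role, set())
        for g in principal.grants:
            if g.expires_at > now:          # expired grants contribute nothing
                perms.add(g.permission)
        return perms

    def is_allowed(self, principal, permission, now):
        return permission in self.effective_permissions(principal, now)

    def grant_temporary(self, principal, permission, ttl, reason, now):
        """Add a time-boxed grant; refuses unknown permissions and over-long lifetimes."""
        if permission not in self.known_permissions:
            raise ValueError(f"unknown permission {permission!r}")
        if ttl <= timedelta(0) or ttl > MAX_TEMPORARY_TTL:
            raise ValueError(f"ttl must be within (0, {MAX_TEMPORARY_TTL}]")
        grant = Grant(permission, now + ttl, reason)
        principal.grants.append(grant)
        return grant

    def purge_expired(self, principal, now):
        """Housekeeping: drop expired grants and return how many were removed."""
        before = len(principal.grants)
        principal.grants = [g for g in principal.grants if g.expires_at > now]
        return before - len(principal.grants)


if __name__ == "__main__":
    now = datetime(2020, 6, 1, 9, 0, tzinfo=timezone.utc)
    policy = AccessPolicy(ROLE_PERMISSIONS)
    alice = Principal("alice", {"accountant"})
    policy.grant_temporary(alice, "repo:read", timedelta(hours=4), "CHG-1042", now)  # constructed ticket id
    for hours in (1, 5):
        t = now + timedelta(hours=hours)
        print(t.isoformat(), "repo:read allowed:", policy.is_allowed(alice, "repo:read", t))
```

Because every check is evaluated against the current time, revocation needs no background job: the grant simply stops counting the moment it expires, and `purge_expired` only tidies the record for auditing.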

4. Risk Management

Your IAM system should act as an adjunct to your incident response program. With hundreds of employees logging in per day, it effectively serves as a record of every authentication attempt, intrusion attempts included. If you experience a breach, your IAM logs should let you correlate malicious login attempts with malware activity or data loss, which means they need to be retained and exported to wherever the rest of your security telemetry lives. To help catch intrusions early, your system should alert you to bursts of failed logins, access attempts from unknown devices, and other activity indicating that an account has been compromised.
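The alerting described above is a few rules run over the authentication log. The block below is an added example for this article, not any product’s detection logic: the log line format, the sample events, and the device enrolment records are all constructed, and the threshold of five failures in five minutes is an assumed tuning value. It flags a burst of failures, a success on a device the user never enrolled, and a success that immediately follows a burst, which is the pattern of a password-spray or brute-force attempt that worked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: the line format is illustrative, not a real product's schema.
SAMPLE_LOG = """\
2020-06-01T09:00:01Z user=alice ip=203.0.113.5 device=laptop-a7 result=SUCCESS
2020-06-01T09:01:10Z user=bob ip=198.51.100.9 device=win-unknown result=FAIL
2020-06-01T09:01:25Z user=bob ip=198.51.100.9 device=win-unknown result=FAIL
2020-06-01T09:01:41Z user=bob ip=198.51.100.9 device=win-unknown result=FAIL
2020-06-01T09:01:58Z user=bob ip=198.51.100.9 device=win-unknown result=FAIL
2020-06-01T09:02:13Z user=bob ip=198.51.100.9 device=win-unknown result=FAIL
2020-06-01T09:02:30Z user=bob ip=198.51.100.9 device=win-unknown result=SUCCESS
2020-06-01T09:05:00Z user=carol ip=203.0.113.77 device=phone-c2 result=SUCCESS
2020-06-01T09:07:12Z user=alice ip=203.0.113.5 device=laptop-a7 result=FAIL
2020-06-01T09:07:20Z user=alice ip=203.0.113.5 device=laptop-a7 result=SUCCESS
this line is not an authentication event
""".splitlines()

# Constructed enrolment records: devices each user has registered with the IAM system.
ENROLLED_DEVICES = {"alice": {"laptop-a7"}, "bob": {"laptop-b3"}, "carol": {"laptop-c1"}}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"device=(?P<device>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Return a dict for a well-formed auth event, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines, enrolled_devices, fail_threshold=5, window=timedelta(minutes=5)):
    """Stream events in order and emit (kind, user, detail, timestamp) alerts."""
    alerts = []
    recent_fails = defaultdict(deque)   # per-user sliding window of failure times
    burst_flagged = set()               # users already alerted for the current burst
    for ev in map(parse_line, lines):
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        fails = recent_fails[user]
        while fails and ts - fails[0] > window:
            fails.popleft()             # forget failures older than the window
        if ev["result"] == "FAIL":
            fails.append(ts)
            if len(fails) >= fail_threshold and user not in burst_flagged:
                burst_flagged.add(user)
                alerts.append(("failed_login_burst", user, ev["ip"], ts))
            continue
        # A success: check the device, then whether it closed a burst of failures.
        if ev["device"] not in enrolled_devices.get(user, set()):
            alerts.append(("unenrolled_device", user, ev["device"], ts))
        if len(fails) >= fail_threshold:
            alerts.append(("success_after_burst", user, ev["ip"], ts))
        fails.clear()
        burst_flagged.discard(user)
    return alerts


def run_demo():
    return detect(SAMPLE_LOG, ENROLLED_DEVICES)


if __name__ == "__main__":
    for kind, user, detail, ts in run_demo():
        print(f"{ts.isoformat()} {kind:20} user={user} {detail}")
```

On the sample, bob trips all three rules while alice’s single typo followed by a success from her enrolled laptop produces nothing, which is the balance you want: noisy enough to catch the takeover, quiet enough that the on-call engineer keeps reading the alerts.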

5. Security

One principle of security is that there are some things – like customer data, healthcare records, financial data and intellectual property – that require higher levels of security than others. Your IAM solution protects the entire organization, but it must also provide heightened security for these critical assets.

Heightened security might include encryption of those assets at rest and in transit; step-up authentication, such as a fresh MFA prompt or an additional password check, before anyone views sensitive information; more sensitive alerting on failed login attempts against that information; and even the ability to automatically lock down entire databases in the event of a suspected attack.

6. Cloud-based

On-premises solutions don’t fully cover your workforce, since 85 percent of companies permit BYOD. A cloud-based IAM solution can broker access to enterprise applications from personal devices that never touch the corporate network.

In addition, enterprises are increasingly dispersed. Employees are likely to work in branch offices, in satellite departments around the world, on client sites, and remotely from home. On-premises IAM solutions are hard to extend to these workers without exposing the identity infrastructure itself, whereas cloud solutions let you provision employees anywhere in the world.

Lastly, with on-premises solutions, in-house IT personnel are responsible for patching, upgrades, and availability, adding considerably to their workload. SaaS solutions are mostly maintained by the vendor. Switching to a SaaS IAM platform can therefore strengthen your security while decreasing the workload of your infosec department, provided you vet the vendor first: a hosted identity provider holds the keys to everything behind it, so its security posture and your own configuration of it deserve the same scrutiny as any internal system.

Putting it All Together

When considering an IAM solution, choose carefully. You need a cloud-based platform with MFA, dynamic passwords, granular alerting, role-based access, and more. Since most data breaches result from compromised accounts, opt for the strongest IAM solution available – one that includes all of these features as must-haves.

Author Bio:

Gerry Grealish is Chief Marketing Officer at Ericom Software. He is a security industry veteran, bringing over 20 years of Marketing and product experience in cybersecurity and related technologies. Responsible for Marketing and Business Development, Gerry previously was at Symantec, where he was responsible for the Go-To-Market activities for the company’s Network Security portfolio. Prior to Symantec, Gerry was at Blue Coat, which he joined as part of Blue Coat’s acquisition of venture-backed CASB innovator, Perspecsys, where he was CMO.

Copyright © 2020 IDG Communications, Inc.