AMaaS: Managing the New Perimeter

November 1, 2022

Considering the current breadth of devices, endpoint locations and network complexities, identity has been dubbed the "New Perimeter" — ousting its long-held title, the "Network's Edge." But with the rapid propagation of remote work, managing this New Perimeter has also grown exponentially more complex, an issue compounded by new use cases and policy exceptions.

Keeping up with novel tunnels, security gaps, network policies and user types during the pandemic meant that the identity and access management (IAM) domain had to move faster than most organizations’ policies and processes could handle, often adding more manual steps to the IAM lifecycle. Now that the dust has settled a bit, we can see the IAM mess inherited by InfoSec managers, security engineers, security analysts and, ultimately, CISOs.

Especially given the ongoing talent shortage, modernizing your network perimeter is a daunting endeavor to handle solo. You don’t have to go it alone. Read on for expert insights and recommendations to help you manage your identities and focus on the road ahead.

Priming Your Access Management Journey

Eventually, you may be given the task of simplifying, maturing and uplifting your access management (AM) program. Knowing where to start can be challenging, so before ripping out or standing up another system, we recommend keeping the following insights in mind:

  1. Identities are everywhere and used by everyone, so a "simple" change can propagate to many different team members in unknown ways.

  2. Evolving AM isn't a project; it’s a journey with ups and downs that require planning and budgeting. Each journey has protagonists, antagonists, setbacks and milestones. Identifying each via conversation and working sessions will help keep you proactive and moving forward.

  3. Understanding your core processes (Joiner, Mover, Leaver) beforehand will help you start your journey on the right foot, ensuring early design decisions are less impactful during the implementation phase and reducing rework.

  4. It’s not realistic to change your authorization processes overnight. Optiv organizational change management (OCM) experts have watched many clients with this mindset fail to roll out successfully due to shelfware, low enrollment, low buy-in and an inability to transition planned applications and processes.

  5. Identify what framework/standard and controls to follow while ensuring you don’t open your organization up to legal scrutiny. Optiv's default standards align with the National Institute of Standards and Technology (NIST) and can be hardened to meet various regulations. Meeting the NIST standards lessens the legal ramifications of potential breaches by satisfying the "due diligence" and "due process" clauses of many security policies.

  6. Identity modernization requires a change in day-to-day functions, and often many are resistant to adopting new processes. Thankfully, Optiv's agile change transformation (ACT) experts can step in to help with planning, communications and training.

  7. Throughout the journey, it's essential to plan with the law of diminishing returns in mind. To demonstrate what success looks like early on, start with the applications that offer the most ROI, hold the most sensitive data or are business critical.

Access Management as-a-Service

Identity and access management impacts every user that interacts with your network, cloud, SaaS applications and company resources. Because the journey to maturation affects how team members log in to systems with a password, including MFA and application sign-on policies, it’s very visible and labor intensive. Additionally, it can make or break the onboarding process and/or keep your company's name off the audit findings list due to disjointed offboarding processes. This reinforces the benefit of having a seasoned team of experts to lean on as you expand and secure your IAM initiatives.

Access Management as-a-Service (AMaaS) deploys identity experts to help launch the AM portion of your program in the right direction. First, AMaaS boosts your security posture by meeting up to 40% of the access controls outlined in NIST. This not only helps mature your processes, but can act as Phase 0 of your Zero Trust journey and set your company up for a true passwordless experience.

Other base components of a trusted AMaaS include:

  • A single universal directory for all your identities
  • Single sign-on (SSO) for up to three applications
  • Potential automation of your user lifecycle processes
  • Opening your IAM processes to APIs with the latest standards and processes
  • Documentation of applications, processes and data flow
  • An OCM plan to ease the impact of change on team members
  • Multi-factor authentication (MFA) for applications or Passthrough MFA
  • Help desk training on new process flows
  • Alignment with up to 40% of the access controls defined by NIST
  • The foundation for a solid IAM program

Based on a given organization’s unique operations and requirements, AMaaS engagements are typically customized from this foundation. The graphic below represents an AMaaS process from end to end.

[Image: AMaaS process from end to end (CP&I_Access-Management_AMaaS_Blog-internal-image_v2.jpg)]

At the end of the day, a solid AMaaS provider leverages teams of skilled and experienced engineers with vendor partner relationships to manage its clients’ AM platform and processes. Most importantly though, it should grant you peace of mind so you can refocus your internal teams on more pressing operational priorities.

Jesse Johnson
TECHNICAL MANAGER | OPTIV
Jesse Johnson is a Technical Manager in Optiv’s Access Management (AM) practice. He has a master's in information systems and a bachelor's in computer science, coupled with a decade of experience in software development within the IAM domain, focusing on IGA, AM and SOX auditing processes. His experience includes architecting, project planning, engineering, deploying and post-deployment customer satisfaction on projects of varying complexity levels. Jesse's role is to lead access management implementation teams in recommendations, advising and use-case solutioning. He also partners with clients to enhance their AM processes and security platforms.

Optiv Security: Secure greatness.™

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.