It’s clever and scrutinises your every move
By Tallen Harmsen, head of cyber security at IndigoCube
Integration projects can be a painful experience. But none quite let the terms of endearment ring out like an identity access management (IAM) integration project. It’s a tough job that drills into processes and user roles and behaviours in business units like no other, probably not even ERP.
At the same time there is increasing focus on robust security in a world beset by cyber attacks, hackers, cybercrime, ransomware, malware, cyber espionage, nation state hacking, and even cyber corporate espionage.
Widespread digitalisation, broadband access, and new application development methodologies that cater for new business models also continue to emerge. They focus on cloud computing, distributed cloud storage and analytics, and they increasingly shrink application logic into smaller chunks such as functions-as-a-service (FaaS). Applications today piece these microservices together on-the-fly to provide overall customer experiences such as e-commerce on a website or updating customer details in an app.
These separated functions or microservices, overall business systems, cloud services, users, customers and more have to be authorised to get access to one another. IAM identifies people, systems and services at their point of connection via APIs.
But, when you consider how many there are, it can be a tedium unparalleled to a) get them all working together properly and b) for the people using them to constantly update them. In fact, it’s such a cumbersome process that developers often make these systems and give the different components super-user rights, which is obviously bad for the systems when they go live.
Modern frictionless security provides a solution. It uses new authentication and verification methods that don’t obstruct people from doing their work. Things like biometric authentication or pushing a button to a mobile device that lets a user verify their location on a map are quick and easy to use. There are many and they can be layered, without slowing the user down, to provide much more effective “gateway” security than a username and password.
With machine learning and advanced analytics they go a step further. While older systems would have to be “hard coded” to know what systems you were allowed to use and what you could do with them, new frictionless security is smart. It learns from what you do to figure out what you’re allowed to do. It can also accept bits of “hard coding”. It can learn from your peers. It can establish risk profiles. It can learn from external sources such as databases of known malware or even HR records. And it can constantly update itself.
It can actually become an essential part of the glue of integration projects that frees people up to be able to access systems as they come on stream – verifying only the first time they get on to a new system without any hard coding or role management required.
They also constantly watch so people can do the jobs they need to do, working with the systems as they need to, but always under the watchful eye of the frictionless security systems. Deviate from expected behaviours, profiles, and patterns and the system can take a number of actions. It can lock systems down, users out, or malware down. It can restrict access. It can alert humans or other systems. It can change risk profiles and, at the least, keep a closer eye on proceedings.
Most importantly, it transforms security from a headache for integration teams into an enabling service that manages users for them while maintaining regulatory integrity.