Audio Cast:

Takeaway Points:

• IAM has become the critical fulcrum for business strategy

  • empowers B2E productivity and compliance

  • generates B2C revenue

  • is foundational for security

  • critical for privacy

• It is also THE major attack vector for internal and external adversarial activity

• To that end we have seen the evolution of identity security

• Whilst we see specific controls within the core pillars of IAM (MFA, IGA, PAM, PxP) we also see two overlay models

• Identity Data Risk Management (aka ISPM/IVIP)

• Identity Runtime Risk Management (aka ITDR, behaviour, intent)

• To measure we need to consider covering ALL identity types

• We also need to consider the end to end life cycle taxonomy of the identity

  • from IDV, credential management, authn, authz, storage, monitoring and so on

• From a security point of view as also need to take a end to end approach and consider several different pillars so we can assess, analyse, recommend and iterate on the identity security layers

• What to measure?

  • Visibility - do you know where your identities are located? Who uses them? What systems do they access?

  • Threat analysis - Can you perform continuous risk and threat analysis of your IAM components?

  • Detection - Can you detect runtime behaviour issues or mis-configuration within your identity data?

  • Protection - Are you applying core IAM controls such as MFA, ZSP, JIT and credential rotation?

  • Response - Breaches happen – can you respond effectively and efficiently – incorporating the right systems and teams?

  • Hygiene - Are you removing redundant identities, permissions and policies?

  • Operations - Do you have buy in and strategic direction?

• Take a look at the The Cyber Hut’s Identity Security Scorecard for more information