Making IAM invisible: accessibility, technology, and new opportunities

Tuesday 26 November, 10:45 am - 11:25 am

Speakers

Aidan Turner

Manager, Identity and Access Management
Downer

Synopsis

PROBLEM STATEMENT

Despite most stakeholders engaging with Identity and Access Management on a daily basis, or perhaps because of it, it can be difficult to mature beyond checkbox-driven compliance and to secure the investment needed to remove the irritation that IAM process and technology can cause.

There is a need to establish an "invisible" IAM program that leverages emerging technology to meet the security risk appetite of the organisations we secure.

DEFINITIONS

Invisible in this context does not mean that stakeholders cannot see or do not interact with IAM processes; it means IAM is embedded in the culture and smooth enough to hide in plain sight.

This presentation will provide insight into how this was achieved in several highly regulated organisations.

PEOPLE & CULTURE

The IAM team must be accessible to the wider business; it is time to come out of the shadows. This goes both ways: a truly embedded security team will understand the realities of business units and remain pragmatic.

Embedding new practices and understanding which controls need uplifting depends on discovering the load-bearing colleagues in each business unit. These people are often unassuming and will be the key to all effective change.

Proactively managing detractors of the change, or of the team itself, and converting them into supportive and positive voices is a key cultural objective.

The IAM team must put effort into understanding what the organisation actually cares about fixing and what level of risk it is prepared to tolerate. It must also understand the step-by-step process by which risk compliance is measured and achieved, since that is where waste can be found and removed and where opportunities for automation appear.

PROCESS IMPROVEMENT

  • Bake compliance activity, such as access certifications, into major identity events: Joiner, Mover, Leaver.
  • Re-evaluate priorities and key risk frameworks. Only report on what matters.
  • Put yourself in their shoes: where are the interactions occurring, and are they valuable?
  • Deliver the first improvements well, and garner trust for more difficult deployments.
  • Offer opportunities for the business to provide feedback.

TECHNOLOGY CONSIDERATIONS

  • Application coverage is key: it must be included in supplier contracts and MSP engagements, and be a priority for business application teams.
  • Never customise if at all possible.
  • Privileged account management must be remediated first. It is higher risk, and tighter controls are easier to justify there.
  • "Lift and shift" guarantees waste -> 5% extra effort in discovery is generally a > 50% return on investment and should be a separate project contingency.
  • Automate the implementation of just-in-time (JIT) access.

HOW TO INTEGRATE AI

  • Connector development for increased application coverage.
  • Incident detection / policy triggers.
  • Recommendations for removing entitlements.
  • Customer identity insights for policy improvement and assessing risk.

AI USE CASES TO AVOID

  • Avoid recommendations for adding entitlements, as they lead to unintended privilege escalation.
  • Never allow external data storage or analysis, as it compromises data protection and sovereignty.
  • Don't treat AI like a platform; treat it like a person, and assess its privileges and access to data accordingly.

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.