Why Knowing Your IAM Maturity Level Is Crucial

This article provides a comprehensive explanation of Identity & Access Management (IAM), covering everything from basic concepts to the significance of maturity assessment. It also introduces the IAM services that NTT DATA provides to customers worldwide. It is a must-read for anyone who wants to understand the complexities of IAM or is looking to improve their organization's IAM maturity.

What Is IAM?

Identity and Access Management (IAM) is a crucial security domain that encompasses various technologies and business processes. Its primary objective is to guarantee that authorized individuals and devices can access necessary assets at appropriate times and for legitimate reasons, thereby preventing unauthorized access and fraud. IAM includes processes and systems for managing and controlling digital identities and their access to resources. The key components of IAM involve user authentication, authorization, and the management of user roles and permissions.

NTT DATA has launched a globally unified cybersecurity strategy to provide comprehensive support to organizations worldwide (*1). One of the 15 globally unified technology domains within this strategy is Identity & Access Management (IAM). We consider IAM a critical part of the strategy and aim to provide enhanced, comprehensive services to our customers in this area.

Figure 1: Services we provide from strategy to operations and incident response

Importance of IAM

IAM is crucial for several reasons. Firstly, it enhances security by ensuring that only authorized users can access sensitive information and systems, thereby reducing the risk of data breaches and cyber-attacks. Secondly, it helps organizations comply with regulatory requirements by providing the necessary access control mechanisms and audit trails. This is particularly important in industries subject to strict data protection standards and regulations such as ISO 27002 and GDPR, or that have adopted a Zero Trust approach.

Thirdly, by automating and streamlining access management processes, IAM can reduce administrative overhead and minimize the risk of human error. Additionally, IAM enhances user experience by enabling seamless and secure access through single sign-on (SSO) and multi-factor authentication (MFA). Lastly, IAM aids in risk management by providing visibility and control over who has access to what resources, enabling organizations to proactively identify and mitigate potential security risks.

IAM plays a critical role in managing the lifecycle of digital identities within an organization. This lifecycle management is essential for maintaining a secure and efficient operational environment.

Figure 2: Overview of security regulations

Challenges of IAM

Despite its importance, IAM presents several challenges. One major challenge is the complexity of implementing and maintaining an IAM system, especially in large organizations with diverse IT environments and legacy systems. Integrating IAM solutions with existing systems and applications can be particularly difficult.

Keeping up with regulatory changes and ensuring that IAM practices align with legal requirements can also be challenging, with non-compliance potentially resulting in significant penalties and reputational damage. A notable example is the record fine of £183 million imposed on British Airways for a data breach after GDPR regulations came into force (ultimately reduced to £20 million, considering factors such as the company’s swift response, the economic impact of COVID-19, and a reassessment of the initial calculation) (*2). Under GDPR, companies can be fined up to 4% of their annual global turnover or €20 million, whichever is higher. Therefore, it is crucial to understand various aspects of IAM from the initial stages and continuously monitor and update your IAM system to maintain compliance.

In other words, it is not only important to understand the various aspects of IAM listed in Table 1, but also necessary to continuously check and update the IAM system so that it remains effective and compliant with evolving standards.

| Aspect | Main considerations |
|---|---|
| Proofing | Consider the methods for verifying users' identities and registered attribute information when creating accounts on the service. The identity proofing methods should align with the security risks and user convenience of the provided service. Options range from online self-declaration to in-person verification with identification documents. |
| Life Cycle Management | Examine the requirements and mechanisms for managing user accounts from creation to deletion, as well as the distribution and collection of account information to and from peripheral systems. Also, consider the structure, types, and management policies of user identifiers. Effective management is expected to combine tasks performed by operators, automated system processes, and user self-service appropriately. |
| Authentication | Review the authentication methods to confirm that access is performed by the actual user. This includes identifying security threats (such as phishing and credential stuffing) and adopting the necessary authentication methods. Depending on the countermeasures needed, consider multi-factor authentication, risk-based authentication, and support for FIDO2 (WebAuthn). |
| Federation | Identify the systems that require authentication and determine the need for single sign-on, single logout, and the user attribute information to be shared between systems at authentication time. Pay attention to the connection requirements for linking authentication results to systems (e.g., connection paths to systems and the protocols available for linking authentication results). Available protocols for linking authentication results include OpenID Connect and SAML. |
| Authorization | Organize the access control models the systems need, such as restricting system access based on user roles and attributes and allowing access to system resources based on user consent. Also, consider the mechanisms for verifying these access controls. |

Table 1: Examples of Aspects to Consider for IAM (*3)

Why Knowing Maturity Is Important

The relationship between IAM and IAM maturity is akin to the relationship between a system and the quality of its implementation. IAM provides the framework for managing identities and access, while IAM maturity measures how well this framework is implemented and managed within an organization. Higher IAM maturity indicates that an organization has more effective, automated, and compliant IAM practices in place, which translates to better security, efficiency, and regulatory compliance.

For example, Identity Governance and Administration (IGA) is a framework for managing user identities and access permissions, ensuring compliance with policies and regulations through identity lifecycle management, access authentication, and policy enforcement. When our IAM maturity stages are used to evaluate IGA, companies with low maturity levels will find that they have only basic identity governance and access management in place, and that the identity lifecycle of internal and external employees is managed only to a certain extent. In contrast, companies with high maturity levels manage all accounts and permissions comprehensively, have strengthened governance and an improved user experience, and have established processes for anomaly detection and automated provisioning. In this way, our IAM maturity stages help companies clearly distinguish between low and high maturity levels.

Figure 3: Our Concept of IAM Maturity in IGA

Understanding the maturity level of your IAM system is essential for addressing challenges effectively. By knowing the maturity level, organizations can compare themselves to industry standards and best practices, identifying gaps and areas for improvement. Grasping IAM maturity allows for strategic planning and roadmap development, helping to prioritize investments and resources to enhance system maturity.

A maturity framework can help you identify gaps in your IAM status and track progress over time, which is invaluable for continuous improvement. It both paves the way for implementing specific services and solutions tailored to your organization's needs and ensures a robust and effective IAM system.

Our Services

NTT DATA's global team includes over 500 IAM professionals with both deep expertise and experience delivering services to numerous customers. We have developed an assessment tool that adheres to current regulations, enabling us to deliver high-quality, rapid maturity evaluations for our customers.

Figure 4: Our Concept of IAM Maturity Assessment Framework

Examples of international standards and regulations for maturity assessments:

We help organizations comply with relevant frameworks such as ISO27002, NIST SP800-53r5, CIS Controls, GDPR, HIPAA, and the Zero Trust approach, which govern digital identity protection.

| Standard/Regulation | Country | Industry | Description |
|---|---|---|---|
| ISO27002 | International | All industries | Guidelines providing best practices for information security management. Supports the ISO 27001 framework and helps in the implementation and operation of Information Security Management Systems (ISMS). |
| NIST SP800-53r5 | US | Government and other organizations | Guidelines for security and privacy controls for information systems and organizations. Mandatory for US federal agencies; provides detailed directives to enhance security measures. |
| CIS Controls | International | All industries | Guidelines summarizing cybersecurity best practices, designed to help organizations prioritize and implement the most critical security actions. Covers a wide range of security measures from basic to advanced. |
| GDPR | EU | All industries | Regulation on personal data protection in the EU. Applies to all companies operating within the EU and handling data of EU citizens, imposing strict rules on data collection, storage, and use. |
| HIPAA | US | Healthcare | US law aimed at protecting medical information. Applies to healthcare providers, health insurance companies, and related businesses, establishing regulations to protect patient privacy and ensure the security of medical information. |

Table 2: List of Standards and Regulations

High-Level IAM assessment:

We conduct assessments in various areas, focusing on different aspects of the digital identity lifecycle, the user experience of the products in use, and the functions that implement security policies. This includes verifying that segregation of duties is enforced and that a Role-Based Access Control model is in place to optimize and secure user access.
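The Life Cycle Management and Authorization rows of Table 1 and the segregation-of-duties and Role-Based Access Control points in the paragraph above describe controls without showing how they fit together. The following Python sketch is an added example, not NTT DATA's assessment tool or any product's code: a joiner/mover/leaver identity store that makes role-based authorization decisions, enforces one segregation-of-duties (SoD) rule on every role assignment, keeps an append-only audit trail, and runs an access-certification pass that reports drift such as conflicting roles introduced outside the workflow. Every role, permission, SoD pair and user name is constructed sample data.

```python
"""Joiner/mover/leaver lifecycle with role-based authorization, a
segregation-of-duties (SoD) rule and an access-certification pass.
Added example, not NTT DATA's assessment tool; every role, permission,
SoD pair and user name below is constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed RBAC catalogue: role -> permissions it grants
ROLE_PERMISSIONS = {
    "finance-clerk": {"invoice:create"},
    "finance-approver": {"invoice:approve"},
    "viewer": {"invoice:read"},
}
# Constructed SoD rule: no single identity may hold both roles of a pair
SOD_CONFLICTS = {frozenset({"finance-clerk", "finance-approver"})}


class SodViolation(ValueError):
    """An assignment would give one identity conflicting roles."""


@dataclass
class Identity:
    user_id: str
    roles: set = field(default_factory=set)
    active: bool = True


class IdentityStore:
    def __init__(self):
        self.identities = {}
        self.audit_log = []  # append-only trail of lifecycle events and access decisions

    def _log(self, event, **details):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **details})

    @staticmethod
    def sod_conflicts(roles):
        """SoD pairs (as sorted tuples) fully contained in the given role set."""
        held = set(roles)
        return [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held]

    def _assign(self, identity, roles):
        """Replace roles; reject unknown roles and SoD conflicts before anything changes."""
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        conflicts = self.sod_conflicts(roles)
        if conflicts:
            self._log("sod_rejected", user=identity.user_id, conflicts=conflicts)
            raise SodViolation(f"{identity.user_id}: {conflicts}")
        identity.roles = set(roles)

    def onboard(self, user_id, roles):
        """Joiner: create the account with its initial roles."""
        if user_id in self.identities:
            raise ValueError(f"{user_id} already exists")
        identity = Identity(user_id)
        self._assign(identity, roles)  # nothing is stored if the assignment is rejected
        self.identities[user_id] = identity
        self._log("onboard", user=user_id, roles=sorted(roles))

    def change_roles(self, user_id, roles):
        """Mover: replace, not accumulate, so old entitlements do not linger."""
        identity = self.identities[user_id]
        before = sorted(identity.roles)
        self._assign(identity, roles)
        self._log("change_roles", user=user_id, before=before, after=sorted(roles))

    def offboard(self, user_id):
        """Leaver: deactivate and strip every role in one step."""
        identity = self.identities[user_id]
        identity.active = False
        identity.roles.clear()
        self._log("offboard", user=user_id)

    def is_authorized(self, user_id, permission):
        """RBAC decision: an active account holding a role that grants the permission."""
        identity = self.identities.get(user_id)
        allowed = bool(identity and identity.active and any(
            permission in ROLE_PERMISSIONS[r] for r in identity.roles))
        self._log("access_decision", user=user_id, permission=permission, allowed=allowed)
        return allowed

    def certify(self):
        """Access-certification pass: findings a reviewer should act on."""
        findings = []
        for identity in self.identities.values():
            if not identity.active and identity.roles:
                findings.append((identity.user_id, "inactive account still holds roles"))
            for pair in self.sod_conflicts(identity.roles):
                findings.append((identity.user_id, f"SoD conflict {pair}"))
        return findings


def demo():
    """Walk the lifecycle on constructed users and return the store for inspection."""
    store = IdentityStore()
    store.onboard("alice", {"finance-clerk"})
    store.onboard("bob", {"finance-approver"})
    try:
        store.change_roles("alice", {"finance-clerk", "finance-approver"})  # SoD rejects
    except SodViolation:
        pass
    store.identities["bob"].roles.add("finance-clerk")  # constructed drift bypassing the checks
    store.offboard("alice")
    return store
```

Calling `demo()` and then `certify()` on the returned store reports the conflicting roles that the direct edit gave "bob", while the workflow path refused the same combination for "alice" and recorded the refusal in the audit trail. The point of the certification pass is that enforcing a rule at assignment time is not enough: an assessment also needs a periodic review that catches entitlements that arrived outside the workflow, and an offboarding that removes roles in the same step as deactivation so that no dormant account keeps its permissions.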

Furthermore, our method is highly flexible and can meet every customer's needs. The framework is composed of different modules, each focusing on the main aspects of various components of the IAM infrastructure (IGA, PAM, AM, CIAM). This allows the customer to concentrate on specific platforms as needed.

Figure 5: Definition of IGA, AM, PAM, CIAM

Core functionality assessment:

Some evaluation perspectives for Identity Governance & Administration (IGA)

  • Onboarding, offboarding and change management for user identities, including provisioning and deprovisioning tasks (Identity Lifecycle Management)
  • Access Certification
  • Access Request and Approval

Some evaluation perspectives for Privileged Access Management (PAM)

  • Password Vault
  • Session Management
  • RTA

Some evaluation perspectives for Access Management (AM)

  • SSO
  • Federation
  • Passwordless authentication

Some evaluation perspectives for Customer Identity & Access Management (CIAM)

  • MFA
  • Anti-Fraud
  • Social integrations

From the evaluation, we provide a clear stage chart to visualize the maturity gaps in IAM systems from multiple perspectives. This insight is crucial for planning further IAM implementations.

Our assessments result in remediation plans for any identified gaps or weaknesses. Whichever type of assessment you choose, NTT DATA's global team will use its proven skills to create a plan tailored to your security and business requirements and provide specific implementation methods.

Conclusion

In today's world, with a wide variety of devices and the prevalence of telework, implementing an IAM system is no longer optional. In such a dynamic environment, it is essential to accurately understand the status of your IAM system and continuously improve it in line with evolving laws and regulations. Understanding the maturity of your IAM system is paramount in achieving this.

NTT DATA aims to help customers quickly understand their IAM system's status and provide actionable improvement plans. This article comprehensively covers the fundamentals of IAM, its importance, the challenges faced, and the significance of maturity assessments.
Additionally, it details the overview and features of the IAM services provided by NTT DATA, which we hope will assist our customers in identifying and addressing gaps in their IAM systems to ensure secure and effective protection of critical resources.

Yu Shiqian

NTT DATA Group Corporation

Since joining the company, she has worked on implementing products such as SASE and EDR that help customers achieve zero trust in their IT environments. She is currently responsible for global strategy and service planning in OT/IoT security, automotive security, and IAM.