Accelerating AI Adoption: The Imperative of Robust Identity and Access Management

In today’s rapidly evolving technological landscape, organizations are increasingly seeking innovative ways to integrate artificial intelligence (AI) into their business processes. The rise of generative AI technologies has prompted companies to explore diverse use cases, driving the demand for cloud infrastructure. As a result, the global cloud computing footprint is expanding at an unprecedented rate. However, with this growth comes significant challenges, particularly in the realm of security.

The Cloud Security Alliance has consistently highlighted identity and access management (IAM)-related risks as one of the top threats to cloud computing. A recent survey by the Identity Defined Security Alliance revealed that a staggering 84% of large organizations experienced an identity-related breach in the past year. Despite advancements in IAM tools and platforms—many of which incorporate AI and analytics—access management remains a critical priority for security practitioners. Here, we explore best practices for organizations to enhance their IAM strategies and bolster their security posture.

Centralize IAM

Centralizing the management of identities and associated entitlements is paramount for organizations. By integrating the sign-on process for various applications through a unified platform, companies can provide a seamless user experience while alleviating password fatigue. A centralized IAM approach offers numerous benefits, including:

• Unified Visibility: IT administrators gain a comprehensive view of all identities and their access rights, enabling better management and quicker responses to cyber threats.
• Enhanced Security: Centralization facilitates the consistent implementation of security policies, allowing organizations to understand user behavior and improve compliance.
• Reduced Administrative Overhead: A single platform streamlines access management, reducing the complexity and time required for administrative tasks.

For both small businesses and large enterprises, ensuring that access to specialized applications is integrated with the central IAM platform is crucial for maintaining security and efficiency.

Implement Phishing-Resistant MFA

Phishing and social engineering remain leading causes of ransomware attacks and data breaches. Cybercriminals often find ways to steal unique codes required for system access, in addition to passwords. To combat this threat, organizations should proactively implement phishing-resistant multi-factor authentication (MFA) techniques.

Traditional code-based MFA methods can be vulnerable to attacks, making it essential to adopt more secure alternatives. Popular phishing-resistant MFA techniques include:

• WebAuthn: A web-based authentication standard that enhances security by using public key cryptography.
• PKI-based Authentication: Utilizing public key infrastructure to verify identities without relying on easily compromised codes.

Major cloud service providers, such as AWS and Azure, offer capabilities to implement phishing-resistant MFA. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) recognizes these techniques as the gold standard for protection against phishing and mandates their use as part of a zero-trust strategy.

Minimize the Cloud Unknown

A recent report from MIT Technology Review revealed that over 50% of organizations have been attacked through unknown or unmanaged assets. These assets can include unused virtual machines, shadow IT creations, or any cloud resources established outside approved channels. Such unknown assets often lead to unidentified identities and privileges that attackers can exploit.

To mitigate this risk, organizations must achieve complete visibility of their cloud environments, including identities and entitlements. This includes:

• Inventory Management: Keeping track of all assets, including non-human identities like service accounts, applications, secrets, tokens, and bots.
• Rigorous Monitoring: Ensuring that all identities, especially those introduced by AI technologies, are managed and monitored with the same diligence as human identities.

Back to IAM Basics

As organizations grow in size and complexity, they may overlook essential IAM processes. Regularly reviewing access authorizations is critical to maintaining security. This review should not be a mere formality; it requires a thorough evaluation of access entitlements to detect privilege creep.

Key considerations for access reviews include:

• Comprehensive Scope: Reviews should encompass all identities, including non-human accounts and access to sensitive resources like source code repositories and secret vaults.
• Automation: Automating key processes such as account provisioning, deprovisioning, and access reviews can significantly reduce human error, which is often a leading cause of cyber incidents.

Integrating the centralized IAM platform with the organization’s human resource management system (HRMS) can streamline the offboarding process for employees, ensuring that access rights are promptly revoked. Additionally, automating periodic access reviews helps ensure that all entitlements align with job responsibilities.

Cultivating a Security-Aware Culture

Beyond deploying sophisticated IAM solutions, organizations must foster a strong security-aware culture. Basic IAM hygiene practices are essential for minimizing risks. Companies should adhere to the principle of least privilege, track all identities, monitor usage, and conduct regular entitlement reviews.

Given the significant number of IAM-related root causes behind data breaches and cyber incidents, operationalizing IAM governance processes effectively is crucial. A well-managed IAM landscape serves as the foundation for a robust cybersecurity posture, enabling organizations to navigate the complexities of the digital age with confidence.

In conclusion, as organizations continue to embrace AI and cloud technologies, prioritizing identity and access management is not just a best practice; it is a necessity. By centralizing IAM, implementing phishing-resistant MFA, minimizing unknown assets, revisiting IAM fundamentals, and cultivating a security-aware culture, companies can significantly enhance their security posture and safeguard their digital assets.

About the Author: Varun Prasad is the Vice President of the ISACA San Francisco Chapter and a member of ISACA’s Emerging Trends Working Group. His expertise in cybersecurity and IAM strategies positions him as a thought leader in the field, helping organizations navigate the complexities of modern security challenges.