I think therefore IAM: It's not cool, it's not sexy, but it's one of the most important and difficult areas in modern IT

2021-06-08 08:30

Even in a modestly complex organisation one could argue that IAM is not only one of the most important IT and security tasks in the business, but also one of the most difficult.

In such companies IAM is a significant job: in my 450-person day-job business, for example, there are two staff members who solely do IAM and others who also touch on it from time to time.

The hardest question to answer in IAM is: "What applications does X have access to, and what permissions do they have within those applications?".

An effective IAM specialist needs to understand applications, design procedures, analyse, agree and write RBAC definitions, police the IAM fulfilment process, produce reports despite there being no off-the-shelf reporting solution, carry out reviews, address inconsistencies and verify the remediation work, interface with and provide data to auditors... alongside an ongoing regime of continuous improvement.

These are all skills that can be applied in IAM - whether it's for automating the provisioning and deprovisioning of user access to systems, scripting the extraction of access data from applications for reporting, building a relational database for that data to live in so it's easy to query in a reporting tool, devising algorithms for calculating whether a user's login has lain unused for too long.

Employers: don't under-skill your IAM function or it'll end in tears through failed audits or exploitation of vulnerabilities caused by poor access provisioning and deprovisioning.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/06/08/iam/

#IAM