Identity and Access Management: Where Security and Operations Meet

In the wake of massive data breaches caused by user credential theft, identity and access management (IAM) has become one of the most important tools in the CSO’s toolbox.

By Ken Ammon · May. 23, 16 · Opinion

But in reality, IAM has been a tried-and-tested tool in the Chief Security Officer's toolbox for decades, used to improve IT operations and compliance as well as IT security. The focus and use cases have merely shifted over time, in particular toward the privileged user and his or her access and activity.

The U.S. government has rightly been promoting the use of both multi-factor authentication, through personal identity verification (PIV) credentials, and privileged access management (PAM).

One example of the government's move to promote PAM is a memorandum from the Office of Management and Budget (OMB) which, among its many recommendations, tightens policies and procedures for privileged users and is a driving requirement of the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program. Its recommendations include:

  • Tighten privileged user policies, practices, and procedures
  • Inventory and validate privileged account scope and numbers
  • Minimize the number of privileged users
  • Limit functions that can be performed when using privileged accounts
  • Limit the duration that privileged users can be logged in
  • Limit the privileged functions that can be performed using remote access
  • Ensure that privileged user activities are logged and regularly reviewed

These considerations give agencies an effective way to identify high-risk privileged users and accounts.
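Several of the recommendations above (inventory and validate privileged accounts, limit session duration, limit privileged functions over remote access, log and review privileged activity) can be turned into a concrete review script. The following is an added example, not code from the article, the OMB memorandum or the CDM program: the account inventory, the pipe-delimited log format, the sample log lines, the internal network prefixes, the two-hour session limit and the list of remote-blocked commands are all constructed assumptions.

```python
"""Review privileged-account activity against an approved inventory.

Added example; it is not code from the article, the OMB memorandum or
the CDM program. The inventory, the log format, the sample log lines and
the policy limits below are constructed assumptions for illustration.
"""
from datetime import datetime, timedelta

# Approved privileged accounts and their owning team (constructed).
PRIVILEGED_INVENTORY = {
    "root": "platform-team",
    "dba_admin": "db-team",
    "svc_backup": "ops-team",
}

# Assumed limits: longest permitted privileged session, and privileged
# functions that must not be run over a remote (non-internal) connection.
MAX_SESSION = timedelta(hours=2)
REMOTE_BLOCKED_COMMANDS = {"useradd", "visudo", "iptables"}
INTERNAL_PREFIXES = ("10.", "192.168.")

# Constructed audit log; fields are ts|account|event|src_ip|detail.
SAMPLE_LOG = """\
2016-05-20T08:00:00|root|login|10.1.2.3|tty1
2016-05-20T08:05:00|root|cmd|10.1.2.3|systemctl restart nginx
2016-05-20T11:30:00|root|logout|10.1.2.3|-
2016-05-20T09:00:00|dba_admin|login|203.0.113.7|ssh
2016-05-20T09:02:00|dba_admin|cmd|203.0.113.7|visudo
2016-05-20T09:10:00|dba_admin|logout|203.0.113.7|-
2016-05-20T10:00:00|svc_backup|login|192.168.5.9|cron
2016-05-20T10:30:00|svc_backup|logout|192.168.5.9|-
2016-05-20T12:00:00|jdoe_adm|login|10.9.9.9|ssh
2016-05-20T12:01:00|jdoe_adm|cmd|10.9.9.9|useradd mallory
"""


def parse_log(text):
    """Parse the pipe-delimited log into dicts, one per event."""
    events = []
    for line in text.strip().splitlines():
        ts, account, event, src, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "event": event, "src": src, "detail": detail})
    return events


def is_remote(src_ip):
    """Treat anything outside the assumed internal prefixes as remote access."""
    return not src_ip.startswith(INTERNAL_PREFIXES)


def review(events, inventory=PRIVILEGED_INVENTORY, max_session=MAX_SESSION):
    """Return (finding, account, detail) tuples for a reviewer to work through.

    Checks: accounts used with privilege that are outside the inventory,
    sessions longer than the limit (or never closed within the log window),
    restricted privileged functions executed over remote access, and
    inventory entries that show no activity (candidates for removal).
    """
    findings = []
    open_sessions = {}      # account -> login time
    flagged_unknown = set()
    seen = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        acct = e["account"]
        seen.add(acct)
        if acct not in inventory and acct not in flagged_unknown:
            flagged_unknown.add(acct)
            findings.append(("unknown_privileged_account", acct, e["ts"]))
        if e["event"] == "login":
            open_sessions[acct] = e["ts"]
        elif e["event"] == "logout":
            start = open_sessions.pop(acct, None)
            if start is not None and e["ts"] - start > max_session:
                findings.append(("session_too_long", acct, e["ts"] - start))
        elif e["event"] == "cmd":
            cmd = e["detail"].split()[0]
            if is_remote(e["src"]) and cmd in REMOTE_BLOCKED_COMMANDS:
                findings.append(("privileged_cmd_over_remote", acct, e["detail"]))
    for acct, start in open_sessions.items():
        findings.append(("session_not_closed", acct, start))
    for acct in inventory:
        if acct not in seen:
            findings.append(("inventory_account_unused", acct, None))
    return findings


if __name__ == "__main__":
    for kind, acct, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:30} {acct:12} {detail}")
```

On the constructed log this flags `dba_admin` running `visudo` from a remote address, a `root` session of three and a half hours, and `jdoe_adm`, which is both absent from the inventory and still logged in at the end of the window. The point of the inventory check is the "scope and numbers" recommendation: any account that can do privileged work but is not on the list is itself a finding, whatever it did.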

PAM Tips Beyond OMB Recommendations

These developments and others show that the government is heading in the right direction on PAM. More importantly, the private sector understands the benefits of PAM, because privileged users, or at least their credentials, are recognized as a high-risk factor.

The convergence of IAM into a SecOps (security and operations) practice establishes a more holistic approach to IT management.

Here are a few additional PAM best practices, not directly spelled out in the OMB recommendations, that highlight this:

  • PAM has to be about more than just security; it has to fit into everything an organization does in its day-to-day operations. It begins with policies defining which systems privileged users can access to do their jobs, and what level of privilege is really needed for them to carry out their tasks.
  • PAM must enable user identification and authentication. Organizations need procedures that positively identify users. Doing so allows administrators to control the credentials used to access a system, apply multi-factor authentication, control shared accounts so that their use is still attributable to a person, and strengthen background checks and identity proofing.
  • Authentication and access control must be separate: proving who a user is must not, by itself, grant access to resources. This means taking a "zero trust" approach and segmenting the network so that an attacker who obtains one set of credentials cannot gain broad access to resources.
  • In addition to preventing unauthorized access, organizations also need monitoring procedures that oversee user sessions, log-ins, and behavior on the network.
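The second and third practices above, positive identification with multi-factor authentication and shared-account control, and access control decided separately from authentication, are easiest to see as a per-request policy decision. The following is an added example written for this page, not code from the article or from any PAM product: the session fields, the resource-to-zone map, the policy tables, the set of shared accounts and the sample sessions are all constructed assumptions.

```python
"""Authentication and access control as separate decisions.

Added example; it is not code from the article or any PAM product. The
session fields, the zone map, the policy tables and the sample sessions
below are constructed assumptions used to illustrate the practices above.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """What the identity provider asserts once a user has authenticated."""
    principal: str                  # the positively identified person
    account: str                    # account in use; may be shared (e.g. root)
    mfa: bool                       # True if a second factor (e.g. PIV card) was used
    checked_out_by: Optional[str] = None   # set when a shared account is checked out


# Constructed resource-to-zone map; zones stand in for network segments.
ZONE_OF_RESOURCE = {"db-prod-01": "prod-db", "web-prod-02": "prod-web",
                    "ci-runner-3": "dev"}
PRIVILEGED_ZONES = {"prod-db", "prod-web"}
SHARED_ACCOUNTS = {"root", "dba_admin"}

# Constructed policy: which principal may perform which functions in which zone.
# Being authenticated grants nothing that is not listed here.
ALLOWED = {
    "alice": {"prod-db": {"query", "restart"}},
    "bob": {"prod-web": {"restart", "read-logs"}, "dev": {"deploy"}},
    "carol": {"dev": {"deploy", "read-logs"}},
}


def authorize(session, resource, action):
    """Decide one request; returns (allowed, reason).

    Authentication is taken as already done (the Session exists). Every
    rule below is an access-control decision made per request, per resource.
    """
    zone = ZONE_OF_RESOURCE.get(resource)
    if zone is None:
        return False, f"unknown resource {resource}"
    # Segmentation: a valid login does not reach zones the principal has no role in.
    permitted = ALLOWED.get(session.principal, {}).get(zone)
    if permitted is None:
        return False, f"{session.principal} has no access to zone {zone}"
    # Limit the functions that may be performed, even inside a permitted zone.
    if action not in permitted:
        return False, f"{action} not permitted for {session.principal} in {zone}"
    # Privileged zones require a second factor, not just a password.
    if zone in PRIVILEGED_ZONES and not session.mfa:
        return False, f"zone {zone} requires multi-factor authentication"
    # Shared accounts must be attributed to the person using them.
    if session.account in SHARED_ACCOUNTS and session.checked_out_by != session.principal:
        return False, f"shared account {session.account} not checked out by {session.principal}"
    return True, f"{session.principal} may {action} {resource} as {session.account}"


# Constructed sessions for the scenarios a reviewer would want to see.
ALICE_PIV = Session("alice", "dba_admin", mfa=True, checked_out_by="alice")
BOB_PASSWORD = Session("bob", "root", mfa=False)
BOB_PIV_NO_CHECKOUT = Session("bob", "root", mfa=True)
CAROL = Session("carol", "carol", mfa=False)


def demo():
    """Return the decision for each sample scenario, keyed by a short label."""
    return {
        "alice restarts prod db": authorize(ALICE_PIV, "db-prod-01", "restart"),
        "alice reaches prod web": authorize(ALICE_PIV, "web-prod-02", "restart"),
        "alice drops prod db": authorize(ALICE_PIV, "db-prod-01", "drop"),
        "bob with password only": authorize(BOB_PASSWORD, "web-prod-02", "restart"),
        "bob with piv, no checkout": authorize(BOB_PIV_NO_CHECKOUT, "web-prod-02", "restart"),
        "carol deploys to dev": authorize(CAROL, "ci-runner-3", "deploy"),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}: {reason}")
```

Alice's session is fully authenticated with a second factor, yet it is still denied outside her zone and for a function she is not entitled to; Bob is denied once for lacking a second factor and again, with a second factor, for using `root` without checking it out under his own name. That is what keeping authentication and access control separate looks like in practice: the login proves identity, and each request is then judged on its own.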

Security for the Application Economy

No single security solution will be 100 percent effective. But by implementing these suggestions, adopting the proposed NIST guidelines, and recognizing the relationship between security and operations, CSOs and CIOs can chart a course for success for securing their organizations and optimally running their businesses.

SecOps is just two-thirds of the story for security in the application economy. Secure application development is another must-have for app economy success. A topic for discussion another day.

Is your organization viewing IAM, and in particular privileged access management, as a holistic security and operations initiative? If not, you could be missing out on critical benefits and an easier path to justifying the investment.

Published at DZone with permission of Ken Ammon, DZone MVB.