By Elizabeth Snell

December 13, 2016 - Identity access management (IAM) solutions are essential for organizations that are looking to improve their cyber hygiene approach and overall cybersecurity measures, according to a recent Institute for Critical Infrastructure Technology (ICIT) report.

Along with helping to automate cyber hygiene practices, IAM can reduce user fatigue, provide access controls, establish user accountability, institute system auditability, and enable users to mitigate cyberattacks, according to ICIT.

“By securely automating these processes with an IAM solution, organizations gain holistic access controls, user accountability, and system auditability and threat detection,” the report’s authors explain. “By automating these functions with an IAM solution, organizations weaken adversarial attack chains that rely on compromising un-cyber-hygienic personnel.”

ICIT discussed in detail how access controls, user accountability, and system auditability can all be positively impacted by an organization establishing IAM solutions.

With access controls, ICIT explained that adversaries will often try and find the “path of least resistance” to gain access to a system. Users who do not practice good cyber hygiene will often be the weak link at an enterprise, and could inadvertently give a third-party access.

However, IAM can help in this process. For example, IAM solutions mitigate the risk of obsolete password-based access.

“Multi-factor authentication (MFA), an IAM subcomponent, adds a layer of security and access and privilege based control by requiring users to provide extra information or factors in order to access corporate applications, networks, or servers,” ICIT noted. “Consistent and comprehensive authentication policies and applied technologies can eliminate the security gaps that result from asymmetric user privileges and cyber-hygiene levels.”

IAM can also be integrated into existing systems through services that consolidate identities across applications and platforms. This could mitigate password reuse and user cyber-hygiene fatigue, researchers said.

For user accountability, ICIT explained that IAM solutions will validate a user’s identity and “establish an accountability chain that can be used to track suspicious activity and preempt the evolution of incident to breach.”

“IAM solutions, such as MFA, provide a mechanism to hold users legally responsible or to detect and monitor active malicious activity,” the researchers wrote.

System auditability can also improve with IAM solutions, as context-based rules could be created or an organization can generate log information. Furthermore, an organization could be enabled to forensically trace a potential incident.

“Information security professionals can use the information to improve incident response plans, to mitigate system vulnerabilities, to monitor the cyber-hygiene of the personnel base, and to improve cybersecurity awareness and training in response to the hyper-evolving threat landscape,” ICIT stated.

Overall, IAM solutions can help organizations enable users to mitigate cyberattacks from unsophisticated actors and to disrupt and detect attacks from sophisticated attackers. Automated cyber-hygiene best practices, reduced user fatigue, stronger access controls, user accountability, and system auditability are all potential benefits that can help add to stronger cybersecurity measures.

“Through the implementation of robust IAM solutions for all users, systems and networks, organizations can realize virtually immediate improvements to their cybersecurity posture while reinforcing cyber hygiene best practices among personnel.”

For healthcare cybersecurity, IAM solutions can be particularly helpful. Last year, Nicklaus Children's Hospital Director of IT Governance and CISO Alex Naveira told HealthITSecurity.com how it improved its IAM capabilities and implemented options from Courion.

Naveira said that process efficiencies and service levels were impacted, and that employees were able to be efficient immediately.

“The process levels also impacted the financials, because now the automated or provisioning processes are so much more effective that you don’t need to increase your staff,” Naveira explained. “The staff can now focus on more proactive items within the access government’s framework.”

Dig Deeper: