IAM is at the heart of future-proof secure cloud

October 19, 2022

Just imagine, it’s another day at the office. CEO of CitiRisk Corp, Peter Halls, has messaged his CISO, Chas Thompson, to ask if he can spare five minutes to talk about “an urgent security issue.” Chas calls in to his Senior Systems Architect colleague, Simon Burns, on the way to warn him he might be leaning on him for some status information once he’s spoken to the boss about his concerns.

Simon is responsible for the security aspects of CitiRisk’s recent transition to the cloud. He knows the company inside and out, having worked at CitiRisk longer than anyone else in the team. He builds, modifies and changes everything in CitiRisk’s data center and has ultimate privileged access to all data for the company’s innermost operations.

Peter looks worried as Chas joins him in his office.

PETER: I’ve been hearing about our biggest competitor Consumore this morning; it looks like they’re going to be fined millions of dollars after that data breach last week. It got me wondering about how well we’re protecting our own data.

CHAS: I heard their security measures were badly compromised. But we encrypt all our data and access is really tight, even now we’re in the cloud.

PETER: Yes, but have we done enough?

CHAS: Well, we’re all responsible for security, but Simon set it all up and he makes sure the right measures are in place.

PETER: Just Simon? That sounds a bit risky in itself. Don’t you think we should take a closer look at who is accessing our data and whether we have security blind spots?

Evaluating the blind spots

Chas realizes that Peter’s concerns put the spotlight on CitiRisk’s approach to being secure in the cloud—and, in particular, identity and access management (IAM). Three steps are important if Chas wants to be sure that he’s headed in the right direction to protect CitiRisk’s data—and the business as a whole:

  1. Migrate to the cloud with a security mindset.

    Some companies make the mistake of focusing on the big picture and ignoring the small but essential details. Because authorization is a critical capability in modernizing IT, IAM should be recognized as a fundamental security principle for securing a zero-trust strategy. Chas asks: How do I know who is authorized in our security environment and what’s their level of authorization?

  2. Scale beyond traditional risk assessments.

    Consider the complexity and the number of users involved in your initial cloud migration and ongoing support. Eliminate manual risk and compliance processes, which are not aligned with the speed and automation of the DevSecOps world. Chas asks: How do I know that what I've been told is actually happening, when we’re still looking at our security practices through a legacy compliance lens?

  3. Know where your areas of concentrated risk are.

    Privileged access needs to be managed with cloud-integrated solutions and should be limited to a small subset of your key resources or “super users.” Bear in mind that relying on one individual also introduces risk. Other examples of concentrated risk include device registration processes. Put the focus on low-friction, high-reward processes driven by automation. Chas asks: What happens if Simon leaves or, worse, decides to misuse the data that only he has access to?

You don't know what you don't know

Chas decides to take a moment to make sure he is using the right IAM strategy to protect his organization. He thinks back to the cloud migration they’d just completed. Perhaps they’d looked too closely at the destination rather than the journey. He’d been keen to get rid of the legacy high-risk security posture by deciding not to support older protocols or older security configurations that were known to have exposure. He’d discussed carefully with his team the right way to migrate. And they’d determined where they wanted a wholesale rebuild of their applications and where to upgrade to the latest vendor version. But had he paid enough attention to the balance of speed and security? More to the point, can he be sure the developers are not taking shortcuts which introduce new risks?

He decides to ask Simon and the rest of his team to find the answers to the questions on his mind around authorization, controlled access and concentrated risk.

Interacting securely and easily

After a series of conversations, Chas goes back to see Peter to briefly revisit how security has been part of the company’s cloud journey so far—and to reassure his boss about future-proofing security.

CHAS: I’m glad we spoke about our competitor’s security breach the other day. It’s made me take a pitstop to reflect on our cloud journey and revisit how we’re handling identity and access management.

PETER: I’m glad to hear that. What changes do you recommend?

CHAS: Well, I think first of all we need to modernize our workloads as we migrate data so that they integrate better with current IAM standards. Secondly, I think our introduction of multi-factor authentication could help us “pull applications across” and I’m going to work with Simon and others he’s training up in his team to make that happen.

PETER: Sounds good. Anything else?

CHAS: I think we need to be bigger and bolder in some of our decision making. How do you feel about getting rid of passwords altogether? It could help to simplify user experiences and mean our security is tighter.

PETER: That sounds like a big mindset change for our employees but I support you on that.

CHAS: And I think we should go further and implement a zero-trust strategy. It will mean we’re not just tiptoeing around cleaning up our IAM architecture as part of the migration process but introducing a really robust, authenticated way of working that makes attacks on our systems so much harder in the future.

PETER: All good suggestions, Chas. Let’s put them in motion. I can see identity and access management is both critical and complex to what we’re doing here, so taking a pause to refresh our approach has been a good use of all of our time.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence.

This document makes descriptive reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademarks.

This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative. This document contains fictional company and individual names whose sole purpose is to support and demonstrate a hypothetical situation within an organization.

WRITTEN BY

Gretchen Myers

Cloud Security Principal, Accenture Security