Aligning executive order with IAM

June 15, 2017

The President’s Executive Order Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, signed on May 11th, 2017, unveils a new era in American cybersecurity education and training. If your organization is to stay ahead of global cyber threats, then implementing the direct changes outlined in the executive order is a good thing for your business.

“The Framework” (a more colloquial name for the NIST-Critical Cybersecurity Framework, or CSF) breaks into five key Functions, each roughly following the other sequentially:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

The progression of these areas is self-explanatory, yet provides a complete framework for rapid deployment of solutions should a system become compromised.

The first two Functions, Identify and Protect, are partially addressed using modern Identity Governance and Administration (IGA) solutions. By utilizing the role and entitlement discovery capabilities of IGA, businesses can efficiently identify assets and access levels, and consequently undertake risk assessment and risk management measures.

With a full assessment of an organization’s risk profile and a risk management plan in place, businesses can apply protective measures. The Framework identifies six core Categories within the Protect Function for federal institutions to focus on:

  • Access Control
  • Awareness and Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology

Access Control is the most fundamental and challenging of the recommended protective Categories and is often implemented through the use of internal databases, servers or cloud systems which store user credentials (including their entitlement access levels to assets). Businesses often deploy authentication technology, through which access is granted to the system, and authorization technology, through which access is granted to an asset.

Implementing a strong access control system can be a formidable task for even the most capable organizations. Adding to the complexity, businesses need to guard against unauthorized remote access while managing segregation of duties, privilege access levels, data management during transfer, and termination.

Effective access control is best executed alongside auditing and data retention policies. With careful management of access control policy and enforcement, many key Framework Functions can be efficiently undertaken using a combination of IGA and IAM products.

At Integral Partners, we are well positioned to help plan and implement all forms of IAM and IGA solutions which integrate with The Framework as part of a strategic security program.

In today’s cybersecurity world, where the stakes of failure are so high, having a concrete plan in place will save costly reconfiguration down the road and ensure your business is protected using the rigorous methodology found at the highest levels of government.