IAM Questions Your Security Team Should Be Able to Answer

Security teams nowadays need to answer Identity and Access Management (IAM) questions. Can you answer these questions with your current IAM solution?

Why Do Security Teams Have to Answer Identity and Access Management (IAM) Questions? 

Answering these questions used to be somewhat optional in cybersecurity, but with SaaS, the cloud and working from home the network perimeter has broken down, and user access management is the only thing still connecting all of these pieces of your IT infrastructure.

That's why the first step of almost any hack is an attacker taking over a user account.

It is also why SOC2, NIS, ISO27001 and the other standards all stress sound user access management.

It is also why modern approaches to cybersecurity such as Zero Trust talk about "minimizing the identity attack surface", and why the term "identity threat detection and response" (ITDR) was coined last year.

List of Vital IAM Questions

❓ Do you know whether there are still active user accounts in your systems that belong to people that already left the company? Can these people still access your systems?
❓ Do you know who of your employees exactly has administrator rights on your critical servers?
❓ Do you know which employees can access HR data? Financial data?
❓ Do you know which employees can commit fraud by both submitting and approving contracts?
❓ Which leavers still have accounts lying around?
❓ Who has administrator rights on your critical servers?
❓ How many active user accounts have never logged in?
❓ Which people can both submit and approve contracts?
❓ Who can access privacy-sensitive employee data?
❓ Which guest accounts exist?
❓ Which app integrations exist?
❓ Are there users without MFA?
❓ Are there users with outdated passwords?
❓ What accounts have not been used for quite some time?
❓ How many groups do we have? 
❓ How many groups are empty? 
❓ Which users are not assigned to any group?
❓ Who has which license?
❓ Who has which roles? 
❓ Which employees are granted a specific role?
❓ Who has been granted permission X through their roles?
❓ How do we design a new role?
❓ Which roles overlap? 
❓ Which users actually adhere to your access policies?
❓ What is the state of your identity data quality?
❓ Which robot (service) accounts are still active?
❓ Which users belong to more, or different, groups than their peers?
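As an added example that is not part of the original post or of Elimity's product, the Python below answers several of the questions above over a constructed directory export; the record fields, the HR-sourced "employed" flag, the role names and the thresholds (90 days dormant, 180 days password age, the peer-outlier rule) are all assumptions.

```python
from datetime import date
from collections import Counter

TODAY = date(2024, 1, 31)  # constructed reference date for the sample data

# Constructed sample export (not real data); "employed" is assumed to come from HR.
ACCOUNTS = [
    {"id": "alice", "dept": "finance", "employed": True, "enabled": True,
     "last_login": date(2024, 1, 29), "mfa": True, "pw_set": date(2023, 12, 1),
     "groups": {"fin-all", "erp-users"}, "roles": {"contract_submit"}},
    {"id": "bob", "dept": "finance", "employed": True, "enabled": True,
     "last_login": date(2024, 1, 30), "mfa": True, "pw_set": date(2023, 6, 1),
     "groups": {"fin-all", "erp-users", "erp-admins"},
     "roles": {"contract_submit", "contract_approve"}},
    {"id": "carol", "dept": "finance", "employed": False, "enabled": True,
     "last_login": date(2023, 9, 15), "mfa": False, "pw_set": date(2023, 1, 10),
     "groups": {"fin-all"}, "roles": set()},
    {"id": "svc-backup", "dept": "it", "employed": True, "enabled": True,
     "last_login": None, "mfa": False, "pw_set": date(2022, 3, 3),
     "groups": set(), "roles": {"server_admin"}},
]
ALL_GROUPS = {"fin-all", "erp-users", "erp-admins", "legacy-vpn"}

def audit(accounts, all_groups, today=TODAY, dormant_days=90, pw_max_days=180):
    """Answer several of the IAM questions above; thresholds are assumptions."""
    active = [a for a in accounts if a["enabled"]]
    f = {}
    f["leavers_still_active"] = [a["id"] for a in active if not a["employed"]]
    f["never_logged_in"] = [a["id"] for a in active if a["last_login"] is None]
    f["dormant"] = [a["id"] for a in active if a["last_login"]
                    and (today - a["last_login"]).days > dormant_days]
    f["no_mfa"] = [a["id"] for a in active if not a["mfa"]]
    f["old_password"] = [a["id"] for a in active
                         if (today - a["pw_set"]).days > pw_max_days]
    # Segregation of duties: one person may not both submit and approve contracts.
    f["sod_conflict"] = [a["id"] for a in active
                         if {"contract_submit", "contract_approve"} <= a["roles"]]
    used = set().union(*(a["groups"] for a in accounts))
    f["empty_groups"] = sorted(all_groups - used)
    f["no_group"] = [a["id"] for a in active if not a["groups"]]
    # Peer outliers: groups held by fewer than half of the account's department.
    f["peer_outliers"] = {}
    for dept in {a["dept"] for a in active}:
        peers = [a for a in active if a["dept"] == dept]
        counts = Counter(g for a in peers for g in a["groups"])
        for a in peers:
            extra = sorted(g for g in a["groups"] if counts[g] * 2 < len(peers))
            if extra:
                f["peer_outliers"][a["id"]] = extra
    return f
```

Each list in the returned dictionary is one answer a reviewer can act on (disable, re-certify, or remove); in practice the records would be loaded from the directory and HR exports rather than embedded.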

Challenges in Answering IAM Questions

Navigating user access data in IAM frameworks presents challenges for organizations due to its complexity. There are many reasons why this is hard: 

👉 Organisations have small security teams
👉 Organisations lack the needed expertise
👉 No budget for an Identity Governance and Administration (IGA) solution
👉 Too much technical data
👉 Limited reporting from the current IGA suite

Time-consuming IAM processes and budget constraints slow down establishing strong identity governance. Popular IGA suites, while extensive, often lack comprehensive cybersecurity reporting, leaving gaps in assurance for highly mature companies.

Prove That You Are In Control of Your Users and Their Access

How to prove that you are in control

👉 8 categories of identity indicators
👉 How to choose the right indicators
👉 Indicators based on the ISO27001 framework
[Webinar] How to Achieve Mature Access Governance Within Days

Join Elimity's Webinar on January 31st, 2023! 
In this session, Elimity CEO, Maarten Decat, will give an overview of the essentials of user access governance and will showcase how this approach is successfully applied in practice by industry leaders such as Securitas, the Belgian Railroads and Federale Assurances.
