Now more than ever, it’s critical to evaluate and improve your Identity and Access Management (IAM) practices. Between company-specific software, SaaS, and PaaS solutions, a typical mid-size company can easily have over a hundred applications throughout its business.
Often in these vast environments, employees can easily sign up for new accounts without IT/CISO awareness and begin storing client data or reusing passwords, creating unknown vulnerabilities in a company's security profile. SaaS aside, a company that has legacy systems in place or has been through mergers or acquisitions will likely have user identities for systems not managed by its IT teams.
The chaos that ensues from the sheer number of combinations makes it challenging to keep your environment safe from your biggest security weakness: your employees. Improving your identity and access management needs to be a top priority, and Application Portfolio Management (APM) is a critical place to start.
Identity and Access Management Best Practices
A recent best practices report for Identity and Access Management (IAM) issued by CISA and the NSA lists five IAM threat mitigation techniques:
Identity Governance - Policy-based, centralized orchestration of user identity management and access control that helps support enterprise IT security and regulatory compliance
Environmental Hardening - Makes it harder for a bad actor to be successful in an attack
Identity Federation and Single Sign-On (SSO) - Addresses interoperability and partnership needs centrally and allows centralized management of authentication and access to enable better threat detection and response options
Multi-factor Authentication (MFA) - Uses more than one factor in the authentication process, which makes it harder for a bad actor to gain access
IAM Monitoring and Auditing - Defines acceptable and expected behavior and then generates, collects, and analyzes logs to provide the best means to detect suspicious activity
Each technique requires the IT team to understand its software footprint, which can be achieved with application portfolio management practices.
Application Portfolio Management Practices as a Foundation for Identity and Access Management
Imagine a company that lacks full knowledge of its application inventory. It has MFA enabled for its email systems and has configured Single Sign-On (SSO) for a few SaaS platforms through Active Directory. However, an employee signs up for an account on another SaaS platform using his corporate card and reuses the same password he uses to access an internal legacy system that doesn’t support SSO. Now there is an unmonitored application that the IT department is unaware of, and with it a potential security vulnerability.
Had the company had a clear view of its environment, it could have established more comprehensive IAM practices, preventing these gaps and ensuring all applications—including legacy and unsanctioned SaaS—are properly secured.
That’s where Application Portfolio Management comes in. APM is the process of creating a detailed inventory of all applications in use, categorizing them by purpose, cost, and business value. It identifies key metrics like usage, maintenance needs, and lifecycle status to:
Reveal security concerns, like deficient Identity and Access Management
Discover outdated or redundant applications
Guide decisions on whether to update, consolidate, or retire them
Ensure the portfolio stays aligned with organizational goals
Define the Total Cost of Ownership
Understand your regulatory compliance status
Application Portfolio Management is critical to a company’s overall IT strategy and goes hand-in-hand with optimized Identity and Access Management practices.
Partner with Entech to Improve Identity and Access Management with Application Portfolio Management
A comprehensive APM assessment requires the contributions of stakeholders across the business, application engineering, IT finance, and tech ops. At Entech, we take a strategic, partnership approach to Application Portfolio Management to help our clients improve identity and access management, eliminate redundancies, and inform future investment decisions. Contact us today to learn more about how we can work together.
Eli Faulkner
Entech Chief Technology Officer