Osirium comment: National Institute of Standards and Technology seeks feedback on IAM roadmap
April 2023 by James Nadal, Product Specialist, Osirium
In response to the news that the National Institute of Standards and Technology is seeking public comment on its draft roadmap for identity and access management, James Nadal, Product Specialist, Osirium, offers the following comment.
"IAM is clearly an important part of cybersecurity. It’s good to see the National Institute of Standards and Technology is working on its IAM roadmap, seeking public feedback and acknowledging the need for collaboration, shared intelligence and experience.
It is very important, however, that the role of Privileged Access Management and the way it links with and complements IAM is also given serious consideration and factored into this work. IAM is part of, but not the complete solution for, a modern IT environment.
Some would view IAM as being so critical that it is the central view of truth, delivering a ‘single pane of glass’ to control everything they can do within an organisation by knowing everything about a person’s identity. Somewhat akin to George Orwell’s dystopian view of the future.
But this is an illusion and it quickly breaks down as soon as you realise that you need to take into account what a privilege (or attribute that maps to a privilege) means. Because these privileges are so contextual, the further you are from a device, the further you are from the truth of privilege-based risk.
As a shorthand, being ‘admin’ on a local network switch is not the same as being ‘admin’ on the firewall between your organisation and the Internet, and this must be taken into account."