4 Tough IAM Questions from Auditors: Are You Ready for Today’s Compliance Audit?

Identities have become today’s keystone: an enterprise’s operational system only works when they work. Identities are central to most data access in modern security architectures, and yet are often vulnerable to breaches and undesired changes, accidental or malevolent.

This is why IAM resilience has become a requirement for security professionals today. IAM resilience is the ability of an organization to recover from a disruption in access to its Identity and Access Management (IAM) environment. Common IAM disruptions include cyber attacks and administrative errors.

Given the critical nature of identities, security practitioners often try to protect their IAM environments by backing them up with custom-built scripts. However, those scripts are frequently never tested, so nobody knows whether they will work in an emergency. A company that relies only on untested scripts for its IAM backup has an unproven Business Continuity and Disaster Recovery (BCDR) plan that is likely to fail when it is needed most.

Backups are easy, restoring is hard, migrating to another tenant is even harder, and migrating to another IdP is the hardest.

Many auditors are wising up to the dangers and risks posed by today's lack of IAM protection. The following questions can help you assess the practical usefulness of an organization's BCDR plan for identities.

Questions Auditors Are Asking

ONE:
Are backups actually occurring?

Because many scripts are untested, many organizations may erroneously believe they are reliably backing up enough of their identities to recover from DR scenarios.  

Auditors are now looking for evidence of successful backups and asking more detailed questions about those backups, such as:

  • How often are the backups occurring?
  • What process and tools are being used for the backup and restore?
  • How are organizations managing the security and integrity of those backups?
  • How are organizations rolling back failed changes?

Many auditors are looking for alerts on backup failures or audit reports as evidence of successful backups.

TWO:
Have backups been tested with a restore?

A backup is only as useful as its ability to return an organization to a functional state. Auditors are getting savvier about digging into whether a backup can actually restore end-user functionality, not just whether a backup file exists.

Unfortunately, as our resilience specialists have analyzed various IAM environments, we have found that many IAM backups silently omit interdependent properties, relational links (for example, group memberships and role assignments), and undocumented rules when restoring. Often those gaps can only be discovered by actually restoring to a test tenant.

Some questions auditors are asking around backup testing include:

  • How often are backups tested?
  • How long does it take to restore minimal viable functionality of the Identity Provider (IdP) and dependent applications? Full functionality?

THREE:
Are the backups practically useful?

Many IAM backups can only back up and restore the entire system (a database-level or VM-level restore). This type of backup is only practically useful in the most catastrophic cases.

In many cases, only a portion of an IAM environment is affected by a disruption. For example: what if an errant script removes access for 20% of your users? In this case, a full restore could be more disruptive than a manual reconstruction, because it would also roll back every legitimate change made to the other 80% since the backup was taken.

Auditors are questioning the usability of backups with questions like these:

  • Do you have capabilities for a partial backup and restore of your identities?
  • What is the disaster recovery plan for situations involving only a portion of your database?
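The two points above (a restore that must carry the relational links, and a restore that touches only the affected identities) are easier to reason about with a concrete object-level backup. The following is an added example, not code from this article or from MightyID; it uses a hypothetical, IdP-neutral JSON export shape (users, groups with members, role assignments) and a constructed sample tenant, and it models the "errant script" as a bulk delete that the IdP cascades to group memberships and role assignments. It verifies the export's integrity against a stored digest, detects which users drifted from the backup, and re-creates only those users together with their links, leaving accounts on-boarded after the backup untouched.

```python
"""Object-level IAM backup: integrity check, drift detection, partial restore."""
import hashlib
import json
from copy import deepcopy

# Constructed sample export (not a real tenant) in an assumed IdP-neutral shape.
# Groups and role assignments are the "relational links" that a user-only
# export would silently drop on restore.
BACKUP_SNAPSHOT = {
    "users": {
        "u1": {"name": "alice", "enabled": True, "mfa": True},
        "u2": {"name": "bob", "enabled": True, "mfa": True},
        "u3": {"name": "carol", "enabled": True, "mfa": True},
        "u4": {"name": "dave", "enabled": False, "mfa": False},
    },
    "groups": {
        "g-finance": {"members": ["u1", "u2"]},
        "g-admins": {"members": ["u3"]},
        "g-all-staff": {"members": ["u1", "u2", "u3", "u4"]},
    },
    "role_assignments": [
        {"principal": "u1", "role": "finance-reader"},
        {"principal": "u2", "role": "finance-approver"},
        {"principal": "u3", "role": "global-admin"},
    ],
}


def canonical_digest(snapshot: dict) -> str:
    """SHA-256 over canonical JSON; store this in a manifest beside the export."""
    blob = json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def verify_backup(snapshot: dict, expected_digest: str) -> bool:
    """Refuse to restore from an export whose digest does not match the manifest."""
    return canonical_digest(snapshot) == expected_digest


def user_links(snapshot: dict, user_id: str) -> dict:
    """Every group membership and role assignment that points at one user."""
    groups = sorted(g for g, spec in snapshot["groups"].items()
                    if user_id in spec["members"])
    roles = sorted(a["role"] for a in snapshot["role_assignments"]
                   if a["principal"] == user_id)
    return {"groups": groups, "roles": roles}


def find_drift(backup: dict, current: dict) -> dict:
    """Users in the backup that are missing or altered (attributes or links) live."""
    missing, changed = [], []
    for uid, attrs in backup["users"].items():
        live = current["users"].get(uid)
        if live is None:
            missing.append(uid)
        elif live != attrs or user_links(current, uid) != user_links(backup, uid):
            changed.append(uid)
    return {"missing": sorted(missing), "changed": sorted(changed)}


def partial_restore(backup: dict, current: dict, user_ids) -> dict:
    """Re-create only the listed users, with their links; leave everything else alone."""
    restored = deepcopy(current)
    for uid in user_ids:
        restored["users"][uid] = deepcopy(backup["users"][uid])
        for gname, spec in backup["groups"].items():
            if uid in spec["members"]:
                members = restored["groups"].setdefault(gname, {"members": []})["members"]
                if uid not in members:
                    members.append(uid)
        existing = {(a["principal"], a["role"]) for a in restored["role_assignments"]}
        for a in backup["role_assignments"]:
            if a["principal"] == uid and (uid, a["role"]) not in existing:
                restored["role_assignments"].append(dict(a))
    return restored


def simulate_errant_script(snapshot: dict, victims) -> dict:
    """Model an errant bulk delete: the IdP cascades the deletion to all links."""
    damaged = deepcopy(snapshot)
    for uid in victims:
        damaged["users"].pop(uid, None)
        for spec in damaged["groups"].values():
            spec["members"] = [m for m in spec["members"] if m != uid]
        damaged["role_assignments"] = [a for a in damaged["role_assignments"]
                                       if a["principal"] != uid]
    return damaged


def demo() -> dict:
    """Half the tenant's finance users vanish; repair only them, keep new joiners."""
    manifest_digest = canonical_digest(BACKUP_SNAPSHOT)
    live = simulate_errant_script(BACKUP_SNAPSHOT, ["u2", "u4"])
    # A user on-boarded after the backup must survive the restore.
    live["users"]["u5"] = {"name": "erin", "enabled": True, "mfa": True}
    live["groups"]["g-all-staff"]["members"].append("u5")
    if not verify_backup(BACKUP_SNAPSHOT, manifest_digest):
        raise RuntimeError("backup digest mismatch: do not restore")
    drift = find_drift(BACKUP_SNAPSHOT, live)
    repaired = partial_restore(BACKUP_SNAPSHOT, live, drift["missing"])
    return {"drift": drift, "repaired": repaired}


if __name__ == "__main__":
    print(json.dumps(demo()["drift"]))
```

Running `find_drift` against the repaired state afterwards should report nothing missing and nothing changed; that second pass is the "restore test" an auditor asks for, and it is exactly the step that exposes a backup which captured users but not their group memberships or roles.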

FOUR:
What use cases does the backup strategy protect against?

As organizations and their executives increasingly recognize the critical nature of their IAM, and the potential business impact of a disruption, they are adopting increasingly comprehensive business continuity and disaster recovery strategies to protect against an IAM outage.

Depending on the size of the organization – and the estimated operational and revenue hit associated with a potential IAM disruption – security leaders are looking beyond typical backup and restore strategies to include alternative options.  

For those organizations where failure simply is not an option, here are some of the questions auditors and security leaders are asking:

  • If the primary tenant or region becomes unstable or unusable, can the backup restore to a separate IAM tenant?
  • What happens if the IdP becomes unstable or unusable? Can the identities be quickly moved to another IdP, or will business be disrupted until the IdP is again usable?  
  • Can the business withstand a multi-day IdP outage? What is the estimated impact and cost to the business for every hour that an IdP is unavailable?

Many organizations find the scrutiny of today's auditors challenging. As the rising frequency of cyber attacks and accidental outages demonstrates their catastrophic business impact, auditors are becoming more aggressive in their questioning.

Is your organization ready to prove its resilience? Talk to one of our IAM resilience specialists to assess your business continuity plan: sales@mightyid.com