Hi community,
Our client is looking for risk elimination but doesn't want IdAM to be implemented. How can we convince the client to choose IdAM? What approach would you use?
Also, which tool can be embedded along with IdAM to make security more efficient and more versatile?
Hi @Amimesh Anand,
It seems important to first analyse your client's current situation, because then you can easily highlight the main security topics to talk about.
By the way, you can take two different approaches, according to the identity and role subjects.
Identities: guarantee a unique identity for everyone, a manager for everyone, no orphan accounts, accounts automatically activated/deactivated on their due date, etc.
Roles: be sure everyone is granted specific roles (when they need them) and that roles are removed when they are no longer necessary. Without role management, it is not possible to manage this easily, unless the company has six employees.
Those are a couple of examples but the list is quite long, actually.
It all depends on the risks, but just look at Maersk (NotPetya) and other cyber incidents.
Prevention is so much better than cure! Trust me: it is one year of my life I will never get back.
What's the issue, expense? How does one eliminate risk if they can't positively identify who's logging into the network? Depending upon the devices (endpoints) in use, I'd recommend steering them toward a push MFA solution (Duo is an example). A lot of companies will add simple SMS OTP or those annoying six-digit codes sent to your phone, and while it's better than nothing, the SS7 protocol is susceptible to Man-in-the-middle attacks.
If you need some backup material, go download Verizon's DBIR. The #1 attack vector for years running is identity compromise or credential theft.
I think in your initial interview and evaluation with the client, the necessity will answer for itself.
What is your normal process for adding a new user? What is your normal process for terminating a user from your system? How much time does that take? How much does that cost? How do you know if you have orphaned accounts? Is it important for you to know who has access to what systems? If so, how do you know that answer? Is it important for you to know who has certain roles in certain applications? If so, how do you determine that?
This is really more of a sales question than a tech question. If you want to get a positive response, throwing tech at them will just give them room to debate or dig their heels in. Find out what their problems are, find out how to help them, let them tell you their problems or processes, and show them how to solve them. They will be asking you for the solution; you won't have to recommend it.
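The lifecycle controls listed earlier in the thread (unique identity, a manager for everyone, no orphan accounts, deactivation on the due date, roles removed when no longer needed) and the questions just above ("How do you know if you have orphaned accounts? Who has access to what?") are exactly the checks a one-off reconciliation can answer before any IdAM product is bought. The script below is an added example, not code from anyone in this thread: it joins a constructed directory export against a constructed HR roster and a constructed list of role grants, and reports the gaps an IdAM system would close automatically. All account names, employee ids and role names are made up for illustration.

```python
"""
Identity-lifecycle audit: reconcile a directory export against an HR roster.

Reports the conditions the thread lists as the point of identity management:
orphan accounts (no HR record), enabled accounts past their HR end date,
identities with no valid manager, and role grants that are expired or held
by an account that should no longer have access. All data is constructed.
"""
from datetime import date

# Constructed HR roster: employee id -> manager id (None = top of org) and end date.
HR_ROSTER = {
    "e100": {"manager": None,   "end": None},                # CEO, no manager
    "e101": {"manager": "e100", "end": None},
    "e102": {"manager": "e100", "end": date(2024, 3, 31)},   # contractor, contract ended
    "e103": {"manager": "e101", "end": None},
}

# Constructed directory export (e.g. what you would pull from AD/LDAP).
DIRECTORY = [
    {"sam": "alice",   "employee_id": "e100", "enabled": True},
    {"sam": "bob",     "employee_id": "e101", "enabled": True},
    {"sam": "carol",   "employee_id": "e102", "enabled": True},   # leaver, still enabled
    {"sam": "svc_old", "employee_id": None,   "enabled": True},   # no HR link at all
    {"sam": "dave",    "employee_id": "e999", "enabled": True},   # HR id that does not exist
    {"sam": "erin",    "employee_id": "e103", "enabled": False},  # disabled, nothing to flag
]

# Constructed role grants: (account, role, expiry date or None for permanent).
ROLE_GRANTS = [
    ("alice",   "finance-approver", None),
    ("bob",     "db-admin",         date(2024, 1, 15)),   # temporary grant, expired
    ("carol",   "sap-posting",      None),                # held by a leaver
    ("svc_old", "domain-admin",     None),                # held by an orphan account
]

# Date the audit is run against; fixed so results are reproducible.
AUDIT_DATE = date(2024, 6, 1)


def audit(hr, directory, grants, today):
    """Return a dict of findings keyed by control, each a list in input order."""
    findings = {"orphan": [], "past_end_date": [], "no_manager": [], "stale_grant": []}
    # Accounts that must not hold any role: disabled, orphaned, or past end date.
    revoke = set()

    for acct in directory:
        name, emp = acct["sam"], acct["employee_id"]
        if not acct["enabled"]:
            revoke.add(name)          # already off, but its grants are still dead weight
            continue
        record = hr.get(emp) if emp else None
        if record is None:
            findings["orphan"].append(name)   # enabled account nobody in HR owns
            revoke.add(name)
            continue
        if record["end"] is not None and record["end"] < today:
            findings["past_end_date"].append(name)   # should have been deactivated
            revoke.add(name)
        # "A manager for everyone": the top of the org is flagged too, so the
        # exception is recorded rather than silently assumed.
        if record["manager"] is None or record["manager"] not in hr:
            findings["no_manager"].append(name)

    for name, role, expiry in grants:
        if name in revoke or (expiry is not None and expiry < today):
            findings["stale_grant"].append((name, role))   # remove the role

    return findings


if __name__ == "__main__":
    for control, items in audit(HR_ROSTER, DIRECTORY, ROLE_GRANTS, AUDIT_DATE).items():
        print(f"{control}: {items}")
```

The point of running something like this during the initial evaluation is that it turns "you need IdAM" into "here are the two orphan accounts, the leaver who is still enabled, and the domain-admin role nobody owns" in the client's own data, which is the sales approach the reply above recommends.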
So that we do not give you a textbook answer that may or may not apply, can you help us answer your question by providing a few details about the organization? To help guide any customer, understanding their current environment is imperative. For example: how big is the IT department and the company? What industry are they in? What workloads are they running? What infrastructure? Etc.
Not crazy detail, just the basics.