By Rob Carter, Duke University; Kevin Hickey, University of Detroit Mercy; Kevin Mackie, Oregon Health & Science University; and David Walker, Independent
Editor’s Note: This article, authored by Kevin Hickey, vice chair; committee members Rob Carter and Kevin Mackie; and advisor David Walker, marks the beginning of a Community Architecture Committee for Trust and Identity (CACTI)-sponsored initiative to highlight and strengthen the synergies between the IAM and cybersecurity functions at research and education institutions. Stay tuned as we explore areas to consider and actionable steps to achieve these goals.
As traditional network-based defenses lose their effectiveness, securing access at the identity level has become crucial in protecting against modern cyber threats. With the increasing decentralization of IT resources and the rise of cloud services, identity has effectively become the new security perimeter. This shift is especially relevant today, as many security breaches stem from compromised identities rather than technical vulnerabilities. It reflects the modern cybersecurity reality that “hackers don’t break in; they log in,” and it highlights the critical need for close coordination between identity and access management (IAM) and cybersecurity.
Cybersecurity
Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.
Source: “What Is Cybersecurity?” Cybersecurity & Infrastructure Security Agency (CISA)
Identity and Access Management (IAM)
Identity and Access Management (IAM) is a framework of business processes, policies, and technologies that facilitate the management of digital identities. It ensures that users only gain access to data when they have the appropriate credentials.
Source: “CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management”, CISA
The Inherent Connection Between Cybersecurity and IAM
Cybersecurity and IAM are inherently connected, serving as the foundation of an organization’s strategy for securely delivering online services. In research and education, institutions handle sensitive data, such as research, personal information, and intellectual property, while also providing access to external collaborators, students, faculty, and researchers. Participation in federations, such as InCommon, which promote global research and scholarly collaboration, adds both opportunities and complexities. This open and collaborative environment can introduce vulnerabilities if IAM and cybersecurity are not properly aligned.
The effective integration of IAM and cybersecurity is crucial for strengthening an organization’s overall security posture. IAM systems provide essential signals, such as user behavior, access patterns, and anomalies, that enable cybersecurity teams to quickly determine whether suspicious activity originates from a legitimate user or a potential intruder. At the same time, security tools can inform IAM teams of emerging risks, prompting stronger access controls, such as multi-factor authentication or privilege reduction. Through ongoing collaboration, both teams can create a feedback loop that improves threat detection and response aligned to organizational objectives, as driven by requirements for privacy, business outcomes, and regulatory compliance.
Unfortunately, these two critical services are often misaligned and misunderstood, leading to inefficiencies, poor user experience, and weakened security. Recognizing and addressing the intersection between IAM and cybersecurity is essential, particularly in complex environments like research and education institutions, where there is a high demand for secure, yet accessible, resources.
5 Critical Success Factors for Aligning IAM and Cybersecurity Teams
Some critical success factors to consider for modern IAM and cybersecurity functions include:
- High-functioning, collaborative teams. Leaders need to foster a culture where IAM and cybersecurity teams work seamlessly together, understanding that both functions are vital to achieving the institution’s business goals. They should encourage joint initiatives and frequent communication between these teams to ensure alignment.
- Aligned goals. Shared goals should balance ease of access with robust security and compliance. Both teams must work towards providing the right access at the right time without compromising security.
- Clearly defined responsibilities. IAM and cybersecurity teams have overlapping areas of responsibility. When lines blur, accountability can suffer, leading to finger-pointing or decision paralysis. Clearly defined roles, tested for example via joint tabletop exercises, can avoid such issues.
- Customer-centric engagement. IAM teams typically have very customer-centric procedures because of their intrinsic focus on people. Cybersecurity teams must recognize that they too are providing a service and adjust their processes to meet end-customer needs.
- Agile policies. As the IAM, security, and regulatory landscapes continue to evolve rapidly, these teams play a key role in ensuring policies are up to date, aligned with organizational objectives (including privacy), and well understood by customers.
As we begin this CACTI-sponsored initiative to highlight and strengthen the synergies between the IAM and cybersecurity functions at research and education institutions, check this space for updates as we explore areas to consider and actionable steps to achieve these goals.
About CACTI
The Community Architecture Committee for Trust and Identity (CACTI) is a standing architecture strategy group of community members chartered by Internet2’s Vice President for Trust and Identity. Margaret Cullen of Painless Security and Kevin Hickey from the University of Detroit Mercy serve as the current chair and vice chair, respectively. CACTI members include a broad representation from research and education. Minutes and additional information are available on the CACTI wiki.