It’s ever more challenging in today’s work-from-anywhere world to prevent cybersecurity breaches. And while all organizations work hard to prevent attacks through traditional security measures such as multi-factor authentication, patching, training, and more, the bad guys increasingly find their way in through poorly thought-out, scattered access and identity management practices. The solution, as we’ve seen in discussions during CIO roundtables, seminars, and dinners, is to adopt a privileged access identity management approach.

When your access and identity process and technology are improperly managed, you might as well hang a sign outside the door: “Come On In”. And once a bad actor hijacks someone’s (or something’s) real identity to get in, they can use that access to move north-south and east-west across networks to steal, manipulate, or hold hostage data, sensitive information, and critical business applications. They can approach vendors, partners, customers, and consumers under a false identity. In the process, risk levels increase, reputation plummets, and operational efficiency is severely compromised.

Privileged access management (PAM) should define the set of rights you give to every single contractor, employee, partner, and vendor. A well-implemented PAM program helps protect organizations against cyberthreats by monitoring, detecting, and auditing unauthorized privileged access to critical resources.

But PAM should not be implemented willy-nilly – on some resources, platforms, users, or types of devices and not others. Enterprises should adopt holistic, integrated solutions that provide the visibility to discover, on-board, manage, and audit any user or device by role, function, persona, time, or location.

PAM takes many forms. Some companies prefer to grant access per device: individual PCs, tablets, and mobile phones. But per-device privilege is a red herring. What if the device is stolen and hacked by a nefarious actor – or even used incorrectly by a coworker?

A better approach is to manage access by name, function, role, assignment, or persona. It is also critical to place time-based or geographic parameters on identity and access. For example, I may be working on a project for 10 days. Or I’m temporarily filling in for my boss and her other management responsibilities. Or I’m a financial analyst with access to sales and fulfillment data, but only for my investment company’s upper Midwest region.

That said, there are three complicating factors beyond human identity that can make access to IT systems risky. The first is today’s lack of a perimeter. Does the data and process reside or occur at the core, in the cloud, or at the edge? Should one restaurant manager have access to the neighboring restaurant’s data, even if they’re in the same company? When should a developer access data on-premises or in the public cloud?

The second consideration is identity for IoT devices. Indeed, in the first half of 2023, IoT DDoS attacks surged by 300%, causing a $2.5 billion global financial loss, according to some sources. From Target to household appliances to St. Jude Medical, too many breaches have used non-compute devices with IP addresses as a gateway into enterprise resources. Holistic identity management should cover not only people and devices but also the IoT systems that support a company.

Then there’s the matter of OT and manufacturing systems, which may or may not be connected in some way to ordering, fulfillment, sales, marketing, financial reporting, and regulatory systems. The factory is an edge location, even if most (or many) of its processes appear to be independent of business systems. Think of the dual identities, production and business, needed in mining, agriculture, oil and gas, transportation, hospitality, retail, and logistics, as well as policing and the military.

Ideally, IT and security managers should control access from a single console. Integrated identity management should have a set of rules for the user (role, persona), device (PC, IoT), platform (cloud, edge, OT), location (geographic or, again, platform), and time (one action, one day, etc.).

Automating the process will help. If I’m given assignment X for time Y, shouldn’t the system grant access when the assignment starts and take it away once the project or timeframe is complete?

Of course, there’s the issue of artificial intelligence. Indeed, AI can help organizations implement adaptive authentication strategies. AI can analyze contextual factors, such as location, device, and behavior, to determine the level of authentication needed. Moreover, generative AI can be employed to build anomaly detection models. (We’re still waiting for the flip side of this: an AI-assisted attack.)

Many companies are beginning to use biometrics, like retinal scans, facial recognition systems, and fingerprints, to help qualify and meter access.

PAM is an evolving field and should be viewed in the context of your overall Zero Trust architecture, consideration of Identity-as-a-Service (IDaaS), and AI/ML. Nefarious actors are not going away, but the enterprise can use privileged access management to help guard valuable business assets.
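As an added illustration (not from the article or any particular PAM product), the following Python sketch encodes the kind of rules described above: each grant is scoped by role or persona, resource, geographic region and device class, and carries a validity window so that a 10-day assignment lapses on its own without a manual revocation step. The roles, resources, regions and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    """One entitlement: who, what, where, on which device class, and for how long."""
    role: str
    resource: str
    regions: frozenset          # geographic scope; empty means any region
    device_classes: frozenset   # permitted device classes; empty means any
    valid_from: datetime
    valid_until: datetime       # exclusive; access lapses automatically afterwards

@dataclass(frozen=True)
class Request:
    role: str
    resource: str
    region: str
    device_class: str
    at: datetime

def evaluate(grants, req):
    """Deny by default: allowed only if some grant matches on every dimension."""
    reasons = []
    for g in grants:
        if g.role != req.role or g.resource != req.resource:
            continue
        if not (g.valid_from <= req.at < g.valid_until):
            reasons.append("outside validity window")
        elif g.regions and req.region not in g.regions:
            reasons.append(f"region {req.region} not in scope")
        elif g.device_classes and req.device_class not in g.device_classes:
            reasons.append(f"device class {req.device_class} not permitted")
        else:
            return True, "allowed"
    return False, "; ".join(reasons) or "no matching grant"

# Constructed sample grants (hypothetical roles, resources, regions, dates).
T0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
GRANTS = [
    # Analyst: sales data, upper Midwest only, managed PCs only, one year.
    Grant("financial-analyst", "sales-data", frozenset({"upper-midwest"}),
          frozenset({"managed-pc"}), T0, T0 + timedelta(days=365)),
    # Contractor: a 10-day project assignment that expires by itself.
    Grant("contractor", "project-x-repo", frozenset(), frozenset({"managed-pc"}),
          T0, T0 + timedelta(days=10)),
]

def check(role, resource, region, device_class, day):
    """Evaluate a request made `day` days after T0 against the sample grants."""
    req = Request(role, resource, region, device_class, T0 + timedelta(days=day))
    return evaluate(GRANTS, req)
```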