Identity & Access Management
A framework for processes, policies, technologies and regulations - essential for security and compliance
The right person should have access to the right set of resources at the right time for valid reasons
Identity and Access Management (IAM)
Identity and access management (IAM) is a framework of business processes, policies and technologies that facilitates management of users' electronic or digital identities and their access. This framework helps build a strong IT security posture, ensures compliance and, through automation, reduces the cost of user management.
Steps to implement an IAM framework
Gather requirements
Collect, analyze and translate the business requirements into technical requirements. The requirement collection process has to be conducted in a proactive way, promoting the values of IAM for the business, outside the security organization.
Coordination and design
Define and design solutions according to the requirements. Translate the solution into activities and rank each activity in priority to plan the implementation.
Implementation
Perform the activities. Special technical skills are required.
Maintenance
Maintenance of the platform: patches, security fixes and version updates. Special platform skills are required.
Supplier Management
Communication with providers of infrastructure services.
Solutions and Services we provide
- Sailpoint Identity Security Platform
- Identity and Access Management
- Federation
- Single Sign On
- Role and Entitlements Management
- Cloud Based IAM
Need more information?
Among Sectors We Serve
Health Care
Prioritize Privilege to Protect Patient Data, Secure and Simplify Operations while ensuring Compliance
Large volumes of patient data or Electronic Personal Health Information (ePHI) are generated daily by the rapidly expanding, interoperable care delivery networks.
From birth dates and social security numbers to private health concerns and detailed illness histories, healthcare information can be much more valuable to cyber attackers than credit card numbers.
Internet-connected medical devices – such as infusion pumps, heart rate monitors and even imaging and biopsy tables – have become a critical part of the healthcare environment. With medical devices outnumbering healthcare industry staff three to one, this broad movement of connected devices now represents a growing cybersecurity threat that puts patient data, medical information and, potentially, patient wellbeing at risk.
From an operational perspective, juggling various security zones and tiers means valuable time lost in administering several virtual entry points, devices and passwords, or regulatory compliance requirements being unmet.
Securing connected devices – both unsupported legacy devices and new IoMT devices, providing easy and secure access for healthcare workers regardless of location, while taking into account "joiners, movers and leavers" – has emerged as one of the top priorities for healthcare IT security professionals.
This comes in addition to addressing compliance recommendations and requirements from industry regulators such as:
- Datatilsynet
- Helsetilsynet
- Norm for informasjonssikkerhet og personvern i helse- og omsorgssektoren (Normen)
- NSM's Grunnprinsipper for IKT sikkerhet
- The European Union Agency for Network and Information Security
- European Data Protection Board - EDPB
- NIST Framework - National Institute of Standards and Technology
With over 20 years of experience within the healthcare sector, our solution architects and advisors have an in-depth understanding and sector insight with a broad skillset within network architecture, IT security and automation, applied in this field.
We can provide you with the following:
- Expertise
- Information Security Advisors
- Solution Architects
- Project Managers
- Consultants
- Technologies
For more information, contact us.
Telecommunication
Telecommunications Systems Serve as a Critical Backbone to Nations and Economies Across the Globe.
These systems enable the transmission of financial transactions, business transactions and emergency response communication daily, and if compromised, the consequences could be dire.
Access to these systems is too often left unsecured and unmanaged, putting these critical assets at an increased risk of a damaging cyber attack that could impact telecommunications companies and everyday citizens alike.
Privileged accounts and sessions are repeatedly the target of both internal and external attacks due to the system-wide access they grant. Controlling these sensitive credentials is vital to remain compliant and to protect a business’s core assets.
To reduce the risk of potentially damaging unauthorized access to critical telecommunications systems, organizations should:
- tightly control and monitor all internal and third-party user and application access to privileged accounts on these systems
- maximize visibility of IT infrastructure changes and data accesses
- know one's data in order to protect what really matters
- have visibility of the traffic behind the perimeter security
- be fully aware at all times whether one is under attack, be able to rapidly respond and mitigate in an informed manner
- enforce identity and access management to build a strong IT security posture and ensure compliance
Having proactive security measures in place to mitigate risks associated with privileged accounts, identity verification, access grants and sensitive data, is not only important to the IT team supporting growing businesses, but it is also a priority for CEOs who understand the business benefits of protecting digital assets.
Approach compliance with confidence - address the evolving set of compliance and audit requirements facing telecommunication companies today:
- The Electronic Communication Act ("eKOM Loven")
- Post og telestyrelsen
Solutions and services we can provide
With over 20 years of experience within the telecom sector, our solution architects and advisors have an in-depth understanding and sector insight with a broad skillset within network architecture, IT security and automation, applied in this field.
We can provide you the following solutions and services:
Expertise
- Information Security Advisors
- Solution Architects
- Project Managers
- Consultants
Technologies
- Privileged Access Management
- Identity and Access Management
- Endpoint Detection and Response
- Data Centric Audit and Protection
For more information, contact us.
Industrial
From isolated legacy systems to Internet of Things, Integrated Operations, Hybrid- and Cloud environments
Critical production systems such as ICS (Industrial Control Systems) have for decades been isolated from other systems or the Internet as a whole. Due to recent technological developments and business objectives to lower costs, improve operational efficiencies and meet regulatory compliance, IT systems and OT environments have increased connectivity, exposing them to a significantly larger attack surface and risk of intrusion from malicious actors.
While the profitability of industrial organizations is heavily dependent on the ability to secure their intellectual property and trade secrets, the implementation of security controls designed to mitigate the risks associated with these vulnerabilities, if not planned carefully, can be very costly.
Some of these risks include:
- high number of administrative or privileged accounts that enable user and application access to ICS
- use of shared accounts that enable access to critical systems without individual oversight
- use of industrial applications with embedded hard-coded credentials
- use of workstations with excessive administrator rights
- challenges of integrating and maintaining legacy systems in an ever evolving IT landscape
- uncontrolled processing of sensitive data leaving sensitive information over-exposed, potentially tampered with, copied, moved or deleted
Kommando can help your organization address its information and cyber security challenges through our:
Expertise
- Information Security Advisors
- Solution Architects
- Project Managers
- Consultants
Technologies
- Privileged Access Management
- Identity & Access Management
- Endpoint Detection & Response
- Data Centric Audit & Protection
For more information, contact us.
Oil & Energy
Industrial Control Systems - A High Value Target for Cyber Criminals
Industrial Control Systems (ICS) are critical production systems which are part of the Operational Technology (OT) environment in industrial enterprises. As IT systems and OT environments increase connectivity to each other, ICS are now exposed to IT systems and the Internet - significantly increasing the risk of intrusion from malicious actors that aim to cause damage to the systems themselves or to use the systems to gain access to other parts of the corporate IT Infrastructure.
Due to the high availability requirements of ICS assets, by and large, the risks associated with running commercial-off-the-shelf (COTS) equipment in the operations and supervisory levels of ICS architectures are unaddressed.
Some of these risks may include:
- The high number of administrative or privileged accounts that enable user and application access to ICS
- The use of shared accounts that enable access to critical systems without individual oversight
- The use of industrial applications with embedded hard-coded credentials
- The use of workstations with full administrator rights
- The broken process of provisioning access with restrictions on what, when and where one can perform a job/task
To mitigate these risks and to address compliance requirements from industry regulators such as:
- NVE - The Norwegian Energy Regulatory Authority (Emergency Regulation/Beredskapsforskrifter)
- The Norwegian Oil & Gas recommended guidelines (#104, #110, #123)
- National Institute of Standards and Technology (NIST) SP-800-82
Industrial enterprises must proactively protect and monitor privileged accounts that enable access to ICS environments.
With long and broad experience from working with IT security and access control for the Oil and Energy sector, Kommando can provide:
Expertise
- Security advisors
- Solution architects
- Project managers
- Consultants
Technologies
- Privileged Access Management
- Identity & Access Management
- Endpoint Detection & Response
- Data Centric Audit & Protection (orchestrate IT security with data at its core)
For more information, contact us.
Finance
Attacks against the financial industry continue to grow as firms continuously collect sensitive customer information. IT security must be as proactive and automatic as possible for organizations to remain compliant, rapidly respond to threats and free IT to focus on digital innovations rather than firefighting.
Banks, insurers and other financial service providers require strong privileged access security to protect against growing external and internal threats to personal and proprietary information. Because financial and banking firms continuously collect sensitive information about their customers and house considerable amounts of valuable resources, they are attractive targets among hackers worldwide.
The stringent regulatory requirements from both domestic and international governing bodies, such as GDPR, PCI-DSS, Sarbanes-Oxley, MAS TRM, EBA guidelines and more, keep financial service providers challenged. To remain compliant, respond to threats rapidly and free IT to focus on the digital innovations that strengthen customer loyalty and capture new sources of revenue, IT security must be as proactive and automatic as possible.
Kommando can help your organization address its information and cyber security challenges through our:
Expertise
- Information Security Advisors
- Solution Architects
- Project Managers
- Consultants
Technologies
- Privileged Access Management
- Identity & Access Management
- Endpoint Detection & Response
- Data Centric Audit & Protection
For more information, contact us.
Government
Mitigate security risks for national and local government agencies
National and local government IT teams are tasked to protect an immense variety and volume of sensitive information and critical systems - from human services to citizens' healthcare data, court and law systems, traffic systems, tax-, voting-, and financial information, etc.
The collection of Personally Identifiable Information (PII), and sharing it with other agencies to conduct business, makes it equally important for these agencies to stay compliant while providing effective IT security and ensuring operational efficiency.
Cyber-attacks on systems supporting public services can compromise public health and safety. Financially, state and municipal governments are increasingly seen as attractive targets of ransomware attacks. Whether it's ransomware or other malware, the costs in terms of resources to recover from a cyber-attack can be significant, and in some cases records may be irretrievable.
Kommando can help you meet the exceptional demands of public sector IT and assist your organization in addressing its information and cyber security challenges through our:
Expertise
- Information Security Advisors
- Solution Architects
- Project Managers
- Consultants
Technologies
- Privileged Access Management
- Identity & Access Management
- Endpoint Detection & Response
- Data Centric Audit & Protection
For more information, contact me.