Complicating matters is the fact workforces are always in flux. That’s no different for E&U companies. Onboarding, retirement, promotions and departures will all require quick adjustments to access permissions. “It’s based on JML: joiners, movers, leavers,” says Lappage. “It continues to be a problem for people because you need to have a strong JML process within an organization for your identity access management to work well.”
The shift to remote and hybrid models of work in the wake of the pandemic has only made things harder, in an industry already heavily dispersed. More devices, IoT and cloud applications have added new endpoints for hackers to exploit. The law of averages, in other words, is not in favor of E&U companies.
Solutions to IAM Challenges for Energy and Utility Companies
Among the tools available are on-premises identity and access management services, such as CA Identity Manager, and cloud-based services, such as Okta or Centrify. There are also IAM tokens, which provide secure access by generating a passcode, producing a digital certificate or activating authentication technology. The future promises greater tools as well, with biometric security rapidly becoming more advanced. Biometrics can tackle IAM simply by recognizing physical attributes of a person — their face, voice, fingerprints or eyes — then granting access.
Some tools are, however, not technological but institutional. Organizations should have a concrete plan for how IAM is set up and implemented. A strategy that’s not fully thought out can leave E&U companies vulnerable. “Your weakest link is the system that’s not managed,” Lappage says.
That’s why some companies have shifted responsibility for access management away from IT departments to human resources, which has better data — and a better overview — of employee information. When JML happens, they are the first to know. Granting them authority for IAM ensures the quick access adjustments that close vulnerabilities.
“You want to make sure that everything comes from HR and flows down to the other systems,” says Lappage. “The awareness of the enhanced role of HR inside the organization is really important to the success of an IAM project.”
There are, of course, other tools, such as zero trust and secure access service edge, that have emerged on the market to improve cybersecurity. Lappage offers a caution, however. “Identity is the backplane to all those contemporary security controls. If you don’t have really strong identity access management, people are going to struggle with implementing those contemporary types of controls.”
In other words, the best way to manage IAM within an energy or utility organization isn’t a matter of subscribing to a cybersecurity service. “There are a hundred things you’ve got to do in security, and there’s no silver bullet,” Lappage says. However, a proper IAM plan, the right tools and proper awareness of the threats can help keep companies safe.