In the cloud and mobile world, managing identities is more critical than ever

Many legacy identity systems simply can't keep up with modern requirements – but there are ways to make upgrades pay for themselves

Think you've got identity under control? Think again, warns one expert in the area who has seen far too many organisations stumbling on with legacy identity and access management (IAM) environments that are no longer up to the challenges of modern mobile and cloud-based information infrastructures.

A strong focus on automation in early IAM solutions left many companies with systems that had been designed to meet specific application needs, but had struggled to accommodate new applications and platforms. This, says Sailpoint global president Kevin Cunningham, was a fatal flaw that has left many businesses scrambling to upgrade their environments – and, more worryingly, many others unaware that they even need to.

“Legacy solutions were focused on automating on-boarding/off-boarding functions, with no attention paid to corporate policy,” he explains. “As a result, organisations automated a lot of bad activity and compounded the problem. They also failed to address the entire enterprise, with a focus on either cloud-based applications or on-premises applications. As a result, they created visibility silos.”

These silos continue to cause problems in all kinds of environments by forcing employees to jump between IAM systems with different credentials and capabilities – and complicating or even obstructing the management of systems access by contractors and outside suppliers.

This activity is not only counterproductive, but can hinder overall digital-transformation objectives by creating artificial usability barriers within enterprises that by definition need resource access that is as seamless as possible. The federal government's $33.3m investment in a trusted digital identity framework reflects the need for such seamless access across on-premises, cloud and mobile capabilities that are coming closer and closer together every day.

Although that kind of investment far exceeds the commitment necessary for conventional businesses, it reflects the mission-critical nature of a robust and modern IAM overhaul – which, Cunningham says, is all too often avoided while businesses try to modernise their ageing and often “completely inadequate” identity infrastructure.

“Often, implementation of these projects took a lot of time and resources, so enterprises tend to 'throw good money after bad' in an attempt to fix them,” he explains. “Instead, they really need to migrate to a modern governance-based approach with an IAM platform that provides complete visibility and control across the entire IT infrastructure, can evolve with the company, and provides a single view into all user access rights – for every employee, contractor and partner – across every system, application and data repository regardless of how it's accessed.”

Adopting this broader approach to IAM requires a mindset that sees identity not just as a username and password combination, but as a critical linkage between the various usage paradigms in which employees are typically working.

It also requires what can often be a big step for most businesses: engaging the business itself to take an active role in setting and reviewing access policies that have, all too often, been left to the IT organisation to manage. Given that IAM is normally implemented by the IT organisation, this tendency is hardly surprising – but that doesn't make it correct.

Indeed, says Cunningham, a key part of making modern IAM work is understanding that the management of identity is at heart also a business process – and one that requires buy-in from employees if it's ever going to work as it should. This business dimension demands a commitment to the practice of 'identity governance' – an overarching framework around IAM that is becoming increasingly relevant with updates to compliance standards like PCI DSS, which recently tightened its expectations around retailers' authentication and related practices.

Even as they implement tighter controls to meet identity-governance requirements – closing problematic issues such as 'entitlement creep' (in which employees change departments and are progressively granted increasing levels of access) – organisations must also be careful not to be too strict. “They must balance the need to enable employees to do their jobs while mitigating the risk of those credentials being abused,” Cunningham explains.

“Simply by having good visibility into who has access to what, and what they are doing with that access, organisations are already much more prepared. Without identity governance, organisations must rely on manual processes to revoke access privileges after the employment or partnership ends. With identity governance, as soon as HR changes that person's status to 'inactive', automated controls will immediately revoke access.”
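The two governance controls described above, automated revocation when HR marks a person inactive and detection of 'entitlement creep', as an added example that is not from the article or from SailPoint; the HR feed, entitlement records and role model are constructed, hypothetical data:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    role: str

# Constructed sample data: a hypothetical HR feed and the access records it governs.
HR = {
    "alice": {"status": "active",   "department": "finance"},
    "bob":   {"status": "inactive", "department": "sales"},
    "carol": {"status": "active",   "department": "engineering"},
}
ENTITLEMENTS = [
    Entitlement("alice", "erp",    "ap-clerk"),
    Entitlement("alice", "crm",    "deal-desk"),   # kept from alice's earlier sales role
    Entitlement("bob",   "crm",    "deal-desk"),
    Entitlement("carol", "gitlab", "maintainer"),
    Entitlement("carol", "erp",    "ap-clerk"),    # kept from carol's earlier finance role
]
# Roles each department is expected to hold; anything outside this is reviewed.
ROLE_MODEL = {"finance": {"ap-clerk"}, "sales": {"deal-desk"}, "engineering": {"maintainer"}}

def leaver_revocations(hr, entitlements):
    """Every entitlement held by a user whose HR status is not 'active' (or who is unknown to HR)."""
    return [e for e in entitlements if hr.get(e.user, {}).get("status") != "active"]

def entitlement_creep(hr, entitlements, role_model):
    """Entitlements that active users hold but their current department does not justify."""
    flagged = []
    for e in entitlements:
        rec = hr.get(e.user)
        if rec is None or rec["status"] != "active":
            continue  # leavers are handled by leaver_revocations
        if e.role not in role_model.get(rec["department"], set()):
            flagged.append(e)
    return flagged

def reconcile(hr, entitlements, role_model):
    """One governance pass: auto-revoke leavers, queue creep for manager review."""
    return {"revoke": leaver_revocations(hr, entitlements),
            "review": entitlement_creep(hr, entitlements, role_model)}

if __name__ == "__main__":
    for action, items in reconcile(HR, ENTITLEMENTS, ROLE_MODEL).items():
        for e in items:
            print(f"{action:6} {e.user:6} {e.system}/{e.role}")
```

Leavers are revoked automatically, while creep is queued for a human recertification decision so the control does not become the over-strict kind the text warns against.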

Use IAM to power smarter business

IAM frameworks are about more than automation, however: having been designed as open and standards-compliant frameworks that must by their very nature be flexible and expandable, modern frameworks are also proving to be capable platforms for businesses to introduce a broad range of other capabilities.

In Sailpoint's case, tight integration with third-party solutions is being delivered through initiatives such as Sailpoint's Identity+ Alliance, which debuted in late 2015 and recently added nine new members: Covertix, Heimore, Exabeam, LogRhythm, Osirium, PlainID, SecureAuth, Thycotic and Wallix.

Such partnerships allow businesses to leverage IAM information in a range of ways. Security information and event management (SIEM) analytics, for example, can be applied against IAM records to get detailed information about user behaviour that can help both during governance audits and in tasks such as strategic resource planning. Mobile device management can be enhanced by heavily leveraging IAM, as can solutions specifically designed to manage privileged accounts.

Such integrations not only unlock new capabilities, but also yield more concrete use cases and return on investment (ROI) figures that can be used to justify the time and money required to shift to a modern IAM platform.

Better ROI comes not only from improved visibility but from cost reductions: automating manual processes such as password resets, minimising the time and money spent on regular recertification, and being able to quickly provision employees' application and resource access.

Even in those organisations with existing IAM platforms, these benefits can often help justify the commencement of the transition. “In many cases, organisations can maintain legacy solutions and put a next-generation governance solution on top of it,” says Cunningham.

“The legacy solutions can serve as 'plumbing' while organisations focus on the governance overlay. Once that's in place, they'll likely want to replace the legacy plumbing solutions.” Given the escalating threat environment that businesses face, rapid action on IAM is a critical part of any organisational cybersecurity response. “As we watch cyber attack after cyber attack based on password exploitation rock some of today's largest organizations, you have to wonder why more isn't being done,” Cunningham says.

“Regardless of how an identity solution is deployed, the fundamental requirements remain the same: it needs to provide a single view into 'who has access to what', 'what can be done with that access', and 'whether that access is appropriate', across the entire IT infrastructure.”

Stories by David Braue