Think you've got identity under control? Think again, warns one expert in the area who has seen far too many organisations stumbling on with legacy identity and access management (IAM) environments that are no longer up to the challenges of modern mobile and cloud-based information infrastructures.
A strong focus on automation in early IAM solutions left many companies with systems that had been designed to meet specific application needs, but had struggled to accommodate new applications and platforms. This, says Sailpoint global president Kevin Cunningham, was a fatal flaw that has left many businesses scrambling to upgrade their environments – and, more worryingly, many others unaware that they even need to.
“Legacy solutions were focused on automating on-boarding/off-boarding functions, with no attention paid to corporate policy,” he explains. “As a result, organisations automated a lot of bad activity and compounded the problem. They also failed to address the entire enterprise, with a focus on either cloud-based applications or on-premises applications. As a result, they created visibility silos.”
These silos continue to cause problems in all kinds of environments by forcing employees to jump between IAM systems with different credentials and capabilities – and complicating or even obstructing the management of systems access by contractors and outside suppliers.
This activity is not only counterproductive, but can hinder overall digital-transformation objectives by creating artificial usability barriers within enterprises that by definition need resource access that is as seamless as possible. The federal government's $33.3m investment in a trusted digital identity framework reflects the need for such seamless access across on-premises, cloud and mobile capabilities that are coming closer and closer together every day.
Although that kind of investment far exceeds the commitment necessary for conventional businesses, it reflects the mission-critical nature of a robust and modern IAM overhaul – which, Cunningham says, is all too often avoided while businesses try to modernise their ageing and often “completely inadequate” identity infrastructure.
“Often, implementation of these projects took a lot of time and resources, so enterprises tend to 'throw good money after bad' in an attempt to fix them,” he explains. “Instead, they really need to migrate to a modern governance-based approach with an IAM platform that provides complete visibility and control across the entire IT infrastructure, can evolve with the company, and provides a single view into all user access rights – for every employee, contractor and partner – across every system, application and data repository regardless of how it's accessed.”
Adopting this broader approach to IAM requires a mindset that sees identity not just as a username and password combination, but as a critical linkage between the various usage paradigms in which employees are typically working.
It also requires what can often be a big step for most businesses: engaging the business itself to take an active role in setting and reviewing access policies that have, all too often, been left to the IT organisation to manage. Given that IAM is normally implemented by the IT organisation, this tendency is hardly surprising – but that doesn't make it correct.
Indeed, says Cunningham, a key part of making modern IAM work is understanding that the management of identity is also a business process at its heart – and one that requires buy-in from employees if it's ever going to work as it should. This business requirement requires a commitment to the practice of 'identity governance' – an overreaching framework around IAM that is becoming increasingly relevant with updates to compliance standards like PCI DSS, which recently tightened its expectations around retailers' authentication and related practices.
Even as they implement tighter controls to meet identity-governance requirements – closing problematic issues such as 'entitlement creep' (in which employees change departments and are progressively granted increasing levels of access) – organisations must also be careful not to be too strict. “They must balance the need to enable employees to do their jobs while mitigating the risk of those credentials being abused,” Cunningham explains.
“Simply by having good visibility into who has access to what, and what they are doing with that access, organisations are already much more prepared. Without identity governance, organisations must rely on manual processes to revoke access privileges after the employment or partnership ends. With identity governance, as soon as HR changes hat person's status to 'inactive', automated controls will immediately revoke access.”
Use IAM to power smarter business
IAM frameworks are about more than automation, however: having been designed as open and standards-compliant frameworks that must by their very nature be flexible and expandable, modern frameworks are also proving to be capable platforms for businesses to introduce a broad range of other capabilities.
In Sailpoint's case, tight integration with third-party solutions is being delivered through initiatives such as Sailpoint's Identity+ Alliance, which debuted in late 2015 and recently added nine new members: Covertix, Heimore, Exabeam, LogRhythm, Osirium, PlainID, SecureAuth, Thycotic and Wallix.
Such partnerships allow businesses to leverage IAM information in a range of ways. Security information and event management (SIEM) analytics, for example, can be applied against IAM records to get detailed information about user behaviour that can help both during governance audits and in tasks such as strategic resource planning. Mobile device management can be enhanced by heavily leveraging IAM, as can solutions specifically designed to manage privileged accounts.
Leveraging such capabilities not only enables new capabilities, but helps provide more concrete use cases and return on investment (ROI) figures that can be used to help justify the expense in time and money required to shift to a modern IAM platform.
Better ROI comes not only from the use of better visibility but from reductions in cost from automating manual processes such as password resets; minimising the time and money that goes into regular recertification; to the benefits that come from being able to quickly provision employees' application and resource access.
Even in those organisations with existing IAM platforms, these benefits can often help justify the commencement of the transition. “In many cases, organisations can maintain legacy solutions and put a next-generation governance solution on top of it,” says Cunningham.
“The legacy solutions can serve as 'plumbing' while organisations focus on the governance overlay. Once that's in place, they'll likely want to replace the legacy plumbing solutions.” Given the escalating threat environment that businesses face, rapid action on IAM is a critical part of any organisational cybersecurity response. “As we watch cyber attack after cyber attack based on password exploitation rock some of today's largest organizations, you have to wonder why more isn't being done,” Cunningham says.
“Regardless of how an identity solution is deployed, the fundamental requirements remain the same: it needs to provide a single view into 'who has access to what', 'what can be done with that access', and 'whether that access is appropriate', across the entire IT infrastructure.”