How to Implement a Solid Identity and Access Management Strategy

Most enterprises select and implement technology to perform tasks better, deliver higher value to users, fulfill their business mission and become more agile as an organization. But it often happens that many IT initiatives, including identity and access management (IAM), deter new technology initiatives and hamstring a company’s IT agility. This is largely because IAM can appear to be an unwelcome process for employees to learn. In this eWEEK slide show, One Identity Product Marketing Manager Todd Peterson explains 11 universal truths of IAM that provide common-sense guidance on how to implement a solid IAM strategy—without impeding business agility.

Security often is addressed on a point-by-point basis, such as “I need to secure system X” or “I need to prevent threat Y.” Anyone who attempts to deal with security in that piecemeal manner will find himself in a losing battle, constantly running from one fire to the next. It’s important to approach security (IAM being a major subset of that) with a unified strategy: a single set of controlling policies that apply to all systems; a single user identity; a single set of parameters that control access; and a single point of management.

A direct result of the complexity inherent in today’s IAM landscape is the extremely broad range of things that can break or be exploited. With any single user having many dozens of individual identities across just as many systems (and with each system requiring different attributes or controls), it quickly becomes obvious that there are too many disparate factors to handle. Simply understanding everything a user can access, not to mention what the user does with that access, becomes impossible. Therefore, it’s important to implement IAM in a way the exposes not only identity but also authorization. That way you can see and resolve the danger before it becomes an issue.

We all have that guy in IT who just gets things done. When red tape stands in the way of getting access to something you need to do your job, calling this IT superhero can result in receiving exactly what you need. But there’s a security problem associated with relying on the helpful IT guy; not every employee is trustworthy and may be requesting access they shouldn’t have.

The most secure way to deal with access requests and fulfillment is to automate the controls around decision-making and ultimately fulfillment. For example, user requests for access are automatically checked against an established security policy, without requiring IT intervention (and while tracking the entire transaction). Users are granted the access they need—and should have—but in a way that won’t cause trouble during audits.

Hackers want to get to your organization’s crown jewels—the data that is the lifeblood of everything you do. They have lots of time and creativity and enjoy the hunt almost as much as the kill. You, on the other hand, have a job to do, and it probably doesn’t involve watching every user and entry point for suspicious activity. But the bad guys will always aim for the easiest targets; they will continue to look to exploit weaknesses in your systems and users’ behavior.

We have many passwords to remember in spite of our best efforts to use the same strong one everywhere. So what do we do? We write them all down and store them in a drawer, on a sticky note under the keyboard or in a note called “passwords” on our phones. The dangers are clear: Regardless of how appropriately provisioned a user is, how thoroughly you monitor and how strong your security policy is, all bets are off if a password falls into the wrong hands.

Many of the most damaging and high-profile security breaches of recent years were the result of insiders using privileged access to do bad things. Some steal and publicize critical data. Others set time bombs to destroy systems. The common theme is that someone in a trusted position was given privileged access and abused it. The echoes of “I trust my staff, they would never intentionally hurt the company” are still bouncing off the walls of these organizations.

Just because something is in the cloud doesn’t lessen the need for the same security concerns that are the bedrock of on-premises IAM. In fact, many of the critical aspects of good IAM—specifically unified, business-driven and policy-based workflows—become even more critical when they move out of your direct control. When the controlling aspects of IAM can be unified, automated and controlled by the business rather than IT, the specifics of deployment—whether on premises or in the cloud—become much more manageable.

IAM is a moving target. It’s not uncommon for organizations to talk about how they are on the fifth year of their three-year IAM plan and are nowhere close to achieving their original objectives. IAM projects often rely on highly customized solutions purpose-built for the specific makeup of an organization. But the problem is that when those things are defined in year zero, the solution planned for year three and delivered in year five is nowhere close to the actual requirements of the present.

The harsh reality is that the success (or lack thereof) of any IAM project is tied to the enthusiasm of the executives who are paying for it—and that enthusiasm is going to be directly dampened by complexity. When duplicate activities must be performed on different systems, using different tools and often with heavy IT involvement, that results in headache-inducing complexity—and decreased desire to involve IAM and IT in projects.

It is very difficult to satisfy both efficiency and security, and that difficulty is directly proportional to the complexity of your environment. It’s a constant battle: “Do you want me to be secure or do you want me to be efficient?” Of course, the answer is both, but the truth is complexity puts security and operational efficiency at odds. To have both, IAM and IT professionals need to reduce complexity—this can be done by unifying and automating.