By Steve Mowll and Chris Williams
Point: We might be making it harder than it needs to be. Setting complex requirements may affect long-term suitability and success.
Chris Williams –Advisory Architect, RSA Identity
Visiting with security and identity practitioners, talking about their missions, histories, and achievements, I sometimes see their eyes glaze with a temporary haze of “hesitation.” In these moments, I believe what races through their minds is the sudden resolution that perhaps what they have set out to accomplish may not actually have been attainable within a singular discipline project.
It’s no wonder, given how identity and access management (IAM) has evolved over the years from its core purpose focused on simple system-level account and privilege administration to include password synchronization and single sign-on (SSO), multi-factor authentication (MFA), compliance, governance, policy management, event and behavioral analytics, fraud detection and risk management. And with all of this advanced functionality, we exponentially increase process and the likelihood of ineffectiveness.
Multi-discipline process accommodation is the dark shadow-lurking beast that can destroy an IAM project from within – actually derailing the project and crushing it under its own weight. If we accept the premise that managing identities requires more than just creating accounts and reporting on access, how do we achieve success?
Perhaps our best route to success lies within a simple truth we’ve all heard from Mick Jagger and friends: “You can’t always get what you want, but if you try sometimes well you might find, you get what you need.”
How do we get what we need? Let’s take a page from other IT projects and align the IAM project to a service:
In summary, don’t try to boil the ocean, focus on what matters most. And remember, the more complex you build the environment, the least likely it will serve a long-term purpose or adhere to fulfilling its core purpose and functionality.
COUNTERPOINT: IAM is inherently hard, but to be successful in the long run, you need to look at the problem from a business-driven perspective and start with the end in mind.
Steve Mowll, Identity Architect, RSA
While I agree with Chris to some degree – you do need to setup your IAM program in the right way – however, I believe that identity and access management is, by its very nature, inherently hard. This is because people rarely, if ever, look at the actual business problem in a holistic way.
For example, a company starts an IAM project and they define the top 100 business-critical applications. (Side point: you should just know to do this, but I am still amazed how many companies have not defined their most critical business applications).
Next, you want to gather access information about these applications to understand who has access to what and maybe provision access automatically, perform segregation of duties (SoD) against them, etc. However, the challenge you face is that each application is completely different in EVERY way. So the program goes down the road of creating 100 processes to collect the data, 100 different sets of rules for SoD, 100 different provisioning adapters, and strangely enough, they either completely fail at or only partially achieve what they set out to do taking a huge amount of time, effort and money.
All of this because we do not think about the problem in the right way, from a strategic business-driven perspective.
The way to solve this problem is to think about IAM as a foundational component of your business and not as an afterthought. To do this, you must:
Any company can do this, even if they have the most mixed-up environment imaginable, and stop the IAM pain and suffering as new technologies are onboarded or old ones reengineered.
If you are moving to the cloud, this effort should be at the top of your “things to consider” list as it will make a huge difference in the speed of adoption and your control of those services in the future. You will likely not retain the same cloud provider indefinitely, so how easy will it be to change and maintain the same level of service when you transition?
I urge you to change the nature of the problem and begin with the end in mind.
The post YIN AND YANG: TWO VIEWS ON IAM – NATURE OR NURTURE appeared first on Speaking of Security – The RSA Blog.
|Update your feed preferences|