In a world of increasing threats, IT security pros are motivated to strengthen security protocols and access to company data “to everything, everywhere.” Unfortunately, this approach often comes with a cost in usability, and can make security an inhibitor to business productivity.
Fortunately, new technologies and approaches exist that can overcome this usability vs. security challenge. Adaptive, risk-based identity and access management (IAM) techniques let IT scale their security posture to the circumstances. IAM is all about making sure that the right people can get to the right resources to do their jobs without exposing those same resources to undue risk from unauthorized parties. Yet, for all its importance, there is an overabundance of IAM projects that didn’t live up to expectations, took too long and cost too much to complete, or even failed outright. But controlling access, managing and securing privileged accounts, and achieving governance are so critical that we can’t simply ignore the fact that it’s hard.
So what is the better way, one that can keep your IAM project from becoming one of the many disappointments?
A growing number of organizations are finding that the right approach to IAM can lead to a successful project. In these cases, IAM can move beyond being a necessary evil to an actual business-enabling asset. Organizations that succeed end up with every user – or at least the vast majority of them – having exactly the right access (provisioning), and all the right people making it happen and having insight into what goes on (governance). Successful IAM is much closer to a reality than many may have ever thought possible. While every organization is different, there are a few commonalities we can draw from these successful projects. Here’s a proposed basic recipe for IAM success.
Unify, Unify, Unify
Think back to the days of Windows NT, when every Windows server was an island unto itself, each requiring its own identities (or accounts), authentication and authorization, and all of them almost impossible to audit. Microsoft overcame that problem with the advent of Active Directory in Windows XP and a one-identity approach to IAM in Windows. That same thinking – reducing complexity, consolidating identities (and with them the provisioning, authorization, login and audit requirements), and not addressing each unique system in its own silo – can bring major benefits.
The more identities people have, the more places they must be provisioned, the more passwords they can forget, and the more holes an audit can find. Seek to arrive at a single source of the truth and then implement it enterprise-wide. And don’t forget that two or three identities is still much, much better than 10 or 12.
Minimize Customization as Much as Possible
One of the main reasons IAM projects fail is that they rely almost entirely on customization. The traditional approach to IAM is to build custom connectors that contain all the business logic necessary to grant, control, and audit access across all systems. These heavily customized solutions give the appearance of the unification mentioned above, but in reality they are just covering complexity with additional complexity. It’s like the time my wife asked me to clean out the garage, so I moved everything into the kitchen. It got the job done, but didn’t really solve the problem.
The more you can use “configurable” IAM solutions, the quicker you will realize value, the easier it will be to react to change, and the less you will rely on the expense of an army of developers and consultants.
Get Provisioning Right
It all starts with provisioning. But when identities are fragmented and processes rely heavily on rigid customization, provisioning is really, really difficult. If there is one constant in IAM, it is change. People change roles, what those roles mean changes as new systems or processes come online, regulations change what you are required to secure, and new technologies and trends suddenly throw everything for a loop. Each one influences how and what you provision.
If you do nothing else, make sure that however you provision, re-provision and de-provision users, you do it in an entirely unified and consistent manner, with an emphasis on configuration, not customization.
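The three sections above (a single source of truth, configuration over customization, and unified provisioning, re-provisioning and de-provisioning) can be made concrete with a small reconciliation engine. The example below is added here and is not code from the article or from any vendor it alludes to; the role names, target systems, user records and the manually granted entitlement are all constructed for illustration. The point it shows is that when the desired state is derived from one identity record plus a declarative role map, joiner, mover and leaver events all flow through the same code path, and anything held outside that path surfaces as an auditable orphan.

```python
"""Configuration-driven provisioning, as an illustration of the article's advice.

One identity record (the source of truth) plus one role-to-entitlement map
determine the desired state; a single reconcile step turns that into grants and
revokes, whether the user is joining, changing roles or leaving.
Added example; all roles, systems and users are constructed, not real.
"""
from dataclasses import dataclass

# Configuration, not customization: which entitlements each business role needs.
# Constructed sample; a real deployment would load this from a governed file.
# Each entitlement is (target_system, permission_or_group).
ROLE_ENTITLEMENTS = {
    "engineer": {("git", "developer"), ("jira", "user"), ("vpn", "standard")},
    "finance":  {("erp", "ap-clerk"), ("jira", "user")},
    "helpdesk": {("ad", "password-reset"), ("jira", "agent")},
}


@dataclass
class Identity:
    """The single source of truth for one person (constructed HR-style record)."""
    user: str
    roles: set[str]
    active: bool = True


def desired_entitlements(identity: Identity) -> set[tuple[str, str]]:
    """Target state derived only from the identity record and the role map."""
    if not identity.active:          # de-provisioned users are entitled to nothing
        return set()
    wanted: set[tuple[str, str]] = set()
    for role in identity.roles:
        wanted |= ROLE_ENTITLEMENTS.get(role, set())   # unknown role grants nothing
    return wanted


def reconcile(identity: Identity, current: set[tuple[str, str]]):
    """Return (grants, revokes) that move `current` to the desired state.

    The same function covers join (current is empty), move (roles changed) and
    leave (inactive, so desired is empty): one code path to test and to audit.
    """
    desired = desired_entitlements(identity)
    return sorted(desired - current), sorted(current - desired)


def apply(identity: Identity, current: set[tuple[str, str]], audit: list):
    """Apply the reconcile result to the (in-memory) target state and log it."""
    grants, revokes = reconcile(identity, current)
    for ent in grants:
        current.add(ent)
        audit.append(("grant", identity.user, ent))
    for ent in revokes:
        current.discard(ent)
        audit.append(("revoke", identity.user, ent))
    return grants, revokes


def find_orphans(identity: Identity, current: set[tuple[str, str]]):
    """Entitlements held that no current role justifies: what an audit would flag."""
    return sorted(current - desired_entitlements(identity))


def run_lifecycle():
    """Joiner, mover and leaver for one constructed user; returns state for checking."""
    audit: list = []
    current: set[tuple[str, str]] = set()
    alice = Identity("alice", {"engineer"})
    apply(alice, current, audit)          # joiner: three grants

    alice.roles = {"finance"}
    apply(alice, current, audit)          # mover: keeps jira, swaps git/vpn for erp

    current.add(("erp", "admin"))         # a hand-granted right outside the process
    orphans = find_orphans(alice, current)

    alice.active = False
    apply(alice, current, audit)          # leaver: everything revoked, orphan included
    return current, orphans, audit


if __name__ == "__main__":
    final_state, orphans, audit = run_lifecycle()
    for entry in audit:
        print(*entry)
    print("orphans flagged before leave:", orphans)
    print("entitlements left after leave:", final_state)
```

Note the design choice: the leaver step does not need to know what was granted or why; because the desired state collapses to the empty set, every entitlement, including the one granted by hand, is revoked by the same reconcile logic. Adding a new target system is a change to the role map, not new connector code.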
Put the Business in Charge
One of the biggest roadblocks to successful IAM projects is the dependence on IT to do everything. After all, who else knows how to provision an account, set up rights within a system, or find the information required for an audit? But while IT knows how to do those things, it’s the line of business that’s accountable if something goes wrong. Newer IAM solutions are built with a focus on the business, as opposed to IT.
When the line-of-business is making decisions on who should have access to what – and when they are actually able to make that access happen on their own (provisioning) – everything gets easier. IT doesn’t have to be involved in everything, an audit is more likely to be painless, and security will increase.
Automate and Enable
Most IAM projects are focused on making something easier for someone. Whether that’s reducing the provisioning workload on IT (see above), streamlining login (single sign-on), or enabling users to reset their own passwords, the ability to automate previously cumbersome processes is the big selling point for most projects. But automating a complex, fragmented, and IT-centric IAM approach doesn’t yield the benefits of true automation with a focus on the business and unification.
Manual processes are the death knell of a successful IAM project just as much as customization is. As you address the points above, look for places where automation can save time and money. Automation also decreases the chances for errors and can enable the line of business and end users to do many of the things they should do, but have always relied on IT for.
Always Look Forward
Much of the trouble with IAM projects is that they deal with a static situation at a specific point in time and can’t adapt to the constantly evolving world of users, access needs, compliance demands, and security threats. Many failed IAM projects were humming along quite smoothly until Bring-Your-Own-Device (BYOD), or SaaS, or virtualization were thrown into the mix. The inability to adjust to new technologies, new user demands, and the latest trend inevitably leaves a project lacking.
When evaluating solutions, approach from a “what if?” mindset as much as possible. While you can’t predict everything, a simple internal dialog on how a particular solution will or will not work with other solutions already deployed, their “cloud-readiness,” and their approach to newer trends like BYOD is a valuable undertaking. An adherence to industry standards is a good baseline in these decisions.
It can be done. There are happy endings, and the number of successful IAM projects grows each day. I’ve personally been involved with companies that were in the fifth year of their two-year IAM project, were severely over budget, and were sorely lacking in value or results. A simple shift in mindset, a focus on unification and the business, with an avoidance of siloed security and customizations, can result in a successful IAM project. One energy company realized in 14 weeks the value that an “old school” project failed to deliver in more than three years. Another reduced helpdesk costs by more than a million dollars a month. And a third was able to rapidly and securely adopt both a controlled and secure BYOD policy and a move to new SaaS applications and services without disrupting operations or adding complexity or new customizations.
IAM is an important component of any successful security program, one that can bring security managers additional organization, automation and peace of mind.