Considering a new identity management solution? Making sure the new solution fits with your current technology is a key selection criterion. Many vendors will tell you that their product will easily integrate with your systems. How do you conduct due diligence on these claims and ensure you make a wise purchase decision? Use this article as a resource to guide your technical compatibility assessment.
Assess Your Current Identity Management Arrangements
Before you head to the market to seek a solution, pause to understand what you currently have in place. You may discover that identity management practices vary within the organization. One department may be managing identity and users through spreadsheets. On the other hand, technically savvy departments may have some level of automation in place. To assess your identity management maturity, use the following questions:
- Reliance on manual processes. To what degree does the organization rely on manual efforts and techniques to carry out identity management?
- Audit. Are there any audit findings or observations related to identity management? Read “Will Your Vendor Selection Process Stand Up To Audit?” for additional insight on IT audit and identity management.
- Policy. Does the organization have a written policy describing identity management requirements?
- Currency. Are all departments and/or managers reviewing identity arrangements annually (or on the schedule specified)?
- Supervision over super users. What processes are in place to limit and supervise “super users” such as IT administrations and security experts?
- Systems Coverage. What internal and external systems are currently covered by your identity management process?
Tip: Do you have an IT auditor or technology procurement professional on staff? If so, consider inviting them to provide input in the identity management vendor selection process.
Develop Technical Compatibility Methodology
Now that you understand your current situation, you can design a technical compatibility assessment. The details provided assume that you are running a large and complex company. Scale down the process if you are in a small company or operate in a lightly regulated field.
What to Look For:
1. Compliance with company technology policies
If you adopt an identity management solution, it should help you implement your IT policies. You may find that your technology policies and procedures leave something to be desired (e.g. they lack measurable controls). If you have weak policies or controls, assessing technical compatibility will be more difficult.
Resource: If you have a large number of IT policies, use the 80/20 principle to focus on the most critical policies during this testing. For example, focus on the policies that are referenced most often by your IT auditors.
2. Compatibility for company operating systems
More likely than not, your company has multiple operating systems in place. Your desktop users may be on Windows while other systems run on Linux. Create a full list of operating systems in place at your company. Next, check that list against the technical capabilities of the identity management software you are considering.
3. Degree of customization required
“Customization” is a dangerous word in IT implementations. While flexibility is nice in theory, there’s a big difference between a project lasting weeks or months. To assess how much customization is needed, ask to speak with past customers who are similar to your business.
Tip: Are you planning out a significant update to your cybersecurity program? In that case, expect that you may require more extensive customization.
4. Compatibility with your directory service
Does your company use Microsoft Active Directory? Or Radiant Logic RDS instead? Carry out technical testing to verify that your directory system will easily work with your identity management solution. If this step is skipped, your IT staff may have to create expensive manual workarounds.
5. Assess encryption capabilities
Your approach to encryption management can make the difference between a hack attempt and a successful hack. Verify how the identity management software provider protects encryption keys. For instance, rotating encryption keys is one process you can use to reduce the risk of inappropriate access.
6. Assess the company’s approach to internal identity and password management
Does a company practice what it preaches in the area of identity management? If you are going to trust an important part of your cybersecurity to a company, it’s only fair to question their process. For example, does the company “embed” passwords on third party websites or services like Github? It may sound like a simple mistake, but it was a problem for Uber. Wired reports the details:
According to Bloomberg, Uber’s 2016 breach occurred when hackers discovered that the company’s developers had published code that included their usernames and passwords on a private account of the software repository Github. Those credentials gave the hackers immediate access to the developers’ privileged accounts on Uber’s network, and with it, access to sensitive Uber servers hosted on Amazon’s servers, including the rider and driver data they stole.
7. What types of multi-factor authentication are supported?
Relying on a single username and password to protect critical systems is passé. Do you use RSA tokens? If so, the identity management solution you select will need to track these assets. In our view, lack of multi-factor authentication support is a deal breaker.
8. Can you calibrate the notifications you receive?
If you force users to wade through dozens of notifications each day, two problems are likely. First, they are liable to start ignoring your identity management notifications. Second, they may start to resent the person who chose this annoying system! Test how the identity management product’s notifications settings can be tailored to suit your environment.
Technology is Only One Part of the Puzzle in Identity Management Success
Assessing technical compatibility is one part of the identity management selection process. Ask about training and automation as well. A technically brilliant solution that takes hours to use serves nobody well. You may also want to assess whether the company has experience in your industry.
Key management is the biggest pain of encryption (CSO Online)
Managing The Technology Procurement Process (Benesch Attorneys At Law)