Fully charged, we’re back from the Gartner IAM Summit in Las Vegas. Looking to the New Year, it seems appropriate to comment on risks. The keynote speaker, Ant Allan, spoke on “Managing Identities and Access in a Digital World.” Speaking frankly, the Gartner IAM Summit wasn’t our introduction to this message. The presentation recommended guidelines similar to those in other Gartner keynotes this year, namely Peter Firstbrook’s description of the “Six Principles of Resilience to Manage Digital Security” and Earl Perkins’ “Manage Risk and Deliver Security in a Digital World.”
We appreciate analysts sharing research. Their collaboration leads to synthesis and insights into IAM’s drivers and risks. Groupthink isn’t the problem. Rather, regardless of the messenger, our reaction was the same: while we stand behind the principles, why stop there? We’re ready to offer answers.
In laying out the characteristics of resilience, there are two aspects to each principle, and each requires two actions: an action to start and an action to stop, or unlearn. With businesses rapidly changing, IT must abandon antiquated models and thinking. Under such pressure, unlearning can be harder than learning. It involves divesting from familiar practices and adds value where previously absent. Unlearning is necessary for problem solving, innovation, creativity, resilience, and survival.
Let’s divide the principles into actions to stop and those to start. In the matrix below, the principles of resilience are grouped by action: practices to unlearn and Stop, and new ones to adopt and Start. The six principles and their behaviors are:
| # | Stop | Start |
|---|------|-------|
| 1 | Focusing on Check Box Compliance | Risk-Based Decision Making |
| 2 | Solely Protecting Infrastructure | Supporting Business Outcomes |
| 3 | Being (Merely) a Defender | Facilitating Operations |
| 4 | Trying to Control Information | Enabling Information Flows |
| 5 | Viewing Technology as the End | Becoming People-Centric |
| 6 | Trying to Perfectly Protect | Investing in Detection and Response |
Principle 1: Risk Culture
Guideline: Stop focusing on checkbox compliance, and shift to risk-based decision making.
Companies that were victims of this year’s biggest breaches were also compliant. Compliance does not make an organization secure. Nor does it secure operations. Compliance represents an audit baseline.
To encourage risk-based decision-making, start by developing a security culture. Along with awareness, business users must be able to assess risks. Reduce risks by engaging business users in IAM requests, approvals, and governance.
Principle 2: Outcome Focus
Guideline: Stop solely protecting infrastructure, and begin supporting business outcomes.
Typically, information security investments focus on protecting enterprise infrastructure. However, a well-fortified infrastructure alone does not secure a business. To elevate security, you must protect whatever the business cares about.
Moving from an infrastructure focus to supporting business outcomes takes alignment. It takes strong partnerships between operations and business units. To protect identities, organizations must immediately respond and continuously adapt to threats.
Principle 3: Better Facilitate
Guideline: Move from defender to facilitator, balancing protection with delivering business outcomes.
As gatekeepers and defenders, IT’s foremost mission is protection. In the digital age, IT must assume a risk advisor role. To achieve business outcomes, organizations must navigate evolving security risks.
In balancing protection with enabling outcomes, IT must effectively facilitate operations. Facilitation involves gauging acceptable security for access and provisioning requests. IAM systems assemble risk profiles for users, their access, and their requests.
Principle 4: Make Workflow
Guideline: Stop trying to control information flow, and start understanding how information flows and the risks involved.
With cloud and SaaS adoption, less information flows within the firewall. Effective risk management means understanding workflow and providing controls. To apply security, managers and auditors need visibility into all IAM requests.
Hybrid workflow requires attribute-based access controls. IAM access controls determine where information resides and who can access it. By providing visibility, identity management adds flexibility and security to enterprise operations.
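To make the attribute-based, risk-profiled access decisions described under Principles 3 and 4 concrete, here is an added example of a small ABAC policy decision point. It is not code from the original post or from any IAM product; the rule names, the attribute names (department, clearance, classification, network), the risk-signal weights, and the sample users and documents are all constructed for illustration. It uses deny-overrides combining, default-deny when no rule matches, and downgrades a permit to a step-up authentication requirement when the environment's risk score is high, which is the kind of decision a manager or auditor would want to see recorded for every request.

```python
"""Attribute-based access control (ABAC) decision point with a risk signal.

Added example: not the page's or any vendor's code. Attribute names,
rule names, risk weights and sample data are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Ordered sensitivity levels (constructed); a subject's clearance must be at
# least the resource's classification for the department rule to permit.
CLASSIFICATION_LEVEL = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Rule:
    name: str                                   # recorded in the decision for audit
    effect: str                                 # "permit" or "deny"
    condition: Callable[[Dict, Dict, Dict], bool]  # (subject, resource, env) -> bool


@dataclass
class Decision:
    outcome: str                                # "permit", "deny" or "step_up"
    matched: List[str] = field(default_factory=list)  # rules that fired
    risk: int = 0                               # risk score used for the decision


def risk_score(env: Dict) -> int:
    """Constructed risk model: weighted sum of environment signals, capped at 100."""
    weights = {"new_device": 40, "off_network": 20,
               "unusual_hour": 15, "recent_failed_logins": 30}
    score = sum(w for signal, w in weights.items() if env.get(signal))
    return min(score, 100)


# Constructed policy. Deny rules are evaluated alongside permits; any deny wins.
POLICY = [
    Rule("disabled-account", "deny",
         lambda s, r, e: s.get("status") != "active"),
    Rule("restricted-offsite", "deny",
         lambda s, r, e: r.get("classification") == "restricted"
         and e.get("network") != "corp"),
    Rule("department-clearance", "permit",
         lambda s, r, e: s.get("department") == r.get("owner_department")
         and CLASSIFICATION_LEVEL.get(s.get("clearance", "public"), 0)
         >= CLASSIFICATION_LEVEL.get(r.get("classification", "restricted"), 3)),
]


def evaluate(policy: List[Rule], subject: Dict, resource: Dict, env: Dict,
             step_up_threshold: int = 70) -> Decision:
    """Deny-overrides combining with default deny and risk-based step-up.

    1. Any matching deny rule ends evaluation with "deny".
    2. If no permit rule matches, the result is "deny" (default-deny).
    3. A permit is downgraded to "step_up" when the risk score reaches the threshold.
    """
    risk = risk_score(env)
    permits: List[str] = []
    for rule in policy:
        if rule.condition(subject, resource, env):
            if rule.effect == "deny":
                return Decision("deny", [rule.name], risk)
            permits.append(rule.name)
    if not permits:
        return Decision("deny", ["default-deny"], risk)
    if risk >= step_up_threshold:
        return Decision("step_up", permits, risk)
    return Decision("permit", permits, risk)


# Constructed sample subjects, resources and environments.
ALICE = {"id": "alice", "department": "finance", "clearance": "confidential", "status": "active"}
BOB = {"id": "bob", "department": "engineering", "clearance": "confidential", "status": "active"}
CAROL = {"id": "carol", "department": "finance", "clearance": "restricted", "status": "disabled"}
LEDGER = {"id": "doc-1", "owner_department": "finance", "classification": "internal"}
AUDIT_REPORT = {"id": "doc-2", "owner_department": "finance", "classification": "restricted"}
ENV_CORP = {"network": "corp"}
ENV_RISKY = {"network": "public", "off_network": True, "new_device": True,
             "recent_failed_logins": True}

if __name__ == "__main__":
    for subject, resource, env in [(ALICE, LEDGER, ENV_CORP), (ALICE, LEDGER, ENV_RISKY),
                                   (ALICE, AUDIT_REPORT, ENV_RISKY), (BOB, LEDGER, ENV_CORP),
                                   (CAROL, LEDGER, ENV_CORP)]:
        d = evaluate(POLICY, subject, resource, env)
        print(f"{subject['id']:6} {resource['id']:6} risk={d.risk:3} -> {d.outcome:8} {d.matched}")
```

Every decision carries the rules that fired and the risk score it was made under, so the same record that drives the access decision can be written to an audit trail for approvers and auditors. Adding a new attribute (a data-residency region, for example) is a matter of adding a rule, not of changing the evaluator.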
Principle 5: People-centric
Guideline: Accept the Limits of Technology and Become People-Centric.
People-centric security forms a foundation for enterprise resiliency. While users remain vulnerable to phishing in spite of detection and prevention technologies, motivated people can overcome security limits.
People must be risk-aware and engaged to make the right decisions. They need tools to be accountable for security audits, approvals and governance. In becoming people-centric, adopt applicable security practices that are easy to use.
Principle 6: Detect and Respond
Guideline: Stop striving for 100% protection, and invest in detection and response.
Security breaches highlight a failure to detect and respond to attacks. This principle requires a profound focus shift. Response involves not only technology, but also the people supporting an enterprise.
Digital security recognizes that system compromises are inevitable. More than prevention, you need to detect compromises and react faster. IAM allows for detection, real-time alerts and the immediate termination of access.
Gartner’s researchers predict that by 2017, 50% of IT spending will occur outside of traditional IT department control. They note we are at an intersection of two extraordinary digital trends: the ongoing transformation of digital business and the ever-growing capacity and capability of adversaries.
With legal action against board members, information security is no longer seen as a technical problem. It is now considered a business problem. In this era, security leaders must empower businesses with solutions that mitigate identity and access management risks.
Get the Top 10 Identity Manager Migration Best Practices Workbook
Start your migration from legacy software with the Top 10 Identity Manager Migration Best Practices Workbook. Use this workbook to think through your information security risk before you transition to next generation identity manager software.