With all the different identity management tools and options on the market, how do you make smart choices? One approach is to compare your company to industry standard benchmarks. With that approach, you’ll have peace of mind that you’re not simply guessing as you try to improve your security program.
Introducing Identity Management Standards
While these documents are not thrilling to read, they can be useful in helping you detect blind spots and other weaknesses in your identity management systems and strategy.
- Open Identity Exchange (OIX)
This trade organization publishes papers and organizes specific projects to advance identity management. A recent project, for example, focused on using bank credentials as an authentication mechanism. It’s a process that some Canadian companies are using already. You can use bank login credentials to log into your account at the Canada Revenue Agency (the Canadian equivalent of the IRS). OIX has the advantage of participation from major organizations including Microsoft, Google, and HSBC.
- OASIS
In contrast to OIX, OASIS focuses on a broader range of information security and has published numerous standards. Regarding identity management, you will find standards such as Electronic Identity Credential Trust Elevation Framework Version 1.0, Identity Provider Discovery Service Protocol and Profile, and other standards looking at biometric issues. OASIS is an excellent resource if you are seeking technical standards that have already been voted on and approved by security professionals. The documents for the standards are available for free online.
Tip: As a manager, you might be looking for opportunities to help your cybersecurity staff think more broadly. In that case, encourage them to look into professional organizations, such as OASIS and ISACA. These organizations offer excellent leadership opportunities to security professionals looking to grow.
- Identity & Access Management (NIST)
Best known as a creator of scientific and technical standards, NIST has also published a few standards related to identity management. For instance, NIST published a guide to Role Based Access Control in 2007. If you are based in the US federal government or want to understand the expectations of that sector, we recommend reading “Digital Identity Guidelines” (published in Dec 2017) as a foundation. There are helpful mental models in the guidelines, including a three-tiered approach to identity assurance.
- University of Toronto Identity Management Standard
Reviewing university standards is helpful for a few reasons. With tens of thousands of students, faculty, and staff, the University of Toronto standard has an impact comparable to that of a standard at a large firm. It’s also helpful to see how they describe and package identity management. In this organization’s case, you can also see the identity management controls they have in place. These controls include request and approval controls, access reviews, and data retention (they must retain ID reviews for 24 months). Use this resource if you are interested in improving your controls further.
Resource: Worried about an upcoming identity management audit? Read our “How To Prepare For An Access Governance Audit” article for tips on how to get ready.
- Your Company’s Identity Management Standards
Yes, you should consider your company’s identity management standards as part of the landscape. In our experience, larger companies and those operating in highly regulated industries tend to have a dedicated identity management policy. Otherwise, the company might cover identity management as a section within a broader cybersecurity policy. How do you know if your identity management standards are sufficient? That’s what we will turn to next.
How to Use Identity Management Standards to Improve Your Security
Discovering all the various identity management standards on the market is insightful, but how does this information help you? The answer depends on your role. If you are a cybersecurity specialist with an interest in identity and access management, you might decide to explore the topic out of professional curiosity. That approach could help you discover gaps in your company’s current policies and methods. Alternatively, you might be looking for something simpler as a manager. We will assume you are looking at identity management from a management standpoint.
To use these standards, follow these steps.
- Identify your cybersecurity weaknesses and strategy
You don’t have to spend weeks going through identity management standards to get value from them. Instead, start with your organization’s cyber strategy and known weaknesses. If your company has recently grown through acquisition, you might have gaps in applying uniform security processes throughout the organization. Alternatively, you might have gaps in staff training and follow-through; many organizations do.
As you go through this review, ask yourself if weak identity management is a contributing or primary driver for your security problems.
- Review your identity and access management framework
Find a copy of your organization’s identity and access management framework. Note that your company might call this by a variety of different names: an identity management policy, access governance policy, etc. Even a one-page statement of your company’s security standards might cover identity management in part.
- Describe your identity and access management processes and tools
By this stage, you have reviewed the high-level policy and governance for identity management. Now, you will need to review the processes and tools. We suggest asking whether your approach to identity management is mostly manual or mostly system-driven. Manual processes are common, but they hurt productivity and tend to have ineffective documentation.
- Discover improvement opportunities in identity management
At this stage, it is time to do some analysis. Compare your cybersecurity plan and identity management document to the standards we covered earlier in this article. You might have gaps regarding controls (or the systematic enforcement of controls you already have in place). To fully achieve identity management best practices without blowing your budget, use tools like Compliance Auditor. It automatically tracks requests and speeds up the entire identity management process.
Finally, you will need to make decisions about where to invest your security resources. That could include using Compliance Auditor and offering additional training to select employees on identity management.