My numerous years of information security leadership experience at large organizations have helped me become a well rounded IT security professional. Therefore, you probably wonder why I spend so much time talking about identity management software over other security technologies. As hard as I try to stress other areas of security, the “Identity” continues to be the ultimate endpoint of conversation. Think about it… An identity leads to an account… An account leads to access… Access leads to inappropriate actions, breaches and most other security topics. Ultimately, the "Identity", even when the identity relates to a service account, is what gains access to data/information and causes accidental or malicious harm.
Because of this identity/access synergy, I think all IT departments should be strategizing around identity management investments more than any other security investment in their organization. The rate of breaches, or at least the disclosure of breaches, is increasing and the entire business is finally awakening to information security risks. Expending financial and resource efforts on implementing buzzword security tools might not be the wisest decision if your existing identity management program is ineffective.
CIOs should not be complacent thinking that past investments in identity and access management (IAM) are keeping their organization secure. Business processes and corresponding technology implementations are constantly changing. As a result, identity management needs to be a continuous program that monitors business changes and how those changes impact security operations. Organizations must provide relevant resources to support and adapt the technology to keep up with business needs. When IT fails to invest in their IAM infrastructure, it tends to become dated and ineffective. This eventually leads to the painful and costly decision to either scrap it and start over or drain the budget with considerable enhancements to get it effectively running again.
Think about risk when deciding on information security investments
Successfully controlling an identity can help offset the need for other security technologies as well. Therefore, risk management methodologies should be applied when deciding what technologies should be purchased in your organization. A simple question to ask is…
“If I control new account creation, quickly delete access to terminated workers, successfully audit existing access and control passwords, will that reduce risk more than implementing "X" technology?”
Example: Let’s say your security team is lobbying to install an enterprise data loss prevention (DLP) solution, because employees with inappropriate access or terminated employees with active accounts are stealing data. Does it make sense to Band-Aid the access problem with DLP? Wouldn’t control over accounts and their corresponding access be a more effective way to reduce risk? You need to understand your risk points to successfully answer this question, and hopefully you understand that risk reduction should be the deciding factor on where money is spent on security solutions.
Let’s throw security out the door for a second. Identity management solutions enable business capabilities outside of just access requests. Providing employees a single interface to request and automate the granting of any "assignment" they require dramatically improves operations. I say "assignment" because the latest IAM solutions provide shopping cart interfaces that allow for requesting access, assets, services, opening tickets and just about everything else an Identity needs to perform their duties. Today’s IAM solutions do all this while utilizing workflows to securely obtain approvals before granting an assignment.
To sum up, take a second look at your security plans over the next year and re-evaluate the benefits of those investments in terms of risk reduction. You may find that applying more focus on managing identities will provide the greatest return on your security and operational investment.
Learn the role IT automation and business driven self-service administration play in creating lean operations. KuppingerCole’s Assignment Management — Think Beyond Access describes the shift in IT operations from tightly controlled identity management processes to workflow enabled administration.