Security leaders can unite the business around identity

Success in security depends on working with others. Getting their support on key initiatives to better protect what matters.

How do you do that?

I recently talked with Kevin Cunningham (Linkedin), President & Co-Founder, SailPoint about the challenge for security leaders to connect with others and get support. With an impressive background that includes founding and marketing Waveset and then co-founding and leading Sailpoint, Kevin understands the importance of getting others on board with your mission.

We started our discussion with an acceptance that the perimeter approach isn’t working. SaaS adoption continues and is increasing. And while the expansion of business is great for us; it’s also good for attackers, too.

That creates a unique pressure on identity. It is the common line – especially as more of our systems are outside of our non-existent perimeter. It creates a need to know how to manage the identity and to better control access.

Kevin explains the details below.

How does identity create an opportunity to bring security and the business together?

Historically, the business side of an organization has viewed security programs as a hindrance – something that at best must be tolerated (and in the worst of cases, ignored), in the interest of more pressing business needs and priorities. To be fair, an over-zealous security program can limit the productivity of business users. But at the same time, a program that is too lax puts the organization at risk. The key is to strike a balance – to minimize the impact to (or even boost) the productivity of business users while managing risk to an acceptable level for the organization.  

A sound Identity management program provides security teams the opportunity to strike this balance.  The reality is that security needs business participation in the management of identity.  It’s the people in the line of business who are doing the hiring and transferring of people, forming relationships with strategic partners, doing mergers and acquisitions, etc. Those people know better than IT who should have access to what. But security must make participation in these processes E-A-S-Y and beneficial. Business people have little tolerance or time to learn new skills just to help the security team.

The key for security groups is to provide visible benefit to the business, while at the same time enforcing the security needed to manage risk. Examples of these benefits include self-service capabilities for gaining access to applications and managing their own passwords, as well as streamlining the onerous task of reviewing access privileges (as many organizations are required to do periodically). An effective identity management program delivers these benefits to the business while at the same time allowing for the behind-the scene controls that manage risk to an acceptable level for the organization. In this way, the effective management of identities can be viewed as a business enabler, as opposed to a hindrance.

It seems this is a second (or third) chance for a lot of companies. Is it getting easier to tackle identity projects?

Managing identities is one of those things that appears straightforward on the surface, but can be extremely complex once you dig under the covers. In complex environments, it’s not unusual to find hundreds (if not thousands) of applications – each with their own security models and many different types of users (employees, contractors, business partners) with very specific access needs. And these users are fluid: new people are coming on board all the time, people are changing jobs, people are leaving an organization, mergers and acquisitions are occurring, and business partnerships are created and dissolve. There are lots and lots of moving parts to be managed on a continuous basis. And rarely is the same person represented in all these systems by the same user ID. So it’s not surprising that some companies struggle mightily with an effective identity management program.

In my years of experience, the biggest differences between those that are highly successful, and those that continue to struggle year after year, break down into three categories: people, process and technology. Identity Management programs that are successful are typically led by strong individuals who have backing at a very high level in the company. Missing either of these elements, and the distributed nature of the identities across the enterprise means an uphill battle.

As far as processes go, I’ve seen several people take the approach of “paving the cow path,” that is automating existing (and outdated) processes with an automation tool.  What you can end up with can be an automated mess.  Successful identity projects take a hard look at existing processes and examine whether there are changes required to modernize or streamline. And lastly, the technology chosen can have a significant impact on the outcome of an identity program.  It’s imperative to understand underlying architecture. (i.e. How was the solution built? Through acquiring and knitting together multiple solutions or designed from the ground-up in a purposeful manner?)  Ensuring that the solution is well architected is key to avoiding an identity management nightmare.

Security leaders realize they can’t be the team of no. How can they navigate the complexity of identity while meeting business needs?

First and foremost, security leaders and teams must accept that the business will continue to evolve and adopt new technologies – with or without their involvement. The migration to the cloud and SaaS is happening and BYOD is a fact of life in most organizations. So there’s no sense in pushing back on these initiatives. Instead, security teams should find ways to facilitate new technology adoption in ways that allow them to partner with the business on this journey.

A centralized identity management strategy provides the security team with the ability to facilitate the deployment, adoption and management of these new technologies. With this kind of partnership, everybody wins. The business gets a set of automated capabilities that allow them to easily onboard users to these new technologies, manage them over time, and provide powerful self-service capabilities for password management and access request – all big gains for the business.  At the same time, the security team gains the visibility, policy enforcement, and control over these new technologies.

The key is taking the time upfront to explain the value proposition to the business stakeholders. It’s a frank conversation they will enjoy.

Why is a centralized viewpoint of identity essential in the our current landscape?

We live in a time of openness and collaboration, which is good for business. It allows companies to expand and grow – both organically and inorganically. More and more companies are embracing broad information sharing both internally and with business partners. At the same time, from a security perspective the physical network perimeter has disappeared.  People are using their own smart phones, laptops, and tablets to access corporate assets and more and more of these assets are cloud-based – beyond the protection of the corporate firewall. Often one’s identity is the only common element linking all this together, so managing it effectively is of paramount importance.

At the same time, the threats have never been greater or more sophisticated. For example, Google recently reported that they experience 4,000 state-sponsored cyber attacks per month. The dark web is full of identities for sale that have been stolen by organized criminals. For most companies, the time to detect an attack hovers around 150 days. The longer an attacker lingers in the network, the more time they have to move around and steal information. Oftentimes, an attacker achieves this with compromised identities.

Each department within the organization should care if they’re creating risk. And that caring comes through education and a culture of security that’s created by security teams and executive leadership together.

What does it take to check your current approach and get started on the path to better identity management?

It all starts with self-assessment. As a security leader, ask yourself these simple questions: Does my organization have an understanding of who has access to what? Do I know whether it’s appropriate given their relationship to my business (be they employee, contractor or customer?) Do I have a way to enforce controls and security policies over access at an enterprise level? And how do I manage identities over the course of a user’s life cycle with the organization?

If I’m a security leader and I can’t answer these questions adequately, I need to take this to executive leadership and admit, “We can’t quantify what our risk profile is.” Visibility is key – and that’s where you want to start. Once you have centrally gathered identity information from your applications (new and legacy), databases, directories and other enterprise resources, you can start to apply the necessary controls and process automation across its management.