


Managing identity and access management in uncertain times

Jan 07, 2019 | 8 min read
Topics: Access Control, Application Security, Identity Management Solutions

Emerging standards and frameworks such as Gartner CARTA, Zero Trust, NIST SP 800 and IDSA provide guidelines, but how organizations manage identity and access management in 2019 is what matters most.


If we remember one thing from 2018, it is that we are all victims now through one breach or another. Every day, we hear more news about another data breach affecting millions of users with significant financial and reputational consequences to its victims. With massive breaches like Equifax, Facebook, Deloitte, Quora and Yahoo, it is clear that breach notification services and multi-factor authentication (MFA) are not enough to prevent the next data breach headline from appearing in tomorrow’s newspapers.

Organizations have started thinking holistically, and rightly so, about risk and approaches to security using frameworks such as CARTA, Zero Trust, NIST SP 800 and IDSA. These frameworks offer progressive thinking and valuable approaches to modern identity strategy, but there is no one size fits all. These frameworks are akin to buying furniture from IKEA: assembly required, but with a lot more complexity and a lot more at stake.

What’s wrong with IAM?

In 2017 I wrote about 3 ways to improve the security of identity and access management, where I identified some of the critical vulnerabilities in today’s IAM landscape. The risks represented by end-of-life IAM systems, provisioning silos, weak architecture and failure to focus on end-to-end experiences are not well understood or discussed often enough. The problem is that on-premise IAM solutions were driven by conformist and reactionary approaches to IT service management, such as single sign-on, centralized policy and log management. Cloud computing and SaaS largely disrupted on-premise IAM, and changing business models resulted in a predictable decline of the benefits realized over time as on-premise assets atrophied.

Management and operations, adjacent disciplines within IAM, come with their own set of risks. Developers can integrate and automate all the things until the cows come home, and they often do with transformative results on business enablement and operational efficiency. However, until business leaders begin to address the underlying issues – IT being managed in stakeholders’ interests and run as a personal fiefdom – the risk of devastating data breaches will grow unabated.

Frameworks and guidelines

Modern frameworks and guidelines for IAM and security help to mitigate some of the business risks through documented best practices and fundamentals that focus on the people, process and technology aspects of an IAM program. Alliances and working groups help to accelerate the innovation lifecycle and democratize the security models and strategies that enterprises can easily adopt.

Zero Trust security

The Zero Trust security model has been with us for years but has only recently become popular in the wake of high-profile breaches. As businesses increasingly rely on 3rd parties and contractors, Zero Trust security acknowledges that controlling access through legacy perimeter-centric models is no longer effective.

Initially developed by John Kindervag in 2010 while at Forrester Research, Zero Trust advocates flipping the default Allow state of access control policies to default Deny rules instead. In short, Zero Trust is the model whose primary aim is to never trust, always verify.

Zero Trust can be an effective way to block unauthorized access but pushes responsibility to administrators to define and manage granular access policies on behalf of their organization. Though continuous authentication is one aspect of modern IAM, it requires more administrative overhead in policy management and enforcement, which itself can result in unexpected access risk and overprivileged access if not managed effectively.

Gartner CARTA

Not surprisingly, Gartner came out with a framework of its own called CARTA – Continuous Adaptive Risk and Trust Assessment. CARTA is a broad risk management framework that compensates for the complexities of implementing Zero Trust by layering threat intelligence, context-awareness, continuous monitoring, automation and behavioral analytics to name a few.

CARTA can be a valuable framework for defining and implementing a broader cloud security strategy. Integrating and uniting preventative, detective and predictive controls with machine learning and artificial intelligence is not typically the purview of IAM vendors, but leading Cloud Access Security Brokers provide these capabilities to allow unprecedented visibility and risk management through APIs, log ingestion and analytics.

Risk is not binary. Therefore, Deny by Default will obviously not work everywhere. Leveraging security strategies imbued with CARTA philosophies might help some organizations to improve their security posture in less time and with less friction.

NIST SP 800 series

According to the NIST website, “SP 800 publications are developed to address and support the security and privacy needs of U.S. Federal Government information and information systems.” The 800 series publications were updated in July 2017 to include guidelines on digital identity management, identity proofing, strong authentication and password policies among others.

The finalized set of recommendations later became known as the Digital Identity Guidelines. The guidelines recommend higher-assurance authentication, including the use of MFA; recommend that companies favor long password phrases over a forced mix of letters and special characters (although that was revised in 2018 to require a minimum of 8 characters, and to state that passwords should be reset only when they are forgotten); and require the screening of new passwords against lists of weak or compromised passwords.
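As an added illustration (not from the article), the following Python check encodes the guideline points just summarised: a minimum of 8 characters, long passphrases accepted without composition rules, and screening of each new password against a constructed list of compromised passwords. The 64-character ceiling and the sample compromised list are assumptions made for the example.

```python
import unicodedata
from typing import Tuple

MIN_LENGTH = 8
# Assumption for this example: a generous ceiling so long passphrases are not rejected.
MAX_LENGTH = 64

# Constructed sample of known-compromised passwords; a real deployment would
# screen against a breach corpus rather than a hand-written set.
COMPROMISED = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def normalize(password: str) -> str:
    """Apply Unicode NFKC so look-alike inputs (e.g. fullwidth letters) compare
    equal to their ASCII forms. Inner spaces are kept: passphrases may contain them."""
    return unicodedata.normalize("NFKC", password)


def check_password(candidate: str, compromised=COMPROMISED) -> Tuple[bool, str]:
    """Return (accepted, reason). There are deliberately no composition rules
    (no required digits, uppercase or symbols): only length and a
    compromised-password screen decide acceptance."""
    pw = normalize(candidate)
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if pw in compromised:
        return False, "found in compromised-password list"
    return True, "accepted"


if __name__ == "__main__":
    for sample in ["correct horse battery staple", "short", "password", "ｐassword"]:
        print(repr(sample), check_password(sample))
```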

Many NIST guidelines become the de facto standard for best practices in identity management and cybersecurity, even within private sector companies that are looking to strengthen their security posture and protect against common attack vectors. Having an IAM strategy that is “aligned with NIST Digital Identity Guidelines” tends to earn credibility and brownie points with senior management.

Identity-defined security alliance

Today’s multi-cloud and heterogeneous computing environments require that security leaders take an ecosystem view of their identity and security strategies. Through the Identity Defined Security Alliance (IDSA) any organization can access the proven frameworks, best practices and packaged integrations to reduce risk and accelerate results.

Led by Ping Identity and Optiv, “The IDSA was created to help organizations recognize the importance of bringing identity and security together, reducing the risk of a breach through identity-centric security strategies,” according to the IDSA website.

Robert Block, Executive Services Director at Optiv, explains “Optiv is proud to help the Identity Defined Security Alliance develop and execute a plan for companies to better integrate next-generation identity solutions into their environments.”

While there are merits in each of these frameworks, the devil is in the details. Tactics and execution are more important than ever. No framework is perfect and blind faith in them can result in a fatally false sense of security.

Imperative for 2019: Upgrade your culture

In 2016 I wrote that “Within every organization, the values and people that shape the culture will ultimately affect how IAM is directed and managed.” Therefore, to improve how businesses and their investments in IAM are managed, we must first upgrade our values and invest in people and culture development.

In many organizations, the org chart is a hierarchical pyramid. This top-down approach results in employees specializing in their areas (e.g., infrastructure specialist) and being pigeonholed, where they become loyal to their departments and power becomes concentrated.

In a heterarchical or flat organization, the concentration of power is removed, and teamwork can be significantly improved when departmental lines are erased. To improve how we manage IAM – and to mitigate hidden organizational risk – barriers to multidisciplinary collaboration and shared purpose must be removed for the greater good.

Executive challenge

I posit that weak and compromised credentials have never been the leading cause of data breaches. That just so happens to be how cybercriminals get into your network, i.e., right through the front door. The major shortcoming in business today is the fixed mindset of security leaders (e.g., “This is my security strategy for 2019, so I’m set.”) and the naïve assumption that “I have MFA enabled, so I’m protected.”

To drive profitability while delivering safer online experiences, business and security leaders must raise the bar and hold themselves accountable to higher standards. Good enough usually isn’t. It isn’t good enough for hackers, so why should it be for you? (It was good enough for Deloitte, but we know how that chapter ends.) A fixed mindset isn’t good enough for hackers, so why should it be for you?

I challenge every business and security leader to take the following pledge: “I am not going to do this thing just one time, but on a consistent on-going basis will strive to improve X, Y and Z, not just to improve shareholder value (which it will) but to do the right thing for my customers and help make the world a safer place.”

Today’s security leaders must see change and adaptability as the only survival strategy. Key concepts of modern frameworks, such as context-awareness, adaptiveness, continuous and proactive assessment, automation, visibility, detection and prediction, will all have a permanent place in the CISO’s vocabulary. However, so should heterarchy, growth mindset, self-disruption and non-conforming innovation.


Steve is obsessed with helping transform business by building trust, reducing operational risk and improving user experiences with modern identity & access management. Founder & President of Forte Advisory, he has been a member of the IAM community for 18+ years with a focus on program management, enterprise architecture, and operational excellence for the world’s largest companies in telecommunications, financial services, high tech and Big 4 consulting.

Steve was formerly CEO of VeriClouds and a Director of Cybersecurity & Privacy at PwC. Prior to PwC, he was the head of IAM at VMware (one of the four largest enterprise software companies) where he designed and managed customer and partner facing systems. Prior to joining VMware, Steve was a consultant at Oracle where he led deployments for strategic accounts in the manufacturing and high tech sectors.

As an advisory board member, Steve has helped founders with the development of strategic relationships, business development, market and capital strategy, product design, and channel and sales strategies. Startups he has helped include Seattle-based VeriClouds, and Palerra, the leading cloud access security broker and pioneer of the API-based CASB solution. (Palerra was acquired by Oracle in October 2016.)


The opinions expressed in this blog are those of Steve Tout and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.