ESG360 Video: Who Owns Identity and Access Management (IAM)?

Mobility and cybersecurity. While those two areas may have very different roles inside an IT organization and business, they both play integral parts in identity and access management. Given that, I’m always getting asked, “Who owns IAM?”

Today, IAM is touched by multiple IT roles, such as app developers, IT operations, and security. CISOs are getting involved as well, at least in oversight roles. That’s because wherever there are identities, access decisions, or identity repositories, there are also security risks, which call for common oversight and common policy. What’s more, it’s important for all of these IT groups to be able to communicate about these policies amongst themselves in order to help keep the company safe and protect against potential threats.

In this video, my colleague Jon Oltsik and I sit down to talk more about who owns IAM, and how IT professionals are leaning in to protect the company.

Stay tuned to hear more on this topic from Jon and me.

Video Transcript

Mark: Hi, everyone. I'm back here with Jon Oltsik and talking about our favorite two subjects, mobility and cybersecurity. One of the things that comes up, Jon, certainly, when you have those two subjects is really the different roles inside an IT organization and business. And one of the questions that I get is, at the end of the day, who owns identity and access management?

Certainly, I see people deploying, for example, mobile device management and setting policy based on that user. So in that case, the mobility person. I see a Windows administrator inside of Active Directory, with the username setting policy. So, it seems as though identity and access management is owned or at least touched by multiple roles in IT. Are you seeing it similar from a security perspective and how do you see that security professional stepping into identity and access management?

Jon: Yeah. You couldn't be more right, Mark. And there's a history there of application developers, IT operations, security, all getting involved in this. And the issue is, if everyone owns it, no one owns it. And from a security perspective, what we've seen is the security groups, the CISOs getting more involved, stepping in with at least an oversight role to look at all of the places where there's an identity and access or identity repositories, all of the methods for authentication and all of the policies and trying to rationalize that a little bit. Because there are security risks all over the place and really, you do need kind of common oversight and common policy.

Mark: Yeah. And you and I have talked about this whole idea of Internet of Identities, right? So, now you've got in the case where you've got different devices, different operating systems, different browsers even, that now everybody has got to understand, no matter what their role is in IT. Whether it's up at the application or down at the data piece of it, to really understand what the…the ultimate goal is very simple, right? Jon Oltsik, Mark Bowker, logs into a device from this location, sets policy and you're given access based on those things.

Jon: That's right.

Mark: But unless the teams are communicating, that's difficult to pull off.

Jon: Yeah. And we're tracking a new concept called the software-defined perimeter, which sort of sits in the middle of all that and makes access decisions based on who you are, where you are, what role you have, but also risk, because risk's always changing. So if I see a new type of threat…for instance, I see software vulnerability, I realize that your device has that vulnerability, I may change my access policy based on that. So it's very dynamic and it's new, but we think it will become kind of commonplace.

Mark: I agree and I think you'll see other teams, other organizations step into that. So I think you'll see HR even step in to make some of that, right? So I think it's important that they're all working together and ultimately, so they can understand how those policies are set. And it's simple, they don't have to go into different identity systems to then have to set different policy based on different devices and I think that's the magic.

Jon: Yeah. And you can't underestimate the role of regulations here…

Mark: True. That's very true.

Jon: …because I may need for GDPR, for instance, I need to know who has access to personal identifiable information for European citizens.

Mark: Yeah. Totally agree. So, you'll see a lot more from us on this exact topic. Really working and talking with IT professionals that we talk to and ultimately, digging more into the subject and seeing how they do ultimately come together to provide those policies.

Jon: I wanna know that myself.

Mark: Alright. Sounds good.
