Identity and access management (IAM) has always been a heavy burden for large organizations. Why? Multiple folks across companies – business people, software developers, IT operations, human resources, security, compliance auditors, etc. – play some role across the IAM spectrum.
As a result of this IAM group hug, technology decisions tend to be made tactically without any central oversight or integrated strategy, but this behavior may be changing. According to ESG research, 49% of large organizations claim they now have a formal enterprise-wide strategy in which IAM technology decisions are managed by central IT. In other words, someone in IT is now responsible and accountable for all IAM technology.
Okay, that’s a good start, but these decisions are often driven by the need to streamline IT operations – a valid objective but not nearly enough. In my humble opinion, we’ve entered the “me generation” of computing, where most business applications should be designed and customized for identity. Identity-based applications can then be used to improve business processes and security.
I realize that I’m not the first person to write on this topic but allow me to elaborate on some of my thoughts here:
- Everything that touches the network must have a detailed identity. To some extent this has been happening for years, but we need more than IP/MAC addresses or user names and passwords. The more identity attributes we have, the richer the identity experience. This is true for consumers (think Amazon and Google) and devices as well. If I know that an unmanaged device on the network hasn’t been patched in 6 months, I can deny network access or route the device to a remediation VLAN. Oh, and by the way, this is especially critical for making IoT applications productive and secure. Vendors like Aruba (HP), Bradford Networks, Cisco, ForeScout, Pulse, and Vidder will all play here.
- Strong authentication is a requirement. It’s 2016, people, so all organizations should have a plan in place for totally eliminating user names and passwords. Yes, this project will still take some effort but it’s gotten a lot easier over the past few years driven by smart phones, commodity biometrics, and industry standards like FIDO. Once again, everything that touches the network should have a pair of asymmetric keys and a digital certificate. Not up for managing a PKI environment? Service providers like Microsoft, Okta, Ping, or RSA can bridge this gap.
- Business and security people need to think about identity at a deeper level. This is really where business process enablement and risk management intersect. Business and security managers must get together and come to an agreement about what different users and devices should be able to do under specific circumstances. In other words, this is where you discuss the details about who gets access to what resources based upon their roles, device type, location, behavior, etc. Yes, security is important, but this isn’t just for blacklisting; attribute-based access can also be used proactively, like offering a user special services when they are detected nearby.
- Users have to be active participants rather than passive IT entities. Identity-based applications are all about fine-tuning and IT can’t do everything on its own. Users should be provided with self-service tools so they can customize their profiles, contribute to identity operations, and provide feedback to developers. And while many consumer-focused organizations may not like it, end users must have the ability to protect their privacy and decide who gets to see their data and who does not.
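As an added illustration (not code from the original post) of the attribute-based decisions described in the first and third bullets, here is a small Python policy function that maps one access request, with constructed user, device and context attributes, to allow, remediate (the remediation VLAN case) or deny. The roles, resources, rule ordering and the 180-day patch threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical attribute set for one access request: user, device and context attributes.
@dataclass(frozen=True)
class Request:
    role: str                     # user role as recorded in the directory
    device_managed: bool          # enrolled in endpoint management?
    last_patched: Optional[date]  # None = patch state unknown
    location: str                 # "campus" or "remote"
    resource: str                 # what the user/device wants to reach

MAX_PATCH_AGE = timedelta(days=180)  # the "6 months" threshold from the text (assumed value)

# Assumed policy table: allowed roles per resource, and whether the resource is
# sensitive enough that off-campus access requires a managed device.
POLICY = {
    "hr-records":   ({"hr", "auditor"}, True),
    "source-repo":  ({"developer"}, True),
    "guest-portal": ({"hr", "auditor", "developer", "guest"}, False),
}

def decide(req: Request, today: date) -> str:
    """Evaluate one request against the attribute policy.

    Returns "allow", "remediate" (route to the remediation VLAN) or "deny".
    Device hygiene is checked before role, so a stale device is quarantined
    even when the user would otherwise be entitled to the resource.
    """
    if req.resource not in POLICY:
        return "deny"                    # default deny for resources without a policy entry
    allowed_roles, sensitive = POLICY[req.resource]

    # Device hygiene: an unknown patch state is treated as worse than a merely stale one.
    if req.last_patched is None:
        return "deny"
    if today - req.last_patched > MAX_PATCH_AGE:
        return "remediate"               # let it patch, then re-evaluate on the next request

    # Role attribute: who may reach this resource at all.
    if req.role not in allowed_roles:
        return "deny"

    # Context attributes: sensitive resources from off-campus need a managed device.
    if sensitive and req.location == "remote" and not req.device_managed:
        return "deny"
    return "allow"
```

A real deployment would pull these attributes from the directory, the endpoint manager and the network access control system rather than from a dataclass, but the decision structure is the same.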
From a security perspective, it’s important to realize that in a world of perpetual mobility and massive amounts of data, identity IS the security perimeter. The sooner we realize this the better we will be at mitigating risk and protecting valuable digital assets.
Finally, anyone interested in learning more about the future of identity and its role in business applications should read about the National Strategy for Trusted Identities in Cyberspace. Very interesting and forward looking stuff from NIST.