Lots of security vendors play in the identity space. IBM is a leader in both areas while McAfee, RSA Security, and Symantec have acquired identity technologies over the past few years.
These vendors present a compelling vision of tighter alignment between identity and security that is sometimes referred to as “contextual security.” By unifying identity, network security, device identity, and data security, CISOs can create and enforce granular access policies that focus on what’s most important: sensitive data, profitable transactions, and valuable IT assets.
Identity and security alignment sure seems like a no-brainer. You could even make an argument that these areas are already in sync in areas like authentication, role-based access controls, privileged account management, and regulatory compliance.
Yup, it’s safe to say that the identity and security teams definitely work together already. That said, this relationship is “loosely coupled” in many cases, which leads to inefficiencies and increased risk.
Why the gap between identity and security? Think IT in the 1990s. In short order, enterprise organizations adopted file/print sharing (a la Banyan VINES and NetWare), client/server applications, and corporate intranets. Each individual system had its own methods for user account provisioning, authentication, entitlements, and auditing, creating an operations nightmare. Vendors like CA, IBM, Microsoft, and Novell developed tools to centralize identity command and control and ease identity operations. Oracle viewed these identity services as part of the middleware stack, acquired several IAM vendors, and made identity part of its application architecture strategy.
Of course, the security team was involved with identity in areas like password management, VPN access, and multi-factor authentication, but these activities were somewhat peripheral to basic IAM workflow and operations.
So the two teams found areas for cooperation but continued to have different objectives and priorities, thus remaining separate entities with their own budgets, tools, and skill sets. Unfortunately, this disconnect no longer makes sense given the explosion of new devices, applications, and cloud services. Furthermore, many enterprises now open their networks to business partners, customers, and suppliers, creating a complex mix of new accounts, user behavior, and access rights.
Without proper integration of identity and security, large organizations could see a big increase in vulnerable systems, fraud, and data breaches. CIOs and CISOs must recognize these risks on the one hand and the business/security opportunities around “contextual security” on the other. To paraphrase former President Ronald Reagan, “Mr./Ms. CIO and CISO: Tear down this wall between identity and security.”
What can CIOs and CISOs do?
- Assess the current relationship between IAM and security. Ask each team to identify operational inefficiencies, manual processes, and technology integration gaps. What frustrates them? What would they like to automate? What would they like to do but can't?
- Unify IAM and security architects and engineers. Task the teams to collaborate on projects henceforth in order to solve some of the problems identified in the assessment. Make sure to create metrics so you can measure your progress.
- Cross-train each team. It may be worthwhile to rotate individuals through both groups as well.
- Push back on vendors for integration options. It is no coincidence that IBM, McAfee, RSA, and Symantec are betting on IAM. Push these (and other) vendors on their strategies and timelines.