In this ESG360 Video, ESG's Mark Bowker and Jon Oltsik discuss the different roles inside an IT organization and business, including: who owns identity and access management?
Read the related ESG Blog: ESG360 Video: Who Owns Identity and Access Management (IAM)?
Mark: Hi, everyone, I'm back here with Jon Oltsik and talking about our favorite two subjects, mobility and cyber security. One of the things that comes up, Jon, certainly, when you have those two subjects is really the different roles inside an IT organization and business. And one of the questions that I get is, at the end of the day, who owns identity and access management? Certainly, I see people deploying, for example, mobile device management and setting policy based on that user. So in that case, the mobility person. I see a Windows administrator inside of Active Directory, with the username setting policy. So, it seems as though identity and access management is owned or at least touched by multiple roles in IT. Are you seeing it similar from a security perspective and how do you see that security professional stepping into identity and access management?
Jon: Yeah. You couldn't be more right, Mark. And there's a history there of application developers, IT operations, security, all getting involved in this. And the issue is, if everyone owns it no one owns it. And from a security perspective, what we've seen is the security groups, the CISOs getting more involved, stepping in with at least an oversight role there to look at all of the places where there's an identity and access or identity repositories, all of the methods for authentication and all of the policies and trying to rationalize that a little bit. Because there are security risks all over the place and really, you do need kind of common oversight and common policy.
Mark: Yeah. And you and I have talked about this whole idea of Internet of Identities, right? So, now you've got the case where you've got different devices, different operating systems, different browsers even, that now everybody has got to understand, no matter what their role is in IT. Whether it's up at the application or down at the data piece of it, to really understand that the ultimate goal is very simple, right? Jon Oltsik, Mark Bowker, logs into a device from this location, sets policy and you're given access based on those things.
Jon: That's right.
Mark: But unless the teams are communicating, that's difficult to pull off.
Jon: Yeah. And we're tracking a new concept called the software defined perimeter, which sort of sits in the middle of all that and makes access decisions based on who you are, where you are, what role you have, but also risk, because risk's always changing. So if I see a new type of threat…for instance, I see software vulnerability, I realize that your device has that vulnerability, I may change my access policy based on that. So it's very dynamic and it's new, but we think it will become kind of commonplace.
Mark: I agree and I think you'll see other teams, other organizations step into that. So I think you'll see HR even step in to make some of that, right? So I think it's important that they're all working together and ultimately, so they can understand how those policies are set. And it's simple, they don't have to go into different identity systems, to then have to set different policy based on different devices and I think that's the magic.
Jon: Yeah. And you can't underestimate the role of regulations here…
Mark: True. That's very true.
Jon: …because I may need, for GDPR, for instance, I need to know who has access to personally identifiable information for European citizens.
Mark: Yeah. Totally agree. So, you'll see a lot more from us on this exact topic. Really working and talking with IT professionals that we talk to and ultimately, digging more into the subject and seeing how they do ultimately come together to provide those policies.
Jon: I wanna know that myself, then.
Mark: All right. Sounds good.